From isn at c4i.org Fri Apr 2 07:21:36 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 2 08:04:00 2004
Subject: [ISN] Repost: NSPW 2004 Call For Papers
Message-ID:

Forwarded from: Abe Singer

FOR IMMEDIATE RELEASE
----------
Reminder: Call for Papers, Deadline 4/10/2004

New Security Paradigms Workshop 2004
An ACSA-sponsored workshop
http://www.nspw.org

September 20-23, 2004
White Point Beach Resort, Nova Scotia, Canada
(http://www.whitepoint.com/resortindex.htm)

For twelve years the New Security Paradigms Workshop (NSPW) has provided a stimulating and highly interactive forum for innovative approaches to computer security. The workshop offers a constructive environment for experienced researchers and practitioners as well as newer participants in the field. The result is a unique opportunity to exchange ideas.

NSPW 2004 will take place September 20 - 23 at the White Point Beach Resort, located on the southern shore of beautiful Nova Scotia. The resort can be reached by air via Halifax or by ferry from Portland, Maine. In order to preserve the small, focused nature of the workshop, participation is limited to authors of accepted papers and conference organizers.

NSPW is unique in format and highly interactive in nature. Each paper is typically the focus of 45 to 60 minutes of presentation and discussion. Authors are encouraged to present ideas that might be considered risky in some other forum, and all participants are charged with providing feedback in a constructive manner. The resulting intensive brainstorming has proven to be an excellent medium for furthering the development of these ideas. The proceedings, which are published after the workshop, have consistently benefited from the inclusion of workshop feedback.

Because we expect new paradigms, we accept wide-ranging topics in information security. Papers that present a significant shift in thinking about difficult security issues or build on a previous shift are welcomed. Our program committee particularly looks for new paradigms, innovative approaches to older problems, early thinking on new topics, and controversial issues that might not make it into other conferences but deserve to have their try at shaking and breaking the mold.

We welcome three categories of submission: research papers, 5 - 10 page position papers, and discussion topic proposals. Discussion topic proposals should include an in-depth description of the topic to be discussed, a convincing argument that the topic will lead to a lively discussion, and supporting materials. Submissions must be accompanied by a justification statement (why this is a new paradigm) and an attendance statement (how many authors expect to attend). All attendees are expected to stay for the entire duration of the workshop. Detailed submission information and instructions may be found at www.nspw.org.

Important dates:
Submission Deadline: April 10, 2004
Notification of acceptance: June 16, 2004

We expect to offer a limited amount of financial aid to those who require it. More information will be provided on our web site www.nspw.org as it becomes available.

Workshop General and Vice Chairs
Carla Marceau
ATC-NY
33 Thornwood Dr. Suite 500
Ithaca, NY 14850
Email: carla@atc-nycorp.com
Voice: +1 (607) 266-7110

Simon Foley
Department of Computer Science
University College Cork
Cork, Ireland
Email: s.foley@cs.ucc.ie
Voice: +353 21 490 2929

Local Arrangements
Carrie Gates, Dalhousie University, gates@cs.dal.ca

Financial Aid
Hilary Hosmer, Data Security Inc., hosmer@datasecinc.com
John McHugh, SEI/CERT, jmchugh@cert.org

Publications
Victor Raskin, Purdue University, vraskin@purdue.edu

Publicity
Abe Singer, San Diego Supercomputer Center, University of California, San Diego

Program Committee Co-Chairs
R. Sekar
Department of Computer Science
Stony Brook University
Stony Brook, NY 11794
Email: sekar@cs.sunysb.edu
Voice: +1 (631) 632-5758

John McHugh
SEI/CERT
4500 5th Avenue, Room 4204
Pittsburgh, PA 15213-3890
Email: jmchugh@cert.org
Voice: +1 (412) 268-7737

Program Committee
William Arbaugh, University of Maryland, blakley@us.ibm.com
Bob Blakley, IBM, blakley@us.ibm.com
Carrie Gates, Dalhousie University, gates@cs.dal.ca
Steve Greenwald, Independent Consultant, sjg6@gate.net
Carla Marceau, ATC-NY, carla@atc-nycorp.com
Ken Olthoff, NSA, olthoff@earthlink.net
Vern Paxson, International Computer Science Institute and Lawrence Berkeley National Laboratory, vern@icir.org
Ahmad Sadeghi, Ruhr University Bochum, sadeghi@crupto.rub.de
Marv Schaefer, Books With A Past, bwapast@erols.com
Matthias Schunter, IBM Research, mts@zurich.ibm.com
VN Venkatakrishnan, Stony Brook University, venkat@cs.sunysb.edu
Mary Ellen Zurko, IBM Software Group, mzurko@us.ibm.com

From isn at c4i.org Fri Apr 2 07:22:19 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 2 08:04:01 2004
Subject: [ISN] WorldWide WarDrive 4 Announced
Message-ID:

Forwarded from: roamer

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Announcing the Fourth WorldWide WarDrive (WWWD)
12-19 June, 2004

The WorldWide WarDrive is an effort by security professionals and hobbyists to generate awareness of the need by individual users and companies to secure their access points. The goal of the WorldWide WarDrive (or WWWD) is to provide a statistical analysis of the many access points that are currently deployed. We feel that many end users are not aware that the factory or "default" settings on Access Points do not take any security measures into account. By providing these statistics we hope that end users will become aware of the need to take simple measures to secure their access points. The WWWD provides a snapshot of the security posture of currently deployed wireless access points throughout the world.
During the Third WorldWide WarDrive, which took place in July 2003, over 88,000 unique access points were discovered worldwide. The statistics compiled for the WWWD have become the de facto standard for statistics used by many media outlets and wireless security vendors to further generate public awareness of wireless security issues.

The Fourth WorldWide WarDrive will take place 12-19 June 2004. The WorldWide WarDrive has teamed with the Wireless Geographic Logging Engine (WiGLE, www.wigle.net) to provide real-time maps and statistics as data from each area is uploaded. This is a departure from past events where statistics and maps were compiled at the conclusion of the week-long WWWD.

Also in conjunction with the announcement of the Fourth WorldWide WarDrive, the Church Of WiFi is proud to announce that an updated version of WarKizNiz is available at
www.michiganwireless.org/tools/WarKizNiz/
WarKizNiz accepts input from Kismet log files and converts them into NetStumbler .ns1 format.

Coordination of drives throughout the world is done at the WorldWide WarDrive Forums located at
http://www.c2security.org/forums/wwwd/

As in the past, discussions pertaining to the WWWD can also be conducted on the WarDriving mailing list (http://mailsrv.dis.org/mailman/listinfo/wardriving). New for WWWD4 is the creation of a mailing list devoted solely to wireless security issues. To join this list, hosted by Michigan Wireless, go to http://www.michiganwireless.org/lists.html.

For general information about the WorldWide WarDrive visit the WorldWide WarDrive website at www.worldwidewardrive.org or the WWWD Frequently Asked Questions document at http://www.worldwidewardrive.org/faq.html.

Media persons interested in articles or interviews should email media@worldwidewardrive.org with MEDIA INQUIRY in the subject line.

Roamer
roamer@worldwidewardrive.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAaez9kdZkhH2Wha0RAkfDAKDMjmCfjkLPRKxoCJvoHZk7qTvXPgCg50GN
qZ9Q1ejTIESTPXvpR6kYuWM=
=SfsA
-----END PGP SIGNATURE-----

From isn at c4i.org Fri Apr 2 07:23:03 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 2 08:04:02 2004
Subject: [ISN] Windows & .NET Magazine Security UPDATE--Wiping Old Hard Disks Clean--March 31, 2004
Message-ID:

====================

==== This Issue Sponsored By ====

Symantec ON iPatch - First Enterprise Patch Management Solution
http://list.winnetmag.com/cgi-bin3/DM/y/efG60CJgSH0CBw0BGbT0AO

Symantec V2i Protector - Real-time Backup/Recovery
http://list.winnetmag.com/cgi-bin3/DM/y/efG60CJgSH0CBw0BGbS0AN

====================

* In Focus: Wiping Old Hard Disks Clean

* Security News and Features
- News: Scripting MBSA 1.2
- News: Windows 2003 AD Quotas
- News: Cryptcat and Netcat; Secure Your Domain for 100 Years
- News: Three Betas: XP SP2, LimitLogon, Mozilla 1.7

* New and Improved
- Respond to Network Security Information in Real Time

====================

==== Sponsor: Symantec ON iPatch - First Enterprise Patch Management Solution ====

ON iPatch lets you proactively patch and secure thousands of computers simultaneously - including remote and mobile computers, no matter where they are located or connected - and rapidly recover from virus corruption, without the significant cost and time delay of sending IT staff to remote locations. ON iPatch proactively identifies and installs all missing patches and removes unauthorized files and applications. It provides an automated, unattended solution for a security audit of all your managed computers, and has the ability to place corrupted computers in "safe mode" and then execute remediation utilities off line in a 100% unattended manner.
Click here for more information:
http://list.winnetmag.com/cgi-bin3/DM/y/efG60CJgSH0CBw0BGbT0AO

====================

==== In Focus: Wiping Old Hard Disks Clean ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

A component that's typically changed during computer upgrades is the hard disk. Users run out of space and need a larger disk, particularly if their existing disks are somewhat old and therefore probably have less capacity. Swapping out disks or complete systems is common, but I wonder whether you wipe clean your old disks before sending them off for recycling or resale. If you do wipe the disks, are you sure that data can't be recovered from them?

Some people might think that simply using Fdisk to destroy partitions is a good enough technique for eliminating data. After all, if the partitions are gone, who could recover the data, right? Wrong. Fdisk changes only partition tables--it doesn't touch the other sectors on the drive. So any data that users stored on those other sectors is still there, which means that someone with a little knowledge could recover that data.

Simson Garfinkel wrote the article "Hard Disk Risk" about a year ago for CSO Magazine. In the article, Garfinkel talks about his adventures in purchasing old hard drives at resale shops and the data that he found on them. One drive was formerly used in an ATM machine and contained a year's worth of transaction records; another drive had more than 5000 credit card numbers; yet another had sensitive personal information about an individual. Only 10 percent of the drives Garfinkel purchased were properly wiped of data.
http://www.simson.net/clips/2003.CSO.04.hard_disk_risk.htm

To wipe a disk clean, you need to overwrite all sectors on a drive in some fashion. Some disk-wiping tools can overwrite sectors numerous times to better ensure that the magnetic flux (which is the means by which data is recorded) is dramatically changed so that little if any flux remains to be used toward data recovery. Or you might decide that one overwrite process is enough for your needs.

Garfinkel raises an interesting question: If you give your old hardware to resellers or other organizations, do you trust these organizations to satisfactorily delete your data? You might consider wiping your own drives before you release them from your control.

To get the job done, you might use Autoclave, LSoft Technologies' Active@KillDisk, Stellar Information Systems' Stellar Wipe Safe Data Eraser, Heidi Computers' Eraser, or any number of other tools designed to destroy disk-based data.
http://staff.washington.edu/jdlarios/autoclave
http://www.killdisk.com
http://www.stellarinfo.com/file-eraser.htm
http://www.heidi.ie/eraser

If you're interested in some facts as well as theory about how someone might recover data from your old drives and how disk-wiping technology can help prevent that from happening, be sure to read Peter Gutmann's extensive article on the subject.
http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/

Last week, I requested feedback about this newsletter. I've received numerous responses and want to thank those of you who did respond. However, I'd like to hear from even more of you! If you're so inclined, please email me your comments. If you missed last week's editorial, you can read it at the URL below. In essence, I welcomed any suggestions, comments, or critiques regarding this newsletter. Send your response to mark at ntsecurity dot net, and please prefix the subject line with "SECUPD" so that I can more easily identify responses to this request.
http://www.winnetmag.com/article/articleid/42127/42127.html

====================

==== Sponsor: Symantec V2i Protector - Real-time Backup/Recovery ====

In the event of a security threat or disaster, V2i Protector provides a real-time, disk-based backup and disaster recovery solution designed to capture a system's active state. Using V2i Protector, you can also quickly restore failed systems to a specified point in time by performing a full system restoration or a complete bare metal recovery, or by restoring individual files and folders in minutes. V2i Protector creates exact backups of volumes/partitions through the use of snapshot technology. This captures all files and volumes, including system personalities and configurations.

Click here to download an evaluation version today:
http://list.winnetmag.com/cgi-bin3/DM/y/efG60CJgSH0CBw0BGbS0AN

====================

==== Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.winnetmag.com/departments/departmentid/752/752.html

News: Scripting MBSA 1.2
Updated sample scripts are now available for the Microsoft Baseline Security Analyzer (MBSA) 1.2. Microsoft published the updates on March 17.
http://www.winnetmag.com/article/articleid/42116/42116.html

Feature: Windows 2003 AD Quotas
Windows Server 2003 has a new Active Directory (AD) quotas feature that lets you monitor and limit the number of objects a security principal (user, group, or computer) can create in a partition. This feature is similar to the built-in quota that Windows 2000 and later versions assign to authenticated users for creating computer objects, except that the new Windows 2003 quotas apply to all object types. Robbie Allen explains the new feature in this article on our Web site.
http://www.winnetmag.com/article/articleid/41898/41898.html

News: Cryptcat and Netcat; Secure Your Domain for 100 Years
You've probably heard of Netcat, a flexible network utility that can perform all sorts of functions. But have you heard of Cryptcat? The tool has been around for almost 4 years, but plenty of people don't know it exists. Network Solutions now lets you secure your domain name for 100 years in advance for $999.
http://www.winnetmag.com/article/articleid/42131/42131.html

News: Three Betas: XP SP2, LimitLogon, Mozilla 1.7
Microsoft released Windows XP Service Pack 2 (SP2) to public beta last week. Along with the beta, the company established 11 newsgroups in which users can discuss various aspects of the service pack. The ieXbeta.com Web site reports that Microsoft is now accepting applications for beta testers of an upcoming Windows Server 2003 Resource Kit tool, LimitLogon, which will let you limit the number of allowed concurrent sessions per user in an Active Directory (AD) domain. The tool requires Windows 2003 and Microsoft IIS 6.0. The Mozilla Organization released the Mozilla 1.7 public beta. The new version includes improved cookie controls, support for SMTP "MSN Authentication" in the mail client, performance improvements, and several other enhancements.
http://www.winnetmag.com/article/articleid/42093/42093.html

====================

==== Sponsor: Virus Update from Panda Software ====

Are your traditional antivirus solutions really protecting your network? Panda Antivirus GateDefender is a dedicated hardware device installed at the Internet gateway to block viruses before they contaminate your network. It scans 7 different communication protocols, achieving optimum protection against external attacks. Panda Antivirus GateDefender 7100 (25-500 seats) & Panda Antivirus GateDefender 7200 (500 seats+) provide the highest scalability with native load balancing that transparently adapts to traffic volume. Visit "Panda's GateDefender Stands Guard!" at
http://list.winnetmag.com/cgi-bin3/DM/y/efG60CJgSH0CBw0BEGa0A7
for more information.

====================

==== Announcements ====
(from Windows & .NET Magazine and its partners)

Windows & .NET Magazine Connections
Windows & .NET Magazine Connections features speakers from Microsoft and other top independent experts. Complete details about workshops, breakout sessions, and speakers are now online. All attendees will get a chance to win a Florida vacation. Keep your competitive edge by learning from the world's best experts. Go online now to register.
http://list.winnetmag.com/cgi-bin3/DM/y/efG60CJgSH0CBw0KXQ0A8

Take Our Brief Survey!
Does your company use third-party management tools to manage your Microsoft Windows network? If you do, Windows & .NET Magazine would like to hear from you about your preferences. Please respond to our short survey regarding Windows management tools and we'll enter you in a drawing to win one of two $50 Amazon.com gift certificates.
http://list.winnetmag.com/cgi-bin3/DM/y/efG60CJgSH0CBw0BGAr0AL

====================

==== Hot Release: Free Trial SSL Certificate from Thawte ====

Take your first step towards giving your online business a competitive advantage. Test-drive a Thawte SSL certificate - our easy online guide will show you how. Click here to get started:
http://list.winnetmag.com/cgi-bin3/DM/y/efG60CJgSH0CBw0BGmP0AV

====================

==== Security Toolkit ====

Virus Center
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.winnetmag.com/windowssecurity/panda

FAQ: Can I Move Microsoft Exchange Server Systems Between Administrative Groups?
by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. No, even in a native Exchange Server 2003 organization, you can't move servers between administrative groups. However, if you're running Exchange in native mode, you can move mailboxes between administrative groups. To work around the inability to move Exchange servers between administrative groups, you can delete a server in one group and recreate it from scratch in another by performing the following steps:

1. Remove all resources and mailboxes from the server you want to move (in native mode, you can move the mailboxes to another server temporarily or use Exmerge to export the mailboxes).
2. Remove the server from the administrative group (i.e., uninstall Exchange).
3. Rebuild the server and select the new administrative group.
4. If Exchange is in native mode, move the mailboxes from the temporary Exchange server back to the original server. If you used Exmerge, import the mailboxes and relink them to the Active Directory (AD) accounts.

Featured Thread: pcAnywhere with ISA Server
(Four messages in this thread)
Yushi writes that a client has requested that Yushi set up pcAnywhere on the client's server so that the client can remotely administer a database. The server is running Small Business Server (SBS) 2000 and Internet Security and Acceleration (ISA) Server. Yushi wants to know how to configure ISA Server to allow access to pcAnywhere. Lend a hand or read the responses:
http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=118332

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

New Web Seminar
Preemptive Email Security: How Enterprise Rent-A-Car Eliminates Spam
Get the inside scoop on how Enterprise Rent-A-Car eliminated spam and viruses, improved their email security, and increased productivity. Don't miss this opportunity to educate yourself and become a smarter customer when it comes to choosing an antispam solution that best fits your organization's needs. Sign up for this free Web seminar today!
http://list.winnetmag.com/cgi-bin3/DM/y/efG60CJgSH0CBw0BGhc0Aj

==== New and Improved ====
by Jason Bovberg, products@winnetmag.com

Respond to Network Security Information in Real Time
eEye Digital Security and e-Security announced an enterprise threat-management solution. The eEye Retina Network Security Scanner scans every machine on a corporate network for vulnerabilities and immediately makes that information available to the e-Security ESM real-time management console, so you have accurate and timely information available to help you prioritize resources for vulnerability remediation. For more information about this partnership, contact eEye or e-Security on the Web.
http://www.eeye.com
http://www.esecurity.net

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com.

===================

==== Contact Us ====
About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

====================

==== Contact Our Sponsors ====
Primary/Secondary Sponsor: Symantec -- http://www.symantec.com
Hot Release Sponsor: Thawte -- http://www.thawte.com

====================

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you!

View the Windows & .NET Magazine privacy policy at
http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All rights reserved.

From isn at c4i.org Fri Apr 2 07:23:54 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 2 08:04:03 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-14
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-03-25 - 2004-04-01

This week : 50 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you of the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

During the past week there has been a lot of talk about a "new" vulnerability in Internet Explorer. It has even been referred to as a so-called "Zero-day" vulnerability. However, this is not the case. It is a variant of an older vulnerability in the "ShowHelp()" function in Internet Explorer, which allows a malicious website to download and run ".CHM" files on the local system.

What's new, and what people have been talking about, is that instead of using the "ShowHelp()" function in Internet Explorer, a new attack vector for this problem has been revealed by using either the "ms-its:" or "mk:@MSITStore:" URI handlers.

More information about this can be found in the referenced Secunia advisory below.

Reference:
http://secunia.com/SA10523

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA10395] Internet Explorer URL Spoofing Vulnerability
2. [SA11082] Sun Java System (Sun ONE) SSL Vulnerabilities
3. [SA11199] Microsoft Visual C++ Constructed ISAPI Extensions Denial of Service
4. [SA11228] Check Point Products OpenSSL Vulnerabilities
6. [SA11139] OpenSSL SSL/TLS Handshake Denial of Service Vulnerabilities
7. [SA11213] HP Web JetAdmin Multiple Vulnerabilities
8. [SA11168] Symantec Internet Security ActiveX Component Arbitrary File Execution
9. [SA11215] Trend Micro Interscan VirusWall Directory Traversal Vulnerability
10. [SA10523] Internet Explorer showHelp() Restriction Bypass Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA11231] Foxmail UrlToLocal Buffer Overflow Vulnerability
[SA11236] A-CART SQL Injection and Cross Site Scripting Vulnerabilities
[SA11216] Nexgen FTP Server Directory Traversal Vulnerability
[SA11222] eSignal STREAMQUOTE Buffer Overflow Vulnerability
[SA11215] Trend Micro Interscan VirusWall Directory Traversal Vulnerability

UNIX/Linux:
[SA11264] LIN:BOX Web-based Management Interface User Authentication Bypass
[SA11256] MadBMS Unspecified Login Vulnerability
[SA11235] psInclude Arbitrary Command Execution Vulnerability
[SA11218] OpenLinux update for mutt
[SA11263] Gentoo update for mplayer
[SA11262] Gentoo update for mc
[SA11261] Gentoo update for OpenLDAP
[SA11255] quoteengine SQL Injection Vulnerability
[SA11250] Red Hat update for ethereal
[SA11248] OpenLinux update for vim
[SA11246] Mandrake update for Ethereal
[SA11240] Gentoo update for oftpd
[SA11239] Red Hat update for mozilla
[SA11238] Debian update for libpam-pgsql
[SA11237] libpam-pgsql SQL Injection Vulnerability
[SA11232] Hibyte HiGuest Script Insertion Vulnerability
[SA11227] Gentoo update for Courier
[SA11226] Gentoo update for UUDeview
[SA11225] Gentoo update for ethereal
[SA11220] oftpd PORT Command Denial of Service Vulnerability
[SA11219] OpenLinux update for mc
[SA11217] Gentoo update for Apache 2
[SA11214] Sun Solaris CDE dtlogin XDMCP Parsing Vulnerability
[SA11260] SillySearch "search" Parameter Cross Site Scripting Vulnerability
[SA11258] TCPDUMP ISAKMP Payload Handling Denial of Service Vulnerabilities
[SA11257] Gentoo update for fetchmail
[SA11249] UnixWare update for Perl
[SA11244] cPanel Multiple Cross-Site Scripting Vulnerabilities
[SA11234] Interchange Arbitrary Variable Content Disclosure
[SA11230] XMB Cross Site Scripting Vulnerabilities
[SA11233] FreeBSD IPv6 "setsockopt()" Input Validation Vulnerability
[SA11224] GNOME gnome-session Privilege Escalation Vulnerability
[SA11253] Clam AntiVirus Realtime Scanning VirusEvent Security Issue
[SA11247] OpenLinux update for util-linux

Other:
[SA11254] Symantec Clientless VPN Gateway OpenSSL Vulnerability

Cross Platform:
[SA11259] MPlayer HTTP Location Header Parsing Heap Overflow Vulnerability
[SA11245] eZ publish Unspecified Template Editing Vulnerability
[SA11241] PhotoPost Multiple Vulnerabilities
[SA11229] phpBB "privmsg.php" SQL Injection Vulnerability
[SA11228] Check Point Products OpenSSL Vulnerabilities
[SA11221] phpBB Multiple Vulnerabilities
[SA11243] Cloisterblog Multiple Vulnerabilities
[SA11242] WebCT Campus Edition Cross Site Scripting Vulnerability
[SA11223] MySQL "mysqlbug" Insecure Temporary File Creation Vulnerability
[SA11251] Oracle9i Application Server Cross Site Scripting Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:

--

[SA11231] Foxmail UrlToLocal Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-03-29

The XFOCUS Security Team has reported a vulnerability in Foxmail, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11231/

--

[SA11236] A-CART SQL Injection and Cross Site Scripting Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-03-30

Manuel Lopez has reported two vulnerabilities in A-CART, which can be exploited by malicious people to conduct Cross Site Scripting and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/11236/

--

[SA11216] Nexgen FTP Server Directory Traversal Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-03-25

Ziv Kamir has reported a vulnerability in Nexgen FTP Server, allowing malicious people to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/11216/

--

[SA11222] eSignal STREAMQUOTE Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-03-26

Vizzy has reported a vulnerability in eSignal, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/11222/

--

[SA11215] Trend Micro Interscan VirusWall Directory Traversal Vulnerability
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2004-03-25

Tri Huynh has reported a vulnerability in Trend Micro Interscan VirusWall, allowing malicious people to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/11215/

UNIX/Linux:

--

[SA11264] LIN:BOX Web-based Management Interface User Authentication Bypass
Critical: Highly critical
Where: From remote
Impact: Security Bypass
Released: 2004-03-31

Martin Eiszner has reported a vulnerability in LIN:BOX, which can be exploited by malicious people to bypass the user authentication of the web-based management interface.

Full Advisory:
http://secunia.com/advisories/11264/

--

[SA11256] MadBMS Unspecified Login Vulnerability
Critical: Highly critical
Where: From remote
Impact:
Released: 2004-03-31

Andy has discovered an unspecified vulnerability within the login functionality of MadBMS.

Full Advisory:
http://secunia.com/advisories/11256/

--

[SA11235] psInclude Arbitrary Command Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-03-30

Haris Tbr has discovered a vulnerability in psInclude, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11235/

--

[SA11218] OpenLinux update for mutt
Critical: Highly critical
Where: From remote
Impact: System access, DoS
Released: 2004-03-26

SCO has issued updated packages for mutt. These fix a vulnerability, which can be exploited by malicious people to crash the mail client or potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/11218/

--

[SA11263] Gentoo update for mplayer
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-03-31

Gentoo has issued an update for mplayer. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/11263/

--

[SA11262] Gentoo update for mc
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-03-31

Gentoo has issued an update for mc. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/11262/

--

[SA11261] Gentoo update for OpenLDAP
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-31

Gentoo has issued an update for OpenLDAP. This fixes an older vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) on a vulnerable system.
Full Advisory: http://secunia.com/advisories/11261/

--
[SA11255] quoteengine SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information
Released: 2004-03-31
A vulnerability has been discovered in quoteengine, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/11255/

--
[SA11250] Red Hat update for ethereal
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-03-31
Red Hat has issued updated packages for ethereal. These fix multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11250/

--
[SA11248] OpenLinux update for vim
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-03-31
SCO has issued updated packages for vim. These fix an older vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11248/

--
[SA11246] Mandrake update for Ethereal
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-03-31
MandrakeSoft has issued updated packages for ethereal. These fix multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11246/

--
[SA11240] Gentoo update for oftpd
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-30
Gentoo has issued an update for oftpd. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a Denial of Service.
Full Advisory: http://secunia.com/advisories/11240/

--
[SA11239] Red Hat update for mozilla
Critical: Moderately critical
Where: From remote
Impact: System access, DoS, Cross Site Scripting, Security Bypass
Released: 2004-03-30
Red Hat has issued updated packages for mozilla, which fix various vulnerabilities.
Full Advisory: http://secunia.com/advisories/11239/

--
[SA11238] Debian update for libpam-pgsql
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-03-30
Debian has issued updated packages for libpam-pgsql. These fix a vulnerability, which can be exploited by malicious people to manipulate SQL queries.
Full Advisory: http://secunia.com/advisories/11238/

--
[SA11237] libpam-pgsql SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-03-30
Primoz Bratanic has reported a vulnerability in libpam-pgsql, allowing malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/11237/

--
[SA11232] Hibyte HiGuest Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-03-30
ShelzZ has discovered a vulnerability in Hibyte HiGuest, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/11232/

--
[SA11227] Gentoo update for Courier
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-03-29
Gentoo has issued an update for Courier. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11227/

--
[SA11226] Gentoo update for UUDeview
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-03-29
Gentoo has issued an update for UUDeview.
This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11226/

--
[SA11225] Gentoo update for ethereal
Critical: Moderately critical
Where: From remote
Impact: System access, DoS
Released: 2004-03-29
Gentoo has issued an update for ethereal. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11225/

--
[SA11220] oftpd PORT Command Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-26
Andreas Rueegg and Philippe Oechslin have discovered a vulnerability in oftpd, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11220/

--
[SA11219] OpenLinux update for mc
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-03-26
SCO has issued updated packages for mc. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11219/

--
[SA11217] Gentoo update for Apache 2
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-03-26
Gentoo has issued updates for Apache 2. These fix three vulnerabilities, potentially allowing malicious people to cause a Denial of Service or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11217/

--
[SA11214] Sun Solaris CDE dtlogin XDMCP Parsing Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-03-25
Dave Aitel has reported that the CDE implementation in Sun Solaris is affected by a vulnerability in the dtlogin service. This can potentially be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11214/

--
[SA11260] SillySearch "search" Parameter Cross Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-03-31
SmOk3 has discovered a vulnerability in SillySearch, which can be exploited by malicious people to conduct Cross Site Scripting attacks.
Full Advisory: http://secunia.com/advisories/11260/

--
[SA11258] TCPDUMP ISAKMP Payload Handling Denial of Service Vulnerabilities
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-03-31
Rapid7 has discovered two vulnerabilities in TCPDUMP, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11258/

--
[SA11257] Gentoo update for fetchmail
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-03-31
Gentoo has issued an update for fetchmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial-of-Service).
Full Advisory: http://secunia.com/advisories/11257/

--
[SA11249] UnixWare update for Perl
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-03-31
SCO has issued an update for Perl. This fixes an old vulnerability in the Safe.pm module, which provides safe compartments to evaluate Perl code in.
Full Advisory: http://secunia.com/advisories/11249/

--
[SA11244] cPanel Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-03-30
Sullo has reported multiple vulnerabilities in cPanel, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/11244/

--
[SA11234] Interchange Arbitrary Variable Content Disclosure
Critical: Less critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2004-03-30
A vulnerability has been discovered in Interchange, which can be exploited by malicious people to gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/11234/

--
[SA11230] XMB Cross Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-03-29
Janek Vind has reported multiple vulnerabilities in XMB, allowing malicious people to conduct Cross Site Scripting attacks.
Full Advisory: http://secunia.com/advisories/11230/

--
[SA11233] FreeBSD IPv6 "setsockopt()" Input Validation Vulnerability
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, DoS
Released: 2004-03-30
Katsuhisa ABE and Colin Percival have discovered a vulnerability in FreeBSD, which can be exploited by malicious, local users to gain knowledge of sensitive information or cause a DoS (Denial-of-Service).
Full Advisory: http://secunia.com/advisories/11233/

--
[SA11224] GNOME gnome-session Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-03-30
A vulnerability has been reported in GNOME, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11224/

--
[SA11253] Clam AntiVirus Realtime Scanning VirusEvent Security Issue
Critical: Not critical
Where: From local network
Impact: Privilege escalation
Released: 2004-03-31
l0om has reported a security issue in Clam AntiVirus, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11253/

--
[SA11247] OpenLinux update for util-linux
Critical: Not critical
Where: Local system
Impact: Exposure of sensitive information, Exposure of system information
Released: 2004-03-31
SCO has issued updated packages for util-linux. These fix a vulnerability, which potentially could disclose information to users.
Full Advisory: http://secunia.com/advisories/11247/

Other:
--
[SA11254] Symantec Clientless VPN Gateway OpenSSL Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-31
Symantec has acknowledged a vulnerability in the OpenSSL implementation of Symantec Clientless VPN Gateway, which can be exploited by malicious people to cause a DoS (Denial-of-Service).
Full Advisory: http://secunia.com/advisories/11254/

Cross Platform:
--
[SA11259] MPlayer HTTP Location Header Parsing Heap Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-03-31
blexim has discovered a vulnerability in MPlayer, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11259/

--
[SA11245] eZ publish Unspecified Template Editing Vulnerability
Critical: Moderately critical
Where: From remote
Impact:
Released: 2004-03-30
An unspecified vulnerability has been reported in eZ publish when editing templates.
Full Advisory: http://secunia.com/advisories/11245/

--
[SA11241] PhotoPost Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2004-03-30
JeiAr has reported multiple vulnerabilities in PhotoPost, which can be exploited by malicious people to conduct Cross Site Scripting, SQL injection, and script insertion attacks.
Full Advisory: http://secunia.com/advisories/11241/

--
[SA11229] phpBB "privmsg.php" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-03-29
Janek Vind has reported a vulnerability in phpBB, allowing malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/11229/

--
[SA11228] Check Point Products OpenSSL Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-29
Check Point has acknowledged that the OpenSSL implementation in certain products is affected by vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial-of-Service).
Full Advisory: http://secunia.com/advisories/11228/

--
[SA11221] phpBB Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2004-03-29
The vendor has released a new version of phpBB. This fixes multiple vulnerabilities, allowing malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/11221/

--
[SA11243] Cloisterblog Multiple Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information, Exposure of system information, Cross Site Scripting
Released: 2004-03-30
Dotho has reported a vulnerability in Cloisterblog, which can be exploited by malicious people to conduct Cross Site Scripting and directory traversal attacks.
Full Advisory: http://secunia.com/advisories/11243/

--
[SA11242] WebCT Campus Edition Cross Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-03-30
Simon Boulet has reported a vulnerability in WebCT, which can be exploited by malicious people to conduct Cross Site Scripting attacks.
Full Advisory: http://secunia.com/advisories/11242/

--
[SA11223] MySQL "mysqlbug" Insecure Temporary File Creation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-03-29
Shaun Colley has reported a vulnerability in MySQL, potentially allowing malicious users to escalate their privileges.
Full Advisory: http://secunia.com/advisories/11223/

--
[SA11251] Oracle9i Application Server Cross Site Scripting Vulnerability
Critical: Not critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-03-31
A security issue has been reported in Oracle9i Application Server Single Sign-on, potentially allowing malicious people to conduct Cross Site Scripting attacks.
Full Advisory: http://secunia.com/advisories/11251/

========================================================================
Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45
========================================================================

From isn at c4i.org Fri Apr 2 07:57:19 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 2 08:04:04 2004
Subject: [ISN] Task force urges security collaboration
Message-ID:

http://www.fcw.com/fcw/articles/2004/0329/web-task-04-01-04.asp

By Florence Olsen
April 1, 2004

Improving software security will demand a concerted effort from government, industry and higher education, said members of a national task force on software development in a report released today.

In a 100-page document, the security task force made four broad recommendations for improving software security.
In most of them, members called for common knowledge to be applied where it is now given only lip service.

"As a software executive, the hardest thing to do is to look into the eyes of a team member who's been working for your company for 20 years and to say, 'You've been doing it wrong for 20 years,'" Ron Moritz, chief security strategist for Computer Associates International Inc. and a co-chairman of the task force, said in an interview. "But that's what we're doing now."

The task force defines secure software as software that preserves "the confidentiality, integrity and availability" of information.

The report concluded that software security improvement requires:

* Higher education to do a better job of teaching future software developers.
* The software industry to make security an integral part of the design process.
* Policymakers and others to create incentives that reward those who create secure software code.
* And the software industry to come together on a common method of managing the process of patching software when insecurities are discovered.

Federal agencies and other organizations should carefully pick and choose which recommendations to focus on, Moritz said. "If you try to do everything, you'll probably get nothing done," he said.

The group also recommended more basic research on creating secure software. "The research process has slowed down and needs to be reenergized," Moritz said. He cited Sun Microsystems Inc.'s Java language as a vast improvement over existing languages when it was created 10 years ago. It may be in the national interest to finance research on a language that goes even further than Java to help programmers write secure software, Moritz said.

Perhaps the harshest statement in the report came from the task force's educational subgroup: "If the United States is to progress beyond immature infrastructures created by amateurs, professionalism based on a sound university education is required."
Although the task force was not created to advise the Homeland Security Department, the report suggests a role for DHS in creating security metrics for the principal components of the United States' cyberinfrastructure and keeping track of progress in meeting those benchmarks. "I see DHS as the project manager, as the key influencing body," Moritz said. "I'm not suggesting that it replace" the Office of Management and Budget.

The task force was organized by the National Cyber Security Partnership, which includes the Business Software Alliance; the Information Technology Association of America; TechNet, a chief executive officers group; and the U.S. Chamber of Commerce. Among the partnership's members are academic, corporate, government and industry cybersecurity experts. The task force developed its recommendations in response to the President's National Strategy to Secure Cyberspace.

From isn at c4i.org Mon Apr 5 01:58:59 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 5 02:21:00 2004
Subject: [ISN] Linux Advisory Watch - April 2nd 2004
Message-ID:

+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| April 2nd, 2004 Volume 5, Number 14a |
+----------------------------------------------------------------+

Editors: Dave Wreski (dave@linuxsecurity.com), Benjamin Thomas (ben@linuxsecurity.com)

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for mc, openssl, ethereal, libxml2, emil, Linux kernel, apache, UUDeview, courier, oftpd, fetchmail, squid, OpenLDAP, mplayer, Mozilla, and apache. The distributors include Conectiva, Debian, FreeBSD, Gentoo, Mandrake, Red Hat, Trustix, and Turbolinux.
----
>> Internet Productivity Suite: Open Source Security <<
Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10
----

Ape about EtherApe

It is always the same scene in Hollywood films. The networks are penetrated; cryptic images and characters are scrolling across the screen. We're being hacked! Did you ever wish you could keep a closer eye on your network? Sure we have sniffers and other tools, but did you ever want something graphical? I've always been a huge fan of ntop, but feel that it lacks on the graphical end. My curiosity drives the question, what is happening on my network?

Another interesting program that I enjoy using is EtherApe. It is a network monitor that displays traffic graphically. It supports a wide range of protocols and network types. The display is color-coded, allowing users to quickly understand the type of traffic on a network. The project is several years old, originally based on etherman. It is licensed under the GPL and is currently packaged for many different Linux distributions. The hardware requirements are minimal; however, it does require you to use X and have libpcap installed.

With EtherApe you'll find that network monitoring has never been this fun. On an active network, one can easily be drawn to just watching the activity. It can be a very useful tool, but the entertainment value should not be discounted. One of the most useful features of EtherApe is the dynamic graphic images it creates. These can be used to further explain concepts or attack methodologies to business decision makers who wouldn't normally understand the output of tcpdump.
More information about EtherApe can be found at the project website: http://etherape.sourceforge.net/

Also, for those of you who are just curious, several screenshots are also available: http://etherape.sourceforge.net/images/

Until next time, cheers!

Benjamin D. Thomas
ben@linuxsecurity.com

----
Interview with Siem Korteweg: System Configuration Collector
In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.
http://www.linuxsecurity.com/feature_stories/feature_story-162.html
--------------------------------------------------------------------
Security: MySQL and PHP
This is the second installment of a three-part article on LAMP (Linux Apache MySQL PHP). In order to safeguard a MySQL server to the basic level, one has to abide by the following guidelines.
http://www.linuxsecurity.com/feature_stories/feature_story-130.html
--------------------------------------------------------------------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Conectiva |
+---------------------------------+

3/31/2004 - mc
Buffer overflow vulnerability
Flaw allows the execution of arbitrary code.
http://www.linuxsecurity.com/advisories/conectiva_advisory-4183.html

3/31/2004 - OpenSSL
Denial of service vulnerabilities
This update fixes three denial of service vulnerabilities that affect OpenSSL versions distributed with Conectiva Linux.
http://www.linuxsecurity.com/advisories/conectiva_advisory-4184.html

3/31/2004 - ethereal
Multiple vulnerabilities
This patch fixes a large number of vulnerabilities, some remotely exploitable.
http://www.linuxsecurity.com/advisories/conectiva_advisory-4185.html

3/31/2004 - libxml2
Buffer overflow vulnerability
An attacker can exploit this vulnerability to execute arbitrary code with the privileges of the user running an affected application.
http://www.linuxsecurity.com/advisories/conectiva_advisory-4186.html

+---------------------------------+
| Distribution: Debian |
+---------------------------------+

3/26/2004 - emil
Multiple vulnerabilities
Ulf Harnhammar discovered a number of vulnerabilities in emil, both various buffer overflows and format string bugs.
http://www.linuxsecurity.com/advisories/debian_advisory-4157.html

3/29/2004 - pam-pgsql
Unchecked input vulnerability
An attacker could exploit this bug to insert SQL statements.
http://www.linuxsecurity.com/advisories/debian_advisory-4160.html

+---------------------------------+
| Distribution: FreeBSD |
+---------------------------------+

3/29/2004 - kernel
Input validation error
Flaw with IPv6 validation may result in memory locations being accessed without proper validation.
http://www.linuxsecurity.com/advisories/freebsd_advisory-4161.html

+---------------------------------+
| Distribution: Gentoo |
+---------------------------------+

3/26/2004 - apache 2.x
Multiple vulnerabilities
Vulnerabilities include code execution and denial of service.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4156.html

3/29/2004 - UUDeview
Buffer overflow vulnerability
By decoding a MIME archive with excessively long strings for various parameters, it is possible to crash UUDeview, or cause it to execute arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4163.html

3/29/2004 - Courier
Multiple buffer overflows
Exploitation of overflows may result in execution of arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4164.html

3/29/2004 - ethereal
Multiple buffer overflows
Exploitation of these bugs may result in denial of service or remote execution of arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4165.html

3/29/2004 - oftpd
Denial of service vulnerability
A PORT command with a number above 255, even unauthenticated, can crash the oftpd server.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4166.html

3/31/2004 - fetchmail
Denial of service vulnerability
Fetchmail 6.2.5 fixes a remote DoS.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4177.html

3/31/2004 - squid
Access control escape vulnerability
A URL can be specially crafted to automatically bypass the squid Access Control functionality.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4178.html

3/31/2004 - mc
Buffer overflow vulnerability
A remotely-exploitable buffer overflow in Midnight Commander allows arbitrary code to be run on a user's computer.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4179.html

3/31/2004 - OpenLDAP
Denial of service vulnerability
A failed password operation can cause the OpenLDAP slapd server, if it is using the back-ldbm backend, to free memory that was never allocated.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4180.html

3/31/2004 - mplayer
Buffer overflow vulnerability
MPlayer contains a remotely exploitable buffer overflow in the HTTP parser that may allow attackers to run arbitrary code on a user's computer.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4181.html

3/31/2004 - Monit
Multiple vulnerabilities
A denial of service and a buffer overflow vulnerability have been found in Monit.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4182.html

+---------------------------------+
| Distribution: Mandrake |
+---------------------------------+

3/31/2004 - ethereal
Multiple vulnerabilities
This update patches quite a few ethereal issues, with threats ranging from denial of service to execution of arbitrary code.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4175.html

3/31/2004 - squid
Access control escape vulnerability
It is possible for a remote attacker to create URLs that would not be properly tested against squid's ACLs, and thus be automatically allowed.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4176.html

+---------------------------------+
| Distribution: Red Hat |
+---------------------------------+

3/29/2004 - squid
ACL escape vulnerability
If a Squid configuration uses Access Control Lists (ACLs), a remote attacker could cause allowed access to crafted, prohibited URLs.
http://www.linuxsecurity.com/advisories/redhat_advisory-4162.html

3/29/2004 - Mozilla
Denial of service vulnerability
The parsing of unexpected ASN.1 constructs within S/MIME data could cause Mozilla to crash or consume large amounts of memory.
http://www.linuxsecurity.com/advisories/redhat_advisory-4167.html

3/30/2004 - ethereal
Multiple vulnerabilities
Updated Ethereal packages that fix various security vulnerabilities are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-4168.html

+---------------------------------+
| Distribution: Trustix |
+---------------------------------+

3/30/2004 - fcron, crontabs, stunnel, kernel, ntp
Multiple vulnerabilities
Patches now available for these packages.
http://www.linuxsecurity.com/advisories/trustix_advisory-4171.html

3/30/2004 - xinetd, dev, filesystem
Multiple vulnerabilities
Patches now available for these packages also.
http://www.linuxsecurity.com/advisories/trustix_advisory-4172.html

3/30/2004 - tcpdump, libpcap
Multiple vulnerabilities
The new upstream version of tcpdump fixes several bugs, some security related.
http://www.linuxsecurity.com/advisories/trustix_advisory-4173.html

3/30/2004 - apache
Multiple vulnerabilities
The new upstream version of apache addresses several security issues.
http://www.linuxsecurity.com/advisories/trustix_advisory-4174.html

+---------------------------------+
| Distribution: Turbolinux |
+---------------------------------+

3/30/2004 - wu-ftpd/OpenSSL
Multiple vulnerabilities
New patches fix multiple vulnerabilities in both packages.
http://www.linuxsecurity.com/advisories/turbolinux_advisory-4170.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Apr 5 02:01:01 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 5 02:21:01 2004
Subject: [ISN] Blackwater Security Memorial Fund
Message-ID:

http://www.blackwatersecurity.com

April 1, 2004; 8:40 a.m. EST

"We grieve today for the loss of our colleagues and we pray for their families. The names of the victims will not be released out of respect for their families.

"The graphic images of the unprovoked attack and subsequent heinous mistreatment of our friends exhibit the extraordinary conditions under which we voluntarily work to bring freedom and democracy to the Iraqi people.

"Coalition forces and civilian contractors and administrators work side by side every day with the Iraqi people to provide essential goods and services like food, water, electricity and vital security to the Iraqi citizens and coalition members.
Our tasks are dangerous and while we feel sadness for our fallen colleagues, we also feel pride and satisfaction that we are making a difference for the people of Iraq.

A Memorial Fund has been established to support the victims' families of the March 31, 2004 Fallujah attack. All memorial gifts will be documented and appropriately acknowledged with due regard to the wishes of the donor and the nature of the contribution.

Our thoughts and prayers are with the families of the victims.

Please mail the contributions to:
Memorial Fund
PO Box 159
Moyock, NC 27958

Please make checks payable to: Memorial Fund
Please no cash contributions.

From isn at c4i.org Mon Apr 5 02:01:41 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 5 02:21:01 2004
Subject: [ISN] The Rise of Complex Terrorism
Message-ID:

http://www.petroleumworld.com/SuF040404.htm

By Thomas Homer-Dixon

Modern societies face a cruel paradox: Fast-paced technological and economic innovations may deliver unrivalled prosperity, but they also render rich nations vulnerable to crippling, unanticipated attacks. By relying on intricate networks and concentrating vital assets in small geographic clusters, advanced Western nations only amplify the destructive power of terrorists, and the psychological and financial damage they can inflict.

It's 4 a.m. on a sweltering summer night in July 2003. Across much of the United States, power plants are working full tilt to generate electricity for millions of air conditioners that are keeping a ferocious heat wave at bay. The electricity grid in California has repeatedly buckled under the strain, with rotating blackouts from San Diego to Santa Rosa. In different parts of the state, half a dozen small groups of men and women gather. Each travels in a rented minivan to its prearranged destination: for some, a location outside one of the hundreds of electrical substations dotting the state; for others, a spot upwind from key, high-voltage transmission lines.
The groups unload their equipment from the vans. Those outside the substations put together simple mortars made from materials bought at local hardware stores, while those near the transmission lines use helium to inflate weather balloons with long silvery tails. At a precisely coordinated moment, the homemade mortars are fired, sending showers of aluminum chaff over the substations. The balloons are released and drift into the transmission lines. Simultaneously, other groups are doing the same thing along the Eastern Seaboard and in the South and Southwest.

A national electrical system already under immense strain is massively short-circuited, causing a cascade of power failures across the country. Traffic lights shut off. Water and sewage systems are disabled. Communications systems break down. The financial system and national economy come screeching to a halt.

Sound far-fetched? Perhaps it would have before September 11, 2001, but certainly not now. We've realized, belatedly, that our societies are wide-open targets for terrorists. We're easy prey because of two key trends: First, the growing technological capacity of small groups and individuals to destroy things and people; and, second, the increasing vulnerability of our economic and technological systems to carefully aimed attacks. While commentators have devoted considerable ink and airtime to the first of these trends, they've paid far less attention to the second, and they've virtually ignored their combined effect. Together, these two trends facilitate a new and sinister kind of mass violence - a "complex terrorism" that threatens modern, high-tech societies in the world's most developed nations.

Our fevered, Hollywood-conditioned imaginations encourage us to focus on the sensational possibility of nuclear or biological attacks - attacks that might kill tens of thousands of people in a single strike.
These threats certainly deserve attention, but not to the neglect of the likelier and ultimately deadlier disruptions that could result from the clever exploitation by terrorists of our societies' new and growing complexities.

Weapons of Mass Disruption

The steady increase in the destructive capacity of small groups and individuals is driven largely by three technological advances: more powerful weapons, the dramatic progress in communications and information processing, and more abundant opportunities to divert non-weapon technologies to destructive ends.

Consider first the advances in weapons technology. Over the last century, progress in materials engineering, the chemistry of explosives, and miniaturization of electronics has brought steady improvement in all key weapons characteristics, including accuracy, destructive power, range, portability, ruggedness, ease-of-use, and affordability. Improvements in light weapons are particularly relevant to trends in terrorism and violence by small groups, where the devices of choice include rocket-propelled grenade launchers, machine guns, light mortars, land mines, and cheap assault rifles such as the famed AK-47. The effects of improvements in these weapons are particularly noticeable in developing countries. A few decades ago, a small band of terrorists or insurgents attacking a rural village might have used bolt-action rifles, which take precious time to reload. Today, cheap assault rifles multiply the possible casualties resulting from such an attack. As technological change makes it easier to kill, societies are more likely to become locked into perpetual cycles of attack and counterattack that render any normal trajectory of political and economic development impossible.

Meanwhile, new communications technologies - from satellite phones to the Internet - allow violent groups to marshal resources and coordinate activities around the planet.
Transnational terrorist organizations can use the Internet to share information on weapons and recruiting tactics, arrange surreptitious fund transfers across borders, and plan attacks. These new technologies can also dramatically enhance the reach and power of age-old procedures. Take the ancient hawala system of moving money between countries, widely used in Middle Eastern and Asian societies. The system, which relies on brokers linked together by clan-based networks of trust, has become faster and more effective through the use of the Internet.

Information-processing technologies have also boosted the power of terrorists by allowing them to hide or encrypt their messages. The power of a modern laptop computer today is comparable to the computational power available in the entire U.S. Defense Department in the mid-1960s. Terrorists can use this power to run widely available state-of-the-art encryption software. Sometimes less advanced computer technologies are just as effective. For instance, individuals can use a method called steganography ("hidden writing") to embed messages into digital photographs or music clips. Posted on publicly available Web sites, the photos or clips are downloaded by collaborators as necessary. (This technique was reportedly used by recently arrested terrorists when they planned to blow up the U.S. Embassy in Paris.) At latest count, 140 easy-to-use steganography tools were available on the Internet. Many other off-the-shelf technologies - such as "spread-spectrum" radios that randomly switch their broadcasting and receiving signals - allow terrorists to obscure their messages and make themselves invisible.

The Web also provides access to critical information. The September 11 terrorists could have found there all the details they needed about the floor plans and design characteristics of the World Trade Center and about how demolition experts use progressive collapse to destroy large buildings.
The Web also makes available sets of instructions - or "technical ingenuity" - needed to combine readily available materials in destructive ways. Practically anything an extremist wants to know about kidnapping, bomb making, and assassination is now available online. One somewhat facetious example: It's possible to convert everyday materials into potentially destructive devices like the "potato cannon." With a barrel and combustion chamber fashioned from common plastic pipe, and with propane as an explosive propellant, a well-made cannon can hurl a homely spud hundreds of meters - or throw chaff onto electrical substations. A quick search of the Web reveals dozens of sites giving instructions on how to make one.

Finally, modern, high-tech societies are filled with supercharged devices packed with energy, combustibles, and poisons, giving terrorists ample opportunities to divert such non-weapon technologies to destructive ends. To cause horrendous damage, all terrorists must do is figure out how to release this power and let it run wild or, as they did on September 11, take control of this power and retarget it. Indeed, the assaults on New York City and the Pentagon were not low-tech affairs, as is often argued. True, the terrorists used simple box cutters to hijack the planes, but the box cutters were no more than the "keys" that allowed the terrorists to convert a high-tech means of transport into a high-tech weapon of mass destruction. Once the hijackers had used these keys to access and turn on their weapon, they were able to deliver a kiloton of explosive power into the World Trade Center with deadly accuracy.

[...]
From wk at c4i.org Mon Apr 5 02:02:48 2004
From: wk at c4i.org (William Knowles)
Date: Mon Apr 5 02:21:02 2004
Subject: [ISN] Secret hackers to aid war on internet fraud
Message-ID:

http://www.timesonline.co.uk/article/0,,5-1063208,00.html

April 05, 2004

By Joe Morgan

FEARS that small online retailers are the weakest link in the fight against internet fraud have prompted MasterCard, the global payment scheme group, to set up secret teams of hackers to test security systems in the sector.

The Times has learnt that the project, named Site Data Protection (SDP), will go live in May and will target online outlets that fail to comply with appropriate levels of internet security. SDP teams will be recruited by the banks that have relationships with online merchants whose systems do not come up to scratch.

Brian Morris, head of e-business solutions at MasterCard, said that while large online retailers had robust internet security systems, small and medium-size enterprises (SMEs) "could benefit from the assistance".

Organised criminal gangs are increasingly hacking into the systems of online retailers and stealing subscribers' credit card and personal details. The information can then be used to commit "card-not-present fraud" - fraudulent buying of goods and services from a remote location, usually by phone or via the internet. Card-not-present fraud is thought to be one of the world's fastest growing crimes.

Stolen personal details have also been used by gangs to commit "phishing", sending fake e-mails purporting to be from a bank or retailer to cardholders to trick them into revealing bank account details. MBNA and Barclays were recently victims of phishing.

Mr Morris said: "This initiative will help a lot of merchants. Websites will be tested to see if firewalls are secure enough and backdoor and trapdoor areas are not susceptible to hackers. We will also test all routes in and out of sites." He said that the cost of the services would be determined by the banks.
Medium-size retailers' exposure to fraud could also rise dramatically following this year's nationwide roll-out of chip and PIN, a new anti-fraud initiative pioneered by the banks. While large retailers benefit from economies of scale in upgrading to the new checkout terminals, where customers pay using a four-digit number, smaller businesses find the costs a heavy burden.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*

From isn at c4i.org Mon Apr 5 02:03:08 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 5 02:21:03 2004
Subject: [ISN] Insurers to drop hacking premiums
Message-ID:

http://www.vnunet.com/News/1154014

By Steve Ranger
[02-04-2004]

Prices for hacking insurance are predicted to drop for some businesses as insurers begin to understand the market better.

So far in the UK the take-up of insurance against dangers such as hacking and viruses has been fairly low at about five per cent of companies, according to Stephen Wares, manager of UK technology for specialist insurer Hiscox. Insurance can cost from £20,000 to millions of pounds depending on the size of company and type of risk.

But as insurers become more familiar with risks and build up a list of clients they will become less cautious, leading to more competitive rates for premiums, said Wares. This will mean insurance for small and medium businesses will become cheaper. Costs for large companies, which are already well understood, are unlikely to change.
In contrast, insurance company Willis predicted recently that premiums for cyber-risk coverage in the US could jump by 25 per cent this year.

"We expect premiums for [this form of cover] to increase 20 to 25 per cent in 2004. Pricing will depend upon the client's use of the web, reliance on information systems and security profile," the insurer said. "Security expectations are rising and markets are responding. Some insurers have already reported the number of applications for cyber-insurance increasing by 75 per cent compared to previous years."

Coverage offered by insurers includes threats such as hacking and viruses, denial of service attacks, cyber-extortion and malicious acts by employees. It can also include down-stream liability, insuring a company against its systems being used to launch a denial of service attack against another, for example.

From isn at c4i.org Tue Apr 6 10:07:44 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 6 10:57:34 2004
Subject: [ISN] Secret hackers to aid war on internet fraud
Message-ID:

Forwarded from: "Bill Scherr IV, GSEC, GCIA"

Folks...

The only difference between this, and the RIAA hacking P2P clients is the sector of the economy. Two wrongs don't make a right! MasterCard should require an independent review, rather than breaking clients' systems. Breaking a lock is breaking a lock, regardless of why it is done!

B.
------- Forwarded message follows -------
Date sent: Mon, 5 Apr 2004 01:02:48 -0500 (CDT)
From: William Knowles
To: isn@attrition.org
Organization: C4I.org - http://www.c4i.org
Subject: [ISN] Secret hackers to aid war on internet fraud
Send reply to: isn@c4i.org

http://www.timesonline.co.uk/article/0,,5-1063208,00.html

April 05, 2004

By Joe Morgan

[...]
Bill Scherr IV, GSEC, GCIA
EWA / Information & Infrastructure Technologies
National Guard Regional Technology Center / Norwich Campus
Northfield, VT 05663
802-485-1962

From isn at c4i.org Tue Apr 6 10:08:09 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 6 10:57:35 2004
Subject: [ISN] Linux Security Week - April 5th 2004
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                                  |
| April 5th, 2004                                Volume 5, Number 14n |
|                                                                     |
| Editorial Team:  Dave Wreski       dave@linuxsecurity.com           |
|                  Benjamin Thomas   ben@linuxsecurity.com            |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "File And Email Encryption With GnuPG," "The Layered Approach to Security is Dead," and "Protecting yourself against mini-DDoS attacks."

----

>> NEW Step-by-Step SSL Guide for Apache from Thawte <<

Thawte's new guide will show you how to test, purchase, install and use a Thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://ad.doubleclick.net/clk;7739216;9007465;r

----

LINUX ADVISORY WATCH:

This week, advisories were released for mc, openssl, ethereal, libxml2, emil, Linux kernel, apache, UUDeview, courier, oftpd, fetchmail, squid, OpenLDAP, mplayer, Mozilla, and apache. The distributors include Conectiva, Debian, FreeBSD, Gentoo, Mandrake, Red Hat, Trustix, and Turbolinux.
http://www.linuxsecurity.com/articles/forums_article-9129.html

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.
http://www.linuxsecurity.com/feature_stories/feature_story-162.html

----

>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04

--------------------------------------------------------------------

Security: MySQL and PHP

This is the second installment of a 3-part article on LAMP (Linux Apache MySQL PHP). In order to safeguard a MySQL server to the basic level, one has to abide by the following guidelines.
http://www.linuxsecurity.com/feature_stories/feature_story-130.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* File And Email Encryption With GnuPG (PGP)
April 5th, 2004

File and mail security is easy to achieve with the right tools. PGP has proven itself the leader, and GnuPG is the tool of choice in the Linux world.
http://www.linuxsecurity.com/articles/cryptography_article-9134.html

* Security Enhanced Linux
March 31st, 2004

Operating system security is (or at least should be) of critical importance to us all. However, the varying levels of security required differ for each systems administrator.
http://www.linuxsecurity.com/articles/host_security_article-9114.html

* Back to Linux Basics With Debian GNU/Linux
March 31st, 2004

Debian GNU/Linux: Reliable, solid, and free infrastructure server.
As the bigger guns in the enterprise Linux space move to commercialize their software as much as possible, the Debian project continues to provide a Linux distribution that offers organizations the sort of commodity infrastructure for which Linux was originally known.
http://www.linuxsecurity.com/articles/vendors_products_article-9119.html

* Serve up your Next Presentation
March 29th, 2004

You'll notice that I haven't said much about security. With small audiences in isolated locations you may not need much security at all. If you are doing a weekend retreat way out in the woods (using portable generators, maybe) with nobody else around for miles, you probably can get by with just knowing your audience members and watching what they are doing when your Web server is up and running.
http://www.linuxsecurity.com/articles/general_article-9103.html

+------------------------+
| Network Security News: |
+------------------------+

* Announcing the Fourth WorldWide WarDrive (WWWD)
April 2nd, 2004

The WorldWide WarDrive is an effort by security professionals and hobbyists to generate awareness of the need by individual users and companies to secure their access points. The goal of the WorldWide WarDrive (or WWWD) is to provide a statistical analysis of the many access points that are currently deployed.
http://www.linuxsecurity.com/articles/organizations_events_article-9127.html

* The Layered Approach to Security is Dead... Long Live Layered Security
April 1st, 2004

Life isn't the same as it used to be; the good old days of leaving your door unlocked are gone, never to return. Business isn't the same either. IT has brought organisational and cultural challenges into the workplace.
http://www.linuxsecurity.com/articles/general_article-9126.html

* Protecting yourself against mini-DDoS attacks
March 30th, 2004

These are distributed denial of service attacks small enough to fly below the security radars of ISPs and law enforcement agencies, but potent enough to shut down cable or DSL modem connections. As evidenced by my inability to do anything about an attack on my connection (which I use to get my job done, but is shared with other family members for personal use), the perpetrators can wreak havoc without fear of reprisals.
http://www.linuxsecurity.com/articles/network_security_article-9108.html

+------------------------+
| General Security News: |
+------------------------+

* Forrester questions Linux security
April 5th, 2004

A new study from Forrester Research has concluded that the Linux operating system is not necessarily more secure than Windows. The report finds that on average, Linux distributors took longer than Microsoft to patch security holes, although Microsoft flaws tended to be more severe.
http://www.linuxsecurity.com/articles/host_security_article-9133.html

* Task force urges security collaboration
April 2nd, 2004

Improving software security will demand a concerted effort from government, industry and higher education, said members of a national task force on software development in a report released today.
http://www.linuxsecurity.com/articles/general_article-9130.html

* Human Nature vs. Security
March 31st, 2004

If you're asked to picture security for a house, the image that might jump to mind is of that pimply faced kid who comes around every few months with promises of free installation of an alarm system or 6 months of free monitoring.
http://www.linuxsecurity.com/articles/general_article-9117.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
LinuxSecurity.com
To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Apr 6 10:08:25 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 6 10:57:36 2004
Subject: [ISN] Security scare for business laptops
Message-ID:

http://news.ft.com/servlet/ContentServer?pagename=FT.com/StoryFT/FullStory&c=StoryFT&cid=1079420167575&p=1012571727085

By Chris Nuttall in London
Published: April 5 2004

Business travellers are unwittingly making company secrets available to rivals by ignoring the risks of local wireless networks, known as wi-fi hotspots, security experts warn.

IT security experts who have carried out checks at hotels, railway stations and other public places equipped with wireless internet access technology have found the networks and users' computers are often insecure.

"It's actually happening: there is competitive intelligence being gathered," said Richard Hollis, chief executive of Orthus, a security firm.

Hackers - who need little specialist knowledge - can access contents of a rival's laptop because other users' files are visible to anybody using an unsecured wireless network. Hackers are also using wi-fi hotspots to store their files on other computers.

"I'm walking into corporations and commercial hotspots that are finding things on their networks that they didn't put there and it's scaring the hell out of them. What if someone used such a network to store paedophile images or to attack a bank? The company would be liable," said Mr Hollis.

Nevertheless, wi-fi is an "incredibly securable technology", Mr Hollis insists. Users need only disable file-sharing on their laptops and install a firewall to prevent them being hijacked.
In the UK the Institute of Directors, which provides free wi-fi access to members from different companies using its premises, says it has not suffered any major incidents but is "aware of the major security issues."

Broadreach Networks, which provides wi-fi hotspots, says its equipment has firewalls that prevent hackers seeing any other machines connected to the hotspot. But Magnus McEwen-King, chief executive, said: "Not all networks have done this to prevent hackers getting access."

From isn at c4i.org Tue Apr 6 10:48:21 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 6 10:57:37 2004
Subject: [ISN] EPA improves security compliance
Message-ID:

http://www.fcw.com/fcw/articles/2004/0405/web-fisma-04-05-04.asp

By Sarita Chourey
April 5, 2004

Environmental Protection Agency officials dramatically improved their ability to follow information security regulations by spending half a million dollars on a compliance system.

Several companies and government agencies have contacted the EPA to learn about its increased compliance with the Federal Information Security Management Act of 2002, said Mark Day, the EPA's deputy chief information officer.

Since buying software from BindView Corp. more than a year ago, the agency's FISMA technical compliance has risen from 35 percent to 95 percent, attracting interest inside and outside of the federal government, Day said.

In an Office of Management and Budget report, "Budget of the United States 2005; Analytical Perspectives," officials stated that the EPA "excelled at protecting their information security assets."

BindView's product, BindView Report Packs, is designed to help information technology administrators target and eliminate security vulnerabilities in information systems. The software cost the agency about $500,000, Day said.

As with many new IT strategies, particularly ones that involve intensified oversight, initial hesitancy among agency staff members gave way to broad-based approval, Day said.
"There were a couple brave souls who took this on and proved that it could be done," he said. "Then later, when someone said, 'It's too hard. It can't be done,' the answer was easy: 'Everyone else is doing it.'"

The BindView system gave managers the tools to give instructions and check compliance, which helped the EPA chart and publish its compliance.

"It's amazing how these charts went from being something very disliked in the first couple months to now most of the IT professionals saying to their boss, 'Here's independent proof that I am doing my job.'"

Officials ensured that the EPA's compliance reports were widely published, lending to system-critical transparency and credibility, Day said. And managers didn't have to be technical experts to address their IT problems.

"The typical problem a manager gets is a report saying a password isn't set up. What can they do? They don't know how to fix that. Well, now they say get me green."

EPA isn't endorsing BindView's product, Day sa

From isn at c4i.org Tue Apr 6 10:48:36 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 6 10:57:39 2004
Subject: [ISN] Volunteer Security Pros Launch Free Vulnerability Database
Message-ID:

http://www.eweek.com/article2/0,1759,1561608,00.asp

By Dennis Fisher
April 2, 2004

A group of volunteer security professionals has compiled what is likely one of the larger freely accessible vulnerability databases on the Internet.

The OSVDB (Open Source Vulnerability Database) is meant to serve as a central collection point for information on any and all security vulnerabilities. Despite what you might assume from the name, the project's creators are not just interested in collecting data on flaws in open-source software. Instead, they're collecting information on vulnerabilities from a wide variety of sources that they then distribute freely, under an open-source license.

The project, which went live on Wednesday, has been in the works since 2002.
The team has spent most of its time since then gathering and categorizing vulnerability data. Most of the records in the database come from submissions to myriad security-related mailing lists.

OSVDB is run by a small group of security professionals who have worked on the project on their own time. Jake Kouns, chief moderator of the team, said the project so far has catalogued nearly 1,900 vulnerabilities, with another 2,700 or so submissions waiting to be confirmed and edited.

Once a new vulnerability is found, one of more than two dozen volunteer "data manglers" is assigned to confirm its veracity and get the information in shape for inclusion in the database. The flaw is then given a unique identifier and slated for database inclusion.

Kouns said that the group is hoping to begin comparing its database with other, similar stores, including the CVE (Common Vulnerabilities and Exposures) project maintained by The Mitre Corp., so that it can reference CVE numbers wherever they're applicable. The CVE project assigns unique numbers to each new vulnerability and publishes a one-line description of the problem.

Currently, the OSVDB supports three open-source security products: the Snort intrusion detection system, the Nessus network scanner and the Nikto Web-server scanner.

From isn at c4i.org Wed Apr 7 10:06:23 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 7 10:39:39 2004
Subject: [ISN] Windows & .NET Magazine Security UPDATE--Patch Management Resources--April 7, 2004
Message-ID:

====================

==== This Issue Sponsored By ====

Windows Scripting Solutions
http://list.winnetmag.com/cgi-bin3/DM/y/efMq0CJgSH0CBw0BFyu0AO

New Web Seminar--Preemptive Email Security: How Enterprise Rent-A-Car Eliminates Spam
http://list.winnetmag.com/cgi-bin3/DM/y/efMq0CJgSH0CBw0BGhc0Ao

====================

1. In Focus: Resources for Patch Management

2. Security News and Features
- Recent Security Vulnerabilities
- News: Open Source Vulnerability Database Online
- News: New Forensics Tool: Port Reporter
- News: WinBlox Monitors and Prevents I/O
- Feature: Honeypots for Windows

3. Instant Poll

4. Security Toolkit

5. New and Improved
- Prevent Identity Theft

====================

==== Sponsor: Windows Scripting Solutions ====

Try a Sample Issue of Windows Scripting Solutions
Windows Scripting Solutions is the monthly newsletter from Windows & .NET Magazine that shows you how to automate time-consuming, administrative tasks by using our simple downloadable code and scripting techniques. Sign up for a sample issue right now, and find out how you can save both time and money. Click here!
http://list.winnetmag.com/cgi-bin3/DM/y/efMq0CJgSH0CBw0BFyu0AO

====================

==== 1. In Focus: Resources for Patch Management ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

Keeping systems up to date and thus protected against various attack methods is sometimes difficult. You're aware that many patch-management solutions are available, including solutions from Microsoft as well as third-party software vendors. You need information about the available patch-management solutions to determine which might best fit your needs. In addition, you probably sometimes need to discuss your particular patch-management solution with other people to help better understand its problems or quirks. Numerous resources are available that can help.

If you're shopping for a patch-management solution, remember that Mark Burnett and some of his associates recently tested seven patch-management solutions to gauge their effectiveness. Those solutions include BigFix Patch Manager, Ecora Patch Manager, Gravity Storm Software's Service Pack Manager, PatchLink Update, SecurityProfiling's SysUpdate, Shavlik Technologies' HFNetChkPro, and St. Bernard Software's UpdateExpert. Burnett's findings are available in his article on our Web site.
http://www.winnetmag.com/article/articleid/40710/40710.html

Patch management is the primary focus of the April issue of Windows & .NET Magazine. Mark Burnett discusses advanced patch-management techniques and resources that can assist in your efforts. Of course, before you roll out a patch to your enterprise, you'll probably want to test it to ensure that it works properly in your environment. Jason Fossen discusses patch testing and offers tips and scripting ideas. You can read the articles in the print magazine, or if you subscribe to the print magazine or our VIP program, you can access the articles on our Web site.
http://www.winnetmag.com/windows/issues/issueid/688/index.html
http://www.winnetmag.com/article/articleid/41980/41980.html
http://www.winnetmag.com/article/articleid/41979/41979.html

Another April issue article you might find interesting is Michael Otey's commentary "Unreasonable Expectations." In Otey's opinion, Microsoft needs to fix its patching process. You don't need to be a subscriber to read what Otey has to say.
http://www.winnetmag.com/article/articleid/41987/41987.html

If you'd like to discuss patch-management solutions with other network administrators, a relatively new resource is available: the Patch Management mailing list. I've been a subscriber since its inception and can say that the list is a valuable resource. Shavlik Technologies hosts the related Web site, but the list is vendor neutral--there's no slant toward one product or another. Conversation about any topic regarding any Windows or Linux patch or any patch solution is welcome--regardless of the vendor.

You can subscribe to the mailing list by going to the first URL below. At the Web site, you'll also find articles related to patch management, including a list of product comparisons from a variety of mainstream publishers. And be sure to check out Jason Chan's informative article "Essentials of Patch Management Policy and Practice" at the second URL below.
http://www.patchmanagement.org
http://www.patchmanagement.org/pmessentials.asp

====================

==== Sponsor: New Web Seminar--Preemptive Email Security: How Enterprise Rent-A-Car Eliminates Spam ====
Get the inside scoop on how Enterprise Rent-A-Car eliminated spam and viruses, improved their email security, and increased productivity. Don't miss this opportunity to educate yourself and become a smarter customer when it comes to choosing an antispam solution that best fits your organization's needs. Sign up for this free Web seminar today!
http://list.winnetmag.com/cgi-bin3/DM/y/efMq0CJgSH0CBw0BGhc0Ao

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.winnetmag.com/departments/departmentid/752/752.html

News: Open Source Vulnerability Database Online
The Open Source Vulnerability Database (OSVDB), provided by the Open Security Foundation (OSF), is now online and available to the public. OSVDB is an archive of known vulnerabilities and includes vulnerability data pertaining to all platforms.
http://www.winnetmag.com/article/articleid/42218/42218.html

News: New Forensics Tool: Port Reporter
Can you ever have enough tools to assist with troubleshooting and forensic analysis? Probably not, and that's a good reason to add the new Port Reporter to your toolkit. Port Reporter is free from Microsoft and logs TCP and UDP port activity to a text file.
http://www.winnetmag.com/article/articleid/42212/42212.html

News: WinBlox Monitors and Prevents I/O
Liu Die Yu released source code for his WinBlox tool, a command-line utility that can record, filter, and prevent file I/O operations. Yu hopes people will download the source code and help find bugs.
Although you can download WinBlox and test it, Yu cautions that the utility is still under development and might not be suitable for production environments.
http://www.winnetmag.com/article/articleid/42219/42219.html

Feature: Honeypots for Windows
Long thought of as toys for security administrators who have too much time on their hands, honeypots are gaining an increased presence on corporate networks. Honeypots are nonproduction computer assets set up for the express purpose of being a potential target for unauthorized activities. Roger A. Grimes offers a look at four honeypots (Honeyd-WIN32 0.5, KeyFocus's KFSensor, Network Security Software's SPECTER 7.0, and VMware Workstation 4.0) in this article on our Web site.
http://www.winnetmag.com/article/articleid/41976/41976.html

==== Announcements ====
(from Windows & .NET Magazine and its partners)

The Windows & .NET Magazine Network VIP Web Site/Super CD Has It All!
With a VIP Web Site/Super CD subscription, you'll get online access to all of our publications, a print subscription to Windows & .NET Magazine, and a subscription to our VIP Web site, a banner-free resource loaded with articles you can't find anywhere else. Click here to find out how you can get it all:
http://list.winnetmag.com/cgi-bin3/DM/y/efMq0CJgSH0CBw0BGza0A5

Register today for Microsoft Tech Ed 2004
Don't miss Tech Ed 2004 -- May 23-28, 2004 in San Diego, CA -- the definitive Microsoft conference for building, deploying, securing and managing connected solutions. You'll find 11 conference tracks and over 400 sessions. Get answers to your technical questions, meet industry experts, evaluate new products, and take advantage of extensive networking opportunities. Register today.
http://list.winnetmag.com/cgi-bin3/DM/y/efMq0CJgSH0CBw0BGE40AS

==== 3. Instant Poll ====

Results of Previous Poll
The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "Does your company use or intend to use Voice over IP (VoIP) technology?" Here are the results from the 89 votes.
- 40% Yes, we use it now
- 31% Yes, we intend to use it
- 22% No, we don't plan to use it
- 6% Not sure
(Deviations from 100 percent are due to rounding.)

New Instant Poll
The next Instant Poll question is, "If you're using Microsoft Software Update Services (SUS) or the new Windows Update Services (WUS), how satisfied with the product are you?" Go to the Security Web page and submit your vote for
- Very satisfied
- Somewhat satisfied
- Not satisfied
http://www.winnetmag.com/windowssecurity

==== 4. Security Toolkit ====

Virus Alert: Netsky.R
Netsky.R spreads through an email message with variable characteristics. However, the message subject always includes the text "Re: Document." The worm deletes several other worms, including Mydoom.A, Mydoom.B, and Mimail.T. Netsky.R will also attempt to launch Denial of Service (DoS) attacks against several Web pages between April 12 and 16.
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=45991

Virus Alert: Netsky.Q
Netsky.Q spreads through an email message with variable characteristics. The worm exploits a Microsoft Internet Explorer (IE) vulnerability to automatically run a message attachment when a user views the message through Microsoft Outlook's preview pane. Netsky.Q deletes several other worms, including Mydoom.A, Mydoom.B, Mimail.T, and several Bagle variants. The worm will attempt to launch Denial of Service (DoS) attacks against several Web pages between April 8 and 11. When the system date and time is March 30, 2004 between 5:00 a.m. and 10:59 a.m., the worm emits random tones through the internal speakers.
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=45926

FAQ: How can I use Group Policy to disable System Restore in Windows XP and later?
by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. System Restore is a systemwide setting. As a result, you must disable it at the Computer Configuration level by performing the following steps:
1. Load the Group Policy Object (GPO) that you want to modify. For example, go to Start, Programs, Administrative Tools, Active Directory Users and Computers; right-click a domain; select Properties; select the Group Policy tab; then create a new GPO or edit an existing GPO.
2. Navigate to Computer Configuration, Administrative Templates, System, System Restore.
3. Double-click "Turn off System Restore," set it to Enabled, then click OK.
4. Close the GPO. The change will take effect at the next refresh.

Featured Thread: ISA Server SMTP Filter
(Three messages in this thread)
Jack is using ISA Server to reverse-cache some services for outside users at his organization. He also uses the SMTP filter so that he can prevent certain email messages and attachments from entering his organization. However, he's seeing errors in the ISA Server Event Viewer that indicate invalid SMTP commands, and the email filters don't seem to work when he applies them. Lend a hand or read the responses:
http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=118824

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

New Web Seminar--The Spam Problem Solved: Hensel Phelps Construction Company Case Study
Find out how Hensel Phelps Construction, a multibillion-dollar national contractor, has implemented a multilayered antispam solution to increase user productivity and decrease the burden on IT staff resources, infrastructure, and budget. Sign up now for this free Web seminar!
http://list.winnetmag.com/cgi-bin3/DM/y/efMq0CJgSH0CBw0BGzb0A6

==== 5. New and Improved ====
by Jason Bovberg, products@winnetmag.com

Prevent Identity Theft
FSPro Lab announced Identity Knight, software that prevents the theft of personal information when users use Microsoft Internet Explorer (IE) 5.0's AutoComplete option to fill out online forms. Identity Knight deletes any data that users don't want to be stored in Windows Protected Storage, which AutoComplete uses for data storage. FSPro Lab also offers Credit Card Knight, which works exclusively with credit card numbers. You can download Identity Knight and Credit Card Knight from the company's Web site; free demo versions are available. Identity Knight costs $34.95, and Credit Card Knight costs $24.95. For more information about these products, contact FSPro Lab on the Web.
http://www.fspro.net

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com.
===================

==== Sponsored Links ====

Argent
Comparison Paper: The Argent Guardian Easily Beats Out MOM
http://list.winnetmag.com/cgi-bin3/DM/y/efMq0CJgSH0CBw0BDWV0AH

Microsoft(R) TechNet
Microsoft(R) TechNet Webcasts: essential guidance, industry experts
http://list.winnetmag.com/cgi-bin3/DM/y/efMq0CJgSH0CBw0BG360AC

===================

==== Contact Us ====
About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

====================

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you!

View the Windows & .NET Magazine privacy policy at
http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.

From wk at c4i.org Wed Apr 7 10:22:20 2004
From: wk at c4i.org (William Knowles)
Date: Wed Apr 7 10:39:40 2004
Subject: [ISN] Arrests key win for NSA hackers
Message-ID:

http://www.globetechnology.com/servlet/story/RTGAM.20040406.gtterror06/BNStory/Technology/

By DAVID AKIN
Globe and Mail Update
Apr. 6, 2004

A computer hacker who allowed himself to be publicly identified only as ''Mudhen'' once boasted at a Las Vegas conference that he could disable a Chinese satellite with nothing but his laptop computer and a cellphone.
The others took him at his word, because Mudhen worked at the Puzzle Palace -- the nickname of the U.S. National Security Agency facility at Fort Meade, Md., which houses the world's most powerful and sophisticated electronic eavesdropping and anti-terrorism systems.

It was these systems, plus an army of cryptographers, chaos theorists, mathematicians and computer scientists, that may have pulled in the first piece of evidence that led Canadian authorities to arrest an Ottawa man on terrorism charges last week.

Citing anonymous sources in the British intelligence community, The Sunday Times reported that an e-mail message intercepted by NSA spies precipitated a massive investigation by intelligence officials in several countries that culminated in the arrest of nine men in Britain and one in suburban Orleans, Ont. -- 24-year-old software developer Mohammed Momin Khawaja, who has since been charged with facilitating a terrorist act and being part of a terrorist group.

The Orleans arrest is considered an operational milestone for this vast electronic eavesdropping network and its operators. But Dave Farber, an Internet pioneer and computer-science professor at Carnegie-Mellon University in Pittsburgh, said the circumstances are also notable because it will be the first time that routine U.S. monitoring of e-mail traffic has led to an arrest.

"That's the first admission I've actually seen that they actually monitor Internet traffic. I assumed they did, but no one ever admitted it," Mr. Farber said.

Officials at the NSA could not be reached for comment. But U.S. authorities are uniquely positioned to monitor international Internet and telecommunications traffic because many of the world's international gateways are located in their country. And once that electronic traffic touches an American computer -- an e-mail message, a request for a website or an Internet-based phone call, for instance -- it is routinely monitored by NSA spies.
"Foreign traffic that comes through the U.S. is subject to U.S. laws, and the NSA has a perfect right to monitor all Internet traffic," said Mr. Farber, who has also been a technical adviser to the U.S. Federal Communications Commission.

That's what happened in February, when NSA officers at Fort Meade intercepted a message between correspondents in Britain and Pakistan, The Sunday Times reported. The contents of that message have not been revealed, but are significant enough that dozens of intelligence officials were mobilized in Britain, Canada and the United States.

The intelligence officers at Fort Meade rely on a sophisticated suite of supercomputers and telecommunications equipment to analyze millions of messages and phone calls each day, looking for certain keywords or traffic patterns.

Internet traffic is chopped up into small chunks called packets, and each individual packet is then routed over the Internet, to be reassembled at the recipient's end. The packet is wrapped in what computer scientists sometimes refer to as the envelope. And just as the exterior of a regular piece of mail contains important addressing information, so does the envelope of a digitized packet. These bits of information are called headers, and they can be valuable to investigators as well.

Headers typically contain generic descriptions of the packet's contents, in order to let computers make better decisions about how to route the packet through the Internet. E-mail traffic gets a lower priority than Internet video traffic, for instance. Headers also pick up the numeric or Internet Protocol (IP) address of all the computers a packet touches as it travels from its originating machine all the way to its destination. Every computerized device connected to the Internet has its own unique IP number.
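The packet "envelope" described above, as an added example that is not part of the Globe and Mail article or this list post: a parser for the IPv4 header fields a router or monitor reads (addresses, protocol, traffic class) and a selector that matches packets on those header fields alone, without reading the payload. The packets, the watched network and the addresses (RFC 5737 documentation ranges) are constructed for the demonstration.

```python
# Added example (not from the article): parse an IPv4 header and select
# packets by header fields alone. All packets below are constructed in code;
# nothing is captured from or sent to a network.
import ipaddress
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_ipv4_header(packet: bytes) -> dict:
    """Return the routing-relevant fields of an IPv4 header (RFC 791 layout:
    version/IHL, DSCP/ECN, total length, identification, flags/fragment
    offset, TTL, protocol, header checksum, source, destination)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (ver_ihl, tos, total_len, _ident, _flags_frag, ttl, proto,
     _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; options follow byte 20
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "dscp": tos >> 2,                 # traffic class used for priority decisions
        "total_length": total_len,
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "header_length": ihl,
        "payload": packet[ihl:total_len],  # carried as opaque bytes, never inspected here
    }


def build_ipv4_packet(src: str, dst: str, proto: int, payload: bytes,
                      dscp: int = 0) -> bytes:
    """Construct a test packet (checksum left zero; it is never transmitted)."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, total_len, 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def flag_packets(packets, watch_net: str, min_dscp: int = 0):
    """Select packets whose header matches a criterion: either endpoint inside
    watch_net, or (if min_dscp > 0) a traffic class at or above min_dscp.
    Only header fields take part in the decision; the payload is not read."""
    net = ipaddress.ip_network(watch_net)
    hits = []
    for pkt in packets:
        h = parse_ipv4_header(pkt)
        in_net = (ipaddress.IPv4Address(h["src"]) in net
                  or ipaddress.IPv4Address(h["dst"]) in net)
        if in_net or (min_dscp and h["dscp"] >= min_dscp):
            hits.append((h["src"], h["dst"], h["protocol"], h["dscp"]))
    return hits


# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE_PACKETS = [
    build_ipv4_packet("192.0.2.10", "198.51.100.25", 6, b"MAIL FROM:<a@example>\r\n"),
    build_ipv4_packet("203.0.113.7", "192.0.2.10", 17, b"\x00" * 8),
    build_ipv4_packet("198.51.100.1", "203.0.113.9", 17, b"video", dscp=46),  # EF class
]

if __name__ == "__main__":
    for hit in flag_packets(SAMPLE_PACKETS, "192.0.2.0/24", min_dscp=40):
        print(hit)
```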
Investigators could program their supercomputers to flag packets of information that met certain criteria, such as a certain IP number, a certain traffic pattern or a certain kind of content. As soon as a packet is flagged, investigators would apply for warrants to assemble the packets and read the messages' contents.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*

From isn at c4i.org Wed Apr 7 10:23:00 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 7 10:39:41 2004
Subject: [ISN] Last draft released for security guide
Message-ID:

http://www.fcw.com/fcw/articles/2004/0405/web-nist-04-06-04.asp

By Florence Olsen
April 6, 2004

The National Institute of Standards and Technology today released a final draft of security guidelines for federal agencies that need to certify and accredit their information systems. With May as their target date for publication, NIST officials cited an urgent need to receive comments on the final draft document by April 21.

The proposed guidelines are relevant to security requirements that all federal agencies must meet under the Federal Information Security Management Act of 2002.

NIST officials incorporated several significant changes in the final draft based on earlier comments they received. Among them are newly defined roles for the chief information officer and senior agency information security officer in the certification and accreditation process.
Also new are additional guidelines for low-impact information systems, a revised timetable for interim approval to operate information systems, and a summary table of tasks and subtasks for security certification and accreditation.

Comments on Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, can be sent to sec-cert@nist.gov.

From isn at c4i.org Wed Apr 7 10:23:12 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 7 10:39:41 2004
Subject: [ISN] Firm invites experts to punch holes in ballot software
Message-ID:

http://zdnet.com.com/2100-1105_2-5186016.html

By Robert Lemos
CNET News.com
April 6, 2004

VoteHere, a maker of security software for voting machines, published the source code for its product online in hopes of garnering additional analysis of its method for verifying the integrity of electronic votes.

The company, which has patented its VHTi technology, wants comments, not competition, so it released the code and several documents to its Web site under a license that restricts use of the code to analysis for a period of 60 days.

"We pride ourselves on being good students of cryptography," said Jim Adler, founder and CEO of the Bellevue, Wash.-based company. "We know there is no security through obscurity, so we want to be open."

Revealing encryption algorithms for peer review is a standard practice in encryption circles and allows experts to poke holes in other people's technology. VoteHere hopes the additional scrutiny will prove that its technology is sound, Adler said.

The company's software is designed to let voters verify that their ballots were properly handled. It assigns random identification numbers to ballots and candidates. After people vote, they get a receipt that shows which candidates they chose--listed as numbers, not names. Voters can then use the Internet and their ballot identification number to check that their votes were correctly counted.
"It doesn't protect the system from compromise, but it detects when compromises happen," Adler said. "We are the barking dogs: If anything touches the ballots, it can be detected."

The move comes as questions arise about the security of electronic and Internet voting. Though few problems with electronic voting machines arose on March 1, Super Tuesday, many problems have cropped up during other elections. Some states, Michigan among them, are going full bore to ballots cast on the Internet, despite some computer scientists' concerns that the Net is not secure enough to prevent election tampering. About 28 percent of Michigan voters cast their ballot online in February during that state's Democratic caucus. In the same month, the Department of Defense backed away from plans to conduct a trial that could have let the 6 million Americans abroad cast their vote online.

VoteHere has had its own security issues to deal with as well. In December, the company called in the FBI to investigate a breach in the company's network. Adler said the investigation was ongoing and stressed that VoteHere's plans to release source code had been in the works since last summer.

From isn at c4i.org Wed Apr 7 10:24:36 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 7 10:39:42 2004
Subject: [ISN] Secret hackers to aid war on internet fraud
Message-ID:

Forwarded from: Harlan Carvey
Cc: bschnzl@cotse.net

> Two wrongs don't make a right! MasterCard should require an
> independent review, rather than breaking clients' systems. Breaking
> a lock is breaking a lock, regardless of why it is done!

Come on! You've got to be kidding me, right? The only thing about this article that alludes to "'secret' hackers" is the title! Think about it...assume this is all a secret (just by the fact that it is now public makes it not secret) and the target organizations/SMEs don't know about it. If the MasterCard teams do get in...then the target SMEs can then pursue the attackers legally.
Without some sort of prior agreement and authorization, in a contract, any such activities would be illegal. I think that the only thing "secret" here is the names of the "hackers" themselves, and it looks to me as if the wrong impression about what's really going on has been formed. That's what tends to happen with too little information...assumptions fill the gaps.

From isn at c4i.org Thu Apr 8 10:04:47 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 8 10:19:17 2004
Subject: [ISN] Email attack could kill servers
Message-ID:

http://www.newscientist.com/news/news.jsp?id=ns99994858

14:29 06 April 04
NewScientist.com news service
Will Knight

A crafty way of knocking out any email server using a few carefully constructed emails has been identified by a team of computer security experts.

The trick involves sending forged emails that contain thousands of incorrect addresses in the "copy to" fields that are normally used to send duplicate messages. Researchers at UK-based NGSSoftware sent these emails to the largest email servers on the internet, and found they could force huge quantities of unwanted email to pour into another mail server of their choice.

The exploit depends on finding a server configured to return an email plus its attachments to each incorrect address. But this can be tested by sending just a single message. The next step is to forge an email so it appears to come from the mail server that is to be the target of the attack. This is also a relatively simple trick. Finally, the forged email, complete with the thousands of incorrect addresses, is sent.

The resulting avalanche of "bounced" messages sent to the target server would almost certainly cause it to crash, and leave its users without access to their mail.

"With one 10 kilobyte email I could then send 100 megabytes back to a server of my choosing," says Gunter Ollman, one of the researchers who identified the potential attack.
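The accept-then-bounce behaviour the researchers relied on, beside the server-side changes that remove it, as an added example that is not part of the New Scientist article or this list post: a model of the RCPT TO phase of an SMTP session, run once with the vulnerable policy (accept every recipient, generate a delivery-status notification to the envelope sender for each one that does not exist) and once with unknown mailboxes rejected during the session and a per-message recipient cap. The mailbox list, addresses, message size and reply strings are constructed for the demonstration; the reply codes are the standard SMTP ones (250 accepted, 550 unknown mailbox, 452 too many recipients).

```python
# Added example (not from the article): why "accept now, bounce later" turns a
# mail server into a bounce amplifier, and the two settings that stop it.
# Mailboxes, addresses and the message are constructed; nothing is sent.
from dataclasses import dataclass, field


@dataclass
class SessionResult:
    replies: list = field(default_factory=list)   # one server reply per RCPT TO
    accepted: list = field(default_factory=list)  # recipients the server took on
    bounces: list = field(default_factory=list)   # (return address, bytes) per DSN


def run_session(mail_from, rcpt_to, message, known_users, *,
                reject_unknown_at_rcpt, rcpt_limit=None):
    """Simulate one delivery attempt.

    reject_unknown_at_rcpt=False models the behaviour the article describes:
    every RCPT TO gets 250, the message is queued, and a delivery-status
    notification carrying the original message is later returned to the
    envelope sender for each address that does not exist. The envelope sender
    is whatever the submitting client claimed, which is why those DSNs land on
    the forged address rather than on the real submitter.

    reject_unknown_at_rcpt=True answers 550 during the session instead, so no
    message is accepted for a nonexistent mailbox and no DSN is ever created.
    rcpt_limit caps how many recipients one message may name (452 past the cap).
    """
    r = SessionResult()
    for addr in rcpt_to:
        if rcpt_limit is not None and len(r.accepted) >= rcpt_limit:
            r.replies.append("452 4.5.3 Too many recipients")
            continue
        if reject_unknown_at_rcpt and addr not in known_users:
            r.replies.append("550 5.1.1 User unknown")
            continue
        r.replies.append("250 2.1.5 OK")
        r.accepted.append(addr)
    # Post-queue delivery: only the legacy policy still holds undeliverable mail.
    for addr in r.accepted:
        if addr not in known_users:
            # A DSN typically carries the full original message as an attachment,
            # so each bounce is at least as large as what was received.
            r.bounces.append((mail_from, len(message)))
    return r


def bounce_volume(result):
    """Total bytes returned to the envelope sender: the amplification factor."""
    return sum(size for _, size in result.bounces)


# Constructed scenario: one 10 KB message naming 1000 recipients, 2 of which exist.
KNOWN = {"alice@example.com", "bob@example.com"}
MESSAGE = b"x" * 10_240
RCPTS = ["alice@example.com", "bob@example.com"] + [
    f"nobody{i}@example.com" for i in range(998)]
ENVELOPE_SENDER = "postmaster@other.example"  # the (forgeable) address DSNs go to

if __name__ == "__main__":
    legacy = run_session(ENVELOPE_SENDER, RCPTS, MESSAGE, KNOWN,
                         reject_unknown_at_rcpt=False)
    hardened = run_session(ENVELOPE_SENDER, RCPTS, MESSAGE, KNOWN,
                           reject_unknown_at_rcpt=True, rcpt_limit=100)
    print(f"legacy:   {len(legacy.bounces)} DSNs, "
          f"{bounce_volume(legacy) / 1e6:.1f} MB back to {ENVELOPE_SENDER}")
    print(f"hardened: {len(hardened.bounces)} DSNs, {bounce_volume(hardened)} bytes")
```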
Fortune 500

The researchers tested the email servers of all Fortune 500 companies and found that 30 per cent could be used to launch this type of attack.

All email is sent across the internet using the Simple Mail Transfer Protocol (SMTP), which stipulates that a notification should be sent whenever a message with a bad address is received. There are numerous different types of email server, however, which can all be configured in various ways.

Ollman adds that using an insecure email server to send the initial messages would make the attack virtually untraceable. "You can pretty much do it anonymously," he told New Scientist.

It should be fairly simple to reconfigure mail servers so that they are no longer vulnerable to this attack, but Ollman notes that it is up to each company to take this step: "They all need to take a look at their mailing architecture," he says. "It only takes two or of these companies for the attack to work."

From isn at c4i.org Thu Apr 8 10:05:04 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 8 10:19:18 2004
Subject: [ISN] An Antitrust Antidote for Software Security
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A58955-2004Apr7.html

By Brian Krebs
washingtonpost.com Staff Writer
April 7, 2004

Congress should change U.S. antitrust laws to make it easier for businesses to pressure software vendors to improve the security of their products, according to a congressional advisory panel report released yesterday.

Under the proposal, certain industry sectors could set software security standards for their businesses. Vendors whose software fails to meet those requirements would be barred from selling to those industries.

The idea is an attempt to find ways for the business community to protect critical infrastructures like the electricity grid and the banking, water and telecommunications networks from hackers and other online criminals.
"There have always been exceptions to antitrust laws when dealing with issues relating to national security, and I can't think of a more important area to have some standards than in this area of cybersecurity," said John Burke, a Washington attorney who represents the Financial Services Roundtable, a group of financial services companies that participated in drafting the cybersecurity recommendations.

The problem, Burke said, is that without a specific exemption from Congress or the U.S. Justice Department, the plan could run afoul of federal antitrust laws that prohibit group boycotts.

The Corporate Information Security Working Group was convened last November by Rep. Adam Putnam (R-Fla.), chairman of a House subcommittee dealing with information security. The group met shortly after software industry lobbying groups persuaded him to shelve a plan to require publicly traded companies to report their cybersecurity readiness to the Securities and Exchange Commission (SEC).

Putnam is studying the antitrust idea but has not decided whether he will formally introduce it as a bill, said spokesman Bob Dix.

The group's recommendations were released on Tuesday, several days after another task force led by the nation's top software companies conceded that new government regulations might be necessary to strengthen the nation's important computer networks against online attacks.

Lawmakers have focused much attention on information security issues during the past year amid a spike in identity theft, viruses and other online criminal activity. The White House approved a national cybersecurity plan more than a year ago but it contains no requirements for businesses to improve their electronic security practices.

The companies that own 85 percent of the nation's essential infrastructure say they are committed to making sure that their systems are secure, but many of them complain that the software they use is riddled with security holes.
Those flaws, they said, cost businesses billions of dollars a year. An antitrust exemption, some say, would help them collectively pressure software firms for improvements.

Cathy Allen, who heads the Financial Services Roundtable's technology division, said the software industry has largely ignored the banking sector's voluntary security certification program. Instead, she said, the software vendors often play off one company against another -- offering discounts and other incentives to get them to drop their security requirements.

"Trying to negotiate better security standards in our contracts with the vendors isn't very effective because many companies simply won't sell to you unless you agree to their terms," Allen said. "What we'd like to do is to be able to put some teeth behind our voluntary requirements."

The banking industry spends nearly $1 billion each year patching and adapting computer systems to remedy software vulnerabilities, according to a Financial Services Roundtable report released in February.

The Information Technology Association of America (ITAA) opposes the antitrust idea. The association represented software developers and other high-tech companies in the cybersecurity working group. It did not have the power to veto the antitrust recommendation, which was agreed on by consensus among the group's other members.

"This is basically an attempt to give certain industry groups cartel market power to fix prices," said ITAA General Counsel Joe Tasker. "What we have is a case where the buyers themselves consistently violate their own principles."

"We're not averse to it per se, but we're not sure why it's needed," said Robert Hoffman, vice president of congressional and legislative affairs for business software maker Oracle Corp. Hoffman said that Oracle supports a number of different ways to improve software security, but said that an antitrust exemption is a "pretty heavy hammer."
The Justice Department routinely grants antitrust exemptions, said Bob Lande, an antitrust law professor at the University of Baltimore School of Law. Antitrust exemptions previously granted by Congress include one notable 1970 law that allows newspapers operating in the same market to pool their resources on advertising, printing and distribution. Major League Baseball operates under an exemption effectively granted by the U.S. Supreme Court in 1922 that requires the league to approve any of its teams' decisions to move from one city to another.

"Antitrust laws are amazingly flexible rules and can deal easily with legitimate business justifications," Lande said. "The way they're being interpreted by today's judges is in a very conservative, non-aggressive manner. I can't say the risk of antitrust problems is zero, but boy it is low."

Changing the antitrust laws also would hold software developers who work with Linux more accountable for security, said Alan Paller, director of research for the SANS Institute and a member of the cybersecurity group. Such a requirement would be more challenging for open source vendors because much of the software is maintained by thousands of independent software developers, he added.

"This could force a certain amount of discipline on that group that they may not want to have... They would no longer be able to throw up their hands and ignore responsibility for security just because it's open source."

The cybersecurity working group made nearly two dozen other recommendations. One would limit public access to information about the locations and weak points of vital communications, power and water networks. Another proposes that Congress insulate companies from shareholder lawsuits if a hacker breaks into their systems.
Putnam, meanwhile, plans to introduce a bill to implement another recommendation from the panel -- amending the federal government's technology acquisition guidelines to ensure that agencies seeking new computer software and hardware make cybersecurity a priority.

From isn at c4i.org Thu Apr 8 10:05:16 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 8 10:19:20 2004
Subject: [ISN] Police cyber crime pin-up girl busted for hacking site
Message-ID:

http://mdn.mainichi.co.jp/news/20040408p2a00m0dm011000c.html

(Wire stories, Japan, April 8, 2004)

A 16-year-old girl who starred in the National Police Agency's (NPA) educational video against online crimes has ironically been accused of hacking an Internet homepage, officers said Thursday.

The high school girl, whose name is being withheld under law, has admitted to committing an online crime, although she warned the public against it in the video. "I'm sorry," officers quoted the girl as saying.

Tokyo police plan to send her documents to prosecutors on charges of illegal online access.

The girl appeared in a video produced by the National Police Agency's affiliate in December last year after she passed an audition. The video explains Internet crimes such as illegal downloading of music.

Only several days after filming, the girl and two of her friends illegally accessed a homepage of a friend's band, and then made changes to the pages. The girl said she hacked the page because her friend in the band had bad-mouthed her on an Internet site.

The video, distributed to prefectural police offices, educational institutions and libraries across Japan, will be recalled.
From isn at c4i.org Thu Apr 8 10:05:28 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 8 10:19:21 2004
Subject: [ISN] Cisco warns of wireless security hole
Message-ID:

http://www.nwfusion.com/news/2004/0407ciscowarns.html

By Paul Roberts
IDG News Service
04/07/04

Networking equipment maker Cisco is warning customers about a security hole in two products used to manage wireless LANs and e-business services in corporate data centers.

The company said Wednesday that a user name and password coded into some versions of its Wireless LAN Solution Engine and Hosting Solution Engine software could give attackers complete control of the devices. Attackers could use the default logins to hide rogue wireless access points on wireless LANs, create and modify user privileges or change configuration settings, Cisco said.

The vulnerability affects versions 2.0, 2.0.2 and 2.5 of the Wireless LAN Solution Engine (WLSE) and versions 1.7, 1.7.1, 1.7.2 and 1.7.3 of the Hosting Solution Engine (HSE). The San Jose company posted software patches on its Web site for both products.

The WLSE product manages Cisco Aironet wireless LAN (WLAN) infrastructures, tying together different Aironet products, such as wireless access points, and making it easier for administrators to deploy, monitor and configure the devices on their WLAN. The WLSE also has security features that can spot unauthorized, or "rogue," access points and apply wireless networking security policies to devices on the network, Cisco said.

The HSE is a network management hardware appliance that uses the Cisco 1140 platform. The product maps out and then monitors the performance and integrity of e-business services in data centers that use Cisco products.

A default user name and password combination was written, or "hard coded," into the software that runs on both devices and cannot be disabled.
A malicious user who had the password would have complete control of the affected device, which could be used as a platform for further attacks, Cisco warned.

For the WLSE, having the default user name and password would give the malicious user the ability to cause system-wide outages by changing the radio frequency used to send data over the WLAN, or secretly install an unauthorized access point that could be used to gather confidential information from the WLAN. For customers using the HSE, the default password could allow an attacker to redirect traffic from a Web site hosting e-business services, resulting in financial loss, Cisco said.

Cisco said it is not aware of any attacks that use the hard-coded login information, but advised customers to install the appropriate software patch.

From isn at c4i.org Thu Apr 8 10:05:41 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 8 10:19:21 2004
Subject: [ISN] Microsoft takes security class on the road
Message-ID:

http://news.com.com/2100-7355_3-5186861.html

By Robert Lemos
Staff Writer, CNET News.com
April 7, 2004

Microsoft's on a mission to get technology pros to think harder about security.

The software giant is sending executives to 20 cities across the United States to train developers and information system managers in how to better protect their systems. The free events, dubbed Security Summits, are the first step in Microsoft's plan to train 500,000 information technology workers worldwide by the end of this year, according to Mike Nash, vice president for Microsoft's Security Business unit.

"We want to make sure that customers have a security strategy," Nash said. "There were people that got hit with Slammer, and they go away and implement a security plan and then Blaster comes along and they said, 'Wow, that's a nonissue.' The hope (in holding these events) is to skip step one."
The Security Summits kicked off in New York City on Tuesday with free day-long classes for network administrators and information-system managers. The seminar was repeated on Wednesday. The events attracted about 1,000 people each.

The events are Microsoft's latest effort in its two-year-old Trustworthy Computing initiative. The software giant has taken major steps to elevate security concerns, such as delaying its next version of Windows in order to divert developers to a security update, known as Service Pack 2, for Windows XP. Chairman Bill Gates underscored Microsoft's commitment to better security in a public letter sent to customers last month.

"Security is as big and important a challenge as any our industry has ever tackled," Gates wrote. "It is not a case of simply fixing a few vulnerabilities and moving on."

However, Microsoft's focus on security has resulted in longer development times for patches for vulnerabilities in its products. The company has begun to de-emphasize patching as a security solution and has started urging companies to think more broadly about security instead, promoting the use of training and better network protection.

At the Security Summit events, Microsoft customers can attend one of two tracks: one basic, the other for more advanced system administrators. The events include general sessions meant for information technology professionals and scheduled one-on-one meetings between executives from Microsoft and customer companies, Nash said.

Microsoft plans to hold other events worldwide to train more IT professionals, to hit its half-million-person mark, according to Nash.

Nash stressed that the Security Summit tour is only one step in Microsoft's security efforts and is not designed to provide a final solution to the online security woes that affect many companies.

"500,000 people trained on security, that is a pretty good footing," he said.
"But I don't think anyone believes...that the issue is going to be solved by the end of 2004." From isn at c4i.org Thu Apr 8 10:06:13 2004 From: isn at c4i.org (InfoSec News) Date: Thu Apr 8 10:19:22 2004 Subject: [ISN] Firm invites experts to punch holes in ballot software Message-ID: Forwarded from: Kurt Seifried How do we know that this is the software that they compile and ship? We don't. Source disclosure is useless in this situation unless the build process is somehow audited, or they ship source and whatever else I need to build identical binaries to theirs, which I can then compare and go "yes, these binaries are identical, ergo it's probable that the sources we used are identical, ergo the source I audited and found to be correct is probably what was used to build the production binaries". I'm sorry but I see no reason to trust these companies implicitly, I think they should be held to an extremely high standard of "guilty until proven innocent". They have the ability to change the laws and governments we live within. Any other object with this capability (judges, politicians/etc) is generally made to go through a rigourous process and/or when they make/change laws there are multiple checks and balances (appeal courts, congress, the preseidents veto, the queen's veto, etc.). With voting machines there appear to be no checks and balances. Kurt Seifried, kurt@seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ From isn at c4i.org Thu Apr 8 10:13:01 2004 From: isn at c4i.org (InfoSec News) Date: Thu Apr 8 10:19:23 2004 Subject: [ISN] Windows to remain security risk for years to come Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,92013,00.html News Story by Matthew Broersma APRIL 07, 2004 (TECHWORLD.COM) LONDON -- Microsoft Corp.'s efforts to limit the ongoing damage from worms such as Blaster will not pay off for several years, according to security experts. 
New Windows PCs will begin shipping with security switched on by default for the first time, with the release of Windows XP Service Pack 2 this summer, but it will take five or six years before such basic protections are common on the installed base of PCs, according to a Symantec Corp. executive.

Such unprotected PCs are increasingly being used to spread worms such as Blaster and junk e-mail, usually without the PC owner's knowledge; a recent Symantec survey found that a system will, on average, receive a Blaster-generated packet of data within one second of connecting to the Internet.

"The threat will reduce slowly as we start to have security more widespread," Nigel Beighton, Symantec's director of community defense, said. "The industry has learned it has to ship technology with security switched on. But right now there are millions of Windows 98 users still out there, there is still a huge number of legacy PCs around, and it will take five or six years for that situation to change."

Last week, Microsoft revealed that the various flavors of the Blaster worm had infected at least 8 million PCs since it first appeared in August, based on data from its Windows Update.

Security experts say the company is doing the right thing by making Windows PCs secure by default, but say such steps are only a beginning. A major problem contributing to the ongoing spread of Blaster, Welchia and similar worms is that new PCs are still shipped with the flaws that allow them to spread, such as the Remote Procedure Call (RPC) flaw exploited by Blaster, analysts said.

"The Microsoft operating system ships unpatched," said Thomas Kristensen, CTO of security firm Secunia. "If you go online with a broadband or dial-up connection to get the security updates, it's possible for Blaster to attack and infect your machine."
One solution would be for Microsoft or system manufacturers to add the security patches before selling a machine, but the decentralized, commodified nature of the PC industry would make this strategy difficult, experts said.

"Retailers could offer a secured PC with the updates installed, but consumers could always go and find a PC with a lower price where you have to upgrade it yourself," said Beighton. "In a commodity market, the consumer will always look for a bargain."

Rather than try to keep OEMs around the world up to date with security patches, Microsoft's move with SP2 will be to turn on security features such as Windows XP's built-in firewall, which will protect users from attacks such as RPC exploits. This could have problems of its own, with some industry observers predicting it will lead to a huge upsurge in technical support calls; the firewall will block access to services that were previously available, such as game servers, unless it is reconfigured.

The move should make a difference -- at least to buyers of new PCs. "Anybody who's bought an up-to-date machine in a year's time will be in a considerably better position than they are now," Beighton said.

However, the real problem isn't new PCs, Beighton noted, it's the millions of older machines still in use without protections or updates of any kind. Even if these users are diligent, they will find it difficult to upgrade if they have a dial-up connection; Microsoft's service packs make the updates easier to download and install, but they only appear three to six months after a threat has materialized, Beighton said.

An alternative is Microsoft's new patch CD program, allowing users to order a CD containing security updates for machines running Windows 98 and newer software. The CD is a one-off offering, and only contains patches up to October 2003, a Microsoft spokeswoman said.

Most users may not be that diligent, however.
Symantec found that many worms continue to spread even after their built-in expiration date has passed because the PC's clock has not been set properly. "That's how ill-administered they are," Beighton said.

Blaster and its ilk represent a major new trend that has emerged in hacking in the past three years or so, say security experts. Previously, attacks were carried out by individuals, but now the process has been almost entirely automated, with hackers sharing code that takes advantage of well-known exploits. Seventy percent of vulnerabilities in 2003 required no new exploit code, up from 60% in 2002, according to a Symantec threat report published last month.

Symantec found that blended attacks like Blaster, which combine the characteristics of viruses, worms, Trojan horses and malicious code with vulnerabilities to spread an attack, are increasingly exploiting back-doors left by previous worms. This year, for example, the Doomjuice and Deadhat blended attacks both made use of the back-door left by MyDoom in January, Symantec said.

From isn at c4i.org Thu Apr 8 10:15:51 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 8 10:27:08 2004
Subject: [ISN] PHRACK #62 CALL FOR PAPERS
Message-ID:

[-]=====================================================================[-]

                         : P H R A C K - 6 2 :

          CALL FOR PAPERS * CALL FOR PAPERS * CALL FOR PAPERS

                ---------------------------------
                Deadline: 01 July 2004 at 11:59pm
                http://www.phrack.org/cfp_p62.txt
                ---------------------------------

Phrackstaff is pleased to bring you PHRACK CALL FOR PAPERS #62.

Thanks to our buddies in Australia, we will go for another historical hardcover release at ruxc0n (http://www.ruxcon.org). Phrack authors get free entrance. Check out http://www.phrack.org for more info.

Don't bother us with lame articles -- only the real papers will make it.

PHRACK is now accepting papers for this edition.
As usual, papers can be on any topic related to the following:

- hacking
- phreaking
- spying
- carding
- cybernetics
- radio
- electronics
- forensics
- reverse engineering
- cryptography
- anarchy
- conspiracy
- world news

As in previous issues, we will showcase selected tools from the hacking community. Send us your toolz, links and logs for warez that are worthy of being mentioned in our holy magazine.

Since 1985, PHRACK MAGAZINE has been providing the hacker community with information on operating systems, network technologies and telephony, as well as relaying features of interest for the international computer underground.

PHRACK MAGAZINE is made available to the public, as often as possible, free of charge.

PHRACK STAFF <--- is at ruxc0n!
phrackstaff@phrack.org

[-]=====================================================================[-]

From isn at c4i.org Fri Apr 9 04:07:04 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 9 04:20:01 2004
Subject: [ISN] Email attack could kill servers
Message-ID:

Forwarded from: Kurt Seifried 

> All email is sent across the internet using the Simple Mail Transfer
> Protocol (SMTP), which stipulates that a notification should be sent
> whenever a message with a bad address is received. There are
> numerous different types of email server, however, which can all be
> configured in various ways.

While serious, this can be dealt with relatively easily. Postfix, for example, supports local recipient maps, which can be based on the local UNIX password database, the alias maps database, or a virtual users database (meaning it can be completely arbitrary and no local accounts/etc. are required; just export a list from your Exchange server/ADS once a day and dump it in). Thus, if an email recipient doesn't exist, the email is rejected during the connection, i.e. no real traffic amplification takes place (and you stay RFC compliant).
In addition to this, it prevents spam to non-existent email accounts from clogging up your mail servers, causing them to hold messages, create bounces, etc.

In general, some form of traffic amplification will always be possible with email if the mail server creates bounce messages at all (and it's unlikely people will be willing to completely disable bounce/error messages/etc.). However, with intelligent filtering/limiting of what you accept, and rejecting email during the connection, not once it has been accepted for delivery, this problem can largely be addressed. Hopefully this will also lead to better rejection/bounce capabilities from major mail servers at the connection level and not force people to accept mail so that they can then reject/bounce it, or to third-party products/proxies that bolt on to existing systems.

Of course, setting your server up correctly won't protect you from inbound attacks, but it will prevent you from being used to attack other people.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

From isn at c4i.org Fri Apr 9 04:07:26 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 9 04:20:02 2004
Subject: [ISN] Security tool more harmful than helpful?
Message-ID:

http://news.com.com/2100-7349_3-5187776.html

By Robert Lemos
Staff Writer, CNET News.com
April 8, 2004

The common wisdom in the security world is that easy-to-use scripts to circumvent security--called "exploits"--are a threat to the Internet. The Metasploit Project and its founder, HD Moore, hope to change that perception.

On Wednesday, the project released an updated design framework to the Metasploit tool, which allows security experts to check computers on their networks and identify those vulnerable to newly released flaws.
The updated framework, known as Metasploit Framework 2.0, enables people to create standardized plug-ins for the tool so that they can legally hack into computers by manipulating the latest security holes. The tool already has 18 exploits and 27 different possible payloads.

Overall, the tool could help administrators find and patch systems vulnerable to a new flaw, thereby blocking a would-be intruder from breaching a company's network security, according to Moore.

"This is a good research tool," Moore said, noting that some 30 percent of Metasploit beta testers are security consultants who seek to plug holes in their clients' networks. Other companies are using the tool proactively to detect flaws in their applications.

"There is a large software company that has...rolled the Metasploit stuff into their (quality assurance) testing," he said.

Such a tool, however, could also become an online attacker's friend, automating the detection of vulnerable servers so that even a person with little technical knowledge could break into a computer, security researchers maintain. A recent report by market research firm Forrester into software security threats found that attacks "explode after unscrupulous hackers build scripted versions."

Many critics agree, saying such exploit-testing scripts--which turn a highly technical vulnerability into code that can be run with a few commands--allow far too many people to become online attackers.

"There will be about 10 academics and serious researchers who may find this interesting and about 10,000 kiddies who will blow each other's virtual brains out, with enterprise security folks caught in the middle," said Peter Lindstrom, the director of research for security consultancy Spire Security.

However, Metasploit does allow savvy network administrators to play on the same level as malevolent hackers, said Stephen Northcutt, director of training and certification for The SANS Institute, which teaches security and network administration.
In particular, the tool saves them from having to spend a lot of time on coding.

"There is a natural concern that the tool will be used for malevolent purposes. But attackers are already developing exploits by hand, so this doesn't actually change anything," Northcutt said. "It is an iterative step in the development of shell code exploits, just as virus factory software was a step in the development of that flavor of malware."

Even Moore agrees that the project's wares will make exploiting vulnerabilities easier. However, he also maintains that the tool will be invaluable to system administrators to demonstrate that their networks are vulnerable and so gain the corporate resources necessary to patch their systems.

"The problem today is that many organizations do not patch systems until a working exploit is released," Moore said. "The bottom line is that exploits are not only useful but are (also) required for many types of legitimate work."

In fact, companies have created similar tools--and programs that use similar technologies--to do just that. Two security companies, Immunity and Core Security Technologies, have created their own network attack programs to aid consultants who find vulnerable systems for a living. And in February, Hewlett-Packard announced that it had developed an automated attack tool that would create benign exploits to test a network's digital immune system.

To help defend against malicious use, Metasploit is putting signatures into its software to help the makers of defensive security products detect attacks generated via the tool. Moore also points out that anyone can already buy such a product from a handful of security companies. However, he acknowledges that the widespread use of such software may make some network administrators' jobs harder.

"If (you are) a system admin that only patches boxes, of course you aren't going to want to see any new exploit code," Moore said. But that doesn't mean the problem is going away, he added.
"We can do anything we want to curb exploit releases--make it illegal in America--but they will still get released," he said. From isn at c4i.org Fri Apr 9 04:08:26 2004 From: isn at c4i.org (InfoSec News) Date: Fri Apr 9 04:20:04 2004 Subject: [ISN] Secunia Weekly Summary - Issue: 2004-15 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2004-04-01 - 2004-04-08 This week : 46 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: Secunia has launched a new service called Secunia Virus Information. Secunia Virus Information is based on information automatically collected from 7 different anti-virus vendors. The data will be parsed and indexed, resulting in a cronological list, a searchable index, and grouped profiles with information from the 7 vendors. Example: http://secunia.com/virus_information/8592/ Furthermore, when certain criteria are triggered virus alerts will be issued. You can sign-up for the alerts here: Secunia Virus Alerts: http://secunia.com/secunia_virus_alerts/ Secunia Virus Information: http://secunia.com/virus_information/ ======================================================================== 2) This Week in Brief: A vulnerability has been reported in Panda ActiveScan, which can be exploited by malicious people to compromise a vulnerable system. Currently no response or patch is available from the vendor. Please refer to referenced Secunia Advisory for more information. 
Reference:
http://secunia.com/SA11312

Peter Winter-Smith of NGSSoftware has identified a vulnerability in the very popular music player Winamp versions 2.91 through 5.02. The vulnerability may be triggered by visiting a malicious website with a vulnerable Winamp client.

All users are advised to update to version 5.03.

Reference:
http://secunia.com/SA11285

Apple has released a security update for Mac OS X, which corrects multiple vulnerabilities. The update is available from the vendor website.

Reference:
http://secunia.com/SA11303

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA11273] Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing
2.  [SA10395] Internet Explorer URL Spoofing Vulnerability
3.  [SA10523] Internet Explorer showHelp() Restriction Bypass Vulnerability
4.  [SA11285] Winamp "in_mod.dll" Heap Overflow Vulnerability
5.  [SA11082] Sun Java System (Sun ONE) SSL Vulnerabilities
6.  [SA11139] OpenSSL SSL/TLS Handshake Denial of Service Vulnerabilities
7.  [SA11297] F-Secure Anti-Virus for MIMEsweeper Virus Detection Bypass
8.  [SA11293] Citrix MetaFrame Password Manager Authentication Information Disclosure
9.  [SA11301] F-Secure BackWeb Privilege Escalation Vulnerability
10. [SA10736] Internet Explorer File Download Extension Spoofing

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA11312] Panda ActiveScan Control "Internacional" Property Heap Overflow Vulnerability
[SA11298] Perl win32_stat Function Buffer Overflow Vulnerability
[SA11289] eMule "DecodeBase16()" Buffer Overflow Vulnerability
[SA11285] Winamp "in_mod.dll" Heap Overflow Vulnerability
[SA11292] Microsoft SharePoint Portal Server Cross-Site Scripting Vulnerabilities
[SA11286] FTGate Web Mail Cross-Site Scripting and Path Exposure
[SA11279] MondoSearch Multiple Vulnerabilities
[SA11294] IBM Director Agent Denial of Service Vulnerability
[SA11301] F-Secure BackWeb Privilege Escalation Vulnerability
[SA11293] Citrix MetaFrame Password Manager Authentication Information Disclosure
[SA11313] McAfee McFreeScan Module System Information Disclosure
[SA11273] Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing

UNIX/Linux:
[SA11311] Gentoo update for tcpdump
[SA11308] Gentoo update for KDE
[SA11303] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA11296] OpenPKG update for mc
[SA11295] Mandrake update for mplayer
[SA11282] IRIX update for ftpd
[SA11281] Debian update for oftpd
[SA11274] HP OpenCall MultiService Controller H.323 Vulnerabilities
[SA11272] CactuShop Multiple Vulnerabilities
[SA11304] Monit Web-based Administration Interface Multiple Vulnerabilities
[SA11271] Gentoo update for monit
[SA11309] Debian update for tcpdump
[SA11283] IRIX Frame Padding Vulnerability
[SA11280] Debian update for interchange
[SA11306] Debian update for heimdal
[SA11275] Heimdal Cross-Realm Trust Spoofing Vulnerability
[SA11310] Gentoo update for sysstat
[SA11307] Debian update for xine-ui
[SA11305] Gentoo update for Portage
[SA11300] SuSE Linux YaST Temporary File Creation Vulnerability
[SA11291] Debian update for fte
[SA11290] FTE Text Editor Multiple Buffer Overflow Vulnerabilities

Other:
[SA11278] Sidewinder Potential OpenSSL Vulnerabilities
[SA11276] VMware ESX Server Privilege Escalation Vulnerabilities

Cross Platform:
[SA11314] RealPlayer/RealOne R3T File Handling Buffer Overflow Vulnerability
[SA11299] IGI 2: Covert Strike RCON Command Format String Vulnerability
[SA11288] HAHTsite Scenario Server Project Name Buffer Overflow Vulnerability
[SA11287] ADA Image Server Request Buffer Overflow and Directory Traversal
[SA11297] F-Secure Anti-Virus for MIMEsweeper Virus Detection Bypass
[SA11270] Roger Wilco Multiple Vulnerabilities
[SA11315] Intel Server Control and Server Management Insecure Firmware Setting
[SA11302] Qmail Non-Delivery Notification DDoS Security Issue
[SA11277] ADA Image Server Directory Listing Vulnerability
[SA11284] Dreamweaver Database Connection Script Security Issue

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA11312] Panda ActiveScan Control "Internacional" Property Heap Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-04-07

Rafel Ivgi has discovered a vulnerability in Panda ActiveScan Control, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/11312/

--

[SA11298] Perl win32_stat Function Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-04-06

iDEFENSE has discovered a vulnerability in Perl and ActivePerl, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11298/

--

[SA11289] eMule "DecodeBase16()" Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-04-05

Kostya Kortchinsky has reported a vulnerability in eMule, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/11289/

--

[SA11285] Winamp "in_mod.dll" Heap Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-04-05

NGSSoftware has discovered a vulnerability in Winamp, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/11285/

--

[SA11292] Microsoft SharePoint Portal Server Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-04-06

Ory Segal has reported multiple vulnerabilities in Microsoft SharePoint Portal Server 2001, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/11292/

--

[SA11286] FTGate Web Mail Cross-Site Scripting and Path Exposure

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2004-04-06

Dr_insane has discovered some vulnerabilities in FTGate Web Mail, where the most serious can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/11286/

--

[SA11279] MondoSearch Multiple Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS
Released:    2004-04-02

Protego has reported several vulnerabilities in MondoSearch, which can be exploited by malicious people to use the application as a proxy, cause a DoS (Denial of Service), or disclose certain administrative usernames.

Full Advisory:
http://secunia.com/advisories/11279/

--

[SA11294] IBM Director Agent Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-04-08

Juanma Merino has reported a vulnerability in IBM Director Agent, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/11294/

--

[SA11301] F-Secure BackWeb Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-04-06

A vulnerability has been discovered in F-Secure BackWeb, which can be exploited by malicious, local users to gain SYSTEM privileges on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11301/

--

[SA11293] Citrix MetaFrame Password Manager Authentication Information Disclosure

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-04-05

A security issue has been reported in Citrix MetaFrame Password Manager, which may disclose authentication information.

Full Advisory:
http://secunia.com/advisories/11293/

--

[SA11313] McAfee McFreeScan Module System Information Disclosure

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2004-04-07

A vulnerability has been discovered in McAfee McFreeScan Module, which can be exploited by malicious people to gain knowledge of certain information about a user's system.

Full Advisory:
http://secunia.com/advisories/11313/

--

[SA11273] Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-04-01

http-equiv has discovered a weakness in Internet Explorer, which potentially can be exploited by malicious people to trick users into visiting a malicious website.

Full Advisory:
http://secunia.com/advisories/11273/

UNIX/Linux:
--

[SA11311] Gentoo update for tcpdump

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-04-07

Gentoo has issued an update for tcpdump. This fixes one vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a system running tcpdump.
Full Advisory:
http://secunia.com/advisories/11311/

--

[SA11308] Gentoo update for KDE

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-04-07

Gentoo has issued an update for kdepim. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/11308/

--

[SA11303] Mac OS X Security Update Fixes Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-04-07

The vendor has acknowledged multiple vulnerabilities in Apple Mac OS X, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11303/

--

[SA11296] OpenPKG update for mc

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-04-06

OpenPKG has issued an updated package for mc. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/11296/

--

[SA11295] Mandrake update for mplayer

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-04-06

MandrakeSoft has issued an update for mplayer. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/11295/

--

[SA11282] IRIX update for ftpd

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-04-05

SGI has issued updates for ftpd. These fix a vulnerability allowing malicious users to cause a Denial of Service.

Full Advisory:
http://secunia.com/advisories/11282/

--

[SA11281] Debian update for oftpd

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-04-05

Debian has issued updated packages for oftpd.
These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11281/ -- [SA11274] HP OpenCall MultiService Controller H.323 Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-04-01 HP has acknowledged some vulnerabilities in the HP OpenCall Multiservice Controller (OCMC) H.323 implementation, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11274/ -- [SA11272] CactuShop Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2004-04-01 Nick Gudov has reported two vulnerabilities in CactuShop, allowing malicious people to conduct SQL injection and Cross Site Scripting attacks. Full Advisory: http://secunia.com/advisories/11272/ -- [SA11304] Monit Web-based Administration Interface Multiple Vulnerabilities Critical: Moderately critical Where: From local network Impact: System access Released: 2004-04-06 Matthew Murphy has discovered multiple vulnerabilities in Monit, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11304/ -- [SA11271] Gentoo update for monit Critical: Moderately critical Where: From local network Impact: System access, DoS Released: 2004-04-01 Gentoo has issued an update for monit. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11271/ -- [SA11309] Debian update for tcpdump Critical: Less critical Where: From remote Impact: DoS Released: 2004-04-07 Debian has issued updated packages for tcpdump. These fix two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/11309/ -- [SA11283] IRIX Frame Padding Vulnerability Critical: Less critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2004-04-05 SGI has acknowledged an older information disclosure vulnerability within certain network drivers. Full Advisory: http://secunia.com/advisories/11283/ -- [SA11280] Debian update for interchange Critical: Less critical Where: From remote Impact: Exposure of sensitive information, Exposure of system information Released: 2004-04-05 Debian has issued updated packages for interchange. These fix a vulnerability, which can be exploited by malicious people to gain knowledge of sensitive information. Full Advisory: http://secunia.com/advisories/11280/ -- [SA11306] Debian update for heimdal Critical: Less critical Where: From local network Impact: ID Spoofing Released: 2004-04-07 Debian has issued updated packages for heimdal. These fix a vulnerability, which can allow certain people to impersonate others. Full Advisory: http://secunia.com/advisories/11306/ -- [SA11275] Heimdal Cross-Realm Trust Spoofing Vulnerability Critical: Less critical Where: From local network Impact: ID Spoofing Released: 2004-04-02 A vulnerability has been reported in Heimdal, which may allow certain people to impersonate others. Full Advisory: http://secunia.com/advisories/11275/ -- [SA11310] Gentoo update for sysstat Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-04-07 Gentoo has issued updated packages for sysstat. These fix a vulnerability, allowing malicious local users to escalate their privileges. Full Advisory: http://secunia.com/advisories/11310/ -- [SA11307] Debian update for xine-ui Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-04-07 Debian has issued updated packages for xine-ui. 
These fix a vulnerability, which potentially can be exploited by malicious, local users to escalate their privileges on a vulnerable system. Full Advisory: http://secunia.com/advisories/11307/ -- [SA11305] Gentoo update for Portage Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-04-07 Gentoo has issued an update for Portage. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/11305/ -- [SA11300] SuSE Linux YaST Temporary File Creation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-04-08 l0om has reported a vulnerability in SuSE Linux, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/11300/ -- [SA11291] Debian update for fte Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-04-05 Debian has issued updated packages for fte. These fix multiple vulnerabilities, which can be exploited by malicious, local users to gain "root" privileges on a vulnerable system. Full Advisory: http://secunia.com/advisories/11291/ -- [SA11290] FTE Text Editor Multiple Buffer Overflow Vulnerabilities Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-04-05 Steve Kemp has reported multiple vulnerabilities in FTE Text Editor, which potentially can be exploited by malicious, local users to gain escalated privileges on a vulnerable system. Full Advisory: http://secunia.com/advisories/11290/ Other:-- [SA11278] Sidewinder Potential OpenSSL Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-04-02 Secure Computing Corporation has issued a patch for their Sidewinder firewall. 
Full Advisory: http://secunia.com/advisories/11278/ -- [SA11276] VMware ESX Server Privilege Escalation Vulnerabilities Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-04-02 VMware has issued updated packages for the kernel. These fix three vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/11276/ Cross Platform:-- [SA11314] RealPlayer/RealOne R3T File Handling Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2004-04-07 NGSSoftware has discovered a vulnerability in RealOne Player / RealPlayer, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/11314/ -- [SA11299] IGI 2: Covert Strike RCON Command Format String Vulnerability Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-04-06 Luigi Auriemma has reported a vulnerability in IGI 2: Covert Strike, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11299/ -- [SA11288] HAHTsite Scenario Server Project Name Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2004-04-05 Dennis Rand has reported a vulnerability in HAHTsite Scenario Server, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11288/ -- [SA11287] ADA Image Server Request Buffer Overflow and Directory Traversal Critical: Highly critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, System access Released: 2004-04-05 Dr_insane has discovered two vulnerabilities in ADA Image Server, which can be exploited by malicious people to compromise a vulnerable system or gain knowledge of sensitive information. 
Full Advisory: http://secunia.com/advisories/11287/ -- [SA11297] F-Secure Anti-Virus for MIMEsweeper Virus Detection Bypass Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2004-04-06 A vulnerability has been reported in F-Secure Anti-Virus for MIMEsweeper, potentially allowing malware to bypass the virus detection. Full Advisory: http://secunia.com/advisories/11297/ -- [SA11270] Roger Wilco Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, DoS Released: 2004-04-02 Luigi Auriemma has reported some vulnerabilities in Roger Wilco, which can be exploited by malicious people to cause a DoS (Denial of Service) and bypass certain restrictions. Full Advisory: http://secunia.com/advisories/11270/ -- [SA11315] Intel Server Control and Server Management Insecure Firmware Setting Critical: Moderately critical Where: From local network Impact: System access Released: 2004-04-07 A vulnerability has been reported in certain Intel Server Control and Server Management utilities, potentially allowing malicious people unauthorised access. Full Advisory: http://secunia.com/advisories/11315/ -- [SA11302] Qmail Non-Delivery Notification DDoS Security Issue Critical: Less critical Where: From remote Impact: Released: 2004-04-08 Stefan Frei, Ivo Silvestri, and Gunter Ollmann recently published a paper describing a way to utilise certain mail servers for DDoS (Distributed Denial-of-Service) attacks on other systems. Full Advisory: http://secunia.com/advisories/11302/ -- [SA11277] ADA Image Server Directory Listing Vulnerability Critical: Less critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2004-04-02 Donato Ferrante has discovered a vulnerability in ADA Image Server (ImgSvr), which can be exploited by malicious people to disclose the content of a directory. 
Full Advisory: http://secunia.com/advisories/11277/

--
[SA11284] Dreamweaver Database Connection Script Security Issue
Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2004-04-05
Macromedia has issued an advisory regarding a security issue in Dreamweaver, potentially allowing malicious people to manipulate databases.
Full Advisory: http://secunia.com/advisories/11284/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Apr 9 04:08:43 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 9 04:20:05 2004
Subject: [ISN] Expert releases Cisco wireless hacking tool
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,92049,00.html

News Story by Paul Roberts
APRIL 08, 2004
IDG NEWS SERVICE

One day after it disclosed a security vulnerability in a wireless networking product, Cisco Systems Inc. must contend with a new threat -- the long-promised release of a hacking tool that targets wireless networks running its LEAP wireless authentication protocol.

The tool, called Asleap, allows users to scan the wireless network broadcast spectrum for networks using LEAP (Lightweight Extensible Authentication Protocol), capture wireless network traffic and crack user passwords, according to a message posted to the Bugtraq online security discussion group yesterday.

Cisco didn't immediately respond to requests for comment.
The tool was designed to compromise WLANs using LEAP with so-called dictionary attacks that exploit weakly protected passwords, according to the message, which purports to be from Joshua Wright, a network engineer at Johnson & Wales University in Providence, R.I.

Wright made headlines last year after he publicized the password vulnerability in LEAP (see story). A demonstration of the Asleap tool in August at the DEFCON security conference prompted Cisco to issue a bulletin to customers warning of LEAP's vulnerability to dictionary attacks.

The tool uses off-line dictionary attacks to break LEAP passwords. In such attacks, malicious users must capture WLAN traffic in which legitimate users try to access the network. Next, the attacker analyzes that traffic off-line and tries to guess the password by testing long lists of possible values from a "dictionary" of terms, eventually "guessing" the correct value.

Wright's tool makes it easy to capture the required log-in traffic by allowing attackers to spot WLANs using LEAP and then deauthenticate users on the WLAN, forcing them to reconnect and re-enter their user name and password. That makes capturing the wireless traffic with hidden password information easy, Wright said.

The tool also allows attackers to scour large dictionaries of terms, comparing approximately 45 million possible values per second to the captured authentication traffic to guess the password and break LEAP's security, he said.

After sending a copy of the tool to Cisco in August, Wright agreed to wait for the company to find a more secure replacement for the protocol before releasing his tool to the public. In February, Cisco unveiled a new WLAN security protocol designed to stop dictionary attacks called Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) (see story).
In his latest message, Wright said he was releasing the tool to the public to help LEAP users "evaluate the risks of using LEAP as a mechanism to protect the security of wireless networks." Wright also posted a link to a Web page where interested parties can download both Linux and Windows versions of Asleap.

Wright said he publicized the vulnerabilities in LEAP because he believed that Cisco encouraged customers to use its proprietary LEAP protocol over more secure mechanisms such as the Protected Extensible Authentication Protocol because "it made more money for them."

In February, Cisco submitted a draft version of EAP-FAST to the Internet Engineering Task Force for inclusion in the upcoming 802.1x WLAN security standard. The company has also built native support for EAP-FAST into many of its Aironet wireless access points and promised versions of its network client devices, such as wireless networking cards, that support the protocol in the first quarter of 2004. Cisco couldn't immediately confirm availability of Aironet clients supporting EAP-FAST.

From isn at c4i.org Fri Apr 9 04:09:05 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 9 04:20:06 2004
Subject: [ISN] Tracking the Blackout bug
Message-ID:

http://www.theregister.co.uk/2004/04/08/blackout_bug_report/

By Kevin Poulsen
SecurityFocus
8th April 2004

A number of factors and failings came together to make the August 14th northeastern blackout the worst outage in North American history. One of them was buried in a massive piece of software compiled from four million lines of C code and running on an energy management computer in Ohio.

To nobody's surprise, the final report on the blackout released by a US-Canadian task force Monday puts most of the blame for the outage on Ohio-based FirstEnergy Corp., faulting poor communications, inadequate training, and the company's failure to trim back trees encroaching on high-voltage power lines.
But over a dozen of the task force's 46 recommendations for preventing future outages across North America are focused squarely on cyberspace. That may have something to do with the timing of the blackout, which came three days after the relentless Blaster worm began wreaking havoc around the Internet - a coincidence that prompted speculation at the time that the worm, or the traffic it was generating in its efforts to spread, might have triggered or exacerbated the event. When US and Canadian authorities assembled their investigative teams, they included a computer security contingent tasked with looking specifically at any cybersecurity angle on the outage.

In the end, it turned out that a computer snafu actually played a significant role in the cascading blackout - though it had nothing to do with viruses or cyber terrorists. A silent failure of the alarm function in FirstEnergy's computerized Energy Management System (EMS) is listed in the final report as one of the direct causes of a blackout that eventually cut off electricity to 50 million people in eight states and Canada.

The alarm system failed at the worst possible time: in the early afternoon of August 14th, at the critical moment of the blackout's earliest events. The glitch kept FirstEnergy's control room operators in the dark while three of the company's high voltage lines sagged into unkempt trees and "tripped" off. Because the computerized alarm failed silently, control room operators didn't know they were relying on outdated information; trusting their systems, they even discounted phone calls warning them about worsening conditions on their grid, according to the blackout report.

"Without a functioning alarm system, the [FirstEnergy] control area operators failed to detect the tripping of electrical facilities essential to maintain the security of their control area," reads the report. "Unaware of the loss of alarms and a limited EMS, they made no alternate arrangements to monitor the system."
With the FirstEnergy control room blind to events, operators failed to take actions that could have prevented the blackout from cascading out of control.

In the aftermath, investigators quickly zeroed in on the Ohio line-tripping as a root cause. But the reason for the alarm failure remained a mystery. Solving that mystery fell squarely on the corporate shoulders of GE Energy, makers of the XA/21 EMS in use at FirstEnergy's control center. According to interviews, a half-a-dozen workers at GE Energy began working feverishly with the utility and with energy consultants from KEMA Inc. to figure out what went wrong. The XA/21 isn't based on Windows, so it couldn't have been infected by Blaster, but the company didn't immediately rule out the possibility that the worm somehow played a role in the alarm failure.

"In the initial stages, nobody really knew what the root cause was," says Mike Unum, manager of commercial solutions at GE Energy. "We spent a considerable amount of time analyzing that, trying to understand if it was a software problem, or if - like some had speculated - something different had happened."

Sometimes working late into the night and the early hours of the morning, the team pored over the approximately one-million lines of code that comprise the XA/21's Alarm and Event Processing Routine, written in the C and C++ programming languages. Eventually they were able to reproduce the Ohio alarm crash in GE Energy's Florida laboratory, says Unum. "It took us a considerable amount of time to go in and reconstruct the events." In the end, they had to slow down the system, injecting deliberate delays in the code while feeding alarm inputs to the program.

About eight weeks after the blackout, the bug was unmasked as a particularly subtle incarnation of a common programming error called a "race condition," triggered on August 14th by a perfect storm of events and alarm conditions on the equipment being monitored.
The bug had a window of opportunity measured in milliseconds. "There was a couple of processes that were in contention for a common data structure, and through a software coding error in one of the application processes, they were both able to get write access to a data structure at the same time," says Unum. "And that corruption led to the alarm event application getting into an infinite loop and spinning."

Testing for Flaws

"This fault was so deeply embedded, it took them weeks of poring through millions of lines of code and data to find it," FirstEnergy spokesman Ralph DiNicola said in February.

After the alarm function crashed in FirstEnergy's control center, unprocessed events began to queue up, and within half-an-hour the EMS server hosting the alarm process folded under the burden, according to the blackout report. A backup server kicked in, but it also failed. By the time FirstEnergy operators figured out what was going on and restarted the necessary systems, hours had passed, and it was too late.

This week's blackout report recommends that the U.S. and Canadian governments require all utilities using the XA/21 to check in with GE Energy to ensure "that appropriate actions have been taken to avert any recurrence of the malfunction." GE Energy says that's a moot point: though the flaw has not manifested itself elsewhere, last fall the company gave its customers a patch against the bug, along with installation instructions and a utility to repair any alarm log data corrupted by the glitch. According to Unum, the company sent the package to every XA/21 customer - more than 100 utilities around the world - and offered to help install it, "irrespective of their current support status," he says.

The company did everything it could, says Unum. "We test exhaustively, we test with third parties, and we had in excess of three million online operational hours in which nothing had ever exercised that bug," says Unum.
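To make the failure mode Unum describes concrete, here is an added C illustration, not GE Energy's XA/21 code and with every name invented: a shared alarm-event list in which all writers take a mutex (the guarantee the faulty process lacked), plus a consumer that bounds its traversal by the recorded element count and refuses a corrupted list with a visible error instead of spinning on it.

```c
/* Added illustration of the two failure modes in the XA/21 story:
 * unsynchronised writers corrupting a shared list, and a consumer that then
 * spins forever on it. All names here are invented. Build: cc -pthread ... */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct alarm_event {
    int id;
    char text[48];
    struct alarm_event *next;
} alarm_event;

typedef struct {
    alarm_event *head, *tail;
    size_t count;            /* maintained under lock; doubles as traversal bound */
    pthread_mutex_t lock;    /* one writer at a time, which the bug did not enforce */
} alarm_queue;

void queue_init(alarm_queue *q)
{
    q->head = q->tail = NULL;
    q->count = 0;
    pthread_mutex_init(&q->lock, NULL);
}

/* Append an event; every pointer update happens under the lock, so two
 * producers can never interleave their writes to head, tail or next. */
int queue_push(alarm_queue *q, int id, const char *text)
{
    alarm_event *e = calloc(1, sizeof *e);
    if (!e) return -1;
    e->id = id;
    snprintf(e->text, sizeof e->text, "%s", text);
    pthread_mutex_lock(&q->lock);
    if (q->tail) q->tail->next = e; else q->head = e;
    q->tail = e;
    q->count++;
    pthread_mutex_unlock(&q->lock);
    return 0;
}

/* Structural self-check (caller holds the lock). Walks at most count+1 nodes,
 * so a cycle or stray pointer is reported as corruption (-1) rather than
 * becoming an infinite loop. Returns 0 only if the chain has exactly `count`
 * nodes, terminates in NULL and ends at `tail`. */
static int queue_check_locked(const alarm_queue *q)
{
    size_t seen = 0;
    const alarm_event *cur = q->head, *last = NULL;
    while (cur && seen <= q->count) {
        last = cur;
        cur = cur->next;
        seen++;
    }
    if (cur != NULL)        return -1;   /* more nodes than count: loop/overrun */
    if (seen != q->count)   return -1;   /* fewer nodes than count: lost link  */
    if (last != q->tail)    return -1;   /* tail is no longer the last node    */
    return 0;
}

/* Drain through `handler` (may be NULL). Returns the number of events
 * processed, or -1 without touching any node when the self-check fails,
 * so a corrupted queue surfaces as an error instead of a silent hang. */
int queue_drain(alarm_queue *q, void (*handler)(const alarm_event *))
{
    pthread_mutex_lock(&q->lock);
    if (queue_check_locked(q) != 0) {
        pthread_mutex_unlock(&q->lock);
        return -1;
    }
    size_t n = 0;
    for (alarm_event *cur = q->head; cur; n++) {
        alarm_event *next = cur->next;
        if (handler) handler(cur);
        free(cur);
        cur = next;
    }
    q->head = q->tail = NULL;
    q->count = 0;
    pthread_mutex_unlock(&q->lock);
    return (int)n;
}

/* ---- constructed demo inputs ---- */
struct producer_arg { alarm_queue *q; int base; int n; };

static void *producer(void *p)
{
    struct producer_arg *a = p;
    for (int i = 0; i < a->n; i++)
        queue_push(a->q, a->base + i, "line trip");   /* constructed sample text */
    return NULL;
}

/* Several producers append concurrently; with the lock in place the drain
 * sees exactly nthreads * per_thread events (at most 16 threads). */
int demo_concurrent_push(int nthreads, int per_thread)
{
    alarm_queue q;
    pthread_t tid[16];
    struct producer_arg args[16];
    if (nthreads < 1 || nthreads > 16) return -1;
    queue_init(&q);
    for (int t = 0; t < nthreads; t++) {
        args[t] = (struct producer_arg){ &q, t * per_thread, per_thread };
        pthread_create(&tid[t], NULL, producer, &args[t]);
    }
    for (int t = 0; t < nthreads; t++) pthread_join(tid[t], NULL);
    return queue_drain(&q, NULL);
}

/* Corrupt a queue the way an unsynchronised writer could (a next pointer
 * re-linked to an earlier node, forming a cycle) and show the drain
 * returns -1 rather than spinning. */
int demo_corrupted_queue(void)
{
    alarm_queue q;
    queue_init(&q);
    queue_push(&q, 1, "breaker open");
    queue_push(&q, 2, "breaker open");
    q.tail->next = q.head;       /* constructed corruption: 2 -> 1 -> 2 -> ... */
    int rc = queue_drain(&q, NULL);
    q.tail->next = NULL;         /* repair so the demo can free its nodes */
    queue_drain(&q, NULL);
    return rc;
}
```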
"I'm not sure that more testing would have revealed that. Unfortunately, that's kind of the nature of software... you may never find the problem. I don't think that's unique to control systems or any particular vendor software." Tom Kropp, manager of the enterprise information security program at the Electric Power Research Institute, an industry think tank, agrees. He says faulty software may always be a part of the electric grid's DNA. "Code is so complex, that there are always going to be some things that, no matter how hard you test, you're not going to catch," he says. "If we see a system that's behaving abnormally well, we should probably be suspicious, rather than assuming that it's behaving abnormally well." But Peter Neumann, principal scientist at SRI International and moderator of the Risks Digest, says that the root problem is that makers of critical systems aren't availing themselves of a large body of academic research into how to make software bulletproof. "We keep having these things happen again and again, and we're not learning from our mistakes," says Neumann. "There are many possible problems that can cause massive failures, but they require a certain discipline in the development of software, and in its operation and administration, that we don't seem to find. ... If you go way back to the AT&T collapse of 1990, that was a little software flaw that propagated across the AT&T network. If you go ten years before that you have the ARPAnet collapse. "Whether it's a race condition, or a bug in a recovery process as in the AT&T case, there's this idea that you can build things that need to be totally robust without really thinking through the design and implementation and all of the things that might go wrong," Neumann says. Despite the absence of cyber terrorism in the blackout's genesis, the final report includes 13 recommendations focused squarely on protecting critical power-grid systems from intruders. 
The computer security prescriptions came after task force investigators discovered that the practices of some of the utility companies involved in the blackout created "potential opportunities for cyber system compromise" of EMS computers. "Indications of procedural and technical IT management vulnerabilities were observed in some facilities, such as unnecessary software services not denied by default, loosely controlled system access and perimeter control, poor patch and configuration management, and poor system security documentation," reads the report.

Among the recommendations, the task force says cyber security standards established by the North American Electric Reliability Council, the industry group responsible for keeping electricity flowing, should be vigorously enforced. Joe Weiss, a control system cyber security consultant at KEMA, and one of the authors of the NERC standards, says that's a good start. "The NERC cyber security standards are very basic standards," says Weiss. "They provide a minimum basis for due diligence."

But so far, it seems software failure has had more of an effect on the power grid than computer intrusion. Nevertheless, both Weiss and EPRI's Kropp believe that the final report is right to place more emphasis on cybersecurity than software reliability. "You don't try to look for something that's going to occur very, very, very infrequently," says Weiss. "Essentially, a blackout like this was something like that. There are other issues that are higher probability that need to be addressed."
From isn at c4i.org Mon Apr 12 03:59:45 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 12 04:13:09 2004
Subject: [ISN] Linux Advisory Watch - April 9th 2004
Message-ID:

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  April 9th, 2004                        Volume 5, Number 15a   |
+----------------------------------------------------------------+

Editors: Dave Wreski (dave@linuxsecurity.com), Benjamin Thomas (ben@linuxsecurity.com)

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for the Linux kernel, interchange, fte, sysstat, oftpd, squid, heimdal, tcpdump, portage, kde, tcpdump, sysstat, ClamAV, Automake, and mplayer. The distributors include Debian, Gentoo, Mandrake, and Turbolinux.

----

NEW Step-by-Step SSL Guide for Apache from Thawte

Thawte's new guide will show you how to test, purchase, install and use a Thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://ad.doubleclick.net/clk;7739216;9007465;r

----

File Integrity Monitoring

Recently, I stumbled across a relatively new tool called AFICK. It stands for Another File Integrity CHecker. It is similar to both Tripwire and AIDE. AFICK is GPLed and completely written in PERL. It is extremely flexible and has been tested on a wide range of Linux, Windows, and Unix systems. According to the AFICK project website, it has a decent performance advantage over AIDE. However, I have not independently verified this. If you're looking for a new toy to play with, I recommend giving it a try.

Installing and using AFICK is a piece of cake. The core piece of code is command line based.
A perl-based GUI and a webmin module are also available for easy administration. AFICK is available as an independent tar.gz, zip, RPM, and Debian package. It is a good idea to take a look at the afick.conf file before attempting to execute the script.

AFICK can be used with only a few simple commands. To use AFICK, an OS configuration file must be specified and then your system initialized. This can be done with the following command:

  # afick.pl -c linux.conf -i

During the initialization process it builds a database of checksums for all files on your system. Next, to compare the checksums of your files with the values stored in the database, run the following command:

  # afick.pl -c linux.conf -k

After making changes to a system, it is necessary to update the checksum database. Updating is also easy:

  # afick.pl -c linux.conf -u

As with all integrity checking software, it is advisable to create a cron job that will compare the files' checksums with the database at a regular interval. Also, the integrity of the database itself is very important: if it is compromised, further changes to the system may go undetected. Storing the database on write-protected media helps with this problem.

While the commands above may seem simple, AFICK's functionality is not limited to those alone. A full listing of command line options is available on the AFICK website:
http://afick.sourceforge.net/man.html

Until next time, cheers!
Benjamin D. Thomas
ben@linuxsecurity.com

----

Guardian Digital Launches Next Generation Internet Defense & Detection System

Guardian Digital has announced the first fully open source system designed to provide both intrusion detection and prevention functions. Guardian Digital Internet Defense & Detection System (IDDS) leverages best-in-class open source applications to protect networks and hosts using a unique multi-layered approach coupled with the security expertise and ongoing security vigilance provided by Guardian Digital.
http://www.linuxsecurity.com/feature_stories/feature_story-163.html

--------------------------------------------------------------------

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.
http://www.linuxsecurity.com/feature_stories/feature_story-162.html

--------------------------------------------------------------------

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

4/5/2004 - kernel 2.4 mips/pa-risc: Privilege escalation vulnerabilities
  Herein is combined the Debian advisories for the same kernel bugs on both the mips and pa-risc platforms.
  http://www.linuxsecurity.com/advisories/debian_advisory-4190.html

4/5/2004 - interchange: Missing input sanitation
  This vulnerability can be exploited by an attacker to expose the content of arbitrary variables.
  http://www.linuxsecurity.com/advisories/debian_advisory-4191.html

4/5/2004 - fte: Multiple buffer overflow vulnerabilities
  This patch removes setuid root from vfte, which has a number of known buffer overflows.
  http://www.linuxsecurity.com/advisories/debian_advisory-4192.html

4/5/2004 - sysstat: Insecure temporary file vulnerability
  As usual for temporary file vulnerabilities, this allows local users to read/overwrite arbitrary files with the permissions of the running user.
  http://www.linuxsecurity.com/advisories/debian_advisory-4193.html

4/5/2004 - oftpd: Denial of service vulnerability
  A remote attacker could cause the oftpd process to crash by specifying a large value in a PORT command.
  http://www.linuxsecurity.com/advisories/debian_advisory-4194.html

4/5/2004 - squid: ACL bypass vulnerability
  A URL can be crafted to be ignored (and automatically pass) by Squid's ACL system.
  http://www.linuxsecurity.com/advisories/debian_advisory-4195.html

4/6/2004 - heimdal: Cross-realm impersonation vulnerability
  Patch fixes an error which allows someone with control over a realm to impersonate anyone in the cross-realm trust path.
  http://www.linuxsecurity.com/advisories/debian_advisory-4197.html

4/6/2004 - xine-ui: Insecure temporary file vulnerability
  Bug allows attacker to read/write arbitrary files with the permissions of the program user.
  http://www.linuxsecurity.com/advisories/debian_advisory-4198.html

4/7/2004 - tcpdump: Denial of service vulnerability
  Crafted invalid ISAKMP packets can remotely crash tcpdump.
  http://www.linuxsecurity.com/advisories/debian_advisory-4203.html

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

4/6/2004 - Portage: Insecure temporary file vulnerability
  Exploitation of this bug could allow an attacker to wipe out the contents of an arbitrary file.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4199.html

4/6/2004 - kde: Buffer overflow vulnerability
  KDE-PIM may be vulnerable to a remote buffer overflow attack that may allow unauthorized access to an affected system.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4200.html

4/6/2004 - tcpdump
  Multiple buffer overflows
  Attacker could exploit this to execute arbitrary code with the permissions of the 'pcap' user.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4201.html

4/7/2004 - sysstat
  Multiple vulnerabilities
  Multiple vulnerabilities may allow an attacker to execute arbitrary code or overwrite arbitrary files.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4204.html

4/7/2004 - ipsec-tools
  Key non-verification vulnerability
  Multiple vulnerabilities
  racoon (a utility in the ipsec-tools package) does not verify digital signatures on Phase1 packets.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4207.html

4/7/2004 - util-linux
  Information leak vulnerability
  Multiple vulnerabilities
  Due to a pointer error, the 'login' program might leak sensitive information.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4208.html

4/7/2004 - ClamAV
  Denial of service vulnerability
  ClamAV is vulnerable to a denial of service attack when processing certain RAR archives.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4209.html

4/8/2004 - Automake
  Symbolic link vulnerability
  Automake may be vulnerable to a symbolic link attack which may allow an attacker to modify data or elevate their privileges.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4210.html

+---------------------------------+
| Distribution: Mandrake          | ----------------------------//
+---------------------------------+

4/6/2004 - mplayer
  Buffer overflow vulnerability
  Exploitation could result in the execution of arbitrary code with the permissions of the user.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4202.html

4/7/2004 - fileutils/coreutils
  Denial of service vulnerability
  Buffer overflow vulnerability
  'ls' can be made to segfault upon listing directories with large numbers of files on an amd64 platform.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4205.html

+---------------------------------+
| Distribution: Turbolinux        | ----------------------------//
+---------------------------------+

4/7/2004 - apache/httpd/libxml2/mod_python
  Multiple vulnerabilities
  Buffer overflow vulnerability
  Many fixes for buffer overflows and DoS attacks.
  http://www.linuxsecurity.com/advisories/turbolinux_advisory-4206.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Apr 12 03:59:57 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 12 04:13:13 2004
Subject: [ISN] SecurityDocs.com - Website Indexes Security White Papers
Message-ID:

Forwarded from: Mitchell Rowton

SecurityDocs.com was founded two months ago with the intention of indexing information security white papers. The web site currently has about 1,400 papers in over 80 categories.

Google has always been the best research tool for InfoSec professionals, but the results often point to home pages or product marketing brochures. Security professionals moderate the submission of all documents on SecurityDocs and only allow papers that have a significant technical value. Marketing material and vendor fluff is not accepted.

The value of SecurityDocs is that it collects white paper metadata from other popular security sources. This allows InfoSec professionals to browse by category or search for papers based on the category, description, title, rating, and other information specific to that paper. Allowing viewers the ability to rate and comment on papers gives future readers a better expectation of the paper's value.

SecurityDocs is completely free and does not require registration before accessing any of the features.
http://www.securitydocs.com From isn at c4i.org Mon Apr 12 04:00:11 2004 From: isn at c4i.org (InfoSec News) Date: Mon Apr 12 04:13:14 2004 Subject: [ISN] The federal computer security report card: Lessons from Uncle Sam Message-ID: http://www.computerworld.com/securitytopics/security/story/0,,91899,00.html Opinion by Marc Gartenberg APRIL 08, 2004 COMPUTERWORLD For the fourth year in a row, the federal government released its "Report Card on Computer Security at Federal Departments and Agencies" (download PDF) [1]. The average grade for fiscal 2003 was a D (65). The overall average grade in 2002 was an F (55); in 2001, it was also an F (53). Since 2000 was the first year that any measurements were taken, that year's score was "Incomplete" with a letter grade of D-. Looking at the situation through the lens of an eternal optimist (and realist), maybe, just maybe, agency heads, the Office of Management and Budget and Congress will start looking for ways to get these agencies where they should be. An empire in the age of technology can and should be able to get passing grades in information security. As an alternative to looking at the trends and drawing the conclusion that things aren't really that bad since, after all, the overall score is improving, let's examine instead the underlying factors that led to these scores. Then we can see why our dear Uncle Sam needs some help, and we can offer some suggestions. Through this analysis, it will become clear that the issues are related to establishing, maintaining and measuring enterprise security management strategy as part of the systems development life cycle so that no government agency or company ever has to settle for a D. Why the bad grades? To answer that, we need to examine the factors upon which the scorecard is based. These include certification and accreditation processes and recognize subtle distinctions in the categories of IT systems, namely general support systems and major applications (a.k.a. 
mission-critical applications), and realize that there are still many legacy systems long overdue for retirement. Ready? First, here's the process, which sounds simple. The National Institute of Standards and Technology (NIST), a component of the U.S. Department of Commerce, publishes and updates its policy guidance for information security. Federal agency security chiefs are supposed to see that these guidelines are followed within their agencies. The problem is that the NIST guidance isn't very concise regarding implementation. It also isn't an operational procedure manual. Rather, to a great extent, it's a higher-level management policy document. This creates a gap between knowing what to do and how to do it. Yet the scorecard rates an agency on how well it implements the guidelines. Then there's the reporting scheme, which is handled by each agency's own Office of the Inspector General. These offices are designed as semi-autonomous bodies operating within and under the jurisdiction of each agency head. Another factor is that this year agencies had to meet the requirements of the Federal Information Security Management Act (FISMA). This law expands on the information-security evaluation and reporting requirements enacted in 2001 under the Government Information Security Reform Act (GISRA). Under FISMA, agencies must demonstrate their progress in areas including risk management, contingency and continuity procedures to ensure that their mission-critical and general-support systems are protected. This includes annual IT security reviews, reporting and remediation planning on systems at all stages of the systems development life cycle. So while agencies in previous years were showing improvements on the standards according to GISRA, the fact that the regulations changed midstream caused many agencies to have a problem meeting the new mandates. When all these dependent variables are synthesized, you can see that getting an A isn't all that easy. 
Is it fission or fusion? Interestingly, though, FISMA has been a long time coming, and the federal security chiefs had fair time and warning before the sun set on GISRA. It's also noteworthy that the grades in previous years weren't much better -- how could they get any worse? Last year's grade average was an F. This year it's a D. So, maybe things are getting better. It's hard to say, since each agency, regardless of size, is given an equal weight in determining the overall average, so a couple of A's such as for the National Science Foundation and the Nuclear Regulatory Commission (whew!) helped improve the scores a bit overall. The ROI of security Federal and industry chief security officers will agree that it's hard to build a tangible case for increased security appropriations. This is primarily because it's hard to quantitatively justify increased spending on IT security because there's little tangible immediate return on investment. That's what makes IT security policy development all the more challenging. Namely, proving that the need exists and that a properly formed strategy can mitigate risks, protect critical information assets and ensure confidentiality, integrity and availability. One way to increase appropriations, though, is to fail a security audit and place the blame on inadequate funding, which is essentially what's happening. The fiscal 2005 federal budget increases IT spending by about 10% over fiscal 2004, to close to $60 billion. A company, especially a public one, has to maintain solid earnings while building equity. Meanwhile, it takes leadership and vision to recognize the value of a solid IT enterprise security policy. Much has been written on demonstrating ROI for IT security, so I won't get too granular here. Suffice it to say that it doesn't take too much effort to perform a solid risk assessment and produce a risk-level matrix that clearly demonstrates the risk thresholds of any enterprise. 
The tough part is gaining support and momentum for developing a solid set of plans (contingency, continuity of operations, training and education) and to ensure that these plans get the critical executive-level support within the organization. Lessons learned - the "P word" That would be policy, and that's just what NIST provides. But that's not enough. The federal government - and this applies to industry as well - needs guidance but also needs procedures to follow. The average IT professional needs a set of standards to subscribe to and a set of guidelines on how to meet those standards. That's the missing piece, which I hope will be recognized and developed sometime soon. It was another year of dismal federal IT security grades, and the complexities and threats in the world aren't diminishing. Government agencies and related organizations have their work cut out for them, but the pieces are there. By optimizing talent, focusing on embedding security into the systems development cycle and including further refinement of continuity planning, along with the continual retirement of legacy systems, the overall grades should show improvement next year. [1] http://public.ansi.org/ansionline/Documents/Standards%20Activities/Homeland%20Security%20Standards%20Panel/ComputerSecurity.pdf From isn at c4i.org Mon Apr 12 04:00:23 2004 From: isn at c4i.org (InfoSec News) Date: Mon Apr 12 04:13:15 2004 Subject: [ISN] OS X Trojan Horse Is a Nag Message-ID: http://www.wired.com/news/mac/0,2125,63000,00.html By Leander Kahney Apr. 09, 2004 (Editor's note: This story corrects an earlier report that stated that the Macintosh operating system had become a target of a malicious Trojan Horse.) Security experts on Friday slammed security firm Intego for exaggerating the threat of what the company identified as the first Trojan for Mac OS X. 
On Thursday, Intego issued a press release saying it had found OS X's first Trojan Horse, a piece of malware called MP3Concept or MP3Virus.Gen that appears to be an MP3 file. If double-clicked and launched in the Finder, the Trojan accesses certain system files, the company claimed. While Intego said the Trojan was benign, it said future versions could be authored to delete files or hijack infected machines. In the release, and in subsequent telephone interviews, Intego was vague about the purported Trojan's workings and its origins. On Friday, Mac programmers and security experts accused the company of exaggerating the threat to sell its security software. "They gave the impression that this is a threat, but it isn't," said Dave Schroeder, a systems engineer with the University of Wisconsin. "It is a benign proof of concept that was posted to a newsgroup. It isn't in the wild, and can't be spread in the wild. It's a non-issue." "They are spreading FUD to sell their software," said Ryan Kaldari, a programmer from Nashville, Tennessee, referring to the shorthand for fear, uncertainty and doubt. Rob Rosenberger of Vmyths said he'd seen virus hype many, many times, and if antivirus companies put out alarmist press releases, it's for one of two reasons: "Either they're delusional or they're trying to own the hysteria," he said. "This has been going on for 16 years now." Rachel Keiserman, a tech-support person at Intego, denied on Friday that her company exaggerated the threat or was attempting a publicity stunt. "It's not a hoax or anything like that." She declined to comment further and pointed to a press release listing questions and answers, which defended the company's decision to classify the issue as a threat. "While the first versions of this Trojan Horse that Intego has isolated are benign, this technique opens the door to more serious risks," the company said. 
"The exploit that it uses is both insidious and dangerous, and it is our duty as a vendor of Macintosh security solutions to protect our users. We don't believe in waiting until the damage occurs, unlike some of our competitors." Technically, the threat isn't a Trojan Horse by the standard definition: It isn't a working piece of malicious code and can't easily be spread to other computers, experts said. Instead, it is a demonstration of a possible threat. "We're talking about theoreticals here," said Schroeder. "It is possible for OS X to be infested with Trojans, viruses and security issues, but until it is, they aren't justified in raising the alarm." The demonstration contains a real MP3 file of someone laughing. When launched in jukebox software like iTunes, the MP3 file plays and nothing else happens. But if double-clicked in the Finder, the MP3 file plays and a warning is displayed. The program can't be spread by e-mail or through a file-sharing network unless it is compressed using software like Aladdin's Stuffit. Failing to compress the MP3 file before sending it renders the software inoperative. The program exploits a vulnerability that goes back to the original Mac operating system: The system allows programs to appear as a file. Programs can have any icons, names or file extension. In other words, users could be tricked into activating a malicious program, thinking they were opening a document, picture or song. The vulnerability was exploited several times by Trojans authored for previous versions of the Mac OS. Mac programmer Bo Lindbergh wrote the threat demonstration and posted a link on the comp.sys.mac.programmer.misc newsgroup on March 20. The link leads to a site in Sweden. The file has now been removed. Lindbergh didn't respond to an e-mail requesting comment. Symantec on Friday said it was aware of the software. 
"It is a proof-of-concept Trojan that does affect the Mac platform; however, it is currently not present in the wild," the company said in a statement. It said it would continue to monitor the situation. Likewise, Apple spokeswoman Natalie Sequeira said the company was investigating. "We are aware of the potential issue identified by Intego and are working proactively to investigate it," she said. From isn at c4i.org Mon Apr 12 04:00:36 2004 From: isn at c4i.org (InfoSec News) Date: Mon Apr 12 04:13:16 2004 Subject: [ISN] NY Times hacker sentencing delayed Message-ID: http://www.theregister.co.uk/2004/04/10/nyt_sentence_delay/ By Kevin Poulsen SecurityFocus 10th April 2004 Adrian Lamo's sentencing hearing for his 2002 intrusion into the New York Times internal network was postponed this week. The 22-year-old hacker appeared with his attorney in federal court in New York Thursday for what was originally scheduled to be his sentencing. Instead, federal judge Naomi Buchwald agreed to put off the hearing until June 16th, according to court records, which do not otherwise explain the postponement. Reached by phone, Lamo declined to comment, as did his lawyer, public defender Sean Hecker. The reticence is unusual for Lamo, who gained national attention for finding and playfully exploiting gaping security holes at large corporations, including Excite@Home and Worldcom, then openly discussing the details with the press. The federal case against Lamo began in February, 2002, when, according to court documents, FBI agent Christine Howard read about the New York Times hack on SecurityFocus, which first reported on the incident. Lamo said at the time that he penetrated the Times after a two-minute scan turned up seven misconfigured proxy servers acting as doorways between the public Internet and the Times private intranet, making the latter accessible to anyone capable of properly configuring their Web browser. 
Once inside, Lamo exploited weaknesses in the Times password policies to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper's employees, logs of home delivery customers' stop and start orders, instructions and computer dial-ups for stringers to file stories, lists of contacts used by the Metro and Business desks, and the "WireWatch" keywords particular reporters had selected for monitoring wire services. He also added his real name, phone number and email address to a database of 3,000 contributors to the Times op-ed page, where he listed himself as an expert in "Computer hacking, national security, communications intelligence."

In a plea deal with prosecutors, Lamo pleaded guilty last January to a single count of computer fraud for cracking the New York Times internal network and recklessly causing damage exceeding $5,000. The prosecution and defense agreed on a six to twelve month sentencing range which, under federal guidelines, could permit Lamo to serve his sentence under house arrest or confined to a halfway house, at the court's discretion. The judge is not bound by the sentencing recommendation, and could sentence Lamo to more or less time. The hacker also potentially faces $15,000 to $20,000 in fines, and could be ordered to pay financial restitution.

As part of the plea, both sides stipulated that the hacker caused between $30,000 and $70,000 in losses through a combination of his unauthorized use of the Times' Lexis-Nexis account, and his access to an unprotected Microsoft customer service database. (The Microsoft incident, which took place in 2001, was unrelated to the Times intrusion, but was included in the plea as "relevant conduct" for sentencing purposes.)

Lamo is now a student at a community college in Sacramento, California, where he's studying journalism. He was originally freed on a $250,000 bond, secured in part by his parents' house, where the court ordered him to live.
But on Thursday Lamo was released on his own recognizance, according to court records. From isn at c4i.org Tue Apr 13 04:46:53 2004 From: isn at c4i.org (InfoSec News) Date: Tue Apr 13 05:55:13 2004 Subject: [ISN] DHS Could Respond to Cyber Attack on Critical Infrastructure Message-ID: Forwarded from: Mark Bernard http://www.fcw.com/fcw/articles/2004/0329/web-dhs-03-30-04.asp By Florence Olsen March 30, 2004 In the event of a cyberattack on the nation's infrastructure, the Homeland Security Department would have the authority and the wherewithal to coordinate an appropriate response, department officials told lawmakers today. Members of the House Select Committee on Homeland Security questioned top information technology officials at DHS, focusing on recent reports that the department remains disorganized within and not well-coordinated with other federal, state and local agencies and the private sector. Rep. Robert Andrews (D-N.J.) said he is concerned about the lack of clear lines of authority for responding to a national cyberattack. "Who's in charge when we have a crisis?" he asked. Robert Liscouski, assistant secretary for infrastructure protection at DHS, said lines of communication are in place so that DHS could coordinate a national response. He said DHS' authority to coordinate a response is based on a presidential directive, Homeland Security Presidential Directive No. 7, which President Bush issued on Dec. 17, 2003. Authorities are still filling in the details of that directive, he said. The fiscal 2005 budget for the National Cyber Security Division is $79 million, most of which is allocated for building up a national cyberspace security readiness and response system, Liscouski said. The core of that system is the existing U.S. Computer Emergency Readiness Team. 
For its internal security needs, department officials announced that they will use a commercial product, called Trusted Agent FISMA, to capture and maintain security reporting data required under the Federal Information Security Management Act of 2002. Steven Cooper, DHS' chief information officer, said the use of that tool should "improve the timeliness and accuracy of our reporting." DHS has fared poorly in recent reports on FISMA compliance.

From isn at c4i.org Tue Apr 13 04:47:10 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 13 05:55:14 2004
Subject: [ISN] Linux Security Week - April 12th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  April 12th, 2004                             Volume 5, Number 15n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "AFICK: Another File Integrity Checker," "File And Email Encryption With GnuPG," and "Networking improvements in the 2.6 kernel."

----

>> Secure Online Data Transfer with SSL <<

Get Thawte's new introductory guide to SSL security which covers the basics of how it operates. A discussion of the various applications of SSL certificates and their appropriate deployment is also included along with details of how to test SSL on your web server.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawte02

----

LINUX ADVISORY WATCH: This week, advisories were released for the Linux kernel, interchange, fte, sysstat, oftpd, squid, heimdal, tcpdump, portage, kde, tcpdump, sysstat, ClamAV, Automake, and mplayer. The distributors include Debian, Gentoo, Mandrake, and Turbolinux.
http://www.linuxsecurity.com/articles/forums_article-9160.html

----

Guardian Digital Launches Next Generation Internet Defense & Detection System

Guardian Digital has announced the first fully open source system designed to provide both intrusion detection and prevention functions. Guardian Digital Internet Defense & Detection System (IDDS) leverages best-in-class open source applications to protect networks and hosts using a unique multi-layered approach coupled with the security expertise and ongoing security vigilance provided by Guardian Digital.

http://www.linuxsecurity.com/feature_stories/feature_story-163.html

----

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.

http://www.linuxsecurity.com/feature_stories/feature_story-162.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Growing Acceptance of Linux has Dark Side
  April 9th, 2004

  There are still few viruses aimed at Linux, says David Wreski, chief executive officer of Guardian Digital Inc., an Allendale, N.J., maker of Internet and security applications for Linux, but there have been Linux-specific viruses and worms and the threat is growing.

  http://www.linuxsecurity.com/articles/host_security_article-9162.html

* Understanding Patches
  April 8th, 2004

  When vendors become aware of vulnerabilities in their products, they often issue patches to fix the problem. Make sure to apply relevant patches to your computer as soon as possible so that your system is protected.
  http://www.linuxsecurity.com/articles/host_security_article-9157.html

* AFICK: Another File Integrity Checker
  April 8th, 2004

  Afick stands for "Another File Integrity Checker". It is a security tool, very close to the well-known Tripwire. It allows you to monitor the changes on your file systems, and so can detect intrusions. It's designed to be quick and portable (Perl script) on Unix and Windows operating systems.

  http://www.linuxsecurity.com/articles/host_security_article-9155.html

* Introduction to Enterprise Linux
  April 7th, 2004

  Summary: What is Enterprise Linux? Who has it? What does it cost? Are there any viable free alternatives? These are all questions that this article will address and try to answer.

  http://www.linuxsecurity.com/articles/vendors_products_article-9149.html

* Volunteer Security Pros Launch Free Vulnerability Database
  April 6th, 2004

  A group of volunteer security professionals has compiled what is likely one of the larger freely accessible vulnerability databases on the Internet. The OSVDB (Open Source Vulnerability Database) is meant to serve as a central collection point for information on any and all security vulnerabilities.

  http://www.linuxsecurity.com/articles/security_sources_article-9146.html

* Forrester questions Linux security
  April 6th, 2004

  A new study from Forrester Research has concluded that the Linux operating system is not necessarily more secure than Windows. The report finds that on average, Linux distributors took longer than Microsoft to patch security holes, although Microsoft flaws tended to be more severe.

  http://www.linuxsecurity.com/articles/general_article-9142.html

* File And Email Encryption With GnuPG (PGP)
  April 5th, 2004

  File and mail security is easy to achieve with the right tools. PGP has proven itself the leader, and GnuPG is the tool of choice in the Linux world. Anyone who has read this column a while knows I'm a bit obsessive about crypto.
  With the speed of modern or even old processors, there's no reason that there should be any cleartext transmissions on the Internet at all.

  http://www.linuxsecurity.com/articles/cryptography_article-9134.html

+------------------------+
| Network Security News: |
+------------------------+

* Networking improvements in the 2.6 kernel
  April 7th, 2004

  The new Linux 2.6 kernel offers many improvements over the 2.4 version. One area of technical advancement is in the kernel networking options. Although there are enhancements in most of the files associated with the networking options, this article focuses on major feature improvements and additions that affect entire sections rather than on specific files.

  http://www.linuxsecurity.com/articles/network_security_article-9153.html

+------------------------+
| General Security News: |
+------------------------+

* ROI: A Measure Of IT Success
  April 8th, 2004

  It is certainly difficult to justify investments in security protection and assign a dollar amount to the level of security needed to keep an organization safe. Incorrect decisions may lead to an exhaustion of resources or an oversight in areas needing protection, potentially resulting in a breach. Says Wreski, "Investing in a solid infrastructure with room for future expansion up front is good business sense, and leveraging open-source solutions that consistently deliver greater ROI, increased security protection, and better flexibility will fundamentally change how information is managed."

  http://www.linuxsecurity.com/articles/general_article-9154.html

* The Issue of Compliance - It's Here and It's Expanding!
  April 8th, 2004

  Complexity of language aside, Sarbox has wide-ranging implications that span the breadth of the high-tech industry. It has become increasingly important to know which portions of the law apply to your organization, and to the organizations that you do business with.
  http://www.linuxsecurity.com/articles/general_article-9159.html

* The Myth of the Secure Operating System?
  April 5th, 2004

  The old adage about there being "safety in numbers" no longer applies, at least not in the world of IT security. Microsoft platforms are not only the most widespread, but also the most attacked. About that much, most -- but not all -- commentators agree.

  http://www.linuxsecurity.com/articles/network_security_article-9138.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From wk at c4i.org Tue Apr 13 05:20:34 2004
From: wk at c4i.org (William Knowles)
Date: Tue Apr 13 05:55:14 2004
Subject: [ISN] Auditors working on cyber-risk standard
Message-ID:

http://www.computerweekly.com/articles/article.asp?liArticleID=129851&liArticleTypeID=1&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1

by Nick Huber
13 April 2004

Plans by an industry consortium to develop a checklist to assess cyber-threats could help IT directors justify security spending and help protect companies against hackers, according to IT directors and industry experts.

The consortium, which includes the Big Four accountancy firms and US-based insurance giant AIG International, aims to agree a cyber-risk model that can be used by companies in all industries. Auditors and insurers could also use the risk preparedness index to help decide whether a company has adequate IT security arrangements.

Although details of the framework have yet to be finalised - and the companies involved in the consortium have declined to comment further - security experts said it will focus on an organisation's IT security safeguards, such as its firewalls and anti-virus software, and compare this to the security threats it faces.
IT directors welcomed the security initiative. "IT infrastructure risk management is of critical importance to the industry and Barclays broadly welcomes the principles behind this initiative," said Barclays Group chief technology officer Kevin Lloyd. "We will continue to monitor the development of this framework with interest," he said. Nick Leake, director of operations and infrastructure at ITV, said, "I think the real value of this approach is in sorting out the companies with dreadful levels of non-compliance/operation from those with high levels. It will not be much use in distinguishing the better of two already very compliant operations. "And as with all these things, it will have to be kept up-to date," he said. Industry experts said a model for measuring security risk would be a breakthrough if it was widely adopted. The model would also help IT departments justify security spending. "The new security standard looks promising, although a lot of the devil will be in the detail," said Graham Titterington, principal analyst at Ovum. "It will make it easier for people to justify spending on IT security because the backers of the standard are blue chip companies, which gives it credibility with the board." Current standards for information security, such as BS7799, do not focus primarily on assessing security risks to a business, Titterington added. Neil Barrett, technical director of security consultancy Information Risk Management, said the security model would allow IT directors to measure their organisations' security arrangements against a benchmark. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. 
Gray, USMC ---------------------------------------------------------------- C4I.org - Computer Security, & Intelligence - http://www.c4i.org ================================================================ Help C4I.org with a donation: http://www.c4i.org/contribute.html *==============================================================* From isn at c4i.org Tue Apr 13 05:37:26 2004 From: isn at c4i.org (InfoSec News) Date: Tue Apr 13 05:55:15 2004 Subject: [ISN] Slow down the security patch cycle Message-ID: http://www.computerworld.com/securitytopics/security/story/0,,92037,00.html Opinion by Bill Addington APRIL 08, 2004 COMPUTERWORLD There are many myths surrounding computer network security that are counterproductive to finding a true solution to the problem. One of these is the belief that vendors should speed up the process of producing and releasing patches for security vulnerabilities that have been discovered by security researchers. Instead, we need a completely different solution to the patch management problem, and part of the solution involves slowing down, not speeding up, patch releases. Slow them down? What about hackers taking advantage of the vulnerability in the meantime? What about those "zero day" exploits? To answer this, we need to know how the researcher/patcher/exploiter cycle really works and the motivations of each party in the cycle. This cycle is where researchers discover vulnerabilities, software companies patch the vulnerabilities and hackers exploit the vulnerabilities. First, let's define a zero day exploit. An exploit is a method devised to take advantage of a specific software vulnerability using a software virus, Trojan horse or worm. When the exploit is done without a virus, Trojan or worm, it's using an undocumented feature. The zero day type of exploit is discovered, not as part of the security research process, but when an active exploit is using a vulnerability the software developer was previously unaware of. 
Many different groups at that point rush to reverse-engineer the exploit to document the vulnerability. Antivirus vendors compete to be first to announce a method to detect and fix the exploit and the software vendor must devise and release a patch immediately to combat the exploit. By far the most common type of exploit is the buffer overflow, and software vendors are spending millions of dollars to find and prevent these types of vulnerabilities. These vulnerabilities still exist -- they are getting fewer in number, however, and finding them is now much more difficult. Part of my consulting practice to software vendors and their major customers is finding and reporting these types of vulnerabilities. Where I used to be able to do the "find vulnerabilities blindfolded with one arm tied behind my back" routine, I now actually have to work to find them in major software products [...] From isn at c4i.org Tue Apr 13 05:37:40 2004 From: isn at c4i.org (InfoSec News) Date: Tue Apr 13 05:55:16 2004 Subject: [ISN] Microsoft shuffles execs to combat security flaws Message-ID: http://news.com.com/2100-1009_3-5190183.html By Ina Fried Staff Writer, CNET News.com April 12, 2004 Microsoft has transferred two top executives to its security business unit, the latest in a series of shifts designed to put more resources into battling viruses and other threats. The company has shifted Gordon Mangione, head of Microsoft's SQL Server unit, to a new role as corporate vice president of security products. In his new position, Mangione will be responsible for the development and support of Microsoft security products, including the company's ISA Server, a product that acts as an intermediary between the Internet and a company's internal network. Microsoft also moved Rich Kaplan, who had been head of the company's content development and delivery group, to the newly created role of corporate vice president of security marketing. 
Kaplan has been doing some security work over the past year as Microsoft has sought to better publicize ways that companies can make using Microsoft products more secure. Kaplan also helped lead Microsoft's efforts regarding the Y2K issue. Mangione has had some experience dealing with security issues as well. He headed the SQL unit when the SQL Slammer worm hit more than a year ago. Both Kaplan and Mangione will report to Mike Nash, the corporate VP who heads Microsoft's Security Business and Technology Unit. A Microsoft representative said the move is designed to expand the number of executives involved in the security push. "We are pleased to add both Rich Kaplan and Gordon Mangione, two very experienced and talented executives," security business unit representative Amy Carroll said in a statement. Amid continued criticism over security gaps, the company is pouring resources into security, shifting engineers away from Longhorn--the next version of Windows--to the team adding security improvements to Windows XP via the Service Pack 2 upgrade due shortly. Microsoft said a replacement for Kaplan has not yet been named, while Mangione's duties will be assumed by Paul Flessner, the senior vice president of Microsoft's overall server platform division, as well as by several general managers. From isn at c4i.org Thu Apr 15 03:02:30 2004 From: isn at c4i.org (InfoSec News) Date: Thu Apr 15 03:12:55 2004 Subject: [ISN] Windows & .NET Magazine Security UPDATE--Free Security eBooks--April 14, 2004 Message-ID: ==================== ==== This Issue Sponsored By ==== CipherTrust http://list.winnetmag.com/cgi-bin3/DM/y/efTa0CJgSH0CBw0BHFc0A7 Windows Scripting Solutions http://list.winnetmag.com/cgi-bin3/DM/y/efTa0CJgSH0CBw0BFyu0AF ==================== 1. In Focus: Free Security eBooks 2. Security News and Features - Recent Security Vulnerabilities - News: Fortify Your Program Code - News: Seclarity Secures Desktops - News: Security for SANs - News: NetScreen Secure Meeting 3. 
Security Toolkit - FAQ - Featured Thread 4. New and Improved - Turn Your PC into a Burglar Alarm System ==================== ==== Sponsor: CipherTrust ==== Corporations are experiencing spam levels in excess of 60% of their total email volume. The effect of this volume on productivity, bandwidth and storage is significant and costly. But these are not the only effects. Spam now presents a serious threat to security with implications for network integrity and legal liability. In this white paper, you'll learn about the security threat presented by spam, as well as valuable insight into spammer methods and techniques, all from the experts in anti-spam and email security at CipherTrust. Take action now to secure your networks against spam! http://list.winnetmag.com/cgi-bin3/DM/y/efTa0CJgSH0CBw0BHFc0A7 ==================== ==== 1. In Focus: Free Security eBooks ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net You know that learning more about security is an ongoing process. Plenty of online resources--such as countless articles and white papers from a long list of businesses and individuals--can help you along the way. One particular type of resource that might interest you is eBooks. Numerous free security-related eBooks are available online, and this week, I want to tell you about a few of them that you might find useful. The first eBooks I want to mention are in our own Windows IT Library. We have several titles available right now and more in production. Some of the titles include "A Guide to Group Policy," "Content Security in the Enterprise--Spam and Beyond," "A Guide to Windows Power Tools," and "Preemptive Email Security and Management." You can download individual chapters or even entire books in .pdf format. http://www.windowsitlibrary.com/ebooks Another ebook you might find interesting is the independently published "IIS Security and Programming Countermeasures." 
Written by Jason Coombs, the book is available for download as a set of text files in one .zip file. You can read more about it in the related news story on our Web site. http://www.winnetmag.com/article/articleid/38829/38829.html Another great resource for eBooks is Realtime Publishers, which publishes a long list of titles, many of which pertain to security. A few of the titles you'll find at Realtime's Web site are "Email Management and Security," "Identity Management," "Windows 2000 Security," "Blocking Spam with Sender Validation," "Securing .NET Server," and "Email Protection." http://cc.realtimepublishers.com/rtp.asp Microsoft's Security Guidance Center, particularly the Products and Technologies Index, offers books, articles, and checklists that cover all of Microsoft's enterprise products. Subject matter includes older products, such as Windows 98; newer products, such as Windows Server 2003; and just about everything in between, such as Microsoft Exchange Server, IIS, Internet Security and Acceleration (ISA) Server, SQL Server, and Systems Management Server (SMS). Be sure to check out the Security Guidance Center, along with the other resources I mentioned, and consider bookmarking these URLs for future reference. http://www.microsoft.com/security/guidance/prodtech/default.mspx ==================== ==== Sponsor: Windows Scripting Solutions ==== Try a Sample Issue of Windows Scripting Solutions Windows Scripting Solutions is the monthly newsletter from Windows & .NET Magazine that shows you how to automate time-consuming administrative tasks by using our simple downloadable code and scripting techniques. Sign up for a sample issue right now, and find out how you can save both time and money. Click here! http://list.winnetmag.com/cgi-bin3/DM/y/efTa0CJgSH0CBw0BFyu0AF ==================== ==== 2. 
Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.winnetmag.com/departments/departmentid/752/752.html News: Fortify Your Program Code A new company, Fortify Software, offers solutions that help developers secure their program code during development and runtime. http://www.winnetmag.com/article/articleid/42319/42319.html News: Seclarity Secures Desktops Another new company, Seclarity, plans to debut its product at next month's NetWorld+Interop show in Las Vegas. Seclarity's SiNic uses a combination of hardware and software to provide firewall capabilities, authentication, access control, network translation, and encryption services for desktops. http://www.winnetmag.com/article/articleid/42320/42320.html News: Security for SANs Hifn announced new 4300 and 4350 HIPP III Storage Security Processors, which provide security for Storage Area Networks (SANs). The processors are designed to meet specifications for iSCSI, Fibre Channel over TCP/IP (FCIP), and Network Attached Storage (NAS). Hifn said the new processors are based on Hifn's FlowThrough architecture and handle IP Security (IPSec) on one chip. The 4300 model can handle throughput of 1Gbps in full duplex mode (2Gbps total), and the 4350 can handle as much as 4Gbps total. Processor prices start at $47 per chip for a quantity of 10,000. http://www.winnetmag.com/article/articleid/42321/42321.html News: NetScreen Secure Meeting NetScreen Technologies announced the NetScreen Secure Meeting appliances, which provide Secure Sockets Layer (SSL)-based security for online meetings and application sharing. 
The appliances support centralized management; clustering and fault tolerance; delegation of administration and scheduling; auditing; cross-platform operation for Windows, Mac OS, and Linux; and as many as 250 concurrent users per device. Secure Meeting is available in three models and as an upgrade for the company's Secure Access appliance. http://www.winnetmag.com/article/articleid/42322/42322.html ==================== ==== Announcements ==== (from Windows & .NET Magazine and its partners) Get 2 Free Sample Issues of SQL Server Magazine! SQL Server Magazine is a must-read resource loaded with relevant information covering database modeling and design, performance tuning, security, ADO.NET, ASP.NET, XML, and the latest topics that SQL Server developers, administrators, and business-intelligence architects need to know. Try two (no-risk) sample issues today, and discover the timesaving, helpful content the magazine has to offer. Click here: http://list.winnetmag.com/cgi-bin3/DM/y/efTa0CJgSH0CBw0BHFd0A8 Free "Group Policy Catalog" When You Attend "Group Policy--Why Management Matters in Your Enterprise" While Active Directory Group Policy plays a crucial role in helping you comply with industry regulations and reduce the total cost of managing end users and desktops, you must also find a managed way to distribute Active Directory security. Join us for this Web seminar with Jeremy Moskowitz and Indy Chakrabarti for an in-depth discussion about Group Policy and why to use it. Register now! http://list.winnetmag.com/cgi-bin3/DM/y/efTa0CJgSH0CBw0BG870A8 ==================== ==== Hot Release ==== Need to Secure Multiple Domain or Host Names? In this guide you will find out how to test, purchase, install and use a Thawte Digital Certificate on your MSIIS web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. 
Get your copy of this new guide now: http://list.winnetmag.com/cgi-bin3/DM/y/efTa0CJgSH0CBw0BHFe0AA

====================

==== 3. Security Toolkit ====

FAQ: Displaying Property Tabs in the AD Snap-in
by John Savill, http://www.winnetmag.com/windowsnt20002003faq

Q: Can I restore missing property tabs in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in?

A: If you use the Active Directory Users and Computers snap-in on a remote computer (such as a Windows XP workstation), you might notice that certain tabs are missing--for example, Published Certificates, Object, and Security. To display the tabs, select View, Advanced Features. The Dial-in tab is also missing, but you can't display the Dial-in tab on a remote XP workstation that uses the Active Directory Users and Computers snap-in. If you need to edit the options on the Dial-in tab, you can use Windows 2000 Server Terminal Services to log on to a domain controller (DC) and set the options on the remote workstation from the DC.

Featured Thread: VPN Solutions
(Two messages in this thread)

Roy is looking for some help with setting up a VPN. His network uses Windows Server 2003 with Active Directory (AD) and a Cisco Systems Cisco PIX 515E firewall that connects to the Internet through a 256Kbps leased line. Roy's company would like to provide worldwide access to company data and email for 10 to 15 people who use Windows XP and Windows 2000. Roy wonders how much of an exposure these remote users will be and would like an inexpensive VPN solution.
Lend a hand or read the responses: http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=119200 ==================== ==== Events Central ==== (A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events ) New Web Seminar--Preemptive Email Security: How Enterprise Rent-A-Car Eliminates Spam Get the inside scoop on how Enterprise Rent-A-Car eliminated spam and viruses, improved their email security, and increased productivity. Don't miss this opportunity to educate yourself and become a smarter customer when it comes to choosing an antispam solution that best fits your organization's needs. Sign up for this free Web seminar today! http://list.winnetmag.com/cgi-bin3/DM/y/efTa0CJgSH0CBw0BGhc0Af ==================== ==== 4. New and Improved ==== by Jason Bovberg, products@winnetmag.com Turn Your PC into a Burglar Alarm System IRCAS released IRCAS Alarm 2.0, motion-detection software for your home or office. IRCAS Alarm monitors images from your computer's camera to detect motion in a room. You can use a mobile phone, PDA, or PC to log on to IRCAS to look at the images that IRCAS Alarm has taken, turn your alarm on or off, or simply check the current status of your alarm system. When IRCAS Alarm senses motion, it alerts you immediately through email. IRCAS Alarm costs $79 for a one-user license and 12 months' use of IRCAS's secure server for storing images. You can download a free trial version from the company's Web site. http://www.ircas.com Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com. 
==================== ==== Sponsored Links ==== Argent Comparison Paper: The Argent Guardian Easily Beats Out MOM http://list.winnetmag.com/cgi-bin3/DM/y/efTa0CJgSH0CBw0BDWV0A7 Microsoft(R) TechNet Microsoft(R) TechNet Webcasts: essential guidance, industry experts http://list.winnetmag.com/cgi-bin3/DM/y/efTa0CJgSH0CBw0BG360A2 Postini Find out how Enterprise Rent-A-Car eliminates spam: Free Seminar http://list.winnetmag.com/cgi-bin3/DM/y/efTa0CJgSH0CBw0BG8I0AR ==================== ==== Contact Us ==== About the newsletter -- letters@winnetmag.com About technical questions -- http://www.winnetmag.com/forums About product news -- products@winnetmag.com About your subscription -- securityupdate@winnetmag.com About sponsoring Security UPDATE -- emedia_opps@winnetmag.com ==================== ==== Contact Our Sponsors ==== Primary Sponsor: CipherTrust -- http://www.ciphertrust.com -- 1-877-448-8625 Hot Release Sponsor: Thawte -- http://www.thawte.com ==================== This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today. http://www.winnetmag.com/sub.cfm?code=wswi201x1z You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you! View the Windows & .NET Magazine privacy policy at http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy Windows & .NET Magazine, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2004, Penton Media, Inc. All rights reserved. 
From isn at c4i.org Thu Apr 15 03:03:31 2004 From: isn at c4i.org (InfoSec News) Date: Thu Apr 15 03:12:56 2004 Subject: [ISN] Looking for a Few Developers Message-ID: Forwarded from: Forrest Rae

The OSVDB project has been growing steadily for the last 2 years. At first the software behind OSVDB was simple, and easily maintained by a single person with others contributing smaller pieces. Since the "Go Live" of the project, the development team has been swamped with an unexpected amount of pending work. This includes bugs, small feature requests, and new major functionality. The OSVDB Development team is currently looking for help. We are in need of developers to help manage the development work load. If you're interested please forward a technical resume to: moderators@osvdb.org

Requirements include familiarity with the following:

- Web Applications
- Linux (Gentoo preferred)
- Apache Web Server
- PHP
- SQL (PostgreSQL, PL/pgSQL preferred)
- OpenSSH
- CVS
- XML (XML-RPC, SOAP, XSLT etc...)

Why should you develop for OSVDB? Developing for OSVDB is very rewarding.

- The OSVDB project is extremely popular and your work will receive the proper attention.
- Developing for OSVDB will bring accreditation and exposure to your technical ability and provide an additional resume item if interested.
- Your efforts will help increase the level of security worldwide.
- The OSVDB project is made possible by a massive backend web application that autonomously handles workload distribution, editing, moderation, user scoring, and vulnerability status.
- Work on a team that is influencing the way the security industry gets vulnerability information.
-- Forrest Rae Lead Developer Open Source Vulnerability Database http://www.osvdb.org/ From isn at c4i.org Thu Apr 15 03:03:52 2004 From: isn at c4i.org (InfoSec News) Date: Thu Apr 15 03:12:57 2004 Subject: [ISN] Hackers breach supercomputer centers Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,92230,00.html News Story by Paul Roberts APRIL 14, 2004 IDG NEWS SERVICE In recent weeks, malicious hackers have infiltrated computer systems at universities in the U.S. and worldwide, leading to questions about the security of scientific research data, according to an official at the National Science Foundation. The systems were located at universities and research facilities that operate high-performance computer centers, including facilities that are part of a project funded by the NSF called TeraGrid, said Sangtae Kim, director of the Division of Shared CyberInfrastructure at the NSF, an independent U.S. government agency. Supercomputing centers at U.S. universities, including the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign and the Center for Advanced Computing Research at the California Institute of Technology, are partners in the TeraGrid project. Systems at TeraGrid partner facilities were hacked, but no systems that make up TeraGrid itself were compromised, Kim said. The NSF doesn't know who was behind the attacks, but the agency believes the attacks were part of a much larger action that affected high-end systems worldwide, including sites in Europe. Many of the compromised systems are connected to university research centers, Kim said. Stanford University's Information and Technology Systems and Services (ITSS) group published a security alert on Saturday warning researchers about compromises of a number of systems running the Sun Solaris and Linux operating systems on the Stanford campus. 
The advisory also noted that the attacks were part of a move against "a large number of research institutions and high performance computing centers." The university became aware of the intrusions after users noticed discrepancies in the time of their last reported log-in, which indicated that their log-in information had been hijacked. Other systems began performing poorly or started reporting errors after the intruders installed so-called rootkits, or programs that allow the malicious hacker to disguise his presence and gather information such as usernames and passwords from the compromised system, the ITSS alert said. Attackers gained access to the systems by cracking or sniffing passwords from insecure network traffic such as Telnet remote communications sessions or from password files on other compromised systems, according to the alert. Once logged onto a system, the attackers looked for systems that didn't have up-to-date operating system patches and then used known software exploits to elevate their privileges from user to administrator (or "root") status. Other systems fell to hackers because of loose security configurations for Network File Service, a way to share files and directories over networks or the Internet. Many institutions have applied loose security to those shared directories to "facilitate the distribution of system management and data processing tasks," the advisory said. The ITSS group recommended that compromised systems be taken off the network and completely rebuilt, with new versions of the operating system and up-to-date patches installed. Universities that cooperate to conduct scientific research are particularly susceptible to compromise because of the open nature of their missions, according to Jonathan Bingham, president of Intrusic Inc. in Waltham, Mass., which sells technology to spot covert and illicit activity on computer networks, which it terms "noiseless action." 
"You've got large groups of individuals trying to access systems from all over the world, so universities commonly have portions of their network set up almost like the Internet in that access is wide open," Bingham said. Malicious hackers can easily gain access to less secure areas of a university's network and then listen to network traffic to capture the credentials needed to access more sensitive areas, he said. While some experts raised the specter of massive denial-of-service attacks using the hijacked supercomputers, the real threat to the TeraGrid project and the universities that got hacked is from stealthier behavior, such as quietly leaking sensitive data from compromised research machines, Bingham said. Rebuilding and patching compromised systems will close the holes that the intruders used, but it is no guarantee that the malicious hackers behind the compromise no longer have access to the sensitive networks. "Once they're in a network of this size and scope, they're going to compromise other systems using stealth techniques that are different from the ones they used to get in. Once you figured out [the compromise] and know what systems are vulnerable, they're already on a different system," Bingham said. From isn at c4i.org Thu Apr 15 03:04:09 2004 From: isn at c4i.org (InfoSec News) Date: Thu Apr 15 03:12:58 2004 Subject: [ISN] Cisco Admits Security Problem, Issues Stronger Protocol Message-ID: http://www.informationweek.com/story/showArticle.jhtml?articleID=18901468 By Mobile Pipeline News April 14, 2004 Cisco Systems has acknowledged security problems with its proprietary Lightweight Extensible Authentication Protocol (LEAP) and released a new security protocol that it said eliminates the threat. The problems with LEAP were highlighted by the release last week of a tool that attacks the protocol. The tool, called "asleap," was released by Joshua Wright, a security architect for Johnson & Wales University. 
Cisco then released its EAP Flexible Authentication via Secure Tunneling (EAP-FAST) protocol, which it said isn't vulnerable to dictionary attacks. It announced the release--and acknowledged the problems with LEAP--in a security notice posted on Cisco's site. In that notice, Cisco acknowledged that, "as with most password-based authentication algorithms, Cisco LEAP is vulnerable to dictionary attacks." It described EAP-FAST as a protocol "for users who wish to deploy an 802.1X Extensible Authentication Protocol type that doesn't require digital certificates and isn't vulnerable to dictionary attacks." Cisco suggested that if people want to continue using LEAP, they should create a strong password policy. Otherwise, the security notice suggested, they may wish to migrate to EAP-FAST or similar protocols such as PEAP or EAP-TLS. From isn at c4i.org Thu Apr 15 03:04:27 2004 From: isn at c4i.org (InfoSec News) Date: Thu Apr 15 03:12:59 2004 Subject: [ISN] Microsoft Patches: Too Much of a Good Thing? Message-ID: http://www.microsoft-watch.com/article2/0,1995,1567937,00.asp By Mary Jo Foley April 14, 2004 It's like clockwork these days: Every second Tuesday of the month, Microsoft releases its amalgamated security patches and fixes. Microsoft's customers have come to plan on this monthly happening. And many of them have programmed their systems to automatically download the patches when they appear - usually around 10 a.m. PST. So what's the problem? Too many users hitting too few servers. The result? Problems connecting to Microsoft's Windows Update site, where the downloadable patches reside. "Now that more people are aware that updates are due on the second Tuesday - I'm seeing what I thought would happen...Denial of service of Windows Update from their own customers," said one Microsoft customer, systems engineer Rafael Cappas. "I checked Windows Update at 5 p.m. PST last night and it was unresponsive and received many 'server too busy' messages. 
I checked Windows Update at 9 a.m. EST this morning and the same problems were present," he said. "Microsoft can add more servers to clusters but that would not be the solution, especially as more and more home users, small business users and even corporate customers schedule updates on that monthly update," Cappas continued. But "what happens to out of schedule updates once they set it and forget it?" Internet watchers at Netcraft noticed the bottleneck yesterday, April 14, right after Microsoft released its latest collection of Windows fixes. Users were especially anxious to obtain the April fixes, as three of the four collections of them were marked as "critical" by the Redmond software giant. "Microsoft's Windows Update web site has been experiencing slow response times in the wake of yesterday's release of critical security updates," noted the Netcraft researchers. However, "a browser request through Internet Explorer eventually raises the site after an extended wait, and in some cases it is possible to successfully download and install updates over a broadband connection." Microsoft acknowledged the problem. The company's security response and Windows Update teams noted that following this Tuesday's security bulletin release, requests to Windows Update "nearly doubled in volume from typical release days." A company spokeswoman admitted that the demand caused "some performance slowdowns yesterday." But she added that "Microsoft has put into place additional resources and increased capacity to ensure that the increase in volume will not affect customer experience on Windows Update." At the end of day on Wednesday, she noted that Microsoft was "not currently seeing any problems meeting the increase in volume." 
The spokeswoman added that "Microsoft attributes this significant increase in update downloads to the recent move to a monthly release schedule which makes security more predictable for customers, as well as the increased use of Windows Update and Auto Update." Netcraft officials said that the DNS for windowsupdate.microsoft.com isn't managed by Microsoft itself. Savvis Communications, which runs the former Digital Island content distribution network (CDN) it acquired from Cable & Wireless earlier this year, oversees the site, Netcraft said. "CDNs help manage Internet traffic (including distributed denial-of-service (DDoS) attacks) by using large, geographically distributed networks of servers to move files closer to the end user," Netcraft explained. Microsoft customer Cappas offered a suggestion to help alleviate the bottleneck. "Manual downloads of the patches still work if you go through the security bulletin links," Cappas said. "Microsoft should allow admins the ability to manually download patches and include them in Software Update Services (now renamed Windows Update Services) without having the SUS server always connected to the Internet and automatically downloading (or not being able to) updates. "Automation can be a good thing, but when things go wrong, you should always have a way to do things manually," he concluded. From isn at c4i.org Thu Apr 15 03:04:42 2004 From: isn at c4i.org (InfoSec News) Date: Thu Apr 15 03:13:00 2004 Subject: [ISN] File and email encryption with GnuPG (PGP) part five Message-ID: +------------------------------------------------------------------+ | Linux Security: Tips, Tricks, and Hackery | | Published by Onsight, Inc.
| | | | 14-April-2004 | | http://www.hackinglinuxexposed.com/articles/20040414.html | +------------------------------------------------------------------+ This issue sponsored by Linuxfest Northwest 2004, Bellingham, WA, April 17 LFNW is a showcase for what Northwest Linux users are doing with Linux and open source software. It's a place for Linux enthusiasts to get together to share their passion for what good software can do. If you want to attend or help out, visit http://www.linuxnorthwest.org/. -------------------------------------------------------------------- File and email encryption with GnuPG (PGP) part five By Brian Hatch Summary: Verifying public keys. ------ Verification is part of any security system. SSH, FTP, POP, and IMAP servers ask for your password before it lets you log into the machine, get your files, or snag your email. NTP can be configured to require keys before it'll let you mess with it's clock. CIFS requires a password or kerberos tickets before granting you access to shares. Now some of the above examples can be done without a password, true enough. FTP can use the anonymous account. NTP keys are seldom used between end hosts and stratum 2 servers. CIFS guest shares are (overly) common. PGP falls into the same boat. In order to use PGP safely, you need to verify that the public key you have truly belongs to the individual or organisation you expect. Remember - anyone can create a PGP key with any name/comment/email data that they want. I could create a key with "George W. Bush (Texan) president@whitehouse.gov" just as easily as he could.[1] To verify the key, you need to communicate with the actual party in a way that you know it's them. For example: In person Get together with the person directly, and verify their identity. For example check out their driver's license or some other presumably official form of identification. Make flattering comments about how they've lost weight to make things less formal and invasive. 
  Suggest their hair colour is a few shades to the grey side from what they have listed.

On the phone
  If you know the person well enough to recognise their voice, there's no reason you can't verify keys over a phone call. Ask a few questions that only they could answer, such as "What's your favourite burger topping?" or "Where were we when you first taught me to compile my own kernel?"

The important thing is that you have verified that they are in fact the person they claim to be, and that they are the person you are communicating with when you verify the key.

So, having established communication with the person, you need to exchange the information about your key. There are three crucial parts of the key, and you can find them in gpg --fingerprint keyid output:

  $ gpg --fingerprint jdoe@example.com
  pub  1024D/D5D3BDA6 2003-12-14 John Doe (My First PGP Key)
       Key fingerprint = 0E43 DC31 C484 431C 5B07 3875 7B2D D3D8 D5D3 BDA6

The important parts are:

Key bits, KeyID, and Key Type
  Above, the Key Bits (i.e. the key strength) is 1024, the Key Type is DSA (noted by the 'D' after '1024'), and the KeyID is D5D3BDA6.

  The KeyID is just a handy way of accessing the key - you use it when you upload or download keys from keyservers, for example. The Key Bits determines the strength of the key. The algorithm, DSA vs RSA for example, determines how the key is used internally. Not all versions of PGP software support both key types (RSA was patented until 2000, for example).

  One interesting tidbit: For DSA keys, you can actually skip verifying this part - notice that the last eight characters of the fingerprint (D5D3 BDA6) are simply the KeyID. Verifying the KeyID isn't required in that case, but it can't hurt.

Fingerprint
  The fingerprint above is 0E43 DC31 C484 431C 5B07 3875 7B2D D3D8 D5D3 BDA6

  The fingerprint is essentially a hash of the public key information. Rather than verifying all thousand-odd bits, instead you verify the hash, which is a 20 byte string.
It is not likely that you'll be sitting down at your computer when the party to be verified has their key on them.[2] Instead, you're more likely to meet at lunch, or a PGP keysigning party. In these cases, the easiest way to exchange keys is to have printed out your fingerprint information ahead of time on a piece of paper, verify they are whom they claim to be, and exchange paper fingerprints. You should do something, such as sign the paper itself, to be sure you remember that you've verified this key. Once you have the person's fingerprint, having already been verified with the human himself, you can sign the key at home at your leisure. So, how do you sign the key? That's next week's topic... NOTES: [1] Ok, perhaps I'd be able to do so sooner than the current US Commander in Chief. They've never been known for their technological savvy. In fact, I think I could handhold my 4 year old daughter through it faster. [2] You wouldn't want to verify and sign the key with them there anyway, to avoid them shoulder surfing your password. ------------- Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He'll be giving a talk at LinuxFest Northwest (www.linuxnorthwest.org), titled "Practical SSH - Encryption, Tunneling, and Automation." And if anyone wants a ride up from Seattle, drop me a line. Brian can be reached at brian@hackinglinuxexposed.com. -------------------------------------------------------------------- This newsletter is distributed by Onsight, Inc. The list is managed with MailMan (http://www.list.org). You can subscribe, unsubscribe, or change your password by visiting http://lists.onsight.com/ or by sending email to linux_security-request@lists.onsight.com. Archives of this and previous newsletters are available at http://www.hackinglinuxexposed.com/articles/ -------------------------------------------------------------------- Copyright 2004, Brian Hatch. 
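As an added example (not part of the newsletter and not GnuPG's own code), here is a Python script that parses the gpg --fingerprint output shown above, checks the key on disk against the bits, type, KeyID and fingerprint read off a verified paper slip, and reconstructs why the KeyID is the tail of the fingerprint: an OpenPGP v4 fingerprint is the SHA-1 of the public key packet and the KeyID is its low-order 64 bits, which holds for v4 keys of any algorithm, not only DSA. The gpg output sample and the toy DSA parameters are constructed.

```python
"""Check a locally imported PGP key against a verified paper fingerprint slip,
and show how an OpenPGP v4 fingerprint and KeyID are derived (added example)."""
import hashlib
import re

# Constructed sample of `gpg --fingerprint` output, built from the article's
# example key (John Doe, 1024-bit DSA, KeyID D5D3BDA6); not captured gpg output.
GPG_OUTPUT = """\
pub  1024D/D5D3BDA6 2003-12-14 John Doe (My First PGP Key) <jdoe@example.com>
     Key fingerprint = 0E43 DC31 C484 431C 5B07 3875 7B2D D3D8 D5D3 BDA6
"""

PUB_LINE = re.compile(r"^pub\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8})\s+(\d{4}-\d{2}-\d{2})")
FPR_LINE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+?)\s*$")


def normalize_fingerprint(text: str) -> str:
    """Drop spacing and case so a hand-typed fingerprint compares cleanly."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def parse_fingerprint_output(text: str) -> dict:
    """Extract key bits, algorithm letter, KeyID and fingerprint from gpg --fingerprint output."""
    info = {}
    for line in text.splitlines():
        m = PUB_LINE.match(line)
        if m:
            info["bits"] = int(m.group(1))
            info["algo"] = m.group(2).upper()   # D = DSA, R = RSA (as gpg prints them)
            info["keyid"] = m.group(3).upper()
            info["created"] = m.group(4)
        m = FPR_LINE.search(line)
        if m:
            info["fingerprint"] = normalize_fingerprint(m.group(1))
    return info


def check_against_paper(local: dict, paper_bits: int, paper_algo: str,
                        paper_keyid: str, paper_fingerprint: str) -> list:
    """Compare the key on disk with the values the verified person handed over.
    Returns a list of mismatch descriptions; an empty list means it is safe to sign."""
    problems = []
    if local["bits"] != paper_bits:
        problems.append(f"key bits: local {local['bits']} vs paper {paper_bits}")
    if local["algo"] != paper_algo.upper():
        problems.append(f"key type: local {local['algo']} vs paper {paper_algo.upper()}")
    if local["keyid"] != paper_keyid.upper():
        problems.append(f"KeyID: local {local['keyid']} vs paper {paper_keyid.upper()}")
    if local["fingerprint"] != normalize_fingerprint(paper_fingerprint):
        problems.append("fingerprint differs")
    # The article's tidbit: the KeyID must be the last 8 hex digits of the fingerprint.
    if local["fingerprint"][-8:] != local["keyid"]:
        problems.append("KeyID is not the tail of the fingerprint (v3 key or tampered output?)")
    return problems


def _mpi(n: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian magnitude."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")


def v4_fingerprint(created: int, algo_id: int, *key_mpis: int) -> str:
    """SHA-1 over 0x99, the 2-byte packet length and the v4 public-key packet body
    (version byte, 4-byte creation time, algorithm id, then the key MPIs)."""
    body = bytes([4]) + created.to_bytes(4, "big") + bytes([algo_id])
    body += b"".join(_mpi(m) for m in key_mpis)
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def keyid_from_fingerprint(fingerprint: str) -> str:
    """The v4 KeyID is the low-order 64 bits of the fingerprint; gpg shows the last 32 bits."""
    return normalize_fingerprint(fingerprint)[-8:]


if __name__ == "__main__":
    local = parse_fingerprint_output(GPG_OUTPUT)
    # Values as read off the paper slip; spacing and case do not matter.
    print(check_against_paper(local, 1024, "D", "d5d3bda6",
                              "0e43dc31 c484431c 5b073875 7b2dd3d8 d5d3bda6"))  # []
    # Toy DSA parameters p, q, g, y (constructed, far too small for a real key),
    # algorithm id 17 = DSA, creation time as a Unix timestamp.
    fp = v4_fingerprint(1071360000, 17, 23, 11, 4, 8)
    print(fp, "KeyID", keyid_from_fingerprint(fp))
```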
From isn at c4i.org Mon Apr 19 04:56:28 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 19 05:37:59 2004
Subject: [ISN] Secret hackers to aid war on internet fraud
Message-ID:

Forwarded from: Malcolm McWhinnie

[The attached letter is below as InfoSec News no longer permits attachments to the list. - WK]

Dear colleagues

I have attached a letter that has been sent to the London Times, which addresses the recent article entitled "Secret hackers to aid war on internet fraud". I would be obliged if you can assist in the communication process by publishing this letter on your site also.

Thank you for your assistance

Best Regards

Malcolm McWhinnie
VP Global Information Security
MasterCard International
2200 MasterCard Blvd
290 West Lake
O'Fallon MO 63366-7263
(636) 722 4220

-=-

Dear Editor:

Online retailers may need some reassurance if they have read The Times' article 'Secret hackers to aid war on Internet fraud' (Monday 5th April). The article incorrectly implies that MasterCard is using secret hackers to break into online retailers' systems in a bid to test their security systems without their knowledge.

MasterCard does not recruit secret hackers to test security systems of online merchants. Moreover, there is no hacking involved, at all, in our Site Data Protection (SDP) programme, which we publicly announced and launched in 2003. SDP, and its commercially available products and tools, is used only with the knowledge, consent and permission of participating retailers. It helps online retailers to assess their web security to proactively defend themselves against website intrusion and secure their systems against fraud.

The programme includes security standards and evaluation tools that help to identify possible weaknesses in online systems, highlighting vulnerabilities in real-time and categorising any potential risks. As a further check, on-line retailers may separately perform their own penetration testing outside the scope of SDP.
MasterCard offers SDP through our member financial institutions to online retailers to help them protect data stored in their systems and aid them in their fight against Internet fraud.

Yours faithfully
Brian Morris
MasterCard Europe

From isn at c4i.org Mon Apr 19 04:58:49 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 19 05:38:00 2004
Subject: [ISN] Linux Advisory Watch - April 16th 2004
Message-ID:

+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| April 16th, 2004 Volume 5, Number 16a |
+----------------------------------------------------------------+

Editors: Dave Wreski (dave@linuxsecurity.com), Benjamin Thomas (ben@linuxsecurity.com)

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for apache, the Linux kernel, mysql, xonix, ssmtp, openoffice, squid, cvs, Heimdal, iproute, pwlib, scorched, tcpdump, cadaver, and mailman. The distributors include Conectiva, Debian, Fedora, FreeBSD, Gentoo, Mandrake, Red Hat, and SuSE.

----

>> Secure Online Data Transfer with SSL <<

Get Thawte's new introductory guide to SSL security which covers the basics of how it operates. A discussion of the various applications of SSL certificates and their appropriate deployment is also included along with details of how to test SSL on your web server.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawte02

----

Professional Associations

Those of you who have been in the IT industry for years are probably already familiar with most professional organizations. Some of the more popular include ISSA (Information Systems Security Association), USENIX/SAGE, ACM, IAPSC, and countless others. Most organizations require their members to pay dues, but that is not without value.
Because there are so many different organizations, it is a better idea to pick one or two and get heavily involved. Many organizations are worldwide, but have local chapters. This provides many opportunities for benefit.

Did you ever wish you knew the right people? Local chapter meetings are great for professional networking. Some organizations have quarterly meetings, others hold them monthly. Chapter events are a great opportunity to meet people that have similar interests and needs. If you are in search of a specific security solution, often you will find someone at a meeting who can offer it. Conversely, if you're a business owner and wish to extend your services, meetings can be helpful.

Organizations such as the ISSA offer educational benefits. Usually meetings include a lecture that is centered around an information security topic. Other meetings can include practical demonstrations and round-table discussions. Also, ad hoc study groups are often formed to prepare for certification exams.

Do you need additional credentials on your resume/CV? Do you wish you could prove to management that you are ready for a leadership position? Professional organizations also offer their members the chance to lead. Positions such as chapter president, vice president, secretary, etc. open for election each year. Although time consuming, it can be a worthwhile commitment.

Finally, most professional organizations have monthly/quarterly journals that are written by members. Rather than being subject to corporate pressures, you'll find the articles in these journals are of high quality and relatively unbiased. Usually you can also find archives of past papers/publications on each organization's Web site.
For more information about some of the professional organizations that I've mentioned, please see the following Web sites: Information Systems Security Association http://www.issa.org Association for Computing Machinery http://www.acm.org USENIX/SAGE http://www.usenix.org International Association of Professional Security Consultants http://www.iapsc.org/ Until next time, cheers! Benjamin D. Thomas ben@linuxsecurity.com ---- Guardian Digital Launches Next Generation Internet Defense & Detection System Guardian Digital has announced the first fully open source system designed to provide both intrusion detection and prevention functions. Guardian Digital Internet Defense & Detection System (IDDS) leverages best-in-class open source applications to protect networks and hosts using a unique multi-layered approach coupled with the security expertise and ongoing security vigilance provided by Guardian Digital. http://www.linuxsecurity.com/feature_stories/feature_story-163.html -------------------------------------------------------------------- Interview with Siem Korteweg: System Configuration Collector In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments. http://www.linuxsecurity.com/feature_stories/feature_story-162.html -------------------------------------------------------------------- >> Internet Productivity Suite: Open Source Security << Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10 --> Take advantage of the LinuxSecurity.com Quick Reference Card! 
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Conectiva | ----------------------------//
+---------------------------------+

4/12/2004 - 'mod_python' DoS
This update fixes a remote denial of service vulnerability in Apache web servers which have mod_python enabled.
http://www.linuxsecurity.com/advisories/conectiva_advisory-4216.html

4/13/2004 - 'squid' ACL bypass vulnerability
This update fixes a vulnerability that allows a malicious user to bypass url_regex ACLs by using a specially crafted URL.
http://www.linuxsecurity.com/advisories/conectiva_advisory-4217.html

4/14/2004 - apache Multiple vulnerabilities
Patch corrects non-filtered escape sequences and a DoS attack.
http://www.linuxsecurity.com/advisories/conectiva_advisory-4219.html

+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+

4/14/2004 - kernel Multiple vulnerabilities
This is three advisories in one, each for the same group of kernel 2.4.x vulnerabilities. The first is for the PA-RISC architecture, the second for the IA-64 architecture, and the third for the PowerPC/apus and S/390 architectures.
http://www.linuxsecurity.com/advisories/debian_advisory-4229.html

4/14/2004 - mysql Insecure temporary file vulnerabilities
Two scripts contained in the package don't create temporary files in a secure fashion, which could lead to a root exploit.
http://www.linuxsecurity.com/advisories/debian_advisory-4230.html

4/15/2004 - kernel 2.4.18 Multiple vulnerabilities
Here is a patch release specifically for kernel 2.4.18 on the i386 architecture, fixing multiple kernel security issues, and fixing a build error from a previous patch to the same.
http://www.linuxsecurity.com/advisories/debian_advisory-4231.html

4/15/2004 - xonix Privilege retention vulnerability
A local attacker could exploit this vulnerability to gain gid "games".
http://www.linuxsecurity.com/advisories/debian_advisory-4232.html

4/15/2004 - ssmtp Format string vulnerability
These vulnerabilities could potentially be exploited by a remote mail relay to gain the privileges of the ssmtp process (including potentially root).
http://www.linuxsecurity.com/advisories/debian_advisory-4233.html

+---------------------------------+
| Distribution: Fedora | ----------------------------//
+---------------------------------+

4/14/2004 - kernel Multiple vulnerabilities
This patch fixes a variety of buffer overflow and information leak vulnerabilities.
http://www.linuxsecurity.com/advisories/fedora_advisory-4228.html

4/15/2004 - kernel Corrected md5sums
Something went wrong with the md5sums in yesterday's announcement.
http://www.linuxsecurity.com/advisories/fedora_advisory-4234.html

4/15/2004 - openoffice Multiple format string vulnerabilities
This patch fixes vulnerabilities that may allow execution of arbitrary code, as well as other bugfixes.
http://www.linuxsecurity.com/advisories/fedora_advisory-4238.html

4/15/2004 - squid 2.5 ACL escape vulnerability
This is a backport of an older patch which prevented crafted URLs from being able to ignore Squid's ACLs.
http://www.linuxsecurity.com/advisories/fedora_advisory-4239.html

+---------------------------------+
| Distribution: FreeBSD | ----------------------------//
+---------------------------------+

4/15/2004 - cvs Chroot escape vulnerability
This patch fixes two cvs errors, one with the client and one with the server. Both allow chroot escapes.
http://www.linuxsecurity.com/advisories/freebsd_advisory-4240.html

+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+

4/9/2004 - Heimdal Cross-realm scripting vulnerability
Heimdal contains a cross-realm vulnerability allowing someone with control over a realm to impersonate anyone in the cross-realm trust path.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4211.html

4/9/2004 - iproute Denial of service vulnerability
The iproute package allows local users to cause a denial of service.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4212.html

4/9/2004 - pwlib Multiple vulnerabilities
Multiple vulnerabilities have been found in pwlib that may lead to a remote denial of service or buffer overflow attack.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4213.html

4/9/2004 - Scorched 3D Format string attack vulnerability
Scorched 3D is vulnerable to a format string attack in the chat box that leads to Denial of Service on the game server and possibly allows execution of arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4214.html

4/15/2004 - cvs Multiple vulnerabilities
There are two vulnerabilities in CVS; one in the server and one in the client. These vulnerabilities allow the reading and writing of arbitrary files on both client and server.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4235.html

+---------------------------------+
| Distribution: Mandrake | ----------------------------//
+---------------------------------+

4/9/2004 - ipsec-tools Signature non-verification vulnerability
Multiple vulnerabilities: Racoon does not verify the RSA signature during phase one of a connection using either main or aggressive mode. Only the certificate of the client is verified; the certificate is not used to verify the client's signature.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4215.html

4/14/2004 - cvs Chroot escape vulnerability
A maliciously configured server could then create any file with content on the local user's disk.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4226.html

4/14/2004 - kernel Multiple vulnerabilities
This patch fixes a large variety of kernel bugs, including an assortment of filesystem related vulnerabilities.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4227.html

4/15/2004 - tcpdump Multiple vulnerabilities
Corrects out of bounds read and DoS attack.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4236.html

+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+

4/14/2004 - cvs Chroot escape vulnerability
Updated cvs packages that fix a client vulnerability that could be exploited by a malicious server are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-4222.html

4/14/2004 - cadaver Multiple format string vulnerabilities
An updated cadaver package that fixes a vulnerability in neon exploitable by a malicious DAV server is now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-4223.html

4/14/2004 - mailman Denial of service vulnerability
An updated mailman package that closes a DoS vulnerability in mailman introduced by RHSA-2004:019 is now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-4224.html

4/14/2004 - OpenOffice Multiple format string vulnerabilities
An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client.
http://www.linuxsecurity.com/advisories/redhat_advisory-4225.html

4/15/2004 - subversion Multiple format string vulnerabilities
An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client connecting via subversion.
http://www.linuxsecurity.com/advisories/redhat_advisory-4237.html

+---------------------------------+
| Distribution: Suse | ----------------------------//
+---------------------------------+

4/14/2004 - kernel Multiple vulnerabilities
Two vulnerabilities, one involving symlink names and one involving the JFS filesystem, can both be used to gain root privileges.
http://www.linuxsecurity.com/advisories/suse_advisory-4220.html

4/14/2004 - cvs Chroot escape vulnerability
Patches an ability for a rogue CVS server to remotely create arbitrary absolute-path files with the user's permission.
http://www.linuxsecurity.com/advisories/suse_advisory-4221.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Apr 19 04:59:06 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 19 05:38:01 2004
Subject: [ISN] Vulnerable to risk: Other resorts susceptible to a similar outage
Message-ID:

http://www.lasvegassun.com/sunbin/stories/sun/2004/apr/15/516694304.html

April 15, 2004
By Liz Benston
LAS VEGAS SUN

The power outage that shut down the Bellagio and caused the evacuation of thousands of employees and customers could happen at any resort on the Las Vegas Strip and at any time, Clark County's top building inspector said Wednesday.

That's primarily because the power failure occurred on the property and with Bellagio equipment rather than on an outer line supplied by Nevada Power Co., Clark County Department of Development Services Building Division Director Ron Lynn said.

Some newer resorts such as the Bellagio own several power generators on site that can create instantaneous backup power to run their resorts should Nevada Power lines fail, he said.

If Nevada Power's lines to the Bellagio had failed, the property's generators would have kicked on, flooding the property with the same power load in about the time it takes to flick a switch, he said.

"(Resort guests) wouldn't have known the difference," he said. "Maybe the lights would have flickered and that's it."

But that's not what happened at the Bellagio Sunday, he said.
The failure occurred internally on resort-owned power lines, meaning the power carried from Nevada Power lines had nowhere to go and generators couldn't pick up the slack, he said. The generators are set up to go on if power doesn't come on to the property. An internal power line failure could mean bad news for any major casino, resort officials say. "The same kind of initial outage could happen to anyone," Harrah's Entertainment Inc. spokesman Gary Thompson said. What happens next could be more crucial, however, he said. Harrah's Rio hotel-casino has taken the rare step of building its own combustion turbine power plant that is designed to provide "more power than needed to get the resort up and operating very quickly" should the resort's main power line fail, Thompson said. With the power plant and following proper procedures, the resort would be able to power up the resort in a few minutes and wouldn't have to rely on emergency power and evacuate guests in the process like the Bellagio did, he said. The 4.92 megawatt plant, designed to provide at least 40 percent of the resort's power load, will be up and running in the next several weeks and is expected to cost the company about $7 million. Before adding the plant, the resort had a primary power source and an emergency power source. The emergency source is a separate cable line that is required of all resorts and provides minimal lighting so that guests can evacuate the property and powers safety features such as fire alarm system, smoke detectors and heat detectors. The Bellagio also has a main power line and an emergency, or "safety" backup line to maintain minimal power for safety purposes. When some cables in the main line shorted, the property shut off power in all the main cables to repair the damaged ones and relied on its separate emergency line, which is fed by a separate line provided by Nevada Power, Lynn said. 
The Bellagio's power system meets code requirements and the resort followed proper safety procedures by shutting down its primary power source when a few of the main power cables shorted, he said. "We are concerned with the minimum standard for safety," he said. Other features such as the amount of power needed to run the resort and backup generators on the site aren't code requirements, he said. "It's not a safety issue. That's a business decision," he said. Lynn said he isn't aware of any company in town that has a bulletproof system or dual, identical power lines that run separately from Nevada Power into a resort. "I find it highly unlikely that any hotel has a truly redundant (power) system," he said. Like the Rio, the Venetian hotel-casino has also taken some extra steps in an attempt to fend off potential power failures. In addition to the requisite emergency power line, the Venetian owns duplicate cabling on its property that runs into the resort, providing some backup should one of the lines fail, Venetian's Director of Facilities Kim Grange said. The property also has dual transformers as well as a computerized system that allows employees to immediately swap power loads from one line to another should problems arise, he said. The property could still run into problems if both power lines went out or if Nevada Power lines failed, however, he said. If Nevada Power lines were cut, the company's generators would only be able to power about 60 percent of the resort, which wouldn't allow for business as usual, Grange said. After the Bellagio incident, Venetian engineers examined the resort's system, which constantly undergoes preventative maintenance, he said. "I feel that we're very protected here at the Venetian because we've got a lot of redundant equipment," he said. "We've taken every measure to head off any unforeseen circumstances. But there are no guarantees. Things can happen." 
The Bellagio incident was especially unfortunate because the cable failure occurred on a primary conduit adjacent to the resort, an "achilles heel" for the property, Grange said. While dual cabling at the Venetian provides some protection, the Venetian has so far decided against building its own power plant because Nevada Power rates are still reasonable and the cost wouldn't be worth the return on investment, he said. Besides giving the property immediate access to its own power source in the event of a power outage, the Rio's cogeneration plant is also aimed at cutting the company's power bill, Thompson said. The plant also helps out other power users by reducing the demand for power during peak times when power costs are higher, he said. Some observers have questioned whether there was some flaw in the layout of the power cables at Bellagio or whether there was some human error involved in either the initial cable failure or the repair process. MGM MIRAGE spokesman Alan Feldman said the resort has until now focused on fixing the problem and will now begin to devote more time to investigating what caused it. Many people have been speculating about what happened without actually studying the evidence, which is still coming in, he said. "Human error is one of the things we will look at," he said. "We have focused on the evidence but not enough to make any kind of determination about what happened. This was a complicated event. We will likely find out that there were many things along the way." Lynn said the county hasn't ruled out human error as a factor in the blackout but said it's still premature to speculate about whether something might have exacerbated the problem. "Our primary investigation is on what initially transpired and created the problem in the first place," he said. The county will begin its own investigation in earnest today by examining data collected by Bellagio computers about power supplies across the property, he said. 
The reopening of the resort couldn't have happened any faster than it did, Lynn said. Thousands of feet of burned-out cable needed to be taken out and replaced, a process that wasn't fully complete until Wednesday morning, he said. The power systems then took hours to test and retest, Lynn said.

"It takes time to put the systems back on line," he said. "We ran some scenarios to see how they would run in an emergency system and that took a good deal of time."

The testing process is similar to that performed at a new resort, he said. County building inspectors performed tests until Wednesday afternoon and approved the property to open around 4 p.m. The property opened just before 5 p.m. and by about 5:30 p.m. more than 1,000 guests who had been put up at neighboring hotels had returned to check in.

From isn at c4i.org Mon Apr 19 04:59:20 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 19 05:38:02 2004
Subject: [ISN] Visa cards violated: BofA is reissuing after hack attack
Message-ID:

http://business.bostonherald.com/technologyNews/view.bg?articleid=439

By Jay Fitzgerald
April 16, 2004

Holders of Fleet Visa business credit cards may be the latest victims of hackers who possibly got hold of sensitive card numbers via a merchant's computer system, officials acknowledged yesterday.

Fleet Credit Card Services, now part of Bank of America Corp. after this month's takeover of FleetBoston Financial Corp., is sending new cards to an unspecified number of customers because of a security breach at an unnamed merchant.

Deborah Pulver, the spokeswoman, wouldn't say how many customers will get new cards and account numbers. "It's a very small portion of our business accounts," she said. "There was some type of compromise" apparently tied to Visa.

In a statement to the Herald yesterday, Visa USA confirmed that it was "recently notified by a U.S.
merchant that it may have experienced a data security breach resulting in the compromise of Visa card account information." A Visa spokesman would not elaborate.

Officials declined to say if the latest incident is tied to a recent theft of credit card numbers at Natick-based BJ's Wholesale Club Inc. On March 12, BJ's warned that a "few hundred" of its 8 million members had their credit card numbers stolen in a possible systems breach.

Citizens Bank, Washington Trust Bancorp, of Rhode Island, and Navy Federal Credit Union in Virginia were among the firms that issued new credit cards and account numbers after BJ's disclosure. Amy Russ, a BJ's spokeswoman, said yesterday that she couldn't comment on the matter.

Douglas Devitt, a co-owner of Voyager Sound Inc., a Weston software developer, said he recently got a letter, dated April 9, from Fleet saying his Fleet Platinum Visa business card account may have been one of those obtained by an "unauthorized party." The letter stresses that there's no actual sign of "fraudulent activity" in the account, but that the card would be replaced anyway.

Devitt said he's a member of BJ's, but had never used that specific Fleet card at BJ's. About a month ago, he said, Fleet issued him a new business credit card due to a possibly unrelated fraud case in which his account was improperly charged $1,200. Now Fleet is replacing his card for the second time in a month, he said. "I'm just glad someone is watching out" for his interests, he said.

Devitt said he talked to one person at Fleet who told him that the latest incident involved "Nigerian mafia" hackers. But Fleet's Pulver said there was no Nigerian connection to her knowledge.

Richard Smith, an Internet security consultant in Brookline, said he knows no details about the BJ's and Fleet incidents. But he said merchants in general are often the "weak link" in the credit-card security system.
"The credit-card system has many players involved," he said, noting there have been infamous cases of Russian and Eastern European hackers stealing U.S. credit card numbers.

From isn at c4i.org Mon Apr 19 05:07:14 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 19 05:38:03 2004
Subject: [ISN] How secure is your handheld?
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,92338,00.html

by Joel Strauch
APRIL 16, 2004
PC WORLD

The No. 1 threat to the sensitive data stored on your handheld device or smart phone remains physically losing the device, but other threats are looming on the handheld horizon.

"When you send a defective PDA to the manufacturer for tech support, they usually give you a new one and then resell the old one," said John Girard, vice president and research director at Gartner Inc. "Buying dead machines is an ideal method of pursuing identity theft."

What's more, 90% of mobile devices lack the protection necessary to ward off hackers, according to a recent strategic planning assumption conducted by Stamford, Conn.-based Gartner.

"Most devices have IrDA, Bluetooth and wireless connections, and many of them aren't set up properly. You can just walk around with a connected device of your own and see what you can find," Girard said.

Even if there are security settings activated by default on a device, users will often turn them off if they find them unintuitive to use, he said. "Security needs to be as transparent as possible to users," Girard said.

Malicious Code

While security researchers have developed "proof of concept" viruses for handheld devices and smart phones, nothing has been seen yet "in the wild," said David Perry, global director of education at antivirus developer Trend Micro Inc. in Cupertino, Calif. "E-mail is easier. It's universal, and PDAs aren't."

Since handheld device users can still choose from several operating systems, they face a lower risk that a widespread virus will hit mobile devices.
"As long as it's really easy to do Windows and e-mail, why should people bend themselves out of shape to hit something else?" Perry asked. But the possibility of always-on wireless connectivity of smart phones and handhelds opens the door to malicious code. "There was a screen saver being passed around in Europe that would put your phone into a loop and lock it up," Girard said. "And worms on a Web site that you visit with your PDA could switch on Bluetooth. But we don't see viruses or malicious code being a significant threat for mobile devices until the end of 2005." Protect Your PDA That doesn't mean you should consider the information on your mobile device completely safe. There are still ways to lose it -- and ways to protect yourself from data loss. "You shouldn't keep things on a PDA that you can't afford to lose. And be vigilant -- don't let it get lost or stolen," Girard said. Also, use the "power-on" password settings in your device, he added. That way, a thief can't even activate your handheld device without your password. "And don't store important stuff on peripheral storage, where the power-on password might not protect it," he added. Third-party applications from vendors such as BlueFire Security Technologies, Asynchrony Solutions and others afford additional protections. "BlueFire has a PDA firewall, and you might ask whether you'd need a PDA firewall," Girard said. "But it shuts down Bluetooth, which closes a port where hackers could get in." Data encryption products from some of the same players are also a consideration, so even if the device does fall into the wrong hands, the data will be much harder to extract. Handheld devices are still much safer than desktops or laptops from virus and hacker attacks, but that won't always be the case. "What you'll find on a PDA today is what you'd find on a laptop five years ago. What you'll find on a PDA five years from now is what you'll find on a laptop today," Girard said. 
That power and operating system ubiquity will bring a greater potential for harmful intrusions.

From isn at c4i.org Mon Apr 19 05:27:25 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 19 05:38:04 2004
Subject: [ISN] Hackers introduce colourful new players to Indonesia's elections
Message-ID:

http://www.terra.net.lb/wp/Articles/DesktopArticle.aspx?ArticleID=151342&ChannelId=16

19/04/2004

Indonesia's official elections website showed election successes for the unlikely "Pink Grandfather Party" and the "Party of Bottled Mineral Water" after interference by hackers at the weekend, reports said.

The Indonesian General Election Commission (KPU) had to shut down its website for four hours Saturday after hackers changed the names of some of the 24 political parties that contested the April 5 vote, the Jakarta Post said.

The names of the top three political parties were unchanged. But the fourth-placed United Development Party (PPP) of Vice President Hamzah Haz, whose party color is Islam's green, became the "Pink Grandfather Party". Fifth-placed upstart the Democrats' Party became "the Party of Bottled Mineral Water", in an apparent reference to its saleability.

The People's Mandate Party, in sixth, became the "Party that must repair its website first", while 13 others were just changed to "Pink Party", regardless of their party colors. The Crescent and Star Party was named after a singing bird, the Freedom Party took the name of a character in a popular television series, and the New Indonesian Association Party became "Party of Midwives", for no apparent reason.

"The hackers tried to hack our data center and recovery center, which have seven security systems, starting from 6:30 pm.
But they failed," said the election commission's information technology division chairman Akhiar Oemry. "They only succeeded in hacking our website, which is part of the public domain," he said.

The website was back on line late Saturday after repairs.

From isn at c4i.org Mon Apr 19 05:28:29 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 19 05:38:04 2004
Subject: [ISN] Extortionists attack iBetX.com
Message-ID:

http://www.theregister.co.uk/2004/04/18/online_bookie_ddos/

By John Leyden
18th April 2004

iBetX, the UK-based online betting exchange, has become the latest online bookmaker to be targeted by cyber extortionists. The company's website was temporarily off line from Thursday evening (15 April) until early Friday morning (16 April) as a result of a distributed denial of service (DDoS) attack which flooded the site with spurious requests.

In recent weeks several major British bookmakers have come under similar attacks: they include William Hill, Totalbet, UKbetting and Sporting Options. None are believed to have given in to demands.

iBetX.com director Imraan Malik maintained this common front: "The bottom line is that we will not give in to extortion and we will work with the UK National High-Tech Crime Unit to safeguard our business and help trace and track down the perpetrators."

iBetX is assuring subscribers that their personal details remain safe despite the attack, which did not affect the integrity of its site. "Furthermore, there was no material loss to the business nor did any customer suffer any loss," it added.
From isn at c4i.org Mon Apr 19 05:28:53 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 19 05:38:05 2004
Subject: [ISN] Gates closed to the teenager who shut Windows opening
Message-ID:

http://news.scotsman.com/scotland.cfm?id=422222004

STUART PATTERSON
15 Apr 2004

A TEENAGER who spotted a major security flaw in Microsoft's Windows operating system, told the company and then worked "round the clock" to correct it, says he never got a penny for his efforts.

Matt Thompson, 19, was just out of college when he discovered the fault with the software. After he pointed out the problem to Microsoft, founded by the billionaire Bill Gates, he spent all his free time working with the firm to correct the error.

Mr Thompson, from Aberdeen, said yesterday: "I haven't got any money from them, even though I'm sure they could easily afford it. Microsoft just expected me to work round the clock for the sake of it.

"I did get an acknowledgement of thanks on their website, and I think that's supposed to act as my reward."

Mr Thompson, a computer enthusiast from an early age, started working at the consultancy firm Aberdeen IT last summer. The company quickly put him to work creating websites and databases for its corporate clients.

Like millions of other PC users around the world, his computer is fitted with Microsoft's Windows operating system. But as he used the software while creating a database for a client, he stumbled across an error that threatened the security of every computer that runs on the Windows system.

The glitch leaves computers vulnerable to hackers, who can send viruses to the machines via the internet simply by inputting a number of commands into their own PC.

He said: "I carried out a few tests. Then I did a few more. I spent hours checking it."

Mai Luc, an official spokeswoman for Microsoft, said: "We do not operate a system where we give out financial rewards.

"We would, however, like to thank Matt Thompson of Aberdeen IT for working with us to help protect customers by reporting the Jet Vulnerability."

From isn at c4i.org Mon Apr 19 05:29:35 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 19 05:38:06 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-16
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-04-08 - 2004-04-15

This week : 43 advisories

========================================================================
Table of Contents:

1. Word From Secunia
2. This Week In Brief
3. This Week's Top Ten Most Read Advisories
4. Vulnerabilities Summary Listing
5. Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Secunia has launched a new service called Secunia Virus Information.

Secunia Virus Information is based on information automatically collected from seven different anti-virus vendors. The data will be parsed and indexed, resulting in a chronological list, a searchable index, and grouped profiles with information from the seven vendors.

Example:
http://secunia.com/virus_information/8592/

Furthermore, when certain criteria are triggered virus alerts will be issued. You can sign-up for the alerts here:

Secunia Virus Alerts:
http://secunia.com/secunia_virus_alerts/

Secunia Virus Information:
http://secunia.com/virus_information/

========================================================================
2) This Week in Brief:

Microsoft has released four patches for various programs and operating systems, which address more than 20 different vulnerabilities. Some of the vulnerabilities were reported to Microsoft more than 250 days ago.
Users are advised to patch up as soon as possible, as several of the vulnerabilities can be exploited by a remote attacker to gain system access to a vulnerable system.

Please refer to the four Secunia Advisories below for more information about the specific vulnerabilities and affected software.

Reference:
http://secunia.com/SA11068
http://secunia.com/SA11067
http://secunia.com/SA11065
http://secunia.com/SA11064

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA10395] Internet Explorer URL Spoofing Vulnerability
2. [SA10523] Internet Explorer showHelp() Restriction Bypass Vulnerability
3. [SA11064] Microsoft Windows 14 Vulnerabilities
4. [SA11273] Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing
5. [SA11067] Microsoft Outlook Express MHTML URL Processing Vulnerability
6. [SA11285] Winamp "in_mod.dll" Heap Overflow Vulnerability
7. [SA11065] Microsoft Windows RPC/DCOM Multiple Vulnerabilities
8. [SA11331] Kerio Personal Firewall URL Handling Denial of Service
9. [SA11312] Panda ActiveScan Control "Internacional" Property Heap Overflow Vulnerability
10. [SA11314] RealPlayer/RealOne R3T File Handling Buffer Overflow Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA11352] IMail Express Web Messaging Buffer Overflow Vulnerability
[SA11354] TUTOS Cross Site Scripting and SQL Injection Vulnerabilities
[SA11331] Kerio Personal Firewall URL Handling Denial of Service
[SA11330] 1st Class Mail Server Directory Traversal and Cross Site Scripting
[SA11360] Eudora Nested MIME Message Denial of Service Vulnerability

UNIX/Linux:
[SA11350] HP Internet Express WU-FTPD Multiple Vulnerabilities
[SA11346] NewsPHP Admin Access and Cross Site Scripting
[SA11344] TikiWiki Multiple Vulnerabilities
[SA11338] Gentoo update for scorched3d
[SA11325] IBM HTTP Server OpenSSL Vulnerabilities
[SA11319] Scorched 3D Chat Box Format String Vulnerability
[SA11353] Conectiva update for apache
[SA11345] Conectiva update for mod_python
[SA11336] Gentoo update for pwlib
[SA11329] Gentoo update for ipsec-tools
[SA11328] KAME Racoon IKE Daemon RSA Signature Verification Vulnerability
[SA11327] nukeKalender Multiple Vulnerabilities
[SA11318] Gentoo update for clamav
[SA11349] HP OpenView Operations Authentication Bypass Vulnerability
[SA11333] LCDProc Multiple System Compromise Vulnerabilities
[SA11326] AzDGDatingLite Cross Site Scripting Vulnerability
[SA11322] OpenPKG update for fetchmail
[SA11320] OpenPKG update for tcpdump
[SA11340] Crackalaka Denial of Service Vulnerability
[SA11339] RSniff Multiple Connection Denial of Service Vulnerability
[SA11335] Gentoo update for heimdal
[SA11321] Gentoo update for automake
[SA11334] Open WebMail Directory Creation Vulnerability
[SA11337] Gentoo update for iproute
[SA11332] Sun Cluster Global File System Denial of Service Vulnerability
[SA11317] Gentoo update for util-linux

Other:
[SA11342] X-Micro Access Point Default Username and Password
[SA11324] Cisco IPSec VPN Services Module Denial of Service Vulnerability
[SA11323] CiscoWorks 1105 WLSE and HSE Default User Account

Cross Platform:
[SA11358] BEA WebLogic SSL Impersonation Vulnerability
[SA11347] PHP-Nuke SQL Injection and Cross Site Scripting
[SA11341] Nuked-KlaN Arbitrary File Inclusion
[SA11355] Blackboard Cross Site Scripting Vulnerabilities
[SA11343] SurgeLDAP Arbitrary File Retrieval Vulnerability
[SA11359] BEA WebLogic Exposure of Administrative Credentials
[SA11348] Citadel/UX Insecure Default Database Permissions
[SA11357] BEA WebLogic Database Password Stored in Plain Text Issue
[SA11356] BEA WebLogic Group Membership Security Issue

========================================================================
5) Vulnerabilities Content Listing

Windows:
-- [SA11352] IMail Express Web Messaging Buffer Overflow Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-04-13

The vendor has reported a vulnerability in IMail Express, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11352/

-- [SA11354] TUTOS Cross Site Scripting and SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2004-04-14

Kereval has reported some vulnerabilities in TUTOS, allowing malicious people to conduct Cross Site Scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/11354/

-- [SA11331] Kerio Personal Firewall URL Handling Denial of Service
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-04-09

Emmanouel Kellinis has reported a vulnerability in Kerio Personal Firewall, allowing malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/11331/

-- [SA11330] 1st Class Mail Server Directory Traversal and Cross Site Scripting
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2004-04-09

Dr_insane has reported some vulnerabilities in 1st Class Mail Server, allowing malicious people to view arbitrary files or conduct Cross Site Scripting attacks.

Full Advisory:
http://secunia.com/advisories/11330/

-- [SA11360] Eudora Nested MIME Message Denial of Service Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-04-14

Paul Szabo has reported a vulnerability in Eudora, allowing malicious people to cause a Denial of Service.

Full Advisory:
http://secunia.com/advisories/11360/

UNIX/Linux:
-- [SA11350] HP Internet Express WU-FTPD Multiple Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, DoS, System access
Released:    2004-04-13

HP has acknowledged some vulnerabilities in their version of WU-FTPD. These can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11350/

-- [SA11346] NewsPHP Admin Access and Cross Site Scripting
Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Privilege escalation, System access
Released:    2004-04-13

Manuel Lopez has reported some vulnerabilities in NewsPHP, allowing malicious people to gain administrative access and conduct Cross Site Scripting attacks.

Full Advisory:
http://secunia.com/advisories/11346/

-- [SA11344] TikiWiki Multiple Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released:    2004-04-12

JeiAr has discovered multiple vulnerabilities in TikiWiki, allowing malicious people to conduct Cross Site Scripting, SQL injection, script insertion attacks and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11344/

-- [SA11338] Gentoo update for scorched3d
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-04-10

Gentoo has issued an update for scorched3d. This fixes a vulnerability, which potentially can be exploited by malicious users to compromise a vulnerable server.

Full Advisory:
http://secunia.com/advisories/11338/

-- [SA11325] IBM HTTP Server OpenSSL Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-04-09

IBM has confirmed some older vulnerabilities in IBM HTTP Server, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11325/

-- [SA11319] Scorched 3D Chat Box Format String Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-04-10

FieldySnuts has discovered a vulnerability in Scorched 3D, which potentially can be exploited by malicious people to compromise a vulnerable server.

Full Advisory:
http://secunia.com/advisories/11319/

-- [SA11353] Conectiva update for apache
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-04-14

Conectiva has issued updated packages for Apache 2. These fix three vulnerabilities, potentially allowing malicious people to cause a Denial of Service or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11353/

-- [SA11345] Conectiva update for mod_python
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-04-13

Conectiva has issued updated packages for mod_python. These fix a vulnerability, which can be exploited by malicious people to cause a Denial of Service.

Full Advisory:
http://secunia.com/advisories/11345/

-- [SA11336] Gentoo update for pwlib
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-04-10

Gentoo has issued an update for pwlib. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11336/

-- [SA11329] Gentoo update for ipsec-tools
Critical:    Moderately critical
Where:       From remote
Impact:      Hijacking, Security Bypass
Released:    2004-04-09

Gentoo has issued an update for ipsec-tools. This fixes a vulnerability, which can be exploited by malicious people to conduct MitM (Man-in-the-Middle) attacks or establish unauthorised connections.

Full Advisory:
http://secunia.com/advisories/11329/

-- [SA11328] KAME Racoon IKE Daemon RSA Signature Verification Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Hijacking, Security Bypass
Released:    2004-04-09

Ralf Spenneberg has reported a vulnerability in KAME Racoon, which can be exploited by malicious people to conduct MitM attacks (Man-in-the-Middle) or establish unauthorised connections.

Full Advisory:
http://secunia.com/advisories/11328/

-- [SA11327] nukeKalender Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released:    2004-04-09

Janek Vind "waraxe" has reported three vulnerabilities in nukeKalender, allowing malicious people to conduct Cross Site Scripting and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/11327/

-- [SA11318] Gentoo update for clamav
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-04-08

Gentoo has issued an update for clamav. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11318/

-- [SA11349] HP OpenView Operations Authentication Bypass Vulnerability
Critical:    Moderately critical
Where:       From local network
Impact:      Security Bypass
Released:    2004-04-13

HP has reported a vulnerability in OpenView Operations, which can be exploited by malicious people to bypass the authentication.

Full Advisory:
http://secunia.com/advisories/11349/

-- [SA11333] LCDProc Multiple System Compromise Vulnerabilities
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-04-12

Adriano Lima has reported multiple vulnerabilities in LCDProc, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11333/

-- [SA11326] AzDGDatingLite Cross Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-04-09

Janek Vind has reported two vulnerabilities in AzDGDatingLite, allowing malicious people to conduct Cross Site Scripting attacks.

Full Advisory:
http://secunia.com/advisories/11326/

-- [SA11322] OpenPKG update for fetchmail
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-04-08

OpenPKG has issued an update for fetchmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial-of-Service).

Full Advisory:
http://secunia.com/advisories/11322/

-- [SA11320] OpenPKG update for tcpdump
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-04-08

OpenPKG has issued an updated package for tcpdump. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11320/

-- [SA11340] Crackalaka Denial of Service Vulnerability
Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-04-12

Donato Ferrante has reported a vulnerability in Crackalaka, allowing malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11340/

-- [SA11339] RSniff Multiple Connection Denial of Service Vulnerability
Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-04-10

Luigi Auriemma has reported a vulnerability in RSniff, which can be exploited by malicious people to cause a DoS (Denial-of-Service).

Full Advisory:
http://secunia.com/advisories/11339/

-- [SA11335] Gentoo update for heimdal
Critical:    Less critical
Where:       From local network
Impact:      ID Spoofing
Released:    2004-04-09

Gentoo has issued updated packages for heimdal. These fix a vulnerability, which can allow certain people to impersonate others.

Full Advisory:
http://secunia.com/advisories/11335/

-- [SA11321] Gentoo update for automake
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-04-08

Gentoo has issued an update for automake. This fixes a vulnerability, which can be exploited by malicious local users to escalate their privileges.

Full Advisory:
http://secunia.com/advisories/11321/

-- [SA11334] Open WebMail Directory Creation Vulnerability
Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-04-09

Eric Wheeler has reported a vulnerability in Open WebMail, allowing malicious users to create arbitrary directories.

Full Advisory:
http://secunia.com/advisories/11334/

-- [SA11337] Gentoo update for iproute
Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2004-04-10

Gentoo has issued an update for iproute. This fixes a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11337/

-- [SA11332] Sun Cluster Global File System Denial of Service Vulnerability
Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2004-04-09

A vulnerability has been reported in Sun Cluster, allowing malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11332/

-- [SA11317] Gentoo update for util-linux
Critical:    Not critical
Where:       Local system
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-04-08

Gentoo has issued an update for util-linux. This fixes a vulnerability, which potentially could disclose information to users.

Full Advisory:
http://secunia.com/advisories/11317/

Other:
-- [SA11342] X-Micro Access Point Default Username and Password
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-04-12

Gergely Risko has reported a vulnerability in X-Micro WLAN 11b Access Point, allowing malicious people to gain control of a vulnerable device.

Full Advisory:
http://secunia.com/advisories/11342/

-- [SA11324] Cisco IPSec VPN Services Module Denial of Service Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-04-09

Cisco has confirmed a vulnerability in VPNSM, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11324/

-- [SA11323] CiscoWorks 1105 WLSE and HSE Default User Account
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-04-09

Cisco has confirmed a vulnerability in CiscoWorks 1105 for WLSE and HSE, which can be exploited by malicious people to gain control of certain devices.
Full Advisory:
http://secunia.com/advisories/11323/

Cross Platform:
-- [SA11358] BEA WebLogic SSL Impersonation Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      ID Spoofing
Released:    2004-04-14

A vulnerability has been discovered in WebLogic Server and WebLogic Express, which potentially allows malicious people to impersonate a user or server.

Full Advisory:
http://secunia.com/advisories/11358/

-- [SA11347] PHP-Nuke SQL Injection and Cross Site Scripting
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2004-04-13

Janek Vind has reported some vulnerabilities in PHP-Nuke, allowing malicious people to conduct SQL injection and Cross Site Scripting attacks.

Full Advisory:
http://secunia.com/advisories/11347/

-- [SA11341] Nuked-KlaN Arbitrary File Inclusion
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information, DoS
Released:    2004-04-12

frog-m@n has reported two vulnerabilities in Nuked-KlaN, allowing malicious people to include arbitrary scripts and corrupt the configuration file.

Full Advisory:
http://secunia.com/advisories/11341/

-- [SA11355] Blackboard Cross Site Scripting Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-04-14

DarC KonQuesT has reported some vulnerabilities in Blackboard, allowing malicious people to conduct Cross Site Scripting attacks.

Full Advisory:
http://secunia.com/advisories/11355/

-- [SA11343] SurgeLDAP Arbitrary File Retrieval Vulnerability
Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2004-04-12

Dr_insane has reported a vulnerability in SurgeLDAP, allowing malicious people to retrieve files from a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11343/

-- [SA11359] BEA WebLogic Exposure of Administrative Credentials
Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, Exposure of system information
Released:    2004-04-14

BEA has issued an update for WebLogic Server and WebLogic Express. This fixes a vulnerability allowing malicious users to gain knowledge of administrative credentials.

Full Advisory:
http://secunia.com/advisories/11359/

-- [SA11348] Citadel/UX Insecure Default Database Permissions
Critical:    Less critical
Where:       Local system
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-04-13

The vendor has reported a problem in Citadel/UX, which can be exploited by malicious, local users to gain direct access to the database.

Full Advisory:
http://secunia.com/advisories/11348/

-- [SA11357] BEA WebLogic Database Password Stored in Plain Text Issue
Critical:    Not critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-04-14

A security issue has been discovered in WebLogic Server and WebLogic Express, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/11357/

-- [SA11356] BEA WebLogic Group Membership Security Issue
Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-04-14

A security issue has been discovered in WebLogic Server and WebLogic Express, which may lead to inappropriate privileges being granted.

Full Advisory:
http://secunia.com/advisories/11356/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
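Every entry in the content listing above carries the same five pieces of information (SA number and title, Critical, Where, Impact, Released) plus a link, and the closing note asks readers to verify each advisory through that link rather than trust anything else. The following is an added example, written for this page and not Secunia's own tooling nor part of the ISN mailing: a small Python parser for that entry layout that ranks entries by the Critical and Where fields so the remote system-access items surface first, and flags any "Full Advisory" link that is not on secunia.com itself or does not carry the entry's own SA number. The three sample entries are constructed for the example (the third deliberately points at a lookalike host), and the "Extremely critical" step in the ranking is the top of Secunia's scale, which this issue happens not to use.

```python
"""Added example for this page, not Secunia's code: parse advisory entries
in the layout section 5 uses and rank them for triage. Assumes each entry is
a "-- [SAnnnnn] Title" line, four labelled fields, a description, then
"Full Advisory:" with the URL on the next line. SAMPLE is constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

SAMPLE = """\
-- [SA11352] IMail Express Web Messaging Buffer Overflow Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-04-13

The vendor has reported a vulnerability in IMail Express.

Full Advisory:
http://secunia.com/advisories/11352/

-- [SA11321] Gentoo update for automake
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-04-08

Gentoo has issued an update for automake.

Full Advisory:
http://secunia.com/advisories/11321/

-- [SA11342] X-Micro Access Point Default Username and Password
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-04-12

Constructed entry whose link deliberately points at a lookalike host.

Full Advisory:
http://secunia.com.example.invalid/advisories/11342/
"""

# One entry: header line, four single-line fields, free-text body, link.
ENTRY_RE = re.compile(
    r"^-- \[(?P<sid>SA\d+)\] (?P<title>[^\n]+)\n"
    r"Critical:[ \t]+(?P<critical>[^\n]+)\n"
    r"Where:[ \t]+(?P<where>[^\n]+)\n"
    r"Impact:[ \t]+(?P<impact>[^\n]+)\n"
    r"Released:[ \t]+(?P<released>\d{4}-\d{2}-\d{2})\n"
    r"(?P<body>.*?)^Full Advisory:[ \t]*\n(?P<url>\S+)",
    re.MULTILINE | re.DOTALL,
)

# Secunia's scale, most severe first; this issue uses the lower four steps.
CRITICALITY = {"Extremely critical": 5, "Highly critical": 4,
               "Moderately critical": 3, "Less critical": 2, "Not critical": 1}
# Attack position: remote outranks local network, which outranks local system.
EXPOSURE = {"From remote": 3, "From local network": 2, "Local system": 1}

@dataclass
class Advisory:
    sid: str
    title: str
    critical: str
    where: str
    impact: list
    released: str
    url: str

    def link_ok(self) -> bool:
        """The check the closing note asks for: exact host secunia.com (so a
        lookalike fails) and a path carrying the same number as the SA tag."""
        u = urlparse(self.url)
        return (u.scheme in ("http", "https") and u.hostname == "secunia.com"
                and u.path == f"/advisories/{self.sid[2:]}/")

    def priority(self) -> int:
        """Higher is more urgent; unknown labels sort last."""
        return CRITICALITY.get(self.critical, 0) * 10 + EXPOSURE.get(self.where, 0)

def parse_summary(text: str) -> list:
    return [Advisory(sid=m["sid"], title=m["title"].strip(),
                     critical=m["critical"].strip(), where=m["where"].strip(),
                     impact=[i.strip() for i in m["impact"].split(",")],
                     released=m["released"], url=m["url"].strip())
            for m in ENTRY_RE.finditer(text)]

def triage(text: str) -> list:
    """Entries sorted most urgent first (remote system access on top)."""
    return sorted(parse_summary(text), key=Advisory.priority, reverse=True)

def suspicious_links(text: str) -> list:
    """IDs whose 'Full Advisory' link fails link_ok(); do not click these."""
    return [a.sid for a in parse_summary(text) if not a.link_ok()]

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a.priority(), a.sid, a.critical, a.where, a.title,
              "" if a.link_ok() else "<- LINK MISMATCH")
```

Running the file lists the sample entries most urgent first, with the lookalike entry flagged. The host check is an exact hostname comparison rather than a substring test; a substring test would accept secunia.com.example.invalid, which is exactly the kind of link a forged advisory mail would carry.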
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

========================================================================

From isn at c4i.org Tue Apr 20 03:30:59 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 20 04:15:34 2004
Subject: [ISN] Hackers: Under the hood
Message-ID:

http://www.zdnet.com.au/insight/security/0,39023764,39116620-1,00.htm

By Patrick Gray and Fran Foo
ZDNet Australia
19 April 2004

special report: Adrenalin pumping through their veins as lines of code are crunched to perfection. Well, that's what we're led to believe, anyway. Welcome to the world of hackers.

ZDNet Australia went on the hunt to track down some of the world's most prominent (and notorious) hackers. In this five-part series, we delve into the lives of five prominent hackers who reveal issues close to their heart.

Raven Alder, the first woman to deliver a technical presentation at the famed DefCon hacker conference, talks about "gender wars" in the hacking realm. "One popular magazine's 'do you think girl hackers should date boy hackers?' left a bad taste in my mouth, too. Nobody asks the guys this stuff, and finding myself a 'boy hacker' is not really tops on my list of things to do this weekend," Alder says.

Kevin Mitnick shares his experience behind bars and recalls the days when he was treated like "Osama bin-Mitnick".

For Adrian Lamo, the so-called "homeless hacker", there was no turning back after discovering how to make both sides of a 5.25in floppy disk writable at the tender age of eight.

Attrition.org co-founder Brian Martin aka Jericho, who dropped out of college during the second year at architecture school, shares his silliest hacks.
Peiter Mudge Zatko, better known simply as Mudge, talks about the origins of L0pht Crack -- a password cracker for Windows-based systems which he wrote to "prove a point and not for commercial purposes."

Hackers are often perceived as shady characters but securing your perimeter is about anticipating and understanding all forms of threat -- the good, the bad and the ugly -- to your network. Whatever their motives, we hope you will gain some insights into the psyche of a hacker.

From isn at c4i.org Tue Apr 20 03:32:26 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 20 04:15:35 2004
Subject: [ISN] Hackers: Under the hood - Raven Alder
Message-ID:

http://www.zdnet.com.au/insight/security/0,39023764,39116620-2,00.htm

Name: Raven Alder
Handle(s): Raven
Age: 28
Place of birth: Mississippi, USA
Marital status: Single
Current residence: Maryland, USA
Job: Security consultant, True North Solutions
First computer: Home-built 8088 machine in 1988 or so
Best known for: Tracing spoofed distributed denial of service attacks
Area(s) of expertise: ISP backbone networking, protocol decoding and design, Linux/BSD security, and cryptography

What's the difference between male and female hackers? If you ask Raven Alder, she might let out a string of expletives because gender is a non-issue.

Alder was the first woman to deliver a technical presentation at the famed DefCon hacker conference in Las Vegas. But don't harp on it. If there's one thing she hates, it's being typecast as a "chick hacker".

"If I never read another 'she's going to save the Internet' article or have a reporter wanting me to pose by the pool at DefCon with a life preserver, it will be too soon.

"One popular magazine's 'do you think girl hackers should date boy hackers?' left a bad taste in my mouth, too. Nobody asks the guys this stuff, and finding myself a 'boy hacker' is not really tops on my list of things to do this weekend," Alder said.
Born into a fairly well-to-do family, it was clear that Alder was a brainiac from a young age. "I skipped three grades and was taking college classes at 12, graduated high school at fourteen and college at eighteen," she said. "My parents very much encouraged my sister, brother and me to be academic achievers." Alder has the markings of an uber geek, but her lifestyle is far from sedentary. "Mom put all three of us through martial arts [Shorin Ryu Matsumura discipline] for at least a year. She wanted us to be able to defend ourselves. After that, it was our decision whether or not to continue," she explained. "My kid sister quit and did gymnastics instead, making it almost all the way to being an Olympic-class gymnast before quitting to become the captain of her high school cheerleading squad ... [but] I continued." Alder first dabbled with computers in 1985, fiddling with her school's Apple II, but didn't get serious until after graduate school. "I went to Virginia Tech in an entirely unrelated discipline, but you can't attend that school without becoming at least basically technically competent," she explains. Despite becoming quite involved with geekish pursuits, Alder says her social life hasn't suffered at all. "If anything, it's made it more to my tastes. I like geeks," she confessed. "I'm far more likely to enjoy the company of the folks I see at dc-securitygeeks meetings than I am of the people I'd see at my neighbourhood bar. I've met a variety of fascinating people through hacking, and some of them are now close friends." Alder hasn't taken a holiday "that didn't involve computer security" for around five years. "Most of my vacations are something like, 'Oh, I'll go to Ottawa Linux Symposium, that will be fun!'," she said. While her parents have been supportive, Alder's father is sometimes rattled by the idea of his child hanging around with "hacker types". 
When she called to tell him she'd be presenting at a computer security conference "he went to brag to his security officer friends". But the thrill didn't last too long. "DEFCON? Do you know what that is? It's full of HACKERS!" her father said. It took her 30 minutes to deliver the "hackers-are-not-bad" speech. But it's not all smiles and sunshine in the security business for Alder -- she once found a serious vulnerability in a "very popular security product". "I wrote up some proof of concept exploit code, and took it to my boss," she explained. The makers of the product didn't really seem to care about the issue nor want to fix it. "I carefully explained the importance of the problem, and the possible ramifications of exploiting it. People are trusting this product with their security data, and if the product itself is [insecure], it's un-trustable and you can't have faith in the veracity of that data," she said. Still, the vendor was unmoved, claiming no one would ever find the glitch. Alder was by this point annoyed. She had found the problem, so others could too. But the vendor simply refused to fix the problem. "Now, if I had been doing this as an independent researcher, I would have posted [it] to Full Disclosure (a security mailing list) at that point. However, since I was working for a company, disclosure was in their hands and not mine, and they chose not to say anything. So the vulnerable product is still out there. "I was explicitly told that I would be sued to the tune of several million dollars if I ever violated my NDA [non-disclosure agreement] and revealed the vulnerability. This is why closed source security is bad. Lesson learnt ... any vulnerability research I do from here on out is my own, and I will be answerable to nobody but myself for disclosure," she said. It could be this experience which has dimmed her view of the industry as a whole. There are good people in the security space, she says, but there are also some bad eggs. 
"The root problem that the security industry has is ... unscrupulous people selling to an uninformed market. The managers buying security products don't understand security at all, and so they trust the vendors to tell them what is best," Alder argued. "And somehow, conveniently, what is best has a great overlap with whatever that particular vendor happens to be selling." However, it's not just the vendors who are to blame. To a certain extent, Alder said, end-users engage in an "ignorance is bliss" management philosophy. "Many companies just want to be able to throw money at a product and feel secure. They're uninterested in understanding security or changing their habits and environment. Unfortunately, that's not the way that a successful security program works. People who understand security are necessary, and in chronically short supply," she said. "[Companies] have the latest and greatest firewall that nobody has ever bothered to configure, or a very expensive intrusion detection system (IDS) that nobody has the understanding to tune." Alder monitors the nessus.org IDS. Nessus is an open-source vulnerability scanner, so one might expect some sophisticated attacks against that domain but this is not always the case. "Sadly, most of the attacks that people threw at it were pretty stupid -- 'Oooh, I downloaded Nessus! Hey, I'll run Nessus against Nessus!'. I did see some exploit attempts that were fairly similar to the successful attacks against Debian and Gentoo at about the same time, though, so that was neat. And they didn't get in!," she recalled. It seems Alder genuinely enjoys her work, and gets some thrills through some unlikely pursuits. "Hiking, rock climbing, camping. I'm also an avid reader -- I have a taste for science fiction and fantasy, but I'm also fond of archaeology, linguistics, history, particle physics, and biology," she said. In her spare time, she downs chai while arguing philosophy with friends. 
To aspiring hackers, Alder has this piece of advice: "Learn TCP/IP or the internals of your operating system of choice. Ideally, learn both. Don't just be a script-kiddie who downloads an attack program off the Internet and think that's cool. "Understanding what you're doing is more cool. Having the know-how to develop a new and innovative attack or to develop a creative defence is a lot more impressive than 'dude, I sniffed your Hotmail password'." -- Patrick Gray. From isn at c4i.org Tue Apr 20 03:32:48 2004 From: isn at c4i.org (InfoSec News) Date: Tue Apr 20 04:15:36 2004 Subject: [ISN] Linux Security Week - April 19th 2004 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | April 19th, 2004 Volume 5, Number 16n | | | | Editorial Team: Dave Wreski dave@linuxsecurity.com | | Benjamin Thomas ben@linuxsecurity.com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "CARP your way to high availability," "File and Email Encryption with GnuPG," "Lies, damned Lies and Patches," and "Slow down the Security Patch Cycle." ---- >> Free Trial SSL Certificate from Thawte << Take your first step towards giving your online business a competitive advantage. Test-drive a Thawte SSL certificate our easy online guide will show you how. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten03 ---- LINUX ADVISORY WATCH: This week, advisories were released for apache, the Linux kernel, mysql, xonix, ssmtp, openoffice, squid, cvs, Heimdal, iproute, pwlib, scorched, tcpdump, cadaver, and mailman. The distributors include Conectiva, Debian, Fedora, FreeBSD, Gentoo, Mandrake, Red Hat, and SuSE. 
http://www.linuxsecurity.com/articles/forums_article-9190.html

----

Guardian Digital Launches Next Generation Internet Defense & Detection System

Guardian Digital has announced the first fully open source system designed to provide both intrusion detection and prevention functions. Guardian Digital Internet Defense & Detection System (IDDS) leverages best-in-class open source applications to protect networks and hosts using a unique multi-layered approach coupled with the security expertise and ongoing security vigilance provided by Guardian Digital.

http://www.linuxsecurity.com/feature_stories/feature_story-163.html

----

>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04

--------------------------------------------------------------------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* CARP your way to high availability
April 16th, 2004

You're putting out system management fires, with five SSH sessions open on your desktop. The mail server needs a restart after that kernel patch, so you su to root and type reboot. Just as the connection closes, your brain catches up with your fingertips.

http://www.linuxsecurity.com/articles/network_security_article-9191.html

* OSVDB Looking for Developers
April 16th, 2004

The OSVDB project has been growing steadily for the last 2 years. At first the software behind OSVDB was simple, and easily maintained by a single person with others contributing smaller pieces.
http://www.linuxsecurity.com/articles/security_sources_article-9192.html

* File and email encryption with GnuPG (PGP) part five
April 15th, 2004

Verification is part of any security system. SSH, FTP, POP, and IMAP servers ask for your password before they let you log into the machine, get your files, or snag your email. NTP can be configured to require keys before it'll let you mess with its clock. CIFS requires a password or kerberos tickets before granting you access to shares.

http://www.linuxsecurity.com/articles/documentation_article-9188.html

* Linux Kernel ISO9660 File System Component Buffer Overflow Vulnerability
April 15th, 2004

The Linux kernel performs no length checking on symbolic links stored on an ISO9660 file system, allowing a malformed CD to perform an arbitrary length overflow in kernel memory.

http://www.linuxsecurity.com/articles/host_security_article-9185.html

* Lies, damned lies and patches
April 13th, 2004

Vendors can argue about platform security all they want, but there's a simple test of a secure computer: it's the machine that has been patched, says Kerry Thompson.

http://www.linuxsecurity.com/articles/host_security_article-9174.html

+------------------------+
| Network Security News: |
+------------------------+

* Hackers Attack Linux Supercomputers
April 14th, 2004

Unknown attackers have compromised a large number of Linux and Solaris machines in high-speed computing networks at Stanford University, California, and other academic research facilities, according to a university advisory.

http://www.linuxsecurity.com/articles/hackscracks_article-9179.html

* Auditors working on cyber-risk standard
April 14th, 2004

Plans by an industry consortium to develop a checklist to assess cyber-threats could help IT directors justify security spending and help protect companies against hackers, according to IT directors and industry experts.
http://www.linuxsecurity.com/articles/general_article-9180.html +------------------------+ | General Security News: | +------------------------+ * Would you bend the rules? April 15th, 2004 Windows users in your organisation are severely affected by a spate of viruses, worms and blended threats. Meanwhile, non-Windows users (Linux and Mac OS users for instance) are spared and continue with their daily chores. As the IT manager, you finally decide that an IT security policy be implemented. This policy sets out several guidelines, one of which governs the use of acceptable applications within the company network. http://www.linuxsecurity.com/articles/general_article-9189.html * Check out Securitydocs.com April 14th, 2004 SecurityDocs.com was founded two months ago with the intention of indexing information security white papers. The web site currently has about 1,400 papers in over 80 categories. http://www.linuxsecurity.com/articles/documentation_article-9183.html * Slow down the security patch cycle April 13th, 2004 There are many myths surrounding computer network security that are counterproductive to finding a true solution to the problem. One of these is the belief that vendors should speed up the process of producing and releasing patches for security vulnerabilities that have been discovered by security researchers. http://www.linuxsecurity.com/articles/host_security_article-9175.html * The end of an era? April 13th, 2004 McKee's argument has merit, and there is an army of hardcore Linux developers and users who agree and are pushing to make this open source technology an alternative to the omnipresent Windows. Security, stability and the democratic nature of Linux development are all reasons why the software is superior to Windows, advocates say; but the most important reason to adopt Linux, according to McKee and his allies, is because it's free. 
http://www.linuxsecurity.com/articles/general_article-9173.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Tue Apr 20 03:33:01 2004 From: isn at c4i.org (InfoSec News) Date: Tue Apr 20 04:15:37 2004 Subject: [ISN] Last part of security strategy released Message-ID: http://www.fcw.com/fcw/articles/2004/0419/web-ncsp-04-19-04.asp By Florence Olsen April 19, 2004 A cybersecurity task force recommended improvements today to a variety of technical standards and practices. Organized by the National Cyber Security Partnership, the task force issued a 104-page report with recommendations for the federal government and industry [1]. The report is the last of five documents prepared by industry and academic experts on the President's National Strategy to Secure Cyberspace, a general blueprint for improving the nation's cybersecurity readiness. The task force members called for what they said were needed improvements to the consumer- and vendor-oriented software security testing program operated by the National Institute of Standards and Technology and the National Security Agency. The report recommends that NIST receive an initial $12 million in new appropriations and $6 million in following years for developing security requirements for specific classes of products such as intrusion-detection systems and virtual private networks. Other steps outlined in the report include making vendors responsible for shipping software products with more of their security features enabled and having the federal government mandate software-vulnerability analysis as a condition of procurement. 
The group also recommended that industry groups work together to develop a well-defined set of technical standards for designing secure IP networks.

Leaders of the Technical Standards and Common Criteria Task Force were Mary Ann Davidson of Oracle Corp., Chris Klaus of Internet Security Systems Inc. and Edward Roback of NIST.

[1] http://www.cyberpartnership.org/TF4TechReport.pdf

From isn at c4i.org Tue Apr 20 03:58:14 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 20 04:15:38 2004
Subject: [ISN] Will Trade Passwords For Chocolate
Message-ID:

http://www.securitypipeline.com/news/18902074

By Mitch Wagner
April 19, 2004

Almost three quarters of office workers in an impromptu man-on-the-street survey were willing to give up their passwords when offered the bribe of a chocolate bar.

The organizers of the conference Infosecurity Europe 2004 plan to announce on Tuesday that they surveyed office workers at Liverpool Street Station in England, and found that 71 percent were willing to part with their password for a chocolate bar.

The survey also found the majority of workers would take confidential information with them when they change jobs, and would not keep salary details confidential if they came across the details.

Some 37 percent of workers surveyed immediately gave their password. If they initially refused, researchers used social engineering tactics, such as suggesting that the password has to do with a pet or children's name. An additional 34 percent revealed their passwords at that point.

The company said: "Of the 172 office workers surveyed many explained the origin of their passwords, such as 'my team - Spurs,' 'my name - Charlie,' 'my car - minicooper,' 'my cat's name - Tinks.' The most common password categories were family names such as partners or children (15%), followed by football teams (11%), and pets (8%). The most common password was 'admin.'
One interviewee said, 'I work in a financial call center, our password changes daily, but I do not have a problem remembering it as it is written on the board so that everyone can see it.... I think they rub it off before the cleaners arrive."

The survey also found:

- 53 percent of users said they would not give their password to a telephone caller claiming to be calling from their IT department.
- Four out of 10 knew their colleagues' passwords.
- 55 percent said they'd give their password to their boss.
- Two thirds of workers use the same password for work and for personal access such as online banking and web site access.
- Workers used an average of four passwords, although one systems administrator used 40 passwords, which he stored using a program he wrote himself to keep them secure.
- 51 percent of passwords were changed on a monthly basis, 3 percent changed passwords weekly, 2 percent daily, 10 percent quarterly, 13 percent rarely and 20 percent never.
- Many workers who regularly had to change their passwords kept them on a piece of paper in their drawers, or stored in Word documents.

From isn at c4i.org Wed Apr 21 07:13:44 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 21 07:31:05 2004
Subject: [ISN] Britons go 'toothing' for sex with strangers
Message-ID:

http://www.theage.com.au/articles/2004/04/21/1082395891416.html

[Who would have thought a security vulnerability would lead to wild anonymous sex? :) - WK]

London
April 21, 2004

British commuters take note - the respectable person sitting next to you on the train fumbling with his or her cell phone may be a "toother" looking for sex with a stranger.

"Toothing" is a new craze where strangers on trains, buses, in bars and even supermarkets hook up for illicit meetings using messages sent via the latest in phone technology.
"Toothing is a form of anonymous sex with strangers -- usually on some form of transport or enclosed area such as a conference or training seminar," says the Beginner's Guide To Toothing on a website dedicated to the pursuit. It is made possible by Bluetooth technology which allows users to send phone contacts, pictures and messages to other Bluetooth-enabled equipment over a range of about 10 metres. Users discovered they could send anonymous messages to people they didn't know with Bluetooth equipment, spawning a craze dubbed "bluejacking". Jon, aka "Toothy Toothing" and the guide's author, explained toothing was born after he was "bluejacked" by an unknown girl while commuting to work in London. After a few days of flirting, she suggested a brief encounter in a station lavatory. "The meeting wasn't a romantic thing - it was purely sexual. Barely anything was said," he said via e-mail. He said potential toothers begin by sending out a random greeting -- usually "Toothing?". "If the other party is interested, messages are exchanged until a suitable location is agreed -- usually a public toilet, although there are tales of more adventurous spots such as deserted carriages or staff areas," his guide adds. Jon, who's in his 20s and works in finance, estimates there could be tens of thousands of toothers from all sorts of professions and lifestyles. Certainly the website's message board is busy. "Any toothing on these trains?" asks one message about services between Cambridge and London, prompting positive responses from "Dannyboy" and "Zeke". "I'll be around London Bridge mainline station around 9.45 - 10am tomorrow if anyone's interested...," another messager called "Boi" wrote hopefully. While some happily recount their successful encounters, others suggest there are a few teething problems with toothing. "I tried toothing in Tooting (south London) last night... not a device to be found," a frustrated "Snowdog" posted sadly. 
Although clearly not what the industry had in mind, toothing may lead operators towards similar, more mainstream projects. Last month it was reported that a team in Boston had created a service for cell phones called Serendipity, a wireless alternative to online dating. It allows subscribers to store their personal details and what they want from a partner. When there are enough similarities between two people and they happen to be in the same area, it tells their phones to communicate with each other.

Dario Betti, of the British-based consultancy Ovum, said bluejacking had really taken off, helped by the fact the service was free. "The element of the unknown, that you are connecting to someone around you that you might not know, it's a novelty factor that is helping it to start," he said.

If Jon and those who use his forum are right, toothing is certainly livening up life for some bored commuters. "A lot of my day's taken up with a soul-aching commute into the city, and that just feels like dead time," Jon said. "Flirting is fun, sex is fun. We're just employing expensive, complex toys to find the most basic form of entertainment."

From isn at c4i.org Wed Apr 21 07:13:59 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 21 07:31:06 2004
Subject: [ISN] Hackers: Under the hood - Brian Martin aka Jericho
Message-ID:

http://www.zdnet.com.au/insight/security/0,39023764,39116620-3,00.htm

Name: Brian Martin
Handle(s): Jericho, Security Curmudgeon
Age: 30
Place of birth: South Carolina, USA
Marital status: Single
Current residence: Colorado, USA
Job: Independent security consultant
First computer: Tandy TRS-80
Best known for: Creating computer security Web site attrition.org

The name Brian Martin might not ring a bell in the security sphere but "Jericho" certainly would. Martin is known for his work behind attrition.org, an online resource famous for cataloguing defaced Web sites and security vulnerabilities.
He cheerfully admits to "hacking his brains out" in the past. If he was a burglar, Martin would be the type who'd break in and clean up your house.

College life was cut short in his second year at architecture school. "I dropped out because I thought the program was horrid and they weren't modern," he said. Despite studying architecture and drafting, he wasn't allowed to use a computer to complete assignments.

One of his silliest hacks, he told ZDNet Australia, was "breaking into a machine to run 'satan' [a vulnerability scanner] after its release only to find that we had to install Perl and a new gcc [compiler] for the admin because satan wouldn't compile."

"You could tell a hacker [was in] a system back then ... it ran smoother than any other on the network. Every system we hacked was made more secure, stuff fixed and upgraded, and boxes were more streamlined.

"It took us a full day to get the machine [to] run satan. We ran it once, laughed, and never used it again," he said.

One time, paranoia got the better of him. "I hacked into the phone switch to see if there was a trace on my line ... if there was, my 'investigation' would have been recorded. Back then, half the phone switches had no login. [You'd] connect, ctrl-d to 'wake it up', and you'd have access to 200,000 phone lines," he recalled.

But those were memories from a bygone era. Today, he's a reformed character. Sharing his life with three cats, Martin works as a freelance security consultant. But, he's damning in his condemnation of the security industry.

"I think the industry sucks. It's self destructing and overrun with criminals of one type or another," he said. "Everyone is out for a dollar, they don't care about security any more. It's all about name recognition, egos and cheating people out of money. [It] has been for a while ... to the point where I just don't like it."

It's the dishonesty and lack of "real" skills that annoys him the most.
Then there's the rampant practice of overcharging for products which Martin describes as "shoddy, band-aid solutions". "Think about it. Consultants are hired to tell customers what security they need but they overcharge these clients, lie about the solutions ... that's fraud ... the industry is full of criminals," he said.

Thumbing through his resume is a sobering experience. As a supporter of infamous hacker Kevin Mitnick -- who has been imprisoned three times for computer crime -- Martin sifted through 10 gigabytes of electronic evidence and 1,600 pages of witness testimony in his role as a technical consultant for the defence team.

As testament to his versatility as a public speaker, Martin has also delivered presentations to law enforcement agencies, at the famous DefCon hacker conference, and Blackhat briefings.

Despite his accomplishments, he once thought about throwing it all away but realised he couldn't bring himself to disconnect from the industry completely. "I like osvdb, and I like my friends in the industry, and working a few days a month to live comfortably is nicer than 40 hours a week in a store," he says.

Osvdb is the Open Source Vulnerability Database, a vast online archive of security vulnerabilities, maintained in part by Martin, who formed many of his friendships online.

"I'm still good friends with people I met online as far back as 1995," he said. "I met all of the attrition staff online at first, [and] eventually in person. It started out with a few mails, turned into chat for most of the day and eventually led to meeting."

"Attrition started with two or three of us, and the rest got involved as they found a piece they wanted to help with," he added.

Martin draws no distinction between online communications and face-to-face interaction, and believes anyone who thinks it strange just doesn't understand.
"If you meet someone and become good friends through talking and hanging out, then he moves across the country, do you stop being friends with him? Of course not.

"Is it really any different that instead of a face-to-face chat, it's done via text? Does it invalidate our conversations, what we talk about, how we choose to bond, and how we become friends?"

Friends for life is obviously his mantra ... be they virtual or otherwise.

-- Patrick Gray.

From isn at c4i.org Wed Apr 21 07:14:12 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 21 07:31:08 2004
Subject: [ISN] Flaw Leaves Internet Open to Attacks
Message-ID:

http://www.eweek.com/article2/0,1759,1571185,00.asp

By Dennis Fisher
April 20, 2004

A security researcher has developed a new attack for a well-known flaw in the TCP protocol that allows an attacker to effectively shut down targeted routers and terminate existing TCP sessions at will. The scenario has many security experts worried, given the ubiquity of TCP and the fact that there's an attack tool already circulating on the Internet.

The basic problem lies in the fact that existing TCP sessions can be reset by sending specially crafted RST (reset) or SYN (synchronization) packets to either of the machines involved in the session. This is in fact an intended feature of the protocol. However, the source IP addresses on these packets can be forged, which makes it possible for attackers not involved in the TCP session to terminate the connection, causing a de facto denial of service.

Security experts have known for some time that such an attack was possible in theory, but had thought it to be impractical to implement in the real world because of the difficulty of guessing the random numbers used to establish new TCP sessions. Machines on the receiving end of TCP packets look for this number as a way of determining the authenticity of incoming requests. The numbers are randomly generated and come from a pool of about 4 billion possible 32-bit sequences.
But a researcher named Paul Watson has discovered that machines receiving TCP packets will accept packets containing numbers that are within a certain range of the actual sequence number. This makes it far easier to create authentic-looking packets capable of shutting down TCP sessions, according to an analysis of the attack posted Tuesday by the National Infrastructure Security Coordination Center, England's national clearinghouse for security data.

Known as a "window," this range of acceptable sequence numbers is established during the initial TCP handshake and varies depending on the devices and applications involved. A larger window size makes it easier for this attack to succeed. And with an automated attack tool already out there, experts expect to see quite a bit of activity in the coming days.

"It takes about 15 seconds for the attack tool to resize the window and guess the number and crash the device," said Chris Rouland, vice president of the X-Force research team at Internet Security Systems Inc. in Atlanta. "This certainly will become another tool in the arsenal [of attackers]."

Experts say BGP (Border Gateway Protocol) is likely to be most vulnerable to this issue because it relies on a persistent TCP connection between peers. ISPs use the protocol to exchange routing information, and resetting BGP connections often creates the need to rebuild routing tables altogether. Many of the backbone service providers have updated their devices to guard against the new attack, Rouland said, as they were given advance notice of the public release of the information.

The likelihood of actual attacks using this technique is lessened somewhat by the fact that attackers need to know both the source and destination IP addresses as well as the source and destination ports for whatever connection they want to go after. Also, using IPsec wherever possible to encrypt TCP sessions prevents attackers from being able to see TCP data for those sessions.
Watson plans to discuss the new technique in more detail at the CanSecWest security conference this week in Vancouver, British Columbia.

From isn at c4i.org Wed Apr 21 07:14:23 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 21 07:31:09 2004
Subject: [ISN] Segal offers $10,000 reward for info on ex-worker
Message-ID:

http://www.suntimes.com/output/news/cst-nws-segal20.html

BY STEVE WARMBIR AND TIM NOVAK
Staff Reporters
April 20, 2004

In an unusual move, the firm of indicted insurance czar Michael Segal is offering a $10,000 reward on a Web site for more information about a former employee whom the firm accuses of hacking into company computers and sharing files with competitors and government informants.

Jury selection began Monday in Segal's criminal trial, but a Segal spokeswoman, Kitty Kurth, said the Web site had nothing to do with the criminal case. Rather, it's related to a civil lawsuit Segal has filed against former employees, including the alleged hacker, David Cheley, whom Segal accuses of conspiring to destroy his company, Near North Insurance Brokerage.

Segal is accused of siphoning more than $20 million from a key firm account and spending the money on personal and business expenditures. Segal has brought up the alleged hacking and sharing of e-mails with government informants in his criminal case. However, the federal judge overseeing his criminal case would not grant a hearing to Segal on the matter.

The site, hackingreward.com [1], had been up for a few weeks, Kurth said. The name was registered on March 29 this year, records show. The reward was offered after federal authorities told Near North that Cheley would not be prosecuted for any alleged hacking, Kurth said.

The site offers a $10,000 reward for new information about hacking into Near North's computer system. It prominently features a photograph of Cheley, 33, of Chicago. It also lists a former home address of Cheley, pages from his Web site that listed his qualifications as a computer programmer, as well as former employers.

"Boy, oh, boy," Cheley said as he looked at the Web site for the first time Monday. "Wow," he said later. "These people are something else."

Cheley, who denies hacking into the Near North system, said the litigation has destroyed him and sapped his savings. He said he feels like a scapegoat in the matter.

"I'm not part of any conspiracy," Cheley said. "These guys have pretty much finished me."

[1] http://www.hackingreward.com/

From isn at c4i.org Wed Apr 21 07:15:56 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 21 07:31:10 2004
Subject: [ISN] Cisco warns of hijack code for VPN gear
Message-ID:

http://www.nwfusion.com/news/2004/0420ciswarn.html

By Phil Hochmuth
Network World Fusion
04/20/04

Cisco last week warned that hacker software now exists that allows attackers to break into a Cisco-based VPN by intercepting VPN logon/password data.

The hacker code takes advantage of a previously reported vulnerability in Cisco VPN hardware and software, where Group Passwords are used instead of Public Key Infrastructure (PKI) certificates to authenticate a VPN user. The exploit code affects the Cisco VPN 3000 Concentrator, the Cisco VPN client software for Windows and Linux PCs, and the VPN 3002 hardware client - a small appliance for connecting remote PCs to a Cisco VPN through broadband links.

The exploit code could be used to emulate an enterprise VPN termination device, such as the Cisco VPN Concentrator, and glean VPN usernames and passwords from end users. The code could also be used to hijack Cisco VPN connections directly from end users.

According to a Cisco statement, "the Group Password used by the Cisco IPSec VPN client is scrambled on the hard drive, but unscrambled in memory.
This password can now be recovered on both the Linux and Microsoft Windows platform implementations of the Cisco IPSec VPN client."

This so-called "man-in-the-middle" attack only affects Cisco VPN gear using Group Passwords. This is considered a less-secure authentication method than PKI certificate exchanges. Cisco says there are no workarounds for this problem, and recommends that users implement PKI instead of Group Passwords for VPN authentication. The company says it will release software that will fix the Group Password problem on the VPN 3000 Concentrator, client software and hardware client in the third quarter of this year.

The news of hacker software for this Cisco VPN weakness comes a week after Cisco warned of a software flaw that could leave the IPSec VPN Module for the Catalyst 6500 switch and 7600 series router susceptible to a denial-of-service attack.

From dcopley at eeye.com Wed Apr 21 14:11:17 2004
From: dcopley at eeye.com (Drew Copley)
Date: Wed Apr 21 14:19:40 2004
Subject: [ISN] EEYE: Yahoo! Mail Account Filter Overflow Hijack
Message-ID: <81637804AB36A644BBDE3ED9DD4E73FDDF306B@hermes.eCompany.gov>

"Yahoo! Mail" Account Filter Overflow Hijack

Release Date: April 19, 2004
Date Reported: March 10, 2004
Severity: High
Vendor: Yahoo!

Description:
"Yahoo! Mail" is one of the Internet's most popular web based email solutions. They provide free email and large capacity storage, as well as subscription-based services such as mail forwarding, expanded storage and personalized email addresses.

eEye Digital Security has discovered a security hole in "Yahoo! Mail" which allows a remote attacker to take over an account remotely by sending a specially crafted email.

Technical Description:

-----------EXAMPLE EMAIL---------
SCRIPT
[->a bunch of chars here [spaces are most stealth], the whole file size will be just about 100KB]
[this causes the filter to not work... the code is then run automatically]
---------------------------------

The pseudo-diagram above explains the scenario rather well. For whatever reason, Yahoo's email filter simply does not work on files which exceed a certain range. This kind of software issue is relatively common. A remarkable note about this bug is that no one seems to have found it before. As far as anyone knows.

Drew's Happy-Happy Quote for the Day: Ben Franklin, "Three can keep a secret if two are dead."

Protection:
Yahoo! Mail is a hosted, web based service, hence users do not need to patch. Yahoo has already fixed this bug, therefore all Yahoo accounts are now completely safe from it.

Vendor Status:
Yahoo! has been notified and has rectified the issue.

Credit:
Drew Copley, eEye Digital Security (dcopley eeye.com), Research Engineer
thanks to "http-equiv" for additional research

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/download.html

Greetings:
To all of you out there that don't use turn signals. Sooner or later your time is going to come. And a special greeting to all of these competitors of ours making some extra cash by selling pre-fix vulnerabilities through pay for play "mailing lists". I am sure North Korea, the Yakuza, the "Triads", the Russian Mafiya, La Cosa Nostra, and every other criminal state or organization appreciates your type of "Partial Full Disclosure for a Darn Good Price" motto.

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition.
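An added illustration of the failure pattern the eEye advisory above describes (written for this archive page; it is not eEye's or Yahoo!'s code, and the real filter's internals are not given here): a mail content filter with a fixed scan budget that passes oversized messages through untouched, beside a version that never delivers unsanitised input. The 64 KB and 1 MB limits, the function names and the sample payload are assumptions; the space-padded ~100 KB message is modelled on the advisory's example email.

```python
"""Fail-open content filter (added example for this page; not eEye's or
Yahoo!'s code). The advisory says Yahoo!'s filter "simply does not work on
files which exceed a certain range", so a script padded to ~100 KB reached the
browser intact. The filter below is a constructed stand-in with the same shape
of bug: it only sanitises messages that fit its scan budget. The limits, names
and sample message are assumptions, not Yahoo!'s real values.
"""
import re

SCAN_LIMIT = 64 * 1024        # hypothetical per-message scan budget (assumed)
HARD_LIMIT = 1024 * 1024      # hypothetical absolute size cap for the fixed filter

# Crude active-content patterns: <script>...</script> blocks and on*= handlers.
_SCRIPT_RE = re.compile(r"<\s*script\b.*?<\s*/\s*script\s*>", re.I | re.S)
_HANDLER_RE = re.compile(r"\son\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.I)


def strip_active_content(html):
    """Remove script blocks and inline event handlers from an HTML body."""
    html = _SCRIPT_RE.sub("", html)
    return _HANDLER_RE.sub("", html)


def contains_active_content(html):
    """What the browser would see: is there still anything executable?"""
    return bool(_SCRIPT_RE.search(html) or _HANDLER_RE.search(html))


def filter_fail_open(html):
    """The bug pattern: if the body exceeds the scan budget the filter gives up
    and the message is delivered exactly as received."""
    if len(html) > SCAN_LIMIT:
        return html
    return strip_active_content(html)


def filter_fail_closed(html):
    """The fix: sanitise every message that is delivered; anything beyond the
    hard cap is rejected (None) rather than passed through untouched."""
    if len(html) > HARD_LIMIT:
        return None
    return strip_active_content(html)


def build_padded_message(payload, target_size=100 * 1024):
    """Constructed attacker message as in the advisory's pseudo-diagram:
    the script first, then spaces until the body is about 100 KB."""
    return payload + " " * max(0, target_size - len(payload))


# Constructed payload; a real one would exfiltrate the session rather than alert.
PAYLOAD = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    small, big = PAYLOAD, build_padded_message(PAYLOAD)
    print("small message, fail-open filter, script survives:",
          contains_active_content(filter_fail_open(small)))
    print("100 KB message, fail-open filter, script survives:",
          contains_active_content(filter_fail_open(big)))
    print("100 KB message, fail-closed filter, script survives:",
          contains_active_content(filter_fail_closed(big)))
```

The point to check in any filter you own is the branch taken when input exceeds whatever buffer, timeout or size threshold it has: a filter that returns the original bytes on that path is not a filter for anyone who can add padding.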
There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Feedback Please send suggestions, updates, and comments to: eEye Digital Security http://www.eEye.com info@eEye.com From isn at c4i.org Thu Apr 22 03:09:54 2004 From: isn at c4i.org (InfoSec News) Date: Thu Apr 22 03:26:04 2004 Subject: [ISN] Windows & .NET Magazine Security UPDATE--Patches and Risk Management--April 21, 2004 Message-ID: ==================== ==== This Issue Sponsored By ==== Postini Perimeter Manager http://list.winnetmag.com/cgi-bin3/DM/y/efZI0CJgSH0CBw0BHWT0Aq ==================== 1. In Focus: Patches and Risk Management 2. Security News and Features - Recent Security Vulnerabilities - Feature: Tighter Security in Outlook 2002 SP3 - Feature: What's Hot - Buyer's Guide: Web Content-Filtering Solutions - Feature: What You Need to Know About Microsoft SmartScreen Technology and the Exchange Intelligent Message Filter 3. Instant Poll 4. Security Toolkit - FAQ - Featured Thread 5. New and Improved - Protect Your Hard Disk from Unauthorized Access ==================== ==== Sponsor: Postini Perimeter Manager ==== Learn from a real world "Enterprise" case study given by one of your IT colleagues on how he significantly reduced spam and viruses and improved his email security and productivity. You'll get the inside scoop on how Enterprise Rent-A-Car evaluated and selected a managed service solution to protect its email system. Email expert and author Peter Bowyer will describe the merits of the "preemptive" email security approach compared with more traditional approaches. 
Then hear industry pioneer Scott Petry describe the merits of the "preemptive" email security approach compared with more traditional approaches, as well as the latest trends in spam and virus attacks. Don't miss this opportunity to be smarter when choosing an anti-spam solution that's right for you. http://list.winnetmag.com/cgi-bin3/DM/y/efZI0CJgSH0CBw0BHWT0Aq ==================== ==== 1. In Focus: Patches and Risk Management ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net The four security bulletins that Microsoft released April 13 address some 20 vulnerabilities found in most Windows OSs and in Windows NetMeeting and Microsoft Outlook Express 6.0 and Outlook Express 5.5. If you haven't already inspected the security bulletins to determine how soon you should patch your systems, consider doing so sooner rather than later. Microsoft labeled six of the vulnerabilities critical and the remaining 14 important or lesser risks. Microsoft suggests that you load all critical patches within 24 hours of their release, important patches within a month, moderate patches within four months (using the patch itself, a roll-up package, or a new service pack, depending on availability), and low-importance patches any time during the next 12 months. Of course, you should use the suggested roll-out times only as a guideline--your environment and policies will better suggest your time frames for patch roll-outs. Also last week, Microsoft published the paper "Security Management: Oh Patch How I Hate Thee; Let Me Count the Ways" by Jesper M. Johansson. In it, you'll find a description of Microsoft product patches and severity ratings, the methods Microsoft uses to make patches available, tips about how you might be able to install patches without rebooting a system afterward, and other anecdotal information. 
The article also mentions Microsoft Virtual PC, which you might be able to use to establish an environment in which you can test patches before rolling them out. http://www.microsoft.com/technet/community/columns/secmgmt/default.mspx http://www.microsoft.com/windowsxp/virtualpc You probably have loads of software from other vendors, and obviously you need to stay informed about any security vulnerabilities this software might have. One tool you might consider using is Cassandra, from the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University. Cassandra lets you establish profiles that contain lists of products you use or are interested in monitoring for new security risks. You can also configure your profiles so that you receive email notifications when new data becomes available about products on your lists. Cassandra searches the National Institute of Standards and Technology's (NIST's) ICAT vulnerability database and vulnerability information from Secunia, which in some cases might be more timely and more inclusive than ICAT's information. You can use a freeware tool such as Sassafras Software's KeyAudit (a software inventory and auditing utility) to help generate and update your profiles. https://cassandra.cerias.purdue.edu/main/index.html http://www.cerias.purdue.edu http://icat.nist.gov http://www.secunia.com http://www.sassafras.com/keyaudit.html Check into Cassandra. It might help automate your current processes or even fill some gaps in your security risk knowledge. ==================== ==== Sponsor: Postini Perimeter Manager ==== Learn from a real world case study given by one of your IT colleagues on how he reduced spam and viruses and improved his email security and productivity. You'll get the inside scoop on how Enterprise Rent-A-Car evaluated and selected a managed service solution to protect its email system. 
Then hear email expert Scott Petry describe the merits of the "preemptive" email security approach, as well as the latest trends in spam and virus attacks. Register today to learn more about choosing the right anti-spam solution for your organization. http://list.winnetmag.com/cgi-bin3/DM/y/efZI0CJgSH0CBw0BHWT0Aq ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.winnetmag.com/departments/departmentid/752/752.html Feature: Tighter Security in Outlook 2002 SP3 Microsoft caused a commotion when it released Office XP Service Pack 3 (SP3) in March. Along with fixing bugs in Outlook 2002 and other Office programs, this service pack tightens "object model guard" security for programs that access the contents of Outlook messages and other items. The tighter security had an immediate effect on certain antispam applications, PDA-synchronization tools, and other programs that work with Outlook--in some cases triggering a security prompt every few minutes as Outlook downloaded new messages. Users who didn't want to deal with the prompts had to choose between disabling their antispam programs (at least temporarily) or removing both SP3 and Office XP, then reinstalling Office XP and doing without the new security features. http://www.winnetmag.com/article/articleid/42298/42298.html Feature: What's Hot In this article, readers highlight exceptional products that help them do their job. The products are JAM Software's TreeSize Professional, which helps you understand how your disk space is allocated; MailFoundry's MailFoundryEP appliance for filtering email content and thereby increasing overall network security; and Flowerfire's Sawmill log-analysis tool for manipulating huge amounts of log data into more meaningful reports. 
http://www.winnetmag.com/article/articleid/41975/41975.html Buyer's Guide: Web Content-Filtering Solutions Businesses that want to limit employee Internet access to only business-related content and services have the luxury of choosing from a variety of Web content-filtering solutions. The techniques these products employ range from simple blocked-URL lists to network appliances that "learn" and can make dynamic policy changes. The appropriate Web content-filtering solution for your business depends on factors such as your company's size, type of business, resources, network infrastructure, and corporate culture. Compare your requirements with the product descriptions in the accompanying table and do the necessary research before you buy. http://www.winnetmag.com/article/articleid/41978/41978.html Feature: What You Need to Know About Microsoft SmartScreen Technology and the Exchange Intelligent Message Filter Microsoft has spent several years working on antispam technology, and beginning in 2003, we finally started seeing some results, including a new spam filter that debuted in the company's MSN Hotmail and MSN 8 mail servers. In late 2003, Microsoft added this technology, dubbed SmartScreen Technology, to its Microsoft Office Outlook 2003 email and personal information manager (PIM) client. The company also announced plans to make the technology available to certain Microsoft Exchange Server 2003 customers through a new add-on called the Exchange Intelligent Message Filter. This article tells you what you need to know about SmartScreen Technology and the Exchange Intelligent Message Filter. 
http://www.winnetmag.com/article/articleid/41970/41970.html

====================

==== Announcements ====
(from Windows & .NET Magazine and its partners)

Complimentary eBook--"The Expert's Guide for Exchange 2003: Preparing for, Moving to, and Supporting Exchange Server 2003"
This eBook will educate Exchange administrators and systems managers about how to best approach the migration and overall management of an Exchange 2003 environment. The book will concentrate on core issues such as configuration management, accounting, and monitoring performance with an eye toward migration, consolidation, security, and management.
http://list.winnetmag.com/cgi-bin3/DM/y/efZI0CJgSH0CBw0BGSd0A2

Microsoft Tech Ed 2004 Europe, 29 June - 2 July, Amsterdam
Get the most out of Microsoft's software and technology at Microsoft's premier European conference for building, deploying, securing and managing connected solutions. Benefit from 400+ sessions packed with technical content covering Microsoft Visual Studio .NET 2003, Windows Server 2003, Exchange Server 2003, SQL Server 2000, and more. Register now and save 300 Euros.
http://list.winnetmag.com/cgi-bin3/DM/y/efZI0CJgSH0CBw0zFv0Ar

====================

==== 3. Instant Poll ====

Results of Previous Poll
The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "If you're using Microsoft Software Update Services (SUS) or the new Windows Update Services (WUS), how satisfied with the product are you?" Here are the results from the 71 votes.
- 48% Very satisfied
- 34% Somewhat satisfied
- 18% Not satisfied

New Instant Poll
The next Instant Poll question is, "As a security administrator, what's your most important task?" Go to the Security Web page and submit your vote for
- Security monitoring and auditing
- Policy management and enforcement
- Patch management
- End-user education
- Other
http://www.winnetmag.com/windowssecurity

==== 4.
Security Toolkit ==== FAQ: The Microsoft Windows Security Update CD by John Savill, http://www.winnetmag.com/windowsnt20002003faq Q: What's the Microsoft Windows Security Update CD? A. Microsoft has released a CD-ROM that includes all service packs and fixes for Windows XP, Windows 2000, Windows Me, Windows 98, and Win98 SE. The CD-ROM is free (including the cost of postage for US customers), and you don't need to provide a credit card when you place your order. You'll actually receive two CD-ROMs in the mail--the first has all the fixes, and the second has trial antivirus and firewall products. You can learn more about it and order a copy at Microsoft's Web site. http://www.microsoft.com/security/protect/cd/order.asp Featured Thread: GPO Settings vs. User Settings (Four messages in this thread) A reader wonders what happens when users' settings conflict with Group Policy computer settings. Do the users' settings take precedence because they're applied last (after the user logs on), or do the Group Policy settings "win"? Lend a hand or read the responses: http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=119472 ==================== ==== Events Central ==== (A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events ) New--The Exchange Server Seminar Series Simplify your life with Windows Server 2003 and Exchange Server 2003. Learn the advantages of migrating to an integrated communications environment, consolidating and simplifying implementation of technology, and accelerating worker productivity. Coming to your city soon. Register now for this free event! http://list.winnetmag.com/cgi-bin3/DM/y/efZI0CJgSH0CBw0BG6C0Az ==================== ==== 5. New and Improved ==== by Jason Bovberg, products@winnetmag.com Protect Your Hard Disk from Unauthorized Access Authenex announced Authenex HDLock, a security system that secures PCs and notebooks from unauthorized access. 
Authenex HDLock uses 128-bit Advanced Encryption Standard (AES) hard-disk encryption and a strong (two-factor) authentication logon process to confirm the identity of the person requesting access to the computer. The software requires the use of a physical A-Key token in combination with a password. Authenex HDLock costs $79.95 per user and is available in quantities of 10. For more information about Authenex HDLock, contact Authenex at 877-288-4363 or on the Web.
http://www.authenex.com

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com.

====================

==== Sponsored Links ====

Argent
Comparison Paper: The Argent Guardian Easily Beats Out MOM
http://list.winnetmag.com/cgi-bin3/DM/y/efZI0CJgSH0CBw0BDWV0Ao

Javelina Software
Award-Winning Tools for Active Directory Management. Free Trial!
http://list.winnetmag.com/cgi-bin3/DM/y/efZI0CJgSH0CBw0BHRC0AU

Microsoft
Security Knowledge Improves Security. Visit www.securitywhitepaper.com.
http://list.winnetmag.com/cgi-bin3/DM/y/efZI0CJgSH0CBw0BHSy0AP

====================

==== Contact Us ====

About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

====================

==== Contact Our Sponsors ====

Postini, Inc. --
888-584-3150 or 650-216-3574, http://www.postini.com/go/winnet ==================== This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today. http://www.winnetmag.com/sub.cfm?code=wswi201x1z You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you! View the Windows & .NET Magazine privacy policy at http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy Windows & .NET Magazine, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2004, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Apr 22 03:10:19 2004 From: isn at c4i.org (InfoSec News) Date: Thu Apr 22 03:26:05 2004 Subject: [ISN] ITL Bulletin for April 2004 Message-ID: Forwarded from: Elizabeth Lennon ITL BULLETIN FOR APRIL 2004 SELECTING INFORMATION TECHNOLOGY SECURITY PRODUCTS Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Technology Administration U.S. Department of Commerce Information technology security products are essential to better secure information technology (IT) systems, and many products to protect IT systems are available in the marketplace today. But IT security products alone will not guarantee that an organization's IT systems are secure. Security products should be selected and used within the organization's overall program to manage the design, development, and maintenance of its IT security infrastructure, and to protect the confidentiality, integrity, and availability of its mission-critical information. 
The foundation for the selection of IT security products is a comprehensive information security management program, including risk management procedures that are applied throughout the System Development Life Cycle (SDLC). The risk management process enables organizations to analyze their systems for security, to identify appropriate and cost-effective controls, to select and use security products that will protect their information and information systems, and to monitor the effectiveness of the controls. Management, operational, and technical controls are needed to support security objectives and to protect information. Guide to Selecting Information Technology Security Products NIST's Information Technology Laboratory published Special Publication (SP) 800-36, Guide to Selecting Information Technology Security Products, to help organizations select cost-effective and useful products for their systems. Written by Timothy Grance, Marc Stevens, and Marissa Myers, NIST SP 800-36 defines broad security product categories and specifies product types, product characteristics, and environment considerations within those categories. This ITL Bulletin summarizes the publication, which is available at http://csrc.nist.gov/publications. The guide presents pertinent questions that an organization should ask when selecting a product from within the categories. As security products evolve and change, organizations can modify the questions to be asked to fit their particular needs. When used with other NIST publications, including those listed in the More Information section at the end of this bulletin, the guide will help organizations develop a comprehensive approach to managing their IT security and information assurance requirements. In its March 2004 report, "Information Security: Technologies to Secure Federal Systems," the U.S. General Accounting Office (GAO) referred to the product selection guide, as well as other NIST publications. 
The GAO report discusses commercially available, state-of-the-practice cybersecurity technologies that federal agencies can use to secure their information systems, and states, "these technologies implement the technical controls that NIST recommends federal agencies deploy in order to effectively meet federal requirements." The GAO emphasizes the importance of developing a framework and a continuing cycle of activity to assess risks, implement effective security procedures, and monitor the effectiveness of the procedures. GAO 04-467 is available at http://www.gao.gov/.

Who Selects Security Products for an Organization

People throughout the organization may be involved in product selection at both the individual and the group level. All should be aware of the importance of security in the organization's information infrastructure and the security impacts of their decisions. People involved include the following:

* IT Security Program Manager, who is responsible for developing enterprise standards for IT security;
* Chief Information Officer, who is responsible for the organization's IT planning, budgeting, investment, performance, and acquisition;
* IT Investment Board (or equivalent), which is responsible for planning and managing the capital planning and investment control process for federal agencies, as specified in the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act);
* Program Manager, who owns the data, initiates the procurement, is involved in strategic planning, and is aware of functional system requirements;
* Acquisition Team, which is composed of representatives from program, technical, and contracting areas of the organization and which provides a balanced perspective of cost and schedule considerations;
* Contracting Officer, who has authority to enter into, administer, and terminate contracts;
* Contracting Officer's Technical Representative, who is appointed by the Contracting Officer to manage the technical aspects of a particular contract;
* IT System Security Officer, who is responsible for ensuring the security of an information system throughout its life cycle; and
* Other participants, who may include the system certifier and accreditor, system users, and people representing information technology, configuration management, design, engineering, and facilities groups.

Using the Risk Management Process in Product Selection

Before selecting specific products, organizations should review the current status of their security programs and the security controls planned or in place to protect their information and information systems. Organizations should use the risk management process to identify the effective mix of management, operational, and technical security controls that will mitigate risk to an acceptable level.

The Secretary of Commerce recently approved Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, for use by federal government organizations (available at http://csrc.nist.gov/publications/fips/). The new standard helps federal agencies identify and prioritize their most important information and information systems by defining the maximum impact that a breach in confidentiality, integrity, or availability could have on the agency's operations, assets, and/or individuals. The security categorization serves as the starting point for the selection of security controls that are commensurate with the importance of the information and information system to the agency, and then for the selection of appropriate security products.

Draft NIST SP 800-53, Recommended Security Controls for Federal Information Systems, provides recommendations for minimum-security controls associated with the various security categories defined in FIPS 199. Organizations may adjust the set of recommended controls based on local risk assessments.
After systems and products are in place, the controls should be monitored for effectiveness throughout the system life cycle.

Products Discussed

NIST SP 800-36 provides information about the following IT security product categories, including the types of products in each category, the product characteristics, and the environment considerations for each category:

* Identification and Authentication products including security tokens, authentication protocols, and biometric control systems;
* Access Control products including access control lists and role based access control systems;
* Intrusion Detection products including network-based, host-based, and application-based systems;
* Firewall products that control the flow of network traffic between networks or between a host and a network;
* Public Key Infrastructure systems that manage cryptographic key pairs and associate key holders with their public keys;
* Malicious Code Protection systems including malicious code scanners, integrity checkers, vulnerability monitors, and improper behavior blockers;
* Vulnerability Scanners that examine servers, workstations, firewalls, and routers for known vulnerabilities;
* Forensic systems that identify, preserve, extract, and document computer-based evidence; and
* Media Sanitizing products that remove data from or modify storage media so that the data cannot be retrieved and reconstructed.

Organizational, Product, and Vendor Considerations

The guide discusses the characteristics of products in each of these categories and recommends that organizations consider organizational, product, and vendor issues when selecting IT security products. These issues are presented as specific questions to be asked by organizations selecting information technology security products:

* Organizational considerations
  - Need for product to mitigate risk
  - Identification of user community
  - Relationship between product and organization's mission
  - Sensitivity of data to be protected
  - Support for security requirements in security plan, policies, and procedures
  - Identification of the organization's security requirements and comparison to product specifications
  - Consideration of threat environment and security functions needed to mitigate risks
  - Consideration of the use of tested products
  - Need for firewalls, intrusion detection systems, or other boundary controllers
  - Impact of product on operational environment, maintenance, and training
  - Requirements for support, plug-in components, or middleware

* Product considerations
  - Review of lists of validated products, including those products validated under the joint NIST/Communications Security Establishment of Canada Cryptographic Module Validation Program (CMVP) and the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS), jointly managed by NIST and the National Security Agency
  - Review of product vulnerabilities
  - Test and implementation of patches
  - Review of protection profiles
  - Review of total life cycle costs, including acquisition and support
  - Ease of use, scalability, and interoperability requirements
  - Test requirements for acceptance and integration testing, and for configuration management
  - Known vulnerabilities of products
  - Implementation requirements for relevant patches
  - Requirements and methods for reviewing product specifications against existing and planned organizational programs, policies, procedures, and standards
  - Security critical dependencies with other products and interactions with the existing infrastructure

* Vendor considerations
  - Impact of the selection of a particular product on future security choices
  - Vendor experience with the product
  - Vendor history in responding to security flaws in its products

All of these considerations may not apply in all cases to all organizations. The questions posed in the guide can be modified to meet the specific conditions of organizations and help them reach decisions that support their requirements and that provide the appropriate level of protection.

More Information

For a list of references to publications and to web pages with information that can help you in planning and implementing a comprehensive approach to information technology security, consult Appendix A of NIST SP 800-36. NIST Special Publications, including the following, are available in electronic format from ITL's Computer Security Resource Center at http://csrc.nist.gov/publications.

NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, provides guidance on the fundamentals of information system security.

NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, explains approaches and methods that can be used to secure information systems.

NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, discusses developing and updating security plans.

NIST SP 800-21, Guideline for Implementing Cryptography in the Federal Government, provides guidance to federal agencies on selecting cryptographic controls to protect sensitive, unclassified information.

NIST SP 800-23, Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, discusses the concept of assurance in the acquisition and use of security products.

NIST SP 800-26, Security Self Assessment Guide for Information Technology Systems, helps organizations determine the status of their information security programs and establish targets for improvement.
NIST SP 800-27, Engineering Principles for Information Technology Security: A Baseline for Achieving Security, presents the system-level security principles that should be considered in the design, development, and operation of an information system (draft revision available at http://csrc.nist.gov/publications/drafts.html). NIST SP 800-30, Risk Management Guide for Information Technology Systems, discusses the risk-based approach to security and provides guidance on conducting risk assessments (draft revision available at http://csrc.nist.gov/publications/drafts.html). NIST SP 800-31, Intrusion Detection Systems (IDSs), and NIST SP 800-41, Guidelines on Firewalls and Firewall Policy, provide information on using and deploying IDSs and firewalls. NIST SP 800-33, Underlying Technical Models for Information Technology Security, provides information on IT security engineering principles and concepts for IT systems. NIST SP 800-35, Guide to Information Technology Security Services, covers evaluating, selecting, and managing security services throughout the system life cycle. NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, describes the fundamental concepts of the certification and accreditation processes, and details the various tasks in the processes (available in final draft at http://csrc.nist.gov/publications/drafts.html). NIST SP 800-42, Guidelines on Network Security Testing, describes available security testing techniques, their strengths and weaknesses, and the recommended frequencies for testing as well as strategies for deploying network security testing. NIST SP 800-44, Guidelines on Securing Public Web Servers, assists organizations in installing, configuring, and maintaining secure public web servers. 
NIST SP 800-53, Recommended Security Controls for Federal Information Systems, provides information about selecting security controls to meet the security requirements for the system (available in draft at http://csrc.nist.gov/publications/drafts.html). NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, provides guidance in assigning security categories and analyzing the impact of risks, based on security categorization definitions in FIPS 199 (available in draft at http://csrc.nist.gov/publications/drafts.html). NIST SP 800-64, Security Considerations in the Information System Development Life Cycle, discusses the analysis of system security requirements and methods for incorporating security into IT procurements. Disclaimer Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose. From isn at c4i.org Thu Apr 22 03:10:36 2004 From: isn at c4i.org (InfoSec News) Date: Thu Apr 22 03:26:06 2004 Subject: [ISN] Hackers: Under the hood - Adrian Lamo Message-ID: http://www.zdnet.com.au/insight/security/0,39023764,39116620-4,00.htm Name: Adrian Lamo Handle(s): None Age: 23 Marital status: "Dating for over a year" Current residence: Living in exile in Sacramento, Ca., USA Job: Staff writer, American River Current and freelance journalist First computer: Commodore 64 Best known for: Hacking into The New York Times network Area(s) of expertise: "Seeing things differently" Don't let his baby face fool you. Adrian Lamo started hacking even before he could legally drive. Lamo's first thrill from a hack came when he figured out how to make both sides of a 5.25in floppy disk writable while playing around with his first computer -- a Commodore 64 he got when he was eight. "It was quite the discovery for me," he said. 
Unlike many so-called hackers, Lamo was never interested in impressing his peers. "I became deeply interested in the hacker culture, reading everything I could about it before ever actually encountering it," he said. "Once I encountered it, I was turned off by it, so I chose to go solo. Exploration need not be competition," he told ZDNet Australia in an interview last month. At 18, his parents decided to move to Sacramento from San Francisco but Lamo decided to stay put. He was the lead network administrator for a law firm at the time. "I stayed with friends, sometimes in abandoned buildings, sometimes in storage areas of office buildings I had access to. Sometimes, I'd just nod off at my desk," he recalled. After a while, he dipped into his savings and hit the road, spending the next two years wandering around the United States. "There's a lot to be said for just having your clothes, a backpack, and the ability to buy a bus ticket and not have anything to tie you down. "I spent time in New York, Washington DC, Philadelphia, Pittsburgh, Ohio, parts of California, Virginia, and points in between -- usually because I knew people there, or wanted to see the city, or other circumstances," he said. Lamo has travelled far and wide but ranks his time in Philadelphia as the best. "I'd wake up early, go for a walk, check my e-mail wirelessly from a window ledge that had a clear shot to an unsecure 802.11 [wireless network], wander around with friends and hack from university libraries, Kinkos, coffee shops, read in the sun all day, or just explore the city physically. I loved it." Over the years, Lamo has carved a reputation as someone who didn't care much for rules. He used his skills to gain access into high-profile networks owned by America Online, Microsoft, and many others. But there was never any malicious intent. After penetrating these networks, Lamo would contact the network maintainers and tell them how he did it. This modus operandi worked well for a while ... 
up until the time he hacked into The New York Times' network in 2002 and accessed its contributor database. It's important to remember that the average contributor to The New York Times isn't Joe Bloggs from down-the-road. Lamo reportedly accessed the social security numbers of many high profile public figures, including former US president Jimmy Carter, Hollywood actors Robert Redford and Warren Beatty, and former United Nations weapons inspector Richard Butler. Some of the entries in the database included home phone numbers. The Times, one of the world's most influential publications, was not impressed.

US authorities issued a warrant for Lamo, who turned himself in and pleaded guilty to one charge of computer crime. Sentencing has been postponed until June. "I'll either get prison, or house arrest," Lamo predicts, before becoming philosophical. "I hope for the best ... [and] will make the best possible experience out of any sentence that's handed down. No experience we ever have is wasted."

When he was arrested, he was dubbed the "homeless hacker" by media outlets due to the nature of his nomadic lifestyle. "I've never described myself as 'homeless'. It's something the media picked up," Lamo insisted. Lamo is currently living with his parents in Sacramento by order of the court. He draws parallels between his chosen lifestyle offline and his activities online. "I didn't, and don't, draw a clear distinction between the two kinds of exploration. I try to see things differently, no matter what venue I'm in. I'd be just as likely to spend the morning talking to a stranger who just got out of city jail, buy him breakfast, and learn about his life, as I would be to break into a company ... or just randomly explore the Net. It's all the same principle, the same desire to see things that other people gloss over in their daily lives." It's this curious mind that has led Lamo to his new passion -- journalism.
He's currently a staff writer for the American River Current, a bi-weekly Californian newspaper, and a freelance writer on the side. "I'm interested in journalism because it's an extension of what I do: exploring, finding angles for things that others miss, sharing the uniqueness of the world. That's especially why I try to do my own photos when possible. It lets me capture moments in time in ways that words sometimes fail," he revealed.

A similar path was taken by the legendary hacker Kevin Poulsen, who is now the editor of online security portal SecurityFocus.com -- which was acquired by anti-virus maker Symantec in 2002. Poulsen was best known for hacking a telephone system in order to rig a radio contest. He won a Porsche 944 S2 before being caught and eventually spent some time in prison. He delved into journalism after his release. Writing about security seems to hold less interest for Lamo. "I look to him [Poulsen] as a model of what I don't aspire to be: typecast, and locked into a one-trick career," Lamo said, while acknowledging his respect for Poulsen as a journalist.

Lamo doesn't want to work in the security industry either, believing that accepting payment for his talents would amount to "whoring himself". "I don't believe it's an honest industry, which is why I've declined all security jobs offered to me. Journalism isn't an honest industry either, but at least I have some personal control over the degree of dishonesty levelled against my victims," he joked.

It's no surprise that Lamo is accustomed to the lifestyle of a nomad -- which began from a relatively young age. During the interview, he alluded to, at least, some degree of financial hardship -- riches-to-rags style. "We were well-off, we were poor, we had a house, then we had a tiny apartment," he recalled. His parents have always been supportive, Lamo said, despite their concern over his chosen lifestyle. "My parents are well-educated.
My dad has a degree in anthropology and intercultural administration; my mom is a former English teacher. We moved around a lot, and they both tried to provide me a content-rich environment in which to grow up," he said. If you think that using "content-rich environment" sounds like a peculiar way to describe up-bringing, just remember that Linux creator Linus Torvalds captioned a photograph of his daughter "Linus v2.0" on his Web-site. In fact, Lamo insists he's not a "dork". "My curiosity isn't purely technological. Quite the opposite; I don't consider myself a tech person, I just see things differently and apply that to any environment I'm in. I spend a lot of time on my photography these days ... it acts as something of a surrogate to network intrusion," he said. For now Lamo awaits his sentence but remains fatalistic. "Actions have consequences. I never thought it was inevitable, but I always knew that something like that could happen." -- Patrick Gray From isn at c4i.org Thu Apr 22 03:10:50 2004 From: isn at c4i.org (InfoSec News) Date: Thu Apr 22 03:26:07 2004 Subject: [ISN] Tower Records settles government charges over hacker attacks Message-ID: http://www.detnews.com/2004/technology/0404/22/technology-129882.htm By Ted Bridis AP Technology Writer April 22, 2004 WASHINGTON -- The company that operates the Web site for music retailer Tower Records has settled complaints by U.S. regulators that it allowed hackers in 2002 to steal personal information about thousands of its online customers. Under the agreement announced Wednesday, MTS Inc. of West Sacramento, Calif., must maintain a "reasonably designed" program to assure the security of customers to the Web site and hire outside consultants every two years during the next decade to test its security. The Federal Trade Commission said failure to abide by those terms could result in fines up to $11,000. 
The FTC said Tower Records, which emerged from bankruptcy last month, redesigned part of its Web site in November and December 2002 but failed to update one feature that customers used to check the status of their online purchase. Over eight days, hackers exploited the problem to view the names, addresses and purchase details for about 5,225 customers and sometimes wrote demeaning comments in Internet chat rooms about people's choices in music, the FTC said.

Tower said in a statement that hackers did not steal any of its customers' credit card or Social Security numbers, that it corrected the problem and that it has not detected any subsequent break-ins. "We take the privacy and security of personal information collected from our customers very seriously," said Bill Baumann, Tower's chief information officer.

The FTC, which traditionally prosecutes businesses for fraudulent and deceptive trade practices, sued Tower Records over its written assurances to customers that it protected their personal information using "state-of-the-art technology." Regulators said the vulnerability in the company's Web site was "commonly known and reasonably foreseeable." The case against Tower Records was the fourth of its kind by the FTC.

"Companies must have reasonable procedures in place to make sure that changes do not create new vulnerabilities," said Howard Beales, director of the FTC's Bureau of Consumer Protection. "Just as consumers remodeling their homes would make sure that the doors still have locks, companies should make sure that sensitive data is still protected."

From isn at c4i.org Thu Apr 22 03:11:04 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 22 03:26:08 2004
Subject: [ISN] Who Should Keep Out The Hackers?
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A32480-2004Apr21.html

By Jonathan Krim
April 22, 2004

The calm of a few months without a major attack of a computer worm, virus or other form of cyber-harassment was rattled hard this week.
So dangerous are the latest vulnerabilities that the Department of Homeland Security took the rare step of briefing the media yesterday, warning that quick action by users and network operators was crucial to avoiding serious Internet disruption. This time the problem is with routers, the appliances that push traffic around the Internet. Routers made by Cisco Systems Inc., which has a major share of the market, have two separate security holes that could allow easy access for hackers to do their worst. It's another reminder that security threats are not likely to go away anytime soon and of the fragility of a world whose technology is so intertwined that a breach in one place can be exploited to bring down thousands or millions of systems around the world. All of which makes recent recommendations in a report by an industry task force unusual and worthy of close attention. In effect, the group is saying: Tech providers, heal thyselves and make safer products. That's a significant change for a technology industry that has spent considerable public-relations resources talking mostly about the need for better educating users and going after the bad guys. But the report, issued Monday, pulls few punches. "The lack of 'out-of-the-box' security in many products is staggering," the authors state. By not having software that is set to be secure from the start, "vendors are placing the entire burden of securing products on their users." Participants on the task force, one of several formed in December as part of an industry partnership with the Department of Homeland Security, included representatives of Oracle Corp., Microsoft Corp., Cisco, International Business Machines Corp., academics, banks and the military. Although the report was issued before the Cisco problems were revealed, the Cisco holes helped make the point. In one case, wireless network devices were all pre-set with the same easily discovered default user name and password. 
In some cases, the report tackles head-on what has thus far been industry mantra: That market forces, without government involvement, will produce the quickest and best solutions. For example, the report asks why there aren't more tools available for detecting malicious computer code. The fact that there are "not more code scanning tools readily available is, in part, a market failure," the report says. "Many venture capitalists would rather support bandage companies than vaccine companies." For some time, many security experts have scorned the public-private partnership as having been co-opted by the software industry as a way of insulating itself. Critics have argued for numerous steps to enforce production of safer products, including mandatory disclosure of security breaches and requiring corporate cyber-security audits. One of these critics, Alan Paller, head of the SANS Institute in Bethesda, a cyber-security think tank and training facility, was delighted at the new admission of accountability. "For the first time, the vendors have defined the most important security errors they have made, and continue to make," Paller said. "These are fundamental errors that are causing extreme pain and high cost for users. The admission that the vendors are making such mistakes, and that the mistakes must be corrected, are the essential first steps in improving cyber-security in America." Paller praised several of the report's recommendations, including better quality control, new security standards and more collaboration with customers. Already, however, the bristling has begun among some industry players. They say money is being directed at a wide range of security products, and they insist that better users, like safer drivers, are crucial. For many security experts and an increasingly concerned Congress, the question is, What happens now? The celebrated public-private partnership was created expressly with the hope of avoiding the need for regulation. 
As a result, none of the task forces recommended government intervention. But there is no single entity responsible for driving adoption of the numerous ideas. The Department of Homeland Security officials say they are not responsible for riding herd on industry. The technology trade associations leading the corporate side want the agency to use its bully pulpit to improve education but have been careful not to urge federal action directed at their own industries. In the meantime, worms and viruses are becoming so commonplace that they are losing their luster as news stories. But they continue to cost companies and ordinary consumers millions of dollars a year. Jonathan Krim can be reached at krimj@washpost.com. From isn at c4i.org Thu Apr 22 03:11:16 2004 From: isn at c4i.org (InfoSec News) Date: Thu Apr 22 03:26:09 2004 Subject: [ISN] Cisco warns of more critical software holes Message-ID: http://www.nwfusion.com/news/2004/0421ciscowarns.html By Paul Roberts IDG News Service 04/21/04 Cisco warned its customers about two critical security holes that affect almost every product the company makes. The vulnerabilities could be used by malicious hackers to create so-called "denial of service" (DoS) attacks, causing Cisco products to abruptly restart or drop active connections with other devices. Cisco issued advisories on Tuesday, revealing the impact on the company's products of a security hole in TCP (for IOS devices and non-IOS devices) and another serious vulnerability in the company's IOS that affects SNMP. The advisories are just the latest in a string of security warnings from the San Jose network equipment maker. Following warnings yesterday from the U.K.'s National Infrastructure Security Co-Ordination Centre (NISCC) and the U.S. Computer Emergency Readiness Team (US-CERT), Cisco issued two advisories regarding a security vulnerability in the standard implementation of TCP. 
Cisco is just one of a large number of software and hardware makers that are affected by the TCP hole. The TCP hole is found in all implementations of TCP that comply with the Internet Engineering Task Force's TCP specification. By exploiting the holes, malicious hackers could cause TCP sessions to end prematurely, creating a DoS attack. The TCP vulnerability could also disrupt communications among Internet routers by interrupting BGP (Border Gateway Protocol) sessions that use TCP, NISCC said Tuesday. In one advisory, Cisco published software updates for more than 47 of the company's products that contain the TCP vulnerability but do not use the IOS operating system. Cisco issued a separate advisory listing updates for scores of versions of the IOS operating system that are also affected by the TCP hole and provided workaround instructions for customers who are unable to update their operating system. In a third advisory, Cisco said that it patched a flaw in the way certain versions of IOS process SNMP traffic. The software vulnerability, which was introduced by a coding error to fix an earlier IOS problem, could cause memory on the Cisco devices running IOS to be corrupted, forcing the affected device to restart unexpectedly, Cisco said. The company said it fixed the SNMP problem and published information on updating IOS with new versions of the operating system. US-CERT also issued a warning about the Cisco SNMP hole and advised Cisco customers to upgrade their devices that use affected versions of IOS. The warnings are just the latest from Cisco, which has disclosed a number of serious vulnerabilities in recent weeks, including a hole in Cisco VPN hardware and software and in two products used to manage wireless LANs and e-business services in corporate data centers. 
From isn at c4i.org Thu Apr 22 03:11:32 2004 From: isn at c4i.org (InfoSec News) Date: Thu Apr 22 03:26:10 2004 Subject: [ISN] Net threat overstated, says security researcher Message-ID: http://news.com.com/2100-1002_3-5197184.html By Robert Lemos Staff Writer, CNET News.com April 21, 2004 VANCOUVER, British Columbia -- Widespread reports about a flawed communications protocol making the Internet vulnerable to collapse were overblown, according to the researcher credited with uncovering the security problem. A flaw in the most widely used protocol for sending data over the Net--TCP, or the Transmission Control Protocol--was addressed by most large Internet service providers during the last two weeks and presents little danger to major networks, said Paul Watson, a security specialist for industry automation company Rockwell Automation. If left unfixed, the weakness could have allowed a knowledgeable attacker to shut down connections between certain hardware devices that route data over the Net. "The actual threat to the Internet is really small right now," Watson said on Wednesday. "You could have isolated attacks against small networks, but they would most likely be able to recover quickly." Watson was responding to news reports that ran Tuesday, after Britain's national emergency response team, the National Infrastructure Security Co-ordination Centre, released an advisory about the issue based on his research. Watson, who's scheduled to present that research here at the CanSecWest 2004 conference this week, referred to the media reaction as an "inordinate level of attention in respect to the amount of risk." At greatest risk, he said, may be e-commerce sites that manage their own routers--those sites may not believe they're vulnerable to attack and may not have implemented a fix. Sites that have routers that share information on the most efficient paths through the Internet--using the Border Gateway Protocol, or BGP--are most vulnerable to the attacks. 
Networking-gear maker Cisco Systems said Wednesday that it had released updated software that addresses how the flaw affects its products. Other gear makers, including Juniper Networks, Hitachi and NEC, have been investigating the issue. Information on each company's conclusions can be found in the vendor information section of the NISCC's advisory. People have known for at least a decade about problems with the way Internet servers and network devices maintain connections with each other. "I am not the first person to notice the issues," Watson said. "I sort of pulled together all the pieces." The problem, said Watson, involves numbers that identify data packets being sent over the Net. Many network appliances and software programs rely on a continuous stream of packets from a single source--called a session. The packets are identified and grouped together using so-called sequence numbers, and, theoretically, if someone could guess the next number in a session and send a packet with that identifier, he or she could substitute illicit commands for authorized ones, Watson said. The odds against a correct guess were commonly thought to be staggering: about one in 4.3 billion. However--and here's the issue--Watson found that certain applications of TCP sessions, such as routers using the border gateway protocol, relied on long connection times, creating a much larger window of sequence numbers that could be valid. Instead of a one in 4 billion chance to guess the right number, a single-packet attack against a BGP connection might be successful once in 260,000 attempts. An attacker armed with a typical broadband connection could send all 260,000 possible attacks in less than 15 seconds. It's not simple or elegant, Watson admitted, but it's effective. Rather than unleashing the sort of massive packet flood that normally makes up a denial-of-service attack, an online vandal could send far fewer packets and still bring down a site. 
"You can take e-commerce sites offline, but instead of billions and billions of packets, you can do it with a whole lot less," he said. The U.S. Computer Emergency Response Team (US-CERT) has issued an advisory, referencing a similar warning released almost three years ago that mentioned comparable attacks. Although large Internet service providers are vulnerable "to a very low degree," large and medium-size businesses should make sure they have assessed their vulnerability to the issue, said Sean Hernan, senior member of the technical staff for US-CERT. "In addition to the core Internet, this TCP vulnerability affects any two endpoints," he said. The vulnerability could affect mail servers, the servers that handle domain names and act as the yellow pages for the Internet, and other major applications. However, in those instances, it is much harder to guess the right sequence numbers, Hernan said. "This issue turned out to be particularly pernicious against BGP," Hernan said. Both CERT and Watson recommend that companies add a random 128-bit number to each packet in a session to identify that data as part of the same session--the solution adopted by many major ISPs. Moreover, CERT also recommends that companies encrypt their data to further hide the information in the session from prying eyes. From wk at c4i.org Fri Apr 23 05:03:46 2004 From: wk at c4i.org (William Knowles) Date: Fri Apr 23 05:29:29 2004 Subject: [ISN] In cyberwar game, US Army confronts enemies within Message-ID: http://www.forbes.com/business/businesstech/newswire/2004/04/21/rtr1341011.html By Eric Auchard Reuters 04.21.04 WEST POINT, N.Y. (Reuters) - The mission: to secure an entire computer network for the United States and its allies against a vague enemy force. Hostile agents aim to wreak havoc on military plans, sabotaging databases, computer terminals and communications. But the cyber warriors planning a best defense aren't analysts hunkered down at the Pentagon. 
They are cadets at West Point competing against military academies and other schools in a four-day Cyber Defense Exercise this week. And the "enemy" isn't al Qaeda or Iraqi insurgents. It's a team led by none other than the National Security Agency. Cyber warfare, a subset of classic information war that goes back as far as ancient Chinese military strategist Sun Tzu, has pushed its way into U.S. military curricula as the Internet has become pervasive. "Anything hooked up to the Internet is vulnerable," said Emmanuel Eleyae, 22, a senior Army cadet from Chino, California, who is taking part in the war game. "I'm not really scared. I'm looking forward to the best exploits that the NSA can throw at us," said Eleyae, who, after graduating in May, is shipping out to officer training school, then off to a position with a U.S. armored unit in South Korea. Armchair information warfare theorists can check their attitudes at the door, event organizers say. The threats are more pedestrian, virtually speaking, the sort that many corporate network administrators must contend with every day. But in war, a cyber attack can leave armies fighting blind. Participants huddled around computers in this olive-green, camouflage-shrouded training room aren't too concerned with science fiction apocalypse scenarios. The cadets rely on widely available network defenses based on Linux software, the same automated tools in the arsenal of any company network manager. RULES OF THE GAME The NSA team, known as the "Red Cell," launches attacks on selected networks at the Air Force, Army, Coast Guard, Merchant Marine and Navy academies from an operations center somewhere in Maryland. The computer scenario plays out virtually inside the cadets' computers. Going on the offensive, or using so-called hackback techniques, is against competition rules. 
Also out-of-bounds are forms of sabotage in which computers can be turned into zombies and used to attack opponent machines with millions of data messages, shutting down communication. "This exercise is solely concerned with defending networks, not attacking them," said Maj. Ron Dodge, coach of the Army's 32-member team and a professor at the U.S. Military Academy at West Point. Security consultant Michael Erbschloe of Alexandria, Virginia, says the focus on vulnerability detection is the basis of all effective cyber defense. He estimates 99 percent of attacks exploit a few dozen known network weaknesses. "If you keep out 99 percent of those attacks, it's easier to guard against the 1 percent that make up the real threats to networks," said Erbschloe, author of "Information Warfare: How to Survive Cyber Attacks." The rules this year are designed to make the competition simulate more of a 24-hour operation, despite the reality that "Taps" still sounds at 2330 (11:30 p.m.) and cadets are required to be in bed with lights out by then. Overnight, the enemy can prey upon any network vulnerabilities with impunity. Army lost last year not because of a successful outside attack but from a self-inflicted wound in which an authorized network user accidentally knocked out service for several hours, costing precious points that helped Air Force prevail. Army cadets won the exercise during its first two years. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. 
Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*

From isn at c4i.org Fri Apr 23 05:19:41 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 23 05:29:31 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-17
Message-ID:

========================================================================
The Secunia Weekly Advisory Summary
2004-04-15 - 2004-04-22
This week : 65 advisories
========================================================================

Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================

1) Word From Secunia:

Secunia has launched a new service called Secunia Virus Information. Secunia Virus Information is based on information automatically collected from seven different anti-virus vendors. The data will be parsed and indexed, resulting in a chronological list, a searchable index, and grouped profiles with information from the seven vendors. Furthermore, when certain criteria are triggered, virus alerts will be issued.

You can sign up for the alerts here:

Example - Secunia Virus Alert for Netsky.Y:
http://secunia.com/virus_information/8879/netsky.y/

Sign up for Secunia Virus Alerts:
http://secunia.com/secunia_virus_alerts/

Secunia Virus Information:
http://secunia.com/virus_information/

========================================================================

2) This Week in Brief:

ADVISORIES:

During the last week there has been quite a lot of media hype regarding a vulnerability in the TCP specification (RFC793). Although the vulnerability could indeed be exploited to cause a Denial of Service, the severity of such an attack would be very limited in most cases. For more information, please refer to the advisory referenced below.

Reference:
http://secunia.com/SA11440

--

Symantec has corrected a severe Denial of Service vulnerability in their Client Firewall products, where a successful attack will render a vulnerable system inoperable. Symantec reports that an updated version is available via the "LiveUpdate" feature.

Reference:
http://secunia.com/SA11102

--

Rafel Ivgi has discovered a vulnerability in BitDefender's online anti-virus scanner, which can be exploited to compromise a vulnerable user's system. BitDefender has reported that the vulnerability has been corrected. Users who have used BitDefender's online anti-virus scanner in the past are therefore urged to visit BitDefender's website to get the updated ActiveX control.

Reference:
http://secunia.com/SA11427

VIRUS ALERTS:

During the last week Secunia issued two MEDIUM RISK virus alerts for two different Netsky variants.
Please refer to the grouped virus profiles below for more information:

Netsky.Y - MEDIUM RISK virus alert - 2004-04-21 00:37 GMT+1
http://secunia.com/virus_information/8879/netsky.y/

Netsky.X - MEDIUM RISK virus alert - 2004-04-20 16:42 GMT+1
http://secunia.com/virus_information/8854/netsky.x/

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA11064] Microsoft Windows 14 Vulnerabilities
2. [SA10395] Internet Explorer URL Spoofing Vulnerability
3. [SA11067] Microsoft Outlook Express MHTML URL Processing Vulnerability
4. [SA11386] PostNuke SQL Injection Vulnerabilities
5. [SA11387] Cisco IPsec VPN Implementation Group Password Disclosure
6. [SA11440] Cisco IOS TCP Connection Reset Denial of Service Vulnerability
7. [SA11362] Linux Kernel File Systems Information Leak and Denial of Service
8. [SA11361] Linux Kernel ISO9660 Buffer Overflow Privilege Escalation Vulnerability
9. [SA11065] Microsoft Windows RPC/DCOM Multiple Vulnerabilities
10. [SA10523] Internet Explorer showHelp() Restriction Bypass Vulnerability

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA11427] AvxScanOnline ActiveX Control Arbitrary File Execution Vulnerability
[SA11430] Serv-U FTP Server LIST Command Denial of Service Vulnerability
[SA11428] Fastream NETFile FTP/Web Server Invalid Credentials Denial of Service
[SA11449] Kinesphere eXchange POP3 Buffer Overflow Vulnerability
[SA11388] Zaep AntiSpam Cross Site Scripting Vulnerability

UNIX/Linux:
[SA11456] Mandrake update for xchat
[SA11446] Debian update for xchat
[SA11432] ArX libneon Client Code Format String Vulnerabilities
[SA11423] Sun Cobalt update for mutt
[SA11421] Mandrake update for libneon
[SA11416] phpBugTracker Multiple Vulnerabilities
[SA11413] Gentoo update for XChat
[SA11412] Gentoo update for cadaver
[SA11410] KAME Racoon ISAKMP Header Length Field Denial of Service
[SA11409] XChat Socks-5 Buffer Overflow Vulnerability
[SA11405] Slackware update for cvs
[SA11401] Debian update for neon
[SA11400] Debian update for cvs
[SA11398] OpenPKG update for neon
[SA11397] OpenPKG update for ethereal
[SA11391] FreeBSD update for CVS
[SA11390] Fedora update for OpenOffice
[SA11389] Red Hat update for Subversion
[SA11414] Gentoo update for monit
[SA11406] PostNuke Multiple Vulnerabilities
[SA11447] Cray UNICOS TCP Connection Reset Denial of Service Vulnerability
[SA11441] Slackware update for xine
[SA11433] Xine Playlists can Overwrite Arbitrary Files
[SA11408] Slackware update for tcpdump
[SA11403] Debian update for zope
[SA11394] WIKINDX Exposure of Configuration File
[SA11453] Red Hat update for kernel
[SA11452] Fedora update for utempter
[SA11438] NcFTP Client Password Leakage Security Issue
[SA11429] Linux Kernel setsockopt MCAST_MSFILTER Integer Overflow Vulnerability
[SA11426] Slackware update for utempter
[SA11425] Mandrake update for utempter
[SA11420] Mandrake update for xine-ui
[SA11419] Mandrake update for mysql
[SA11418] Mandrake update for samba
[SA11417] utempter Device Path Handling Security Issue
[SA11415] SquirrelMail Change_passwd Plugin Privilege Escalation Vulnerability
[SA11454] Red Hat update for XFree86
[SA11404] Debian update for iproute
[SA11402] Debian update for logcheck
[SA11399] logcheck Insecure Creation of Temporary Directory

Other:
[SA11439] Sun Fire IP TOS Denial of Service Vulnerability
[SA11448] SEIL TCP Connection Reset Denial of Service Vulnerability
[SA11445] Blue Coat Products TCP Connection Reset Denial of Service
[SA11444] Cisco Non-IOS Products TCP Connection Reset Denial of Service
[SA11443] Check Point SecurePlatform TCP Connection Reset Denial of Service
[SA11440] Cisco IOS TCP Connection Reset Denial of Service Vulnerability
[SA11442] Cisco IOS SNMP Request Processing Vulnerability

Cross Platform:
[SA11393] Gemitel Arbitrary File Inclusion Vulnerability
[SA11435] BEA WebLogic URL Restriction Bypass Security Issue
[SA11407] Phorum SQL Injection Vulnerability
[SA11396] SCT Campus Pipeline Attachment Script Insertion Vulnerability
[SA11395] Helix Universal Server HTTP Request Handling Denial of Service
[SA11386] PostNuke SQL Injection Vulnerabilities
[SA11436] BEA WebLogic Unauthorised EJB Object Deletion Vulnerability
[SA11431] Journalness Unauthenticated Post Manipulation Vulnerability
[SA11392] Macromedia ColdFusion File Upload Denial of Service Vulnerability
[SA11437] BEA WebLogic Exposure of Administrative Credentials
[SA11387] Cisco IPsec VPN Implementation Group Password Disclosure
[SA11434] phpBB IP Spoofing Issue

========================================================================

5) Vulnerabilities Content Listing

Windows:
--
[SA11427] AvxScanOnline ActiveX Control Arbitrary File Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2004-04-20
Rafel Ivgi has discovered a vulnerability in BitDefender
AvxScanOnline ActiveX Control, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11427/

--
[SA11430] Serv-U FTP Server LIST Command Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-04-20
STORM has reported a vulnerability in Serv-U FTP Server, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11430/

--
[SA11428] Fastream NETFile FTP/Web Server Invalid Credentials Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-04-20
Donato Ferrante has reported a vulnerability in Fastream NETFile FTP/Web Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11428/

--
[SA11449] Kinesphere eXchange POP3 Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-04-22
securma massine has discovered a vulnerability in Kinesphere eXchange POP3, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11449/

--
[SA11388] Zaep AntiSpam Cross Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-04-16
Noam Rathaus has reported a vulnerability in Zaep AntiSpam, allowing malicious people to conduct Cross Site Scripting attacks.
Full Advisory: http://secunia.com/advisories/11388/

UNIX/Linux:
--
[SA11456] Mandrake update for xchat
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-04-22
MandrakeSoft has issued updated packages for xchat. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11456/

--
[SA11446] Debian update for xchat
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-04-21
Debian has issued updated packages for xchat. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11446/

--
[SA11432] ArX libneon Client Code Format String Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-04-20
ArX is affected by some vulnerabilities in libneon, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11432/

--
[SA11423] Sun Cobalt update for mutt
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-04-20
Full Advisory: http://secunia.com/advisories/11423/

--
[SA11421] Mandrake update for libneon
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-04-20
MandrakeSoft has issued updated packages for libneon. These fix a vulnerability allowing malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11421/

--
[SA11416] phpBugTracker Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-04-19
JeiAr has reported some vulnerabilities in phpBugTracker, allowing malicious people to conduct SQL injection, Cross Site Scripting and script insertion attacks.
Full Advisory: http://secunia.com/advisories/11416/

--
[SA11413] Gentoo update for XChat
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-04-19
Gentoo has issued an update for XChat. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11413/

--
[SA11412] Gentoo update for cadaver
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-04-19
Gentoo has issued an update for cadaver. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11412/

--
[SA11410] KAME Racoon ISAKMP Header Length Field Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-04-19
A vulnerability has been discovered in Racoon, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11410/

--
[SA11409] XChat Socks-5 Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-04-19
tsifra has discovered a vulnerability in XChat, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11409/

--
[SA11405] Slackware update for cvs
Critical: Moderately critical
Where: From remote
Impact: System access, Exposure of sensitive information
Released: 2004-04-19
Slackware has issued updated packages for CVS. These fix two vulnerabilities allowing malicious servers to compromise clients, and malicious users to retrieve arbitrary files from a vulnerable server.
Full Advisory: http://secunia.com/advisories/11405/

--
[SA11401] Debian update for neon
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-04-19
Debian has issued updated packages for neon. These fix a vulnerability allowing malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11401/

--
[SA11400] Debian update for cvs
Critical: Moderately critical
Where: From remote
Impact: System access, Exposure of sensitive information
Released: 2004-04-19
Debian has issued updated packages for CVS. These fix two vulnerabilities allowing malicious servers to compromise clients, and malicious users to retrieve arbitrary files from a vulnerable server.
Full Advisory: http://secunia.com/advisories/11400/

--
[SA11398] OpenPKG update for neon
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-04-19
OpenPKG has issued an updated package for neon. This fixes a vulnerability allowing malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11398/

--
[SA11397] OpenPKG update for ethereal
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-04-19
OpenPKG has issued an updated package for ethereal. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11397/

--
[SA11391] FreeBSD update for CVS
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2004-04-16
FreeBSD has issued a patch for CVS. This fixes two vulnerabilities allowing malicious servers to compromise clients, and malicious users to retrieve arbitrary files from a vulnerable server.
Full Advisory: http://secunia.com/advisories/11391/

--
[SA11390] Fedora update for OpenOffice
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-04-16
Fedora has issued updated packages for OpenOffice. These fix a vulnerability allowing malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11390/

--
[SA11389] Red Hat update for Subversion
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-04-16
Red Hat has issued updated packages for Subversion. These fix some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11389/

--
[SA11414] Gentoo update for monit
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-04-19
Gentoo has issued an update for monit. This fixes multiple vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11414/

--
[SA11406] PostNuke Multiple Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released: 2004-04-19
Janek Vind has reported some vulnerabilities in PostNuke. These can be exploited by malicious people to conduct Cross Site Scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/11406/

--
[SA11447] Cray UNICOS TCP Connection Reset Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-04-21
Cray has acknowledged a vulnerability in UNICOS, UNICOS/mk, and UNICOS/mp, which can be exploited by malicious people to reset established TCP connections on a vulnerable system.
Full Advisory: http://secunia.com/advisories/11447/

--
[SA11441] Slackware update for xine
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2004-04-22
Slackware has issued updated packages for xine-ui and xine-lib. These fix a vulnerability, which potentially can be exploited by malicious people to gain system access.
Full Advisory: http://secunia.com/advisories/11441/

--
[SA11433] Xine Playlists can Overwrite Arbitrary Files
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2004-04-22
The vendor has reported a vulnerability in xine-ui and xine-lib, allowing malicious people to overwrite arbitrary files on a user's system.
Full Advisory: http://secunia.com/advisories/11433/

--
[SA11408] Slackware update for tcpdump
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-04-19
Slackware has issued updated packages for tcpdump. These fix two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11408/

--
[SA11403] Debian update for zope
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-04-19
Full Advisory: http://secunia.com/advisories/11403/

--
[SA11394] WIKINDX Exposure of Configuration File
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-04-16
Daniel Pozzi has reported a vulnerability in WIKINDX, allowing malicious people to view the configuration file.
Full Advisory: http://secunia.com/advisories/11394/

--
[SA11453] Red Hat update for kernel
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, Privilege escalation, DoS
Released: 2004-04-22
Red Hat has issued updated packages for the kernel. These fix various vulnerabilities, which can be exploited by malicious people to gain escalated privileges, cause a DoS (Denial of Service) or gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/11453/

--
[SA11452] Fedora update for utempter
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-04-22
Fedora has issued updated packages for utempter. These fix a security issue, which potentially can be exploited by malicious, local users to perform certain actions with higher privileges on a vulnerable system.
Full Advisory: http://secunia.com/advisories/11452/

--
[SA11438] NcFTP Client Password Leakage Security Issue
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-04-22
Konstantin Gavrilenko has reported a security issue in NcFTP Client, which exposes the username and password to other local users.
Full Advisory: http://secunia.com/advisories/11438/

--
[SA11429] Linux Kernel setsockopt MCAST_MSFILTER Integer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-04-20
Paul Starzetz and Wojciech Purczynski have reported a vulnerability in the Linux kernel, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11429/

--
[SA11426] Slackware update for utempter
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-04-20
Slackware has issued updated packages for utempter. These fix a security issue, which potentially can be exploited by malicious, local users to perform certain actions with higher privileges on a vulnerable system.
Full Advisory: http://secunia.com/advisories/11426/

--
[SA11425] Mandrake update for utempter
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-04-20
MandrakeSoft has issued updated packages for utempter. These fix a security issue, which potentially can be exploited by malicious, local users to perform certain actions with higher privileges on a vulnerable system.
Full Advisory: http://secunia.com/advisories/11425/

--
[SA11420] Mandrake update for xine-ui
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-04-20
MandrakeSoft has issued updated packages for xine-ui. These fix a vulnerability, which potentially can be exploited by malicious, local users to escalate their privileges on a vulnerable system.
Full Advisory: http://secunia.com/advisories/11420/

--
[SA11419] Mandrake update for mysql
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-04-20
MandrakeSoft has issued updated packages for mysql. These fix two vulnerabilities, allowing malicious users to escalate their privileges.
Full Advisory: http://secunia.com/advisories/11419/

--
[SA11418] Mandrake update for samba
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-04-20
MandrakeSoft has issued updated packages for Samba. These fix a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11418/

--
[SA11417] utempter Device Path Handling Security Issue
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-04-20
Steve Grubb has discovered a security issue in utempter, which potentially can be exploited by malicious, local users to perform certain actions with higher privileges on a vulnerable system.
Full Advisory: http://secunia.com/advisories/11417/

--
[SA11415] SquirrelMail Change_passwd Plugin Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-04-20
Matias Neiff has reported a vulnerability in the Change_passwd plugin for SquirrelMail, which can be exploited by malicious users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11415/

--
[SA11454] Red Hat update for XFree86
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2004-04-22
Full Advisory: http://secunia.com/advisories/11454/

--
[SA11404] Debian update for iproute
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2004-04-19
Debian has issued updated packages for iproute. These fix a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11404/

--
[SA11402] Debian update for logcheck
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2004-04-19
Debian has issued updated packages for logcheck. These fix a security issue, which potentially can be exploited by malicious, local users to escalate their privileges.
Full Advisory: http://secunia.com/advisories/11402/

--
[SA11399] logcheck Insecure Creation of Temporary Directory
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2004-04-19
Christian Jaeger has reported a security issue in logcheck, which potentially can be exploited by malicious, local users to escalate their privileges.
Full Advisory: http://secunia.com/advisories/11399/

Other:
--
[SA11439] Sun Fire IP TOS Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-04-21
Sun has issued updates for Sun Fire products. These fix a vulnerability allowing malicious people to cause a Denial of Service.
Full Advisory: http://secunia.com/advisories/11439/

--
[SA11448] SEIL TCP Connection Reset Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-04-21
Internet Initiative Japan has acknowledged a vulnerability in the SEIL products, which can be exploited by malicious people to reset established TCP connections on a vulnerable device.
Full Advisory: http://secunia.com/advisories/11448/

--
[SA11445] Blue Coat Products TCP Connection Reset Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-04-21
Blue Coat has acknowledged a vulnerability in some products, which can be exploited by malicious people to reset established TCP connections on a vulnerable device.
Full Advisory: http://secunia.com/advisories/11445/

--
[SA11444] Cisco Non-IOS Products TCP Connection Reset Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-04-21
Cisco has acknowledged that multiple products are affected by a vulnerability in the TCP implementation, which can be exploited by malicious people to reset TCP connections on a vulnerable device.
Full Advisory: http://secunia.com/advisories/11444/

--
[SA11443] Check Point SecurePlatform TCP Connection Reset Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-04-21
Check Point has acknowledged a vulnerability in SecurePlatform NG, which can be exploited by malicious people to reset established TCP connections on a vulnerable system.
Full Advisory: http://secunia.com/advisories/11443/

--
[SA11440] Cisco IOS TCP Connection Reset Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-04-21
Paul A. Watson has published research about a somewhat known vulnerability in the TCP specification (RFC793), which can be exploited by malicious people to cause a DoS (Denial of Service). Cisco has acknowledged that Cisco IOS is affected.
Full Advisory: http://secunia.com/advisories/11440/

--
[SA11442] Cisco IOS SNMP Request Processing Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-04-21
A vulnerability has been discovered in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11442/

Cross Platform:
--
[SA11393] Gemitel Arbitrary File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-04-16
jaguar has reported a vulnerability in Gemitel, allowing malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11393/

--
[SA11435] BEA WebLogic URL Restriction Bypass Security Issue
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-04-21
BEA has issued updates for WebLogic Server and WebLogic Express. These fix a weakness, which potentially allows malicious people to bypass URL restrictions.
Full Advisory: http://secunia.com/advisories/11435/

--
[SA11407] Phorum SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-04-19
Janek Vind has reported a vulnerability in Phorum, allowing malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/11407/

--
[SA11396] SCT Campus Pipeline Attachment Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-04-16
Spiffomatic64 has reported a vulnerability in SCT Campus Pipeline, allowing malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/11396/

--
[SA11395] Helix Universal Server HTTP Request Handling Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-04-16
A vulnerability has been discovered in Helix Universal Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11395/

--
[SA11386] PostNuke SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-04-15
pokleyzz has reported two vulnerabilities in PostNuke, allowing malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/11386/

--
[SA11436] BEA WebLogic Unauthorised EJB Object Deletion Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-04-21
BEA has issued an update for WebLogic Server and WebLogic Express. This fixes a vulnerability allowing malicious users to perform unauthorised deletion of objects.
Full Advisory: http://secunia.com/advisories/11436/

--
[SA11431] Journalness Unauthenticated Post Manipulation Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-04-21
A vulnerability has been discovered in Journalness, which reportedly can be exploited by unauthenticated users to create and edit posts.
Full Advisory: http://secunia.com/advisories/11431/

--
[SA11392] Macromedia ColdFusion File Upload Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-04-16
Chip Self has discovered a vulnerability in ColdFusion, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11392/

--
[SA11437] BEA WebLogic Exposure of Administrative Credentials
Critical: Less critical
Where: Local system
Impact: Exposure of system information, Exposure of sensitive information
Released: 2004-04-21
BEA has issued an update for WebLogic Server and WebLogic Express. This fixes a vulnerability allowing malicious, local users to gain knowledge of administrative credentials.
Full Advisory: http://secunia.com/advisories/11437/

--
[SA11387] Cisco IPsec VPN Implementation Group Password Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-04-16
A vulnerability has been discovered in Cisco's IPsec VPN implementation, allowing malicious, local users to gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/11387/

--
[SA11434] phpBB IP Spoofing Issue
Critical: Not critical
Where: From remote
Impact: ID Spoofing
Released: 2004-04-21
Wang has reported a vulnerability in phpBB, which can be exploited by malicious users to circumvent certain administrative user management features.
Full Advisory: http://secunia.com/advisories/11434/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 ======================================================================== From isn at c4i.org Fri Apr 23 05:20:43 2004 From: isn at c4i.org (InfoSec News) Date: Fri Apr 23 05:29:31 2004 Subject: [ISN] TCP, BGP, DoS, and BS Message-ID: Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" The sky is falling! We're all going to die! No, it's not. No, we're not The latest "death of the net" rumour has to do with a recent paper that discusses the fact that something called "session hijacking" can be used to force an end to a specific connection (connected sessions over the Internet use an arrangement called TCP). If the session is ended or disconnected, you will be effectively denied the service you were attempting to obtain. Connected sessions are used for everything from transferring files to connecting to the Internet in special ways to virtual private networks. Sometimes they are used to transfer information between the machines that decide where Internet traffic goes (called routers). If the routers can't keep up to date, the Internet will not be as effective as it should be. So you will have heard that there is a new threat to the Internet, that it is a denial of service attack, that it can disconnect you from the net, that it can kill your sessions, that it affects the routers (and a router protocol called BGP), and that sessions can be hijacked. 
None of this is new. What is new is a paper that was originally presented in England, caught the attention of the media there, and has spread, kinda like a hoax virus warning, from media outlets to bandwagon jumpers in the security field and back to the media, around the world.

Denial of service attacks are not new. Session hijacking is not new. Using TCP resets and session hijacking in combination has not been used in specific attacks before, but all the parts of this attack are well known to people who deal with such things. There are even ways to protect against this attack, and some institutions use them.

So, rather than talking about the death of the net, and "The Man Who Saved the Internet":

Net not dead, but was coughing up blood last night. Phlegm at 11.

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
Being in politics is like being a football coach. You have to be smart enough to understand the game and dumb enough to think it's important.
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Fri Apr 23 05:21:03 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 23 05:29:32 2004
Subject: [ISN] Hackers: Under the hood - Kevin Mitnick
Message-ID:

http://www.zdnet.com.au/insight/security/0,39023764,39116620-5,00.htm

Name: Kevin Mitnick
Handle(s): Condor, from the movie Three Days of the Condor
Age: 40
Place of birth: California, USA
Marital status: Divorced. Now lives with girlfriend and her eight year-old daughter
Current residence: Las Vegas, USA
Job: Chief executive of Defensive Thinking
First computer: Toshiba 4400 SX laptop
Best known for: His notoriety
Area(s) of expertise: Social engineering

"Even though I was a hacker since the 70s, I used other people's computers," confessed Kevin Mitnick. He didn't have to buy his own computer until 1992!
Perhaps the best known computer criminal in the world, Mitnick has used his mastery of social engineering -- or plain trickery -- to illegally penetrate networks all across the globe. His misdeeds were the subject of a book and subsequent movie of the same name, Takedown.

After being imprisoned three times for hacking -- the third time spending four and a half years behind bars -- Mitnick has gone straight. He now writes books about security, travels the world as a professional speaker and runs Defensive Thinking, the company he built on the back of his notoriety.

It's easy to picture him as a leather-clad cyberpunk or a narcissistic, cold, calculating cybervillain. So frankly it's a little disappointing to speak with him. Mitnick is -- on the telephone at least -- one of the least offensive or aggressive subjects one is likely to encounter. He is pleasant and polite, and considering his reputation as a master of deception, fairly easy to read.

His generally upbeat demeanour doesn't waver, even when speaking of the hardest times in his life -- like when he spent around eight months in solitary confinement because a US court was convinced he could start a nuclear war by whistling into a telephone.

As you speak to Mitnick, you get the impression his mild manner isn't obscuring from view a malicious menace to society, but someone who feels victimised. Someone who feels he was in the wrong place at the wrong time, and paid too high a price for his mistakes.

Starting out as a prankster while in high school in the late 70s, Mitnick fell in love with phreaking -- hacking the public phone network -- before being drawn into hacking computers.

"I was involved in phone phreaking before I was into computers. This was before AT&T was deregulated. I was pulling pranks on friends and family," Mitnick told ZDNet Australia in a recent interview.
"I met this other kid, who knew about my shenanigans, who thought computers would interest me because phone companies were going from magnetic switches to computerised systems."

While still in high school, his first hack came in the form of a login simulator he authored. When run, the program would display a normal login prompt, but when a user name and password were entered, the details would be captured before logging the user on. Mitnick used this technique to obtain his teacher's username and password.

Looking back, he says he has been described as someone who had a terrible addiction to hacking, an all-consuming passion that wrecked his life. That's a bit of a stretch, he said.

"I'd spend a great deal of time on it ... it was my hobby. I wouldn't characterise it as heroin. I spent more hours than the average person would spend on the computer though," he said.

By his own account, Mitnick exhibited the same sort of enthusiasm as a child hooked on an Xbox or Playstation. He said his family has always been supportive of his passion for technology.

"They encouraged it. They didn't know I was doing anything wrong until I got a visit from the FBI," he said. "I was in high school, I think I was 17. I don't remember why he visited me ... he didn't have any evidence, it was a part of an investigation."

Unlike many of his ilk, Mitnick came from a working-class background. His mother worked long hours as a waitress to support him.

These are details one never forgets ... and then some -- he recalls being locked up for the first time when he was "around 17 or 18".

"I went to the California Youth Authority," he said, his tone shifting slightly. "It wasn't fun, it wasn't like what you see in the movies. It was like being in a brig."

In 1988, he was back in the slammer for hacking into Digital Equipment -- which was acquired by Compaq Computer in 1998 -- to steal operating system source code.
During that time he spent eight months in solitary confinement and to this day he attributes that stint to the failure of his marriage.

Things went seriously pear-shaped for Mitnick in the early 90s. He went on the run after realising that authorities were investigating him for parole violation. While on the run, he used various aliases such as Eric Weiss -- which was the real name of legendary magician and escape artist Harry Houdini -- to gain employment. He even spent a considerable amount of time working as a systems administrator for a law firm.

When the law caught up with him, he was thrown into prison for four and a half years. According to the US Department of Justice, Mitnick admitted to stealing software from Motorola, Novell, Fujitsu, Sun Microsystems, and Nokia.

It's probably why he takes such a dim view of the imprisonment of terrorist suspects held -- without charge -- in Guantanamo Bay, Cuba by American authorities.

"The United States is a police state. 9-11 was a horrible tragedy for the world, and the Department of Justice has used it to trample on [our] rights," he said. "[Now] the government makes the call as to whether you qualify for certain rights."

The tale of the hunt for Mitnick and his subsequent capture was documented in a book by security consultant Tsutomu Shimomura -- one of Mitnick's victims -- and The New York Times journalist John Markoff. Mitnick attributes his rough treatment by the US authorities in part to the publicity generated by Markoff in both writing about his exploits for the New York Times and co-authoring Takedown with Shimomura.

"They turned me into 'Osama bin-Mitnick,'" he said.

"Not only did it demonise me, it was libellous," Mitnick said, obviously still annoyed over the way he was portrayed. "The only reason I didn't sue was because I was in custody at the time."

But Mitnick's patience bore fruit. "What ended up happening is the movie came out in 1998 and I was able to get an attorney.
I settled out of court for a large sum of money. Markoff is lucky, and Shimomura is lucky that there's a one year statute of limitations [on libel cases]," he explained. "They exploited me to make millions of dollars."

After his release from prison, Mitnick started working on a book titled The Art of Deception, centred around social engineering -- the technique he mastered that allowed him to trick system administrators and others into divulging information he shouldn't have been allowed to have. This included usernames and passwords, system dial-in numbers and much, much more.

He also wrote about his experience with Markoff and Shimomura; however, his publisher refused to print the material. It has since found its way on to the Internet, known as the "Forbidden Chapter".

Mitnick has come a long way since his days in incarceration. Currently working on his next book, tentatively called The Art of Intrusion, Mitnick is a sought-after public speaker and runs Defensive Thinking, a consultancy specialising in minimising the risks posed by social engineering.

He freely admits that his notoriety is a big part of his recent success, but says his recent good fortune is what he's most proud of in life.

Now living in "sin-city" Las Vegas, Mitnick enjoys the simple things in life. "I like travelling, going to movies and shows ... I'm going to Metallica [concert] this Saturday. Woz is coming up, we're going together," he said.

And he certainly has some interesting friends. "Woz" is Apple co-founder Steve Wozniak.

But what he relishes the most is spending time with his girlfriend and her daughter. "My best accomplishment was the ability to take all this negativity and completely turn my life around," he said.
-- Patrick Gray

From isn at c4i.org Fri Apr 23 05:21:46 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 23 05:29:33 2004
Subject: [ISN] Olympic security system late
Message-ID:

http://australianit.news.com.au/articles/0,7204,9353718%5E15321%5E%5Enbv%5E15306,00.html

APRIL 22, 2004

GREEK police will not have time to learn how to operate a security system properly before the Athens Olympics opens in August, a senior government source admitted.

The system is still not fully in place, and its late delivery leaves little time for training, the official added.

"It's like putting a peasant who only knows how to drive a tractor behind the steering wheel of a luxury limousine," the source told reporters on condition of anonymity.

"The system should ideally have been in place spring last year," the source added.

After lengthy haggling, Greece finally awarded in March 2003 a 245 million euro ($397.73 million) tender for the supply of the IT security package to a consortium led by US firm Science Applications International Corporation (SAIC).

Despite the tight deadlines, the firm said it could deliver the system within 12 months but the Athens News weekly, citing government sources, has said the system will be at best 85 per cent operational during the Games.

But a senior police official was adamant they would be up and running on time. "The system will be in place," he said.

SAIC's so-called C4I system encompasses a centralised command for a network of security cameras and communications devices linking security agencies and venues in different parts of the Greek capital.

SAIC was also in charge of security at the 2002 Salt Lake Winter Olympics.

Greece is spending 650 million euro ($1.06 billion) - an Olympic record - on security.
From isn at c4i.org Fri Apr 23 05:22:02 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 23 05:29:34 2004
Subject: [ISN] Phoney captain fools RAF base for five months
Message-ID:

http://portal.telegraph.co.uk/news/main.jhtml?xml=/news/2004/04/23/nraf23.xml

By Chris Boffey
Filed: 23/04/2004

When Kelsey McMillan arrived for duty at RAF Valley the soldiers guarding the airbase snapped a salute after taking note of her captain's uniform and checking her identity card. She told them she was a medical officer arriving for a retraining course and they pointed her in the direction of the duty adjutant and the officers' mess.

For more than five months she was welcomed at the RAF base in Anglesey, north Wales, motto In Adversis Perfugium ("refuge in adversity"), and showed her mettle on training missions in Sea King helicopters and in the hospital block, where she sat in on medical examinations.

The 35-year-old was also popular in the officers' mess; always generous in the bar, even running up a £300 bill.

But "Captain" McMillan sparked off a major security appraisal after it was discovered that she was an impostor with an obsession for uniforms; her only connection with the Armed Forces being as a private in the Territorial Army.

Yesterday, the RAF admitted being duped. A spokesman said: "She presented herself very well and turned up in an impeccable captain's uniform and with Army identification. She was very plausible.

"However, we have already taken steps to make sure that this does not happen again, not just at Valley but at all military bases across the UK. McMillan is, at the moment, still a member of the TA and is being investigated by military police."

McMillan's five months of subterfuge began in October last year when she turned up at the main gate of RAF Valley claiming to be on detachment from the Army. She also said her fiancé lived on the airfield.
She moved into the officers' mess, putting all her bills on credit and explaining that her Army pay had been delayed because of the transfer.

As a medic she was assigned to 22 Squadron's search and rescue unit and flew on training missions. She also sat in on examinations in the hospital block but did not administer treatment.

McMillan was finally found out when, knowing that she might have stretched the limits of her credibility at RAF Valley, she applied for a transfer to the Royal Navy Air Station Culdrose, near Helston, Cornwall. Within four days of joining the base she was arrested by military police.

The civilian police were called in and she was given a caution but no charges were brought. TA members can be subjected to court martial but it is understood that she will be spared that ordeal and at the end of the investigation will be thrown out of the military. She has already been stripped of her ID card.

Her parents have settled the outstanding mess bill.

From isn at c4i.org Mon Apr 26 02:32:09 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 26 02:50:13 2004
Subject: [ISN] TCP, BGP, DoS, and BS
Message-ID:

Forwarded from: Kurt Seifried

Please note: According to the Cisco presentation afterwards, Cisco's RST behavior makes it non-vulnerable as there is a wait period after a certain number of bad RST packets are received. Thus Cisco IOS is basically not affected.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

From isn at c4i.org Mon Apr 26 02:32:36 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 26 02:50:14 2004
Subject: [ISN] Linux Advisory Watch - April 23rd 2004
Message-ID:

+----------------------------------------------------------------+
|  LinuxSecurity.com                       Linux Advisory Watch  |
|  April 23rd, 2004                        Volume 5, Number 17a  |
+----------------------------------------------------------------+

Editors:     Dave Wreski                Benjamin Thomas
             dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for cvs, neon, perl, logcheck, kernel, iproute, xchat, ident2, utempter, cadaver, libneon, MySQL, samba, utempter, OpenSSL, tcp, IA64, XFree86, tcpdump, and xine. The distributors include Debian, Fedora, Gentoo, Mandrake, NetBSD, Red Hat, Slackware, and Trustix.

----

>> Free Trial SSL Certificate from Thawte <<

Take your first step towards giving your online business a competitive advantage. Test-drive a Thawte SSL certificate - our easy online guide will show you how.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten04

----

Data Classification

One of the biggest problems in security today is that business managers and security administrators do not have a good idea of how much their organization's proprietary data is worth. Consider the example of a company's client details or schematics for a new product. How much money should be spent to protect it? Who should access it? If this information is leaked to competitors, how much impact would it have on the business? If you aren't asking these types of questions, you should be.

One of the first steps in risk management in any organization is determining the assets.
Later, a value is assigned to each asset and known risks are either accepted, transferred, or mitigated. Determining the value of an organization's information can very easily become infinitely complex. A technique commonly used to assist with the valuation of information is data classification.

The concept involves assigning a label and in some cases a classification to a piece of information, or a document. For example, documents in any government agency will be assigned labels such as unclassified, classified, secret, or top secret. Sometimes labeling is more granular, including labels such as unclassified but sensitive, or internal. Most governments implement this in slightly different ways.

A security classification describes who the information is intended for. For example, a budgeting document could be labeled classified and only intended for the finance and accounting departments. This means that the document's label is classified and the classification is finance and accounting. In theory, only those individuals in the finance and accounting departments with classified clearance should be able to access that particular document.

Assigning labels to information gives security administrators a logical way to create a protection strategy. Appropriately applying security controls can be easier if similar data is held in similar places. Back to the budgeting document example: because it is classified and intended only for finance or accounting, it should only be stored on a confidential accounting or finance data-store/server. It is not always necessary to have separate servers for each label. Segmentation can be done just as easily by assigning group permissions to specific directories on a single server.

Data classification allows managers to more easily determine the type and quantity of information used by an organization. Also, it can simplify the security administrator's role of providing consistent access control across all information used.
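The two-part check the column describes (a sensitivity label plus an intended audience) and the "similar data in similar places" storage rule can be written down as a small policy model. The following Python is an added illustration, not code from LinuxSecurity.com or the newsletter's authors: each document carries a level and an audience, a read is permitted only when the reader's clearance dominates the level AND the reader belongs to one of the intended departments, and every label maps to one group-owned, setgid directory, which is the single-server segmentation the column mentions. The level names come from the column; their ordering, the department names, user names, document names, directory layout and the "at least one department" reading of the audience rule are assumptions of this model.

```python
"""Label + audience access decisions and storage partitioning.

Added example, not code from LinuxSecurity.com or the newsletter's
authors. Level names come from the column; their ordering, the
department names and the directory layout are assumptions of this model.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Sensitivity labels from lowest to highest (ordering assumed).
LEVELS = ("unclassified", "internal", "classified", "secret", "top secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A document's label (sensitivity) plus its classification (audience)."""
    level: str
    audience: FrozenSet[str] = frozenset()   # empty = any department

    def __post_init__(self) -> None:
        if self.level not in RANK:
            raise ValueError(f"unknown sensitivity level: {self.level!r}")


@dataclass(frozen=True)
class Subject:
    """A user: the highest level they are cleared for, and their departments."""
    name: str
    clearance: str
    departments: FrozenSet[str]

    def __post_init__(self) -> None:
        if self.clearance not in RANK:
            raise ValueError(f"unknown clearance: {self.clearance!r}")


def can_read(subject: Subject, doc: Label) -> bool:
    """Read is allowed only when BOTH checks pass:
    1. the subject's clearance is at least the document's level;
    2. the document is intended for a department the subject belongs to
       (an empty audience means the document is not restricted by department).
    """
    level_ok = RANK[subject.clearance] >= RANK[doc.level]
    audience_ok = not doc.audience or bool(doc.audience & subject.departments)
    return level_ok and audience_ok


def storage_location(doc: Label, root: str = "/srv/data") -> Dict[str, object]:
    """Map a label to one group-owned directory so similar data lives together.

    Returns the directory, the Unix group that should own it and the mode:
    setgid + rwx for owner and group, nothing for others (0o2770), so new
    files inherit the group and non-members cannot list or read anything.
    Unclassified material gets world-readable 0o2775 instead.
    """
    level_dir = doc.level.replace(" ", "_")
    group = "-".join(sorted(doc.audience)) or "all-staff"
    return {
        "path": f"{root}/{level_dir}/{group}",
        "group": f"{level_dir}-{group}",
        "mode": 0o2770 if doc.level != "unclassified" else 0o2775,
    }


def partition(docs: Dict[str, Label]) -> Dict[str, List[str]]:
    """Group document names by the directory they should be stored in."""
    buckets: Dict[str, List[str]] = {}
    for name, label in docs.items():
        path = str(storage_location(label)["path"])
        buckets.setdefault(path, []).append(name)
    return {p: sorted(names) for p, names in buckets.items()}


# Constructed sample data (not from the newsletter).
SAMPLE_DOCS = {
    "budget-2004.xls": Label("classified", frozenset({"finance", "accounting"})),
    "ledger-q1.csv": Label("classified", frozenset({"accounting", "finance"})),
    "widget-schematic.pdf": Label("secret", frozenset({"engineering"})),
    "holiday-schedule.txt": Label("internal"),
    "press-release.txt": Label("unclassified"),
}

SAMPLE_USERS = {
    "alice": Subject("alice", "classified", frozenset({"finance"})),
    "bob": Subject("bob", "internal", frozenset({"finance"})),
    "carol": Subject("carol", "top secret", frozenset({"marketing"})),
    "dave": Subject("dave", "secret", frozenset({"engineering"})),
}


def access_matrix(users=SAMPLE_USERS, docs=SAMPLE_DOCS) -> Dict[str, List[str]]:
    """Which documents each user may read; a useful artefact for access review."""
    return {u: sorted(d for d, lbl in docs.items() if can_read(s, lbl))
            for u, s in users.items()}


if __name__ == "__main__":
    for user, readable in access_matrix().items():
        print(f"{user:6} -> {readable}")
    for path, names in partition(SAMPLE_DOCS).items():
        print(f"{path}: {names}")
```

Note that carol holds a top secret clearance yet cannot read the classified budget: clearance alone is never sufficient, which is exactly the need-to-know restriction the column's "classified, finance and accounting" example expresses. The `partition` output is what an administrator would turn into `chgrp`/`chmod 2770` on a single server rather than provisioning one host per label.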
Until next time, cheers!
Benjamin D. Thomas
ben@linuxsecurity.com

----

Guardian Digital Launches Next Generation Internet Defense & Detection System

Guardian Digital has announced the first fully open source system designed to provide both intrusion detection and prevention functions. Guardian Digital Internet Defense & Detection System (IDDS) leverages best-in-class open source applications to protect networks and hosts using a unique multi-layered approach coupled with the security expertise and ongoing security vigilance provided by Guardian Digital.

http://www.linuxsecurity.com/feature_stories/feature_story-163.html

--------------------------------------------------------------------

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.

http://www.linuxsecurity.com/feature_stories/feature_story-162.html

--------------------------------------------------------------------

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

4/17/2004 - cvs
  Multiple vulnerabilities

  Patch fixes bugs for both server and client which allow the creation of arbitrary files.
  http://www.linuxsecurity.com/advisories/debian_advisory-4243.html

4/17/2004 - neon
  Format string vulnerability

  These vulnerabilities could be exploited by a malicious WebDAV server to execute arbitrary code with libneon's privileges.
  http://www.linuxsecurity.com/advisories/debian_advisory-4244.html

4/19/2004 - perl
  Information leak vulnerabilities

  DSA 431-1 incorporated a partial fix for this problem. This advisory includes a more complete fix which corrects some additional cases.
  http://www.linuxsecurity.com/advisories/debian_advisory-4245.html

4/19/2004 - logcheck
  Insecure temporary directory

  This bug may be exploited to write or read arbitrary directories to which the user has access.
  http://www.linuxsecurity.com/advisories/debian_advisory-4246.html

4/19/2004 - kernel 2.4.17
  Multiple vulnerabilities

  This patch takes care of multiple kernel vulnerabilities, specifically for kernel 2.4.17 on the PowerPC/apus and S/390 architectures.
  http://www.linuxsecurity.com/advisories/debian_advisory-4247.html

4/19/2004 - kernel 2.4.19
  Multiple vulnerabilities

  Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.17 for the MIPS architecture.
  http://www.linuxsecurity.com/advisories/debian_advisory-4248.html

4/19/2004 - zope
  Arbitrary code execution vulnerability

  A flaw in the security settings of ZCatalog allows anonymous users to call arbitrary methods of catalog indexes. The vulnerability also allows untrusted code to do the same.
  http://www.linuxsecurity.com/advisories/debian_advisory-4249.html

4/19/2004 - iproute
  Denial of service vulnerability

  Herbert Xu reported that local users could cause a denial of service against iproute, a set of tools for controlling networking in Linux kernels.
  http://www.linuxsecurity.com/advisories/debian_advisory-4250.html

4/21/2004 - xchat
  Buffer overflow vulnerability

  This bug allows an attacker to execute arbitrary code on the users' machine.
  http://www.linuxsecurity.com/advisories/debian_advisory-4263.html

4/22/2004 - ident2
  Buffer overflow vulnerability

  This vulnerability could be exploited by a remote attacker to execute arbitrary code with the privileges of the ident2 daemon (by default, the "identd" user).
  http://www.linuxsecurity.com/advisories/debian_advisory-4269.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

4/21/2004 - utempter
  Improper directory traversal vulnerability

  An updated utempter package that fixes a potential symlink vulnerability is now available.
  http://www.linuxsecurity.com/advisories/fedora_advisory-4265.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

4/19/2004 - cadaver
  Multiple format string vulnerabilities

  There are multiple format string vulnerabilities in the neon library used in cadaver, possibly leading to execution of arbitrary code.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4251.html

4/19/2004 - XChat
  Stack overflow vulnerability

  XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4252.html

4/19/2004 - monit
  Multiple vulnerabilities

  Two new vulnerabilities have been found in the HTTP interface of monit, possibly leading to denial of service or execution of arbitrary code.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4253.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

4/19/2004 - utempter
  Multiple vulnerabilities

  Incorrect path validation and denial of service vulnerabilities are patched here.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4257.html

4/20/2004 - libneon
  Format string vulnerabilities

  A number of various format string vulnerabilities were discovered in the error output handling of Neon.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4259.html

4/20/2004 - xine-ui
  Temporary file vulnerability
  Format string vulnerabilities

  This problem could allow local attackers to overwrite arbitrary files with the privileges of the user invoking the script.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4260.html

4/20/2004 - MySQL
  Temporary file vulnerabilities

  An attacker could create symbolic links in /tmp that could allow for overwriting of files with the privileges of the user running the scripts.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4261.html

4/20/2004 - samba
  Privilege escalation vulnerability

  A user can use smbmnt along with a remote suid program to gain root privileges remotely.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4262.html

4/22/2004 - utempter
  Update to patch MDKSA-2004:031

  This patch corrects some small problems with the original utempter patch, released April 19th.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4270.html

4/22/2004 - xchat
  Improper execution vulnerability

  Successful exploitation could lead to arbitrary code execution as the user running XChat.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4271.html

+---------------------------------+
|  Distribution: NetBSD           | ----------------------------//
+---------------------------------+

4/21/2004 - OpenSSL
  Denial of service vulnerabilities

  This patch fixes two separate Denial of Service vulnerabilities.
  http://www.linuxsecurity.com/advisories/netbsd_advisory-4267.html

4/21/2004 - tcp
  Denial of service vulnerability

  Patch modifies the TCP/IP stack to minimize the probability of a disconnection or data injection attack, even without using IPSec.
  http://www.linuxsecurity.com/advisories/netbsd_advisory-4268.html

+---------------------------------+
|  Distribution: Openwall         | ----------------------------//
+---------------------------------+

4/19/2004 - kernel
  Multiple vulnerabilities

  Descriptions and links for the newest kernel patches.
  http://www.linuxsecurity.com/advisories/openwall_advisory-4256.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

4/21/2004 - kernel
  Multiple vulnerabilities

  Updated kernel packages that fix several minor security vulnerabilities are now available.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4266.html

4/22/2004 - kernel
  Buffer overflow vulnerability

  Updated kernel packages that fix a security vulnerability which may allow local users to gain root privileges are now available.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4272.html

4/22/2004 - IA64 kernel
  Multiple vulnerabilities

  Updated IA64 kernel packages fix a variety of security vulnerabilities.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4273.html

4/22/2004 - XFree86
  Denial of service vulnerability

  Flaws in XFree86 4.1.0 allow local or remote attackers who are able to connect to the X server to cause a denial of service.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4274.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

4/19/2004 - tcpdump
  Denial of service vulnerability

  Upgraded tcpdump packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix denial-of-service issues.
  http://www.linuxsecurity.com/advisories/slackware_advisory-4254.html

4/19/2004 - cvs
  Arbitrary file creation vulnerabilities

  Two separate cvs vulnerabilities, one for the client and one for the server, allow the creation of files at arbitrary paths.
  http://www.linuxsecurity.com/advisories/slackware_advisory-4255.html

4/20/2004 - utempter
  Insecure symlink vulnerability

  Steve Grubb has identified an issue with utempter-0.5.2 where under certain circumstances an attacker could cause it to overwrite files through a symlink.
  http://www.linuxsecurity.com/advisories/slackware_advisory-4258.html

4/21/2004 - xine
  Insecure temporary file vulnerability

  This release fixes a security problem where opening a malicious MRL could write to system (or other) files.
  http://www.linuxsecurity.com/advisories/slackware_advisory-4264.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

4/16/2004 - ppp/squid
  ACL escape vulnerability
  Insecure temporary file vulnerability

  The PPP fix is a simple bugfix. The Squid fix involves the ability to craft a URL to be ignored by Squid's ACLs.
  http://www.linuxsecurity.com/advisories/trustix_advisory-4241.html

4/16/2004 - kernel
  Multiple vulnerabilities

  This patch fixes a variety of kernel security holes, some filesystem related.
  http://www.linuxsecurity.com/advisories/trustix_advisory-4242.html

4/22/2004 - kernel
  Integer overflow vulnerability

  A successful exploit could lead to full superuser privileges.
  http://www.linuxsecurity.com/advisories/trustix_advisory-4275.html

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Apr 26 02:32:57 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 26 02:50:15 2004
Subject: [ISN] Hackers: Under the hood - Peiter Mudge Zatko
Message-ID:

http://www.zdnet.com.au/insight/security/0,39023764,39116620-6,00.htm

Name: Peiter Mudge Zatko
Handle(s): Mudge, PeiterZ
Marital status: Single
Current residence: New England, USA
Job: Chief Scientist, Intrusic
First computer: Tektronix 4051
Best known for: Creating L0phtCrack
Area(s) of expertise: "Thinking outside of the box"

It's hard to tell if Peiter Mudge Zatko was born eccentric or whether he's just a stickler for privacy. Take the response to ZDNet Australia's request for his age as an example: "[I'm] not trying to be coy, but my age, race, religion, etcetera, are always items I try not to divulge. The rationale is probably quite different than what most people infer. It is as follows: without irrelevant information such as skin colour and the aforementioned items, people are stripped of data that normally would encourage functional fixation."

It seems Zatko's brain has been over-clocking from a very young age. "When I was growing up, around the age of five or so, I couldn't wrap my head around 'life'.

"The notion of death being an accepted unknown without any further details drove me bonkers," he told ZDNet Australia.

Some may argue that existentialist dilemmas such as these belong to adults, or at the very least in the adolescent domain. But Zatko was introduced to a myriad of advanced concepts at an extremely tender age.

"In my crib, as an infant, my father sanded down the edges of early 60s-type computer components ... like the face plates of systems with glowing [amber] numeric 'vacuum tube style' readouts," he recalled.

The way Zatko speaks of him suggests that his father was his mentor in life. "I asked my father what he believed in -- what his religious beliefs were. He refused to tell me.
Instead, he started taking me to churches of different denominations each Sunday and would ask me what my interpretations were.

"Several years later I came up with my own 'codified' religious beliefs," Zatko said.

And he's fanatical about getting the job done. "Anything that I do, I must engross myself in totally," he said.

To Zatko, there's no distinction between work and personal life, and he readily admits that his life knows no balance.

"There's also no difference between business and personal relationships. When I decided to get into Golden Gloves Boxing and Muay Thai [boxing] it was to master them. When I deal with computers it is to entirely comprehend the socio-psychological interactions and weaknesses they introduce," he revealed.

His parents, while educated, came from fairly blue-collar backgrounds. He said his mother "experienced the depression" while his father grew up working on a farm. As a child, Zatko was given musical training, and was taught science and mathematics while maintaining a "respect for manual labour and living off the land".

He still holds dear to his heart the values his parents instilled in him while growing up. "I was intentionally given freedom and a feeling of independence at a young age. In looking back the rationale was obvious: learn decision making and life choices while you are still able to be protected paternally," he explained.

"I watched people self destruct at the tail-end of high school and in college -- where it was obvious that that was their first taste of freedom."

In 2000, Zatko was invited to participate in a security summit chaired by former US President Bill Clinton. "I was afforded the rare opportunity to hang out with him afterwards and engage in some private conversations," he said. "I have tons of stories but they're too long."
As one of the founding members of grey hat outfit L0pht Heavy Industries -- which later became the foundation for security firm @Stake -- he was responsible for the creation of L0phtCrack, a product still sold by @Stake. L0phtCrack is a simple product and a remarkably effective password cracker for Windows-based systems. Zatko insists he wrote it to prove a point and not for commercial reasons.

"When I first created and wrote it, one of the goals was to show that the Microsoft systems being deployed could not embody 'secure' encrypted passwords ... not that there were some passwords that were stronger than others.

"This didn't mean that people should not use Microsoft technology but rather they should understand where their security perimeters needed to be in order to take advantage of the [Microsoft] platform without exposing undue risk to infrastructures," he said.

"Is something like L0phtCrack still useful? Yes. Is this an example of people misinterpreting what a tool is showing them and potentially having a false sense of security because of it? Unfortunately, the answer is again yes," he added.

Zatko believes that example -- the misuse of a tool like L0phtCrack -- applies to many security products. He has some advice to help improve the situation, though: "Share, be open, communicate, ask questions to all, share the answers that help you with [everyone], do not think in black and white, do not hurt others or yourself. Improve the world, not your own self image -- the former is possible, and the latter is not accomplished without being a part of the former."
-- Patrick Gray

From isn at c4i.org Mon Apr 26 02:33:15 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 26 02:50:16 2004
Subject: [ISN] Feds Making Plans for Security Clearinghouse
Message-ID:

http://www.eweek.com/article2/0,1759,1572951,00.asp

By Dennis Fisher
April 25, 2004

The federal government is developing plans for a secure network operations center for all security information flowing to and from the government.

The security operations center would be separate from other such facilities at federal agencies and would not necessarily be concerned with monitoring the operations of production government networks. Instead, the SOC would be a clearinghouse that gathers and analyzes data from the private sector, mainly the Information Sharing and Analysis Centers in several major vertical industries. The new facility will likely be located in northern Virginia, according to sources familiar with the plans.

The plans are part of the Department of Homeland Security's efforts to engage the private sector more fully in the process of defending the nation's critical infrastructure. This is a key concern for the department because the lion's share of the infrastructure is owned privately; the government must rely on ISPs, carriers and large enterprises for help in securing it.

The SOC would be run jointly by personnel from the DHS and a civilian contractor that would help build the facility. The physical location of the SOC will probably be in a government-owned building, said sources close to the plan.

DHS officials said that even though there are less formal information-sharing efforts between government and private industry, there still is a need for a more structured program.

"We're trying to operationalize the public/private partnership. It's been largely intangible up till now," said Amit Yoran, director of the National Cyber Security Division at DHS, in an interview here last week. "We want the rules of the road to be clear on this stuff.
The private sector genuinely wants to make progress on this. I think, as we get more considerate of the private sector in terms of the FOIA [Freedom of Information Act] exemption, things will come along."

One of the carrots the government has used to entice enterprises into sharing more data on attacks, vulnerabilities and other security concerns is an exemption to the FOIA for information pertaining to critical infrastructure protection. This exemption guarantees that data the companies turn over won't be subject to FOIA requests by news organizations.

The FOIA exemption for security information is a key part of the government's plans going forward. In the past, most enterprises and other organizations have been reluctant to hand over information about security breaches, virus attacks or other incidents they've been involved with for fear that word might leak to the press and erode customer confidence in their business. Yoran and other government officials said they hope that the FOIA protection will allay these fears and produce more valuable data.

Still, skepticism remains over the government's efforts in general and the plans for the SOC specifically. Relations between some of the ISACs and the DHS, based in Washington, and other agencies have been strained at times, and some security experts involved with the ISACs said there's not much reason to think the establishment of the SOC will affect any of that.

"The information flows one way right now: from us to them. I don't see how this is going to change that," said one member of the Financial Services ISAC who requested anonymity. "You want to replace one thing that doesn't really work with another one? Whatever. I can't think of a single time that they've known about something before we did. The only real value is for them."
The ISACs, which were first built in 2000, are designed to allow organizations in industries such as health care, financial services and IT to exchange information about ongoing security issues. Most are run independently, although some, including the FS-ISAC, are run by contractors.

Officials said they hope to have plans for the SOC finalized soon and intend to fund the initiative out of the current fiscal year's budget, which runs out Sept. 30.

From isn at c4i.org Mon Apr 26 02:33:30 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 26 02:50:17 2004
Subject: [ISN] US defends cybercrime treaty
Message-ID:

http://www.theregister.co.uk/2004/04/24/us_defends_cybercrime_treaty/

By Kevin Poulsen, SecurityFocus
Published Saturday 24th April 2004

Critics took aim this week at a controversial international treaty intended to facilitate cross-border computer crime probes, arguing that it would oblige the US and other signatories to cooperate with repressive regimes - a charge that the Justice Department denied.

The US is one of 38 nations that have signed onto the Council of Europe's "Convention on Cybercrime," but the US Senate has not yet ratified the measure. In a letter to the Senate last November, President Bush called the pact "the only multilateral treaty to address the problems of computer-related crime and electronic evidence gathering." The treaty "would remove or minimize legal obstacles to international cooperation that delay or endanger U.S. investigations and prosecutions of computer-related crime," he said.

Drafted under strong US influence, the treaty aims to harmonize computer crime laws around the world by obliging participating countries to outlaw computer intrusion, child pornography, commercial copyright infringement, and online fraud.
Another portion of the treaty requires each country to pass laws that permit the government to search and seize email and computer records, perform Internet surveillance, and to order ISPs to preserve logs in connection with an investigation. A "mutual assistance" provision then obligates the country to use those tools to help out other signatory countries in cross-border investigations: France, for example, could request from the US the traffic logs for an anonymous Hushmail user suspected of violating French law.

Dual criminality. Not

That worries civil libertarians. The treaty is open to any country, with the approval of those that have already ratified it, and some fear that it could put the United States' surveillance capabilities at the disposal of foreign governments with poor human rights records, who may be investigating actions that are not considered crimes elsewhere.

"There is no requirement that the act that is being investigated be a crime both in a nation that is asking for assistance, and the nation that is providing assistance," said the ACLU's Barry Steinhardt, speaking at the Computers Freedom and Privacy Conference in Berkeley, California on Thursday. The US and other countries will be asked to use the electronic snooping powers mandated by the treaty to track political dissidents, he said.

Betty Shave, who heads the Justice Department's international computer crime division, admitted that the treaty mostly lacks so-called "dual criminality" provisions, but she countered that other language in the pact would prevent abuses. One clause in the treaty allows a country to refuse to cooperate in an investigation if its "essential interests" are threatened by the request: Shave says that would allow the US to bow out of a probe targeting free speech or other actions protected by the U.S. Constitution. Moreover, political offenses are specifically excluded from some types of mutual assistance requests available under the treaty.
The treaty is necessary because "crime and terrorism, like everything else, are moving onto the Net and are increasingly difficult to investigate, and a lot of crime is international," said Shave. "Many crimes are deliberately staged through various countries just to make it difficult to investigate."

Privacy International's Gus Hosein argued the international community should have produced model legislation to harmonize computer crime laws, instead of a treaty with mutual obligations. "You create a treaty, suddenly you have all these interests come in."

Thirty-four European nations, plus Canada, Japan, South Africa and the United States have signed onto the treaty, but only five have thus far ratified it: Albania, Croatia, Estonia, Hungary and Lithuania. If ratified, no new domestic laws would have to be passed to bring the US into line with the treaty, according to the Justice Department.

Steinhardt was skeptical. "The treaty is already being used as a pretext in some developing nations to pass some pretty draconian laws," he said. "I wouldn't be surprised to see it used in the US that way."

From isn at c4i.org Tue Apr 27 07:12:20 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 27 07:22:08 2004
Subject: [ISN] TCP, BGP, DoS, and BS
Message-ID:

Forwarded from: Kurt Seifried

BTW as far as the SYN problem goes, if you can send 10k's per second of SYN packets you get two basic options: either the remote end is configured to handle SYN flooding, or it isn't. If not, you certainly don't need the sliding window issue to mess up remote systems.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

From isn at c4i.org Tue Apr 27 07:12:44 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 27 07:22:09 2004
Subject: [ISN] Linux Security Week - April 26th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  April 26th, 2004                             Volume 5, Number 17n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas          ben@linuxsecurity.com    |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Securing a Fresh Linux Install," "Securing The IP Telephony Perimeter," and "Your Next Mission-Critical Application."

----

>> Free Trial SSL Certificate from Thawte <<

Take your first step towards giving your online business a competitive advantage. Test-drive a Thawte SSL certificate; our easy online guide will show you how.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten04

----

LINUX ADVISORY WATCH:

This week, advisories were released for cvs, neon, perl, logcheck, kernel, iproute, xchat, ident2, utempter, cadaver, XChat, libneon, MySQL, samba, utempter, OpenSSL, tcp, IA64, XFree86, tcpdump, and xine. The distributors include Debian, Fedora, Gentoo, Mandrake, NetBSD, Red Hat, Slackware, and Trustix.

http://www.linuxsecurity.com/articles/forums_article-9220.html

----

Guardian Digital Launches Next Generation Internet Defense & Detection System

Guardian Digital has announced the first fully open source system designed to provide both intrusion detection and prevention functions.
Guardian Digital Internet Defense & Detection System (IDDS) leverages best-in-class open source applications to protect networks and hosts using a unique multi-layered approach coupled with the security expertise and ongoing security vigilance provided by Guardian Digital.

http://www.linuxsecurity.com/feature_stories/feature_story-163.html

----

>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04

--------------------------------------------------------------------

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.

http://www.linuxsecurity.com/feature_stories/feature_story-162.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Reducing Spam
April 23rd, 2004

Spam is a common, and often frustrating, side effect to having an email account. Although you will probably not be able to eliminate it, there are ways to reduce it.

http://www.linuxsecurity.com/articles/privacy_article-9224.html

* Securing a fresh Linux install, part 3
April 22nd, 2004

Telnet transmits information, including passwords, in plain text, which can easily be intercepted and read. SSH performs much the same task as Telnet, but it does so through an encrypted tunnel and is therefore much more secure.
http://www.linuxsecurity.com/articles/documentation_article-9218.html

* STAT Scanner 5.27 Reviewed
April 21st, 2004

A security scanner is one of the most important software titles in a network administrator's toolbox, so naturally I was happy to try out a new one. When I got Harris Corporation's STAT Scanner I noticed that it is the first vulnerability assessment scanner to receive Common Criteria certification, a rigorous international standard for information technology security evaluation and certification.

http://www.linuxsecurity.com/articles/host_security_article-9210.html

* Securing a Fresh Linux Install
April 21st, 2004

Most Linux distros provide a wide variety of server applications, and many network-aware apps are enabled by default when you install the operating system. Before you put your new Linux machine online, there are a number of steps you should take to make your network secure. Use these tips every time you perform a fresh install; none of these steps will help to secure a machine that has already been compromised.

http://www.linuxsecurity.com/articles/host_security_article-9208.html

+------------------------+
| Network Security News: |
+------------------------+

* Installing Nessus 2.0 on SuSE 9.0 Pro with KDE 3.1
April 23rd, 2004

The following is a simple how-to guide for installing the Nessus vulnerability scanner, server daemon, and client on SuSE Linux. The instructions do not include in-depth explanations, as it is assumed that you are familiar with the features and benefits of Nessus and have a general working knowledge of Linux.

http://www.linuxsecurity.com/articles/documentation_article-9223.html

* HNS Learning Session: Session Hijacking Explained
April 22nd, 2004

For the first learning session on Help Net Security, we've got Caleb Sima, SPI Dynamics CTO and co-founder, discussing session hijacking attacks. While session hijacking can be applied to a lot of areas, this learning session is concentrated on the attacks on web applications.
http://www.linuxsecurity.com/articles/network_security_article-9216.html

* Securing The IP Telephony Perimeter
April 22nd, 2004

Networking battles never die; they just move to another layer in the OSI stack. That networking adage is as true with IP telephony security devices today as it was years ago with bridges and routers.

http://www.linuxsecurity.com/articles/network_security_article-9215.html

* Vulnerability Issues in TCP
April 20th, 2004

Almost three quarters of office workers in an impromptu man-on-the-street survey were willing to give up their passwords when offered the bribe of a chocolate bar. The organizers of the conference Infosecurity Europe 2004 plan to announce on Tuesday that they surveyed office workers at Liverpool Street Station in England, and found that 71 percent were willing to part with their password for a chocolate bar.

http://www.linuxsecurity.com/articles/network_security_article-9205.html

+------------------------+
| General Security News: |
+------------------------+

* Your Next Mission-Critical Application
April 23rd, 2004

Emerging regulations require that businesses save virtually all e-mail. The results can be overwhelming -- that is, unless you have the right intelligent management solution.

http://www.linuxsecurity.com/articles/host_security_article-9222.html

* Security holes force firms to rethink coding processes
April 23rd, 2004

Microsoft's issuance last week of 14 security patches raised fears that worm-based attacks would follow and sparked discussion on how to better build code.

http://www.linuxsecurity.com/articles/general_article-9225.html

* "Subversive Software" - O'Dowd's Linux Security Controversy Continues
April 19th, 2004

"There are plans to rely on Linux to control our most advanced future defense systems," writes Dan O'Dowd this morning, referring to systems such as the Army's Future Combat Systems (FCS), the Joint Tactical Radio System (JTRS), and the Global Information Grid (GIG).
http://www.linuxsecurity.com/articles/general_article-9198.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Apr 27 07:13:18 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 27 07:22:10 2004
Subject: [ISN] MPs ponder whether 'benign' hacking should be legal
Message-ID:

http://news.zdnet.co.uk/internet/security/0,39020375,39153024,00.htm

Graeme Wearden
ZDNet UK
April 26, 2004

With Britain's Computer Misuse Act heading for a revision, some MPs want to explore whether ethical hacking should be allowed

Should UK citizens ever have the right to launch a hack attack against a computer or a network? A group of tech-savvy MPs are poised to consider this question, as the All-Party Internet Group (APIG) launches an investigation into Britain's cybercrime laws.

APIG has recognised that the Computer Misuse Act (CMA), which came into law in 1990, needs to be updated to cover attacks upon the Internet and on other computer networks. Like many experts, the group is concerned that the existing legislation may not apply to denial-of-service attacks -- where a network is driven offline by a flood of Web traffic.

"As it stands, the Computer Misuse Act suffers from a lack of a network focus. Today, the primary threat from hackers is to the network, rather than to individual computers, and if the network goes down we've got problems," said Richard Allan MP, joint vice-chairman of APIG.

APIG has already received written evidence from interested parties, and is taking further oral evidence at a session in parliament on Thursday. The Home Office has said it is revising the CMA at present, and APIG wants to feed the views of the UK IT industry into this process.
And while Allan is adamant that tough action is needed against denial of service attacks, he's also keen to examine whether ethical hacking should be protected in law. He cited the law on criminal damage, where a defendant can claim that they acted to avoid a worse event taking place.

"If a successor to David Blunkett was going to introduce tough censorship laws on the use of the Internet in the UK, should someone be able to justify a hacking attack against the IT involved because they opposed that censorship?" asked Allan, who is the Liberal Democrat MP for Sheffield Hallam.

The idea of a draconian home secretary smashing our human rights may be far-fetched -- or not, depending on your take on the ID Card issue -- but Allan points out that such suppression is already thriving in other parts of the world.

"When the Chinese government blocked access to the BBC Web site, people very rightly sought to subvert that censorship. As a legislator, am I prepared to support legislation that says benign hacking can result in several years in prison?"

Other issues that should be covered at this Thursday's oral evidence session are whether the CMA should be revised to meet Britain's international treaty obligations with other countries, and whether the level of penalties within the CMA is sufficient to deter today's criminals. The rise in organised e-crime makes these issues increasingly relevant.

E-envoy Andrew Pinder is due to attend this session, as are representatives from the Home Office and the ISP industry, as well as legal experts and security providers.
From isn at c4i.org Tue Apr 27 07:13:37 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 27 07:22:11 2004
Subject: [ISN] DOD decentralizes Wi-Fi
Message-ID:

http://www.fcw.com/fcw/articles/2004/0426/web-wifi-04-26-04.asp

By Frank Tiboni
April 26, 2004

The Defense Department's new wireless fidelity policy seeks help from many of its agencies to ensure their employees and contractors use caution when operating wireless computer devices at military installations.

The chief information officer and DOD's Office of Networks and Information Integration (NI2) oversee and monitor the new Wi-Fi policy. But the undersecretary of Defense for Intelligence, the Chairman of the Joint Chiefs of Staff, the U.S. Strategic Command, the Defense Information Systems Agency and department staff officials all get roles in the new policy. It mandates that military and industry officials do not use wireless devices to store, process and transmit classified information without approval from the various agencies and department officials.

Deputy Defense Secretary Paul Wolfowitz issued the directive in an April 14 Defense Department directive titled, "Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense Global Information Grid."

Wireless devices include notebook computers with Internet or intranet communications, personal digital assistants, cellular/personal communications systems, portable electronic devices, audio and video-recording machines, messaging and scanning devices and remote sensors. They do not include Global Positioning System receivers, receive-only pagers, hearing aids, pacemakers, personal life support systems or other implanted medical devices, the directive said.

Wolfowitz explained the role of military agencies in enforcing the new Wi-Fi policy:

* NI2 and CIO: Oversee policy, monitor it and work with military agencies to understand and enforce it.
* Undersecretary of Defense for Intelligence: Work with the Defense Intelligence Agency, the Defense Security Service and the National Security Agency to enforce the policy with employees and contractors, including regular inspections. NSA officials must also implement a capability to assess risks and vulnerabilities with wireless devices.

* Chairman of the Joint Chiefs of Staff: Coordinate, develop and implement policy and procedures regarding operations between the services and department agencies.

* U.S. Strategic Command: Develop defensive measures to detect, deter and defeat computer network attacks against military wireless systems.

* DISA: Incorporate wireless communications considerations into military information assurance efforts.

* OSD Principal Staff Assistants: Ensure procurement of wireless technologies includes interoperability and security.

From isn at c4i.org Tue Apr 27 07:13:57 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 27 07:22:12 2004
Subject: [ISN] More attack code surfaces for recent MS security holes
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,92696,00.html

By Paul Roberts
APRIL 26, 2004
IDG NEWS SERVICE

Just days after Microsoft Corp. warned its customers about the release of code that can exploit a hole in its Secure Sockets Layer (SSL) library, new code that claims to exploit another recently disclosed hole surfaced on a French-language Web site.

The computer code can be used by a remote attacker to trigger a buffer overrun vulnerability in the Local Security Authority Subsystem (LSASS), according to a message posted to www.k-otik.com. Microsoft released a patch for the LSASS vulnerability, MS04-011, on April 13, along with fixes for the SSL problem and a number of other vulnerabilities.

The code was released on Saturday, according to the K-Otik Web site, which hosts the exploit.
It was unclear today whether the exploit code works, but notes attached by its author say some modifications may be necessary before the code can be used by a remote attacker to compromise Windows machines.

LSASS is used to authenticate users locally and in client/server environments. LSASS also has features used by Active Directory utilities.

An attacker who could exploit the LSASS vulnerability could remotely attack and take total control of Windows 2000 and Windows XP systems, according to Microsoft. Unlike e-mail worms and viruses, no user interaction would be necessary to trigger the LSASS buffer overflow, according to Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center.

The Internet Storm Center hasn't received any reports of the LSASS exploit code being used to compromise Windows systems on the Internet, he said.

Internet Security Systems Inc. is also aware of the new code but said it doesn't pose an immediate threat because it requires modification to work on computer networks. "The exploit is unreliable and not for use in the wild," said Neel Mehta, a research engineer at ISS.

But that's not true for exploit code that targets the Microsoft SSL hole, which was released last week. ISS has seen a significant number of exploits using that flaw since Wednesday, Mehta said -- activity that is often a precursor to an exploit being used by a worm.

The Internet Storm Center has received "a couple" of reports from organizations that had Windows systems attacked using that code, which leaves a unique signature in computer logs on compromised machines. The attacks were isolated and don't appear to be linked to a worm or virus outbreak. However, there is evidence that malicious hackers have coupled the SSL exploit code with automated scanning tools, Ullrich said.

"It looks like, in some cases, all affected servers in part of a company got attacked.
It seems like somebody picked a netblock [of network IP addresses] and started scanning those addresses and hitting all the affected systems," he said.

On Thursday, Microsoft warned customers to "immediately install" MS04-011, citing "credible and serious" reports of the release of exploit code. Any Windows XP, 2000 or Windows Server 2003 machine that runs applications that use SSL is vulnerable, including Microsoft Internet Information Server, Microsoft Exchange Server and third-party products, the company said.

ISS released an advisory Friday that warned customers of the SSL exploit and cautioned that the severity of the Microsoft vulnerability was compounded by the fact that SSL is used to secure communications involving confidential or valuable financial information. Also, companies that use SSL must leave Port 443, the port that is targeted by the exploit, open.

Systems that use SSL for secure communications are often "production-critical" machines. Organizations take longer to patch such systems because of fears that applying the patch will interfere with critical services, Ullrich said. Microsoft, ISS and other companies also have published work-arounds for the SSL vulnerability for organizations that can't patch systems immediately, Mehta said.

From wk at c4i.org Wed Apr 28 05:24:30 2004
From: wk at c4i.org (William Knowles)
Date: Wed Apr 28 05:55:52 2004
Subject: [ISN] DHS, NSA team on cybersecurity
Message-ID:

http://www.fcw.com/fcw/articles/2004/0426/web-nsa-04-27-04.asp

By Frank Tiboni
April 27, 2004

The National Security Agency and the Homeland Security Department will work together on educational initiatives to strengthen the country's computer infrastructure.

On April 22, officials from NSA and DHS announced the formation of the National Centers of Academic Excellence in Information Assurance Education.
It stems from NSA's Centers of Academic Excellence in Information Assurance Education Program, which started in 1998 and recognizes 50 universities in 26 states.

"America is already reaping benefits from the current centers," said Daniel Wolf, director of NSA's Information Assurance Directorate, in a statement. "Graduates steeped in information assurance education are now entering the federal and greater American workforce. Those graduates, and graduates to come, are forming the cornerstone for America, taking cybersecurity to the very edges of the National Information Infrastructure and the Global Information Grid."

The National Strategy to Secure Cyberspace, issued in 2002 by the Bush administration, directs the government to foster training and education programs that support computer security needs and responsibilities, and improve existing information assurance programs.

Earlier this month, NSA officials announced they would hire 1,500 people by September and 1,500 employees each year for the next five years. Agency jobs include information technology and acquisition positions in addition to traditional code-making and code-breaking roles, according to an April 7 statement.

*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*

From isn at c4i.org Wed Apr 28 05:44:33 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 28 05:55:53 2004
Subject: [ISN] File and email encryption with GnuPG (PGP) part six
Message-ID:

+------------------------------------------------------------------+
|  Linux Security: Tips, Tricks, and Hackery        27-April-2004  |
|  Published by Onsight, Inc.                             Edition  |
|                                                                  |
|  http://www.hackinglinuxexposed.com/articles/20040427.html       |
+------------------------------------------------------------------+

This issue sponsored by EFF: Defending Freedom in the Digital World

The Electronic Frontier Foundation (EFF) is a membership organization that needs your help. EFF works to protect civil liberties that relate to new technologies. Our lawyers engage in cases that champion online freedoms, our site archive is a comprehensive digital rights resource, and we've developed a powerful media presence. Check out http://www.eff.org/ to learn more.

--------------------------------------------------------------------

File and email encryption with GnuPG (PGP) part six
By Brian Hatch

Summary:
Signing public keys is your way of telling GnuPG and other people that you've verified the owner of the key.

------

Last time I showed you how to exchange and verify public PGP keys with an individual. After you've verified a user's key (KeyID, bits, type, fingerprint, and user's actual identity) you should sign their key. Signing a key tells the PGP software (GnuPG in most cases for us Linux heads) that you've acknowledged the key is legitimate when verifying the signature. Let's take a look at the different verification possibilities.
Here's the mutt[1] header of a PGP signed email, where we've never downloaded the key at all:

    gpg: Signature made Wed Apr 14 18:59:36 2004 PDT using DSA key ID D5D3BDA6
    gpg: Can't check signature: public key not found

Compare to the next one, where we do have a copy of their public key, but have never signed the key:

    gpg: Signature made Wed Apr 14 18:59:36 2004 PDT using DSA key ID D5D3BDA6
    gpg: Good signature from "John Doe (My First PGP Key) "
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: B53F E57B D0C1 F689 FCE2 5623 5B9A A5F8 801E A932

Or this one, where the public key is on our keyring, and the key is signed by us:

    gpg: Signature made Wed Apr 14 18:59:36 2004 PDT using DSA key ID D5D3BDA6
    gpg: Good signature from "John Doe (My First PGP Key) "

And, to round things out, one where the key is on our keyring, signed and all, but the signature is invalid (the message was corrupted in transit, most likely):

    gpg: Signature made Wed Apr 14 18:59:36 2004 PDT using DSA key ID D5D3BDA6
    gpg: BAD signature from "Jon Doe (My First PGP Key) "

The third example above is what we'd like to see - messages signed by other parties whom we've verified, received with a valid signature, assuring us that the message came unaltered from the owner of the PGP key. When you see this success, either the individual sent it and all is well, or their key has been compromised; no other possibilities exist. Naturally, we're hoping they haven't been compromised...

Before we sign the key, let's check out the existing signatures on this key on our keyring:

    # Show the key, and all the signatures too
    $ gpg -kvv D5D3BDA6
    pub  1024D/D5D3BDA6 2003-12-14 John Doe (My First PGP Key)
    sig 3       D5D3BDA6 2003-12-14   John Doe (My First PGP Key)
    sub  1024g/26F8D783 2003-12-14
    sig         D5D3BDA6 2003-12-14   John Doe (My First PGP Key)

Yup, the key is just signed by John himself, no one else yet.
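The four verification outcomes above, and the `sig 3` certification levels in the key listing, are easy to misread by eye when they scroll past in a mail client. This added example (my code, not from Brian's article) reduces such transcripts to a single verdict and reads the certification level of each signature out of a `gpg -kvv` listing; the sample transcripts are constructed to mirror the article's, and the `<jdoe@example.com>` and `<jane@example.com>` addresses are assumed.

```python
"""Added example (not from the article): reduce the GnuPG verification
transcripts the article shows to checkable verdicts, and read the
certification levels ("sig 3") out of a `gpg -kvv` listing."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Status lines gpg prints when verifying a signature, as quoted in the article.
_MADE = re.compile(r"^gpg: Signature made .*? using (\w+) key ID ([0-9A-Fa-f]+)$")
_GOOD = re.compile(r'^gpg: Good signature from "(.+)"$')
_BAD = re.compile(r'^gpg: BAD signature from "(.+)"$')
_NOKEY = re.compile(r"^gpg: Can't check signature: public key not found$")
_UNTRUSTED = re.compile(r"^gpg: WARNING: This key is not certified with a trusted signature!$")
_FPR = re.compile(r"^Primary key fingerprint: ([0-9A-Fa-f ]+)$")
# "sig", "sig 1".."sig 3" lines in `gpg -kvv`; the digit is the certification level.
_SIG = re.compile(r"^sig\s*([0-3]?)\s+([0-9A-Fa-f]{8,16})\s+(\d{4}-\d{2}-\d{2})\s+(.*)$")
# Meaning of the level digit (OpenPGP certification types 0x10..0x13).
CERT_LEVELS = {"": "generic: no claim about how the identity was checked",
               "1": "persona: identity not checked at all",
               "2": "casual checking", "3": "positive: very careful checking"}


@dataclass
class Verdict:
    state: str  # NO_PUBKEY, GOOD_UNTRUSTED, GOOD_TRUSTED, BAD or UNKNOWN
    key_id: Optional[str] = None
    signer: Optional[str] = None
    fingerprint: Optional[str] = None  # upper-case hex, spaces removed


def classify(transcript: str) -> Verdict:
    """Map one verification transcript onto the four outcomes the article shows."""
    v, untrusted = Verdict("UNKNOWN"), False
    for line in transcript.splitlines():
        line = line.strip()
        if m := _MADE.match(line):
            v.key_id = m.group(2).upper()
        elif _NOKEY.match(line):
            v.state = "NO_PUBKEY"
        elif m := _BAD.match(line):
            v.state, v.signer = "BAD", m.group(1)
        elif m := _GOOD.match(line):
            v.state, v.signer = "GOOD_TRUSTED", m.group(1)
        elif _UNTRUSTED.match(line):
            untrusted = True  # printed after "Good signature"; downgraded below
        elif m := _FPR.match(line):
            v.fingerprint = m.group(1).replace(" ", "").upper()
    if v.state == "GOOD_TRUSTED" and untrusted:
        v.state = "GOOD_UNTRUSTED"
    return v


def accept(v: Verdict) -> bool:
    """Only a good signature from a key we certified counts; a good-but-untrusted
    signature says nothing about who actually holds the key."""
    return v.state == "GOOD_TRUSTED"


@dataclass
class Certification:
    on: str  # "pub": certifies a user ID; "sub": binds a subkey
    level: str  # "" or "1".."3", see CERT_LEVELS
    key_id: str
    date: str
    uid: str


def certifications(listing: str) -> List[Certification]:
    """Parse the sig lines of a `gpg -kvv` listing, noting whether each sits
    under the pub line (user-ID certification) or a sub line (subkey binding)."""
    found, block = [], "pub"
    for line in listing.splitlines():
        if line.startswith("pub"):
            block = "pub"
        elif line.startswith("sub"):
            block = "sub"
        elif m := _SIG.match(line):
            level, key_id, date, uid = m.groups()
            found.append(Certification(block, level, key_id.upper(), date, uid.strip()))
    return found


def certified_by(listing: str, signer_key_id: str, min_level: int = 3) -> bool:
    """True if signer_key_id certified a user ID on this key at min_level or better."""
    return any(c.on == "pub" and c.key_id.endswith(signer_key_id.upper())
               and int(c.level or "0") >= min_level for c in certifications(listing))


# Constructed sample data mirroring the article's transcripts; the two
# <...@example.com> addresses are assumed, not taken from the article.
MADE = "gpg: Signature made Wed Apr 14 18:59:36 2004 PDT using DSA key ID D5D3BDA6"
JOHN = "John Doe (My First PGP Key) <jdoe@example.com>"
NO_KEY = "\n".join([MADE, "gpg: Can't check signature: public key not found"])
UNSIGNED_KEY = "\n".join([MADE, f'gpg: Good signature from "{JOHN}"',
    "gpg: WARNING: This key is not certified with a trusted signature!",
    "gpg:          There is no indication that the signature belongs to the owner.",
    "Primary key fingerprint: 0E43 DC31 C484 431C 5B07  3875 7B2D D3D8 D5D3 BDA6"])
SIGNED_KEY = "\n".join([MADE, f'gpg: Good signature from "{JOHN}"'])
CORRUPTED = "\n".join([MADE, f'gpg: BAD signature from "{JOHN}"'])
LISTING_BEFORE = "\n".join([f"pub  1024D/D5D3BDA6 2003-12-14 {JOHN}",
    f"sig 3       D5D3BDA6 2003-12-14   {JOHN}", "sub  1024g/26F8D783 2003-12-14",
    f"sig         D5D3BDA6 2003-12-14   {JOHN}"])
# The same key after Jane (0x42851101) has added her level-3 certification.
LISTING_AFTER = LISTING_BEFORE.replace("sub ", "sig 3       42851101 2004-04-19   "
    "Jane Doe (Home Key) <jane@example.com>\nsub ", 1)
```

Feed `classify()` the lines your mail client shows and gate on `accept()`; `certified_by()` answers "have I (or someone I trust) certified this key carefully?" from the listing alone.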
Now it's time for us to sign his key, so GnuPG will stop telling us that it's untrusted, and so we can introduce John to other people:

    $ gpg --sign-key jdoe@example.com

    pub  1024D/D5D3BDA6  created: 2003-12-14 expires: never      trust: -/f
    (1). John Doe (My First PGP Key)

    pub  1024D/D5D3BDA6  created: 2003-12-14 expires: never      trust: -/f
     Primary key fingerprint: 0E43 DC31 C484 431C 5B07  3875 7B2D D3D8 D5D3 BDA6

         John Doe

    How carefully have you verified the key you are about to sign actually belongs
    to the person named above?  If you don't know what to answer, enter "0".

       (0) I will not answer. (default)
       (1) I have not checked at all.
       (2) I have done casual checking.
       (3) I have done very careful checking.

    Your selection?

At this point you get to tell GPG how thorough you were in verifying the key owner's identity. If you followed the procedures in the previous article, you probably verified their identity by looking at their driver's license, passport, doing a fingerprint scan and DNA test, etc. In my opinion, if you can't honestly say #3 above, then you shouldn't be signing the key at all.[2]

Ok, so, let's get this finished up:

    Are you really sure that you want to sign this key
    with your key: "Jane Doe (Home Key)"

    I have checked this key very carefully.

    Really sign? yes

    You need a passphrase to unlock the secret key for
    user: "Jane Doe (Home Key)"
    1024-bit DSA key, ID 42851101, created 2004-01-01

    Passphrase: (type passphrase)

Note the utter lack of output in the event that you've typed the passphrase correctly - good old Unix tradition at work. So, let's check out the key now and see our new signature on it.
    # Show the key, and all the signatures too
    $ gpg -kvv D5D3BDA6
    pub  1024D/D5D3BDA6 2003-12-14 John Doe (My First PGP Key)
    sig 3       D5D3BDA6 2003-12-14   John Doe (My First PGP Key)
    sig 3       42851101 2004-04-19   Jane Doe (Home Key)
    sub  1024g/26F8D783 2003-12-14
    sig         D5D3BDA6 2003-12-14   John Doe (My First PGP Key)

So you can now see that Jane has signed John's key on 19-Apr-2004 with her key, 0x42851101.

At this point it's a good idea to send the newly signed key back to John, and if he has no objections upload it to the keyservers as well so everyone can benefit from her signature. We covered this previously, but here's a reminder:

    # Send all keys to keyservers
    $ gpg --send-keys

    # Or just the one key
    $ gpg --send-key "john doe"

    # Extract and email him his signed key
    $ gpg --export -a 'john doe' > john_keys.asc
    $ mutt -a john_keys.asc jdoe@example.com

There are, of course, other ways you can get the keys to the owner if you want. For example, rather than attaching the key manually as I have above with mutt[3], you could attach the key using esc k from the message creation screen. Incidentally, if someone sends you keys in email, you can import them using ctrl-k in mutt.

So, by this point we have all the important parts of PGP/GPG/GnuPG in our hands. You can create your keys, verify and sign the keys of others, verify and/or encrypt data. Many tools have built in PGP support to save you from working on the command line, which will make work with PGP as seamless as working with your editor.[4]

NOTES:

[1] Greatest email program in the world

[2] There is a second kind of signature, called a local signature. This type of signature won't be exported to any keyservers, so no one would know you signed their key. This is useful if you want to stop getting "untrusted signature" warnings on keys that you're fairly sure are legit, but don't want to have others believe you have actually verified. The PGP key that comes with your Linux distribution would be a good candidate for local signing.
To sign locally, you'd use gpg --edit-key and then lsign, but I won't cover that further.

[3] I simply cannot plug this email client enough...

[4] And, naturally, that editor should be vim. ;-)

-------------

Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He's currently debugging a problem in a monitoring product that thinks it's in standby mode when it should be active. Luckily, it's buggy, and as such will always send notifications even in standby mode, when it shouldn't. So it's broken because it's in standby mode by mistake, but it's working because it's buggy and notifies of problems anyway. Look - two wrongs do make a right! I'm going to go get some tea and pretend this never happened... Brian can be reached at brian@hackinglinuxexposed.com.

--------------------------------------------------------------------

This newsletter is distributed by Onsight, Inc.

The list is managed with MailMan (http://www.list.org). You can subscribe, unsubscribe, or change your password by visiting http://lists.onsight.com/ or by sending email to linux_security-request@lists.onsight.com.

Archives of this and previous newsletters are available at http://www.hackinglinuxexposed.com/articles/

--------------------------------------------------------------------

Copyright 2004, Brian Hatch.

From isn at c4i.org Wed Apr 28 05:45:40 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 28 05:55:54 2004
Subject: [ISN] Exploit binary released as Symantec finds more code
Message-ID:

http://www.smh.com.au/articles/2004/04/28/1083103523103.html

By Sam Varghese
April 28, 2004

A binary for one of the exploits released to target a flaw in the Private Communications Transport (PCT) protocol implementation in the Microsoft Secure Socket Layer library has been released on the net. The compiled version makes it easier for the category of attackers known as script kiddies to utilise.
Attackers who use this flaw to break in could gain complete control of servers handling credit card and banking data for online transactions.

Meanwhile, network security and A-V software vendor Symantec says it has discovered more malicious code that targets the same vulnerability.

Symantec said in a media release that the malicious code - currently called backdoor.mipsiv - opened ports on a system, implemented a denial-of-service attack against a third-party DNS server system and also receives command/control instructions via internet relay chat (IRC) channels.

"Symantec has detected attempts at compromising systems on our monitored global sensor network and has raised its ThreatCon Rating to Level 3 as a precautionary measure. Symantec Security Response experts are analysing the heavily encrypted code and will provide more details as they become available," the company said. "The team is also determining if the code is a worm or a bot (a program used to perform repetitive functions including searching for news or information)."

Vincent Weafer, senior director, Symantec Security Response, said: "We're seeing an increase in the number of exploits, attempts and an increase in reconnaissance attacks through our DeepSight sensors and Managed Security Services devices. We encourage our customers to expedite their patching if they haven't already."

On April 14, a French group, k-otik, released code to exploit another vulnerability in Windows which was also patched this month.

From isn at c4i.org Wed Apr 28 05:45:54 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 28 05:55:56 2004
Subject: [ISN] Multinational team cracks crypto puzzle
Message-ID:

http://news.com.com/2100-7355-5201037.html

By CNET News.com Staff
April 27, 2004

RSA Security on Tuesday said that over three months of consistent effort helped a team of mathematicians from Europe and North America solve the company's latest encryption puzzle.
The multinational team of eight experts used about 100 workstations to crack the code that won them a $10,000 prize. The contestants' task was to determine the two prime numbers that have been used to generate eight "challenge" numbers, which are central to RSA's 576-bit encryption code.

RSA's contest is designed to help test the robustness of the lengthy algorithms used for electronic security. The competition is intended to encourage research into computational number theory and the practical difficulty of factoring large integers.

"The information received during these challenges is a valuable resource to the cryptographic community and can be helpful for organizations in choosing appropriate cryptographic measures for a desired level of security," said Burt Kaliski, chief scientist and director at the RSA Laboratories.

RSA-576 is a smaller-scale example of the types of cryptographic keys that are recommended for securing Internet and wireless transactions. Typical keys are at least 1,024 bits (310 decimal digits); RSA-576 is 576 bits (174 decimal digits). Larger numbers are considered to provide significantly greater security. The next challenge number in the series is RSA-640.

The experts involved in the project represented two German research groups, the Scientific Computing Institute and the Pure Mathematics Institute, and one from the Netherlands, the National Research Institute for Mathematics and Computer Science. Number theorists from Canada, the United States and the United Kingdom also participated.
From isn at c4i.org Fri Apr 30 03:30:01 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 30 04:01:49 2004
Subject: [ISN] Hacker Hits License Plate Database
Message-ID:

http://cbs2chicago.com/topstories/local_story_120165420.html

Apr 29, 2004

CHICAGO (AP) The FBI and secretary of state police were trying to determine how a hacker tapped into as many as 200,000 temporary license plate records in an Illinois secretary of state computer database over the weekend, officials said.

Only the temporary registration permit database was compromised, not the main drivers' license system that includes Social Security numbers, secretary of state spokesman Dave Druker said Wednesday.

"The only thing we think possibly could have occurred was somebody was able to look at records and print copies," Druker said. "We don't know what they viewed."

The hacker is believed to have gotten in after 7:30 a.m. Saturday. State employees in Springfield reported that morning that the system wasn't working, prompting White's office to contact Microsoft and Symantec, a security provider.

It was the first time a secretary of state computer system has been hacked during Jesse White's tenure, Druker said.

The office issues about 1.2 million temporary plates a year. The database includes plate numbers, addresses and vehicle information.

Druker declined to comment on a motive for the attack.

From isn at c4i.org Fri Apr 30 03:30:16 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 30 04:01:50 2004
Subject: [ISN] Mobile flaws expose executives to bugging
Message-ID:

http://business.timesonline.co.uk/article/0,,8209-1092789,00.html

By Steve Boggan
April 30, 2004

EXECUTIVES at some of Britain's biggest companies are using mobile phones that can be secretly tracked and bugged, despite a series of Times investigations demonstrating gaping holes in handset security.
During tests at the offices of Shell, BP, HSBC and Goldman Sachs, The Times identified 95 phones potentially vulnerable to a new form of hacking known as "bluesnarfing".

Under the process, which threatens mobile phones that use Bluetooth wireless technology, hackers can download text messages, phone lists and even remotely tamper with handsets to enable them to be used as listening devices.

Last week The Times identified 46 phones that could have been vulnerable to attack during a 12-minute test in the central lobby of the Palace of Westminster.

During our latest experiment, we had the ability to access the phone of a Shell employee supplying aviation fuel to aircraft companies and bug the handsets of chauffeurs driving executives.

At the offices of Shell, a passive scan showed that 19 phones would have accepted an unauthorised Bluetooth connection. None was made, to avoid infringement of the Computer Misuse Act. Of these, 13 were Nokias and five were Ericssons. The Nokia 6310 and 6310i, the most popular business phones in the UK, and the Ericsson T610, one of the best-selling picture phones, have proved to be the most insecure.

Outside, a group of chauffeurs were waiting in seven identical and consecutively-numbered Volvos. An attack on any of their phones would have allowed us to set up a divert to a handset of our choice. We could then have instructed their phones to call us secretly, leaving a channel open through which we could have heard executives' conversations in the cars.

At BP's office in St James's Square, Westminster, we identified 24 potentially vulnerable phones while at Goldman Sachs in Fleet Street, the figure was 35 phones. We scanned in a smoking area outside the offices of HSBC in Canary Wharf during a ten-minute period. Seventeen potentially vulnerable phones were identified.

The latest cause for concern involving the Nokia 6310s and Sony Ericsson T610s involves secret tracking.
Commercial companies offer phone tracking services to businesses and individuals who want to locate sales forces quickly. An SMS message is sent to the relevant mobile phone with an activation code. Once activated, the phone's location is shown on an internet website map.

Bluesnarfing allows the activation code to be diverted to an attacker, so that an account is set up without the handset owner's knowledge. He or she could then be tracked, without their knowledge, 24 hours a day.

Nokia admits there are problems with its 6310s and 8910s but says it is working on a solution that will be available to users from this summer. Sony Ericsson says it has cured the text message and divert problems in new phones but phone lists, calendars and pictures can still be accessed. It promises a cure for that problem in the second half of the year.

Shell and BP said they never commented on security; Goldman Sachs was aware of the problem and had issued advice to staff; and HSBC said its technical staff were looking into the problem.

From isn at c4i.org Fri Apr 30 03:30:31 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 30 04:01:51 2004
Subject: [ISN] Yoran: Locals must lead IT security
Message-ID:

http://www.fcw.com/geb/articles/2004/0426/web-secure-04-29-04.asp

By Diane Frank
April 29, 2004

Local officials must take the lead in securing the information infrastructure within their jurisdictions, but the Homeland Security Department is standing by ready to help, according to Amit Yoran, director of the department's National Cyber Security Division.

Cybersecurity is still several steps behind physical security when it comes to the attention and priority of officials at all levels of government, officials stressed at the midyear conference of the National Association of State Chief Information Officers in Chicago.
One of the most worrying examples of this is the lack of mention of information infrastructure in grants guidance from DHS' Office of Domestic Preparedness, said Randy Potts, the chief information security officer for Nevada.

"It has been all about boots and suits for a very long time," agreed Aldona Valicenti, the former president of NASCIO and CIO of Kentucky, now with Oracle Corp. She urged Yoran to use his and others' political influence to make cybersecurity more visible in the official language and requirements for homeland security at the federal level.

Some states are already putting cybersecurity among the top issues on their homeland security lists. Indiana has created three task forces for particularly urgent areas within the state: agriculture, transportation and cybersecurity.

The cybersecurity task force has taken a bit longer than the others to get off the ground because of confusion over where the industry viewpoint fits in, said Clifford Ong, homeland security director for Indiana. "We haven't really defined the population or what it is we want to try to do," he said.

However, the state has already dedicated $1 million to an intrusion detection system for all of the state's information networks while the task force gets going, Ong said. The guidance for passing on federal homeland security grant funding to local jurisdictions also includes a requirement that cybersecurity must be involved in the solution, he said.

At the federal level, the NCSD and its parent organization, the Information Analysis and Infrastructure Protection Directorate, are doing what they can to make sure that the physical experts are also thinking about the cyber vulnerabilities and consequences, Yoran said.

Exercises seem to be one of the best ways to foster this type of broader understanding, said Stuart McKee, CIO for the state of Washington.
The TopOff exercise conducted in part of that state last year significantly changed the perspective of many officials about the importance of cybersecurity, and that change has lasted, he said.

There are further exercises planned - DHS just announced TopOff 3 will take place in April 2005 - but even for smaller-scale exercises the division is working with the rest of the department "to make sure that noncyber exercises incorporate or include some form of cybersecurity thinking," Yoran said.

The department's resources and expertise in local issues are limited, but Yoran said he would love to do regional or local exercises. The key will be for officials at the state and local levels to get the ball rolling, determine what their needs are and what they want to get out of the exercise, and then DHS "would be happy to participate," he said.

From isn at c4i.org Fri Apr 30 03:31:29 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 30 04:01:52 2004
Subject: [ISN] Hack Your Way to Hollywood
Message-ID:

http://www.wired.com/news/culture/0,1284,63147,00.html

[Stories like this frost me to no end, what does it show? lie, cheat, steal, scam or hack, and you will be rewarded for it in the end. What kind of message does this send out? There is a definite lack of ethics education in the schools and at home. - WK]

By Xeni Jardin
Apr. 29, 2004

LOS ANGELES -- An America Online customer service rep illicitly surfs the company's customer database, ferrets out private data on celebrity members and then hunts them down online under a false identity, seeking fame and fortune in Hollywood.

Sound like a prelude to prison? Not in the case of Heather Robinson.

The former AOL employee managed to parlay privacy violations into useful contacts in Hollywood. With the help of those contacts, Robinson, 25, landed a movie deal, and she's using her toehold in the industry to advance another.
Later this week, Universal Pictures will start filming Robinson's first movie, The Perfect Man, a romantic comedy starring Hillary Duff and Heather Locklear. The film is about a teenage daughter who tries to create a "nonexistent boyfriend for her dejected mother," Robinson said. The story is based on another of her youthful indiscretions when she was 16 -- this one involving a stolen credit card and thousands of dollars of purchases.

Some would say it takes Robinson's level of moxie to succeed in Hollywood. In fact, the favorite legend in the movie business is that of a hard-working kid who starts in the mail room and through ambition, flexible ethical standards and political skill becomes a mogul. Judging by her exploits so far, Robinson is well on her way.

"Although she's, at best, a scam artist, you have to grudgingly admire this young woman," said Mark Ebner, co-author of Hollywood, Interrupted, a book in which Robinson's exploits get a chapter. "In a town of liars, cheats and thieves, it's small wonder she's been welcomed."

Hired by AOL in 1997, her $6-an-hour job involved answering subscriber questions, resetting lost passwords and solving billing problems. With access to screen names, phone numbers, addresses and credit card numbers through AOL's customer database, she gathered information on politicians and movie industry power brokers to pursue her career dreams.

During about a year and a half of employment at AOL, the woman, known by the AOL screen name "HooterR," contacted or struck up online relationships with Goldie Hawn, Carrie Fisher, Tom Hanks, Meg Ryan, producer Lauren Shuler Donner and the late comedian Chris Farley, according to Robinson and Ebner.

"I asked my AOL supervisor, 'Are we allowed to contact people?' -- and the answer was yes, as long as I followed specific policies," Robinson said. "It's hard to get into the entertainment industry. If I weren't a good person they would have told me to go away."
She baited celebrities into online conversations by using private information she had collected about them without their knowledge, sometimes assuming false identities -- for instance, that of a lonely female airline pilot. Some of these online encounters led to sexually explicit chat sessions.

Robinson said she even had a real-world rendezvous with an influential Hollywood producer that resulted in a back-seat sexual assault. She claims to have evidence locked away in Arizona: a stained shirt, à la Lewinsky.

AOL declined to discuss details of Robinson's employment, but spokesman Andrew Weinstein said activities described in Hollywood, Interrupted and a subsequent New York Observer interview would constitute a violation of current and former company policy.

A document obtained by Wired News shows that Robinson was disciplined at least once at AOL for inappropriate use of customer data. A "Corrective Action Business Conduct" letter addressed to Robinson three months after she was hired placed her on a 90-day probation after a customer complained about repeated misuse of confidential account information.

Weinstein said internal security is tighter seven years later. He declined to state whether the company will pursue legal action against Robinson, but said AOL's legal department is currently reviewing the matter.

The one-time AOL employee may also have broken state privacy laws.

"There could be a variety of legal complaints under state law, and the celebrities themselves could potentially bring tort claims under various state laws," said Pam Dixon of the World Privacy Forum. "She's essentially an electronic stalker. It's unfair, unethical and in some states, probably illegal."

Those issues aside, Robinson is attempting to turn the online snooping into her second movie deal within a year. She's now shopping a new semi-autobiographical feature film called E-Girl.
A press release promises the movie "will only depict the clever, amazing and heart-rending aspects" of her "cyber subterfuge with major personalities and power players."

Robinson had a colorful past even before she started at AOL. The Perfect Man chronicles some of it. The movie is a sugarcoated retelling of an episode in Robinson's teen years that resulted in felony charges of fraud, theft and forgery, according to Tucson Police Department documents.

In late 1994, Robinson teamed up with a high-school friend and concocted a scam to assume the identity of an imaginary Air Force colonel to romance Robinson's single mother, Janet Robinson. Heather obtained access to an Air Force base near her Tucson home and sent her mother photographs and love letters from a fictional Col. Cunningham, duping the recent divorcée into believing she was carrying on a virtual affair with an officer.

Heather perpetrated the fake affair for three months. She went so far as to send her mom a marriage proposal consecrated with the delivery of a ring, which she bought with a stolen credit card and altered ID swiped from an employee at the Air Force base.

The girls were arrested Feb. 10, 1995, and confessed to having used stolen credit cards to make more than $4,000 worth of attempted purchases. Because Robinson had no prior criminal record, charges were later reduced from felony to misdemeanor, resulting in a 120-hour community service sentence.

"We were 16 years old, and I wanted to do something good for my mom," Robinson said. "After the court stuff was done, my mom put her arm around me and said, 'I understand why you did it and maybe some day they'll make a movie about it.'"

And they are. Perfect Man is slated for release in 2005.
From isn at c4i.org Fri Apr 30 03:32:02 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 30 04:01:53 2004
Subject: [ISN] Windows & .NET Magazine Security UPDATE--New Exploits--April 28, 2004
Message-ID:

====================

==== This Issue Sponsored By ====

Postini Preemptive Email Protection
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BHea0Am

Windows Scripting Solutions
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BFyu0AQ

====================

1. In Focus: New Exploits and a New Security Toolkit

2. Security News and Features
   - Recent Security Vulnerabilities
   - News: Remote Root Exploit Against IIS Servers
   - News: TCP Vulnerabilities
   - Feature: Exchange Server SMTP AUTH Attacks

3. Security Toolkit
   - FAQ
   - Featured Thread

4. New and Improved
   - Secure Your Passwords

====================

==== Sponsor: Postini Preemptive Email Protection ====

Free Whitepaper: Top 10 Reports for Email Admins

This paper will show you the top ten reports every email administrator really shouldn't live without, including dashboard views of inbound email activity, SMTP connection and delivery monitoring, as well as outbound email and content. Assuring comprehensive email security and management for your enterprise requires real-time monitoring and detailed, flexible reporting. Postini provides an award-winning web console "dashboard" that helps email administrators manage their email protection more effectively and efficiently with a host of monitoring and trending reports. Reports show inbound spam by domain and recipient, as well as viruses by name and overall traffic by domain and recipient.
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BHea0Am

====================

==== 1. In Focus: New Exploits and a New Security Toolkit ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

One of the security patches that Microsoft released in the Microsoft Security Bulletin MS04-011 on April 13 fixes a serious problem in the Private Communications Technology (PCT) protocol, which is part of Microsoft's Secure Sockets Layer (SSL) implementation. If you haven't patched your production systems yet, consider doing so immediately because exploits have already been released that can provide remote access to an intruder. So your unpatched systems are sitting ducks.
http://www.winnetmag.com/article/articleid/42438/42438.html

If you can't load the patch for some reason, consider disabling PCT, which you can do by adjusting a particular registry key. For more information about disabling PCT, see "Information about code that attempts to exploit PCT in SSL" at
http://www.microsoft.com/security/incident/pctdisable.asp

You also need to be aware of the recently reported TCP-reset vulnerability, which affects many devices, including routers. As you'll learn in the related news story below, exploiting the vulnerability causes routers to drop connections, including important border gateway protocol (BGP) sessions. A new Windows-based exploit tool was recently released, so be sure to check with your router vendors to determine whether their particular products are affected. If they are, install the latest updates.
http://www.winnetmag.com/article/articleid/42437/42437.html

You should ensure your Intrusion Detection System (IDS) has the most recent rules and signatures available. For example, new Snort rules became available on April 25 as I was writing this editorial. So if you use Snort, be sure to obtain the latest rules files.
http://www.snort.org/dl/rules

A New Security Toolkit

I don't think a person can ever have enough security tools.
If you share that opinion, you might want to download a copy of the recently released version 1.0.4 of Network Security Toolkit (NST), which is the creation of Paul Blankenbaker and Ron Henderson. NST is available on a bootable CD-ROM or is downloadable as an International Organization for Standardization (ISO) image and is based on Red Hat Linux 9.0.

The CD-ROM contains dozens upon dozens of tools and, according to the NST Web site, can "transform most x86 systems into a system designed for network traffic analysis, intrusion detection, network packet generation, a virtual system service server, or a sophisticated network/host scanner. This can all be done without disturbing or modifying any underlying sub-system disk. NST can be up and running on a typical x86 notebook in less than a minute by just rebooting with the NST ISO CD. The notebook's hard disk will not be altered in any way."

Head over to the NST Web site and have a look at NST's contents and capabilities. At the site, you'll also find the link to download the 194MB package.
http://www.networksecuritytoolkit.org/nst/index.html

====================

==== Sponsor: Windows Scripting Solutions ====

Try a Sample Issue of Windows Scripting Solutions

Windows Scripting Solutions is the monthly newsletter from Windows & .NET Magazine that shows you how to automate time-consuming, administrative tasks by using our simple downloadable code and scripting techniques. Sign up for a sample issue right now, and find out how you can save both time and money. Click here!
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BFyu0AQ

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities.
You can also find information about these discoveries at
http://www.winnetmag.com/departments/departmentid/752/752.html

News: Remote Root Exploit Against IIS Servers

On April 21, a member of the Full Disclosure mailing list posted a message that revealed the existence of a new tool that can be used to exploit Microsoft IIS servers. By using Secure Sockets Layer (SSL) to target unpatched IIS servers, an attacker can cause the server to open a port that allows remote access to the system.
http://www.winnetmag.com/article/articleid/42438/42438.html

News: TCP Vulnerabilities

US-CERT and the UK National Infrastructure Security Co-ordination Centre (NISCC) published information about vulnerabilities in the TCP protocol. The problems can affect a wide array of platforms, including many types of routers, such as those used to operate the Internet at top-tier ISPs.
http://www.winnetmag.com/article/articleid/42437/42437.html

Feature: Exchange Server SMTP AUTH Attacks

If you run Microsoft Exchange Server to process incoming Internet email, spammers might be using your mail server as a relay, even though your server isn't an open relay. How is this possible? Spammers authenticate to your email server, then use your server to send mail. Alan Sugano outlines how you can determine whether someone is using your system as a mail relay, how to close the hole, and how to test the measures you've taken to prevent such attacks in an article at the first URL below. Paul Robichaux wrote about the attack last fall in the article at the second URL below.
http://www.winnetmag.com/article/articleid/42406/42406.html
http://www.winnetmag.com/article/articleid/40507/40507.html

====================

==== Announcements ====
(from Windows & .NET Magazine and its partners)

Try a Sample Issue of Exchange & Outlook Administrator!
If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, and secure Exchange and Outlook. Order now!
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BEf10Aw

Discover the Basics of Active Directory Fundamentals
In this free Web seminar, we'll look at the logical concepts as they relate to domain, trees, and forests and the physical concepts of domain controllers and sites. We'll also explain the relationship between Active Directory and the Domain Naming Service, as well as cover some operation functions. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BHb40Ay

SQL Web Seminar--Tactics for Protecting Microsoft SQL Server
It is crucial to protect Microsoft SQL Server from outside forces, including weather, user error, or system outage, that can jeopardize application and associated data. Register now for a free, 1-hour Web seminar on May 4 and learn about the solutions associated with protecting SQL Server. Register now and receive a free evaluation version of Double-Take and a free white paper titled, "Protecting Your Microsoft SQL Server DataSign."
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BG8V0Ap

====================

==== Hot Release ====

Symantec Free White Paper: "Enterprise Systems and Storage Management Convergence using File Systems Virtualization"
Download this free technical white paper now, courtesy of Symantec and Windows & .NET Magazine's White Paper Central:
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BHfW0Ad

====================

==== 3. Security Toolkit ====

FAQ: Controlling Access to IISADMPWD
by John Savill, http://www.winnetmag.com/windowsnt20002003faq

Q: How can I control access to the IISADMPWD virtual directory?

A:
When you use the default IISADMPWD virtual directory to enable a Web page on which users can change passwords (which I discussed in the FAQ "Does Windows Server 2003 provide a way to let users change their passwords remotely on the Web?"), the Microsoft IIS system sends the user's password information unencrypted over the network, which creates a security risk. To avoid transmitting unencrypted passwords, you must enable Secure Sockets Layer (SSL) by following these steps:

1. Start a command prompt by clicking Start, Run and typing cmd.exe
2. Navigate to the C:\inetpub\adminscripts directory.
3. At the command prompt, type

   adsutil.vbs set w3svc/1/PasswordChangeFlags 0

   This command runs the adsutil.vbs script with the Set command. The w3svc/1 parameter specifies the first default Web site. The PasswordChangeFlags option with the 0 value means that SSL is required. (Setting the PasswordChangeFlags value to 1 specifies that SSL isn't used, and setting the value to 2 disables the user's ability to change the password.)
4. Restart the IIS server to effect the change.

A new tool lets intruders exploit unpatched IIS servers that use SSL (see the first News item above). Be sure to patch your server.

Featured Thread: BlackBerry Server Behind ISA Server
(One message in this thread)
A reader writes that he needs to set up BlackBerry Server behind a Microsoft ISA Server firewall. He's having trouble opening the correct port, which is TCP port 3101. He created a packet filter by selecting the following properties: IP Protocol: TCP, Direction: Outbound, Local Port: Fixed Port, Local Port Number 3101, Remote Port: All Ports, Remote Ports: subdued. It doesn't work, and he wants to know how to correct the problem.
Lend a hand or read the responses:
http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=119881

====================

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

Sign Up for 2 Great Roadshows About Security and Exchange
Don't miss 2 free roadshow tours covering hot security and Exchange topics. Learn how to simplify your life with Windows Server 2003 and Exchange Server 2003 and protect your infrastructure and applications against security threats. Coming to your city soon. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BHb50Az

====================

==== 4. New and Improved ====
by Jason Bovberg, products@winnetmag.com

Secure Your Passwords
TK8 Productions released TK8 Safe, Windows password-management software that simplifies the safe storage and retrieval of user IDs, passwords, serial numbers, and other confidential information that Web sites and software applications require. TK8 Safe stores all of a user's private information in an encrypted database that's accessible only by its owner, and the software supports multiple users on the same computer. TK8 Safe costs $19.95 for a single-user license, and multiuser discounts are available. For more information, contact TK8 Productions on the Web.
http://www.tk8.com

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com.
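The four steps of the IISADMPWD FAQ in the Security Toolkit section above, collected into one batch script. This is an added example, not code from the FAQ, from John Savill or from Microsoft. It assumes the C:\inetpub\adminscripts path and the w3svc/1 site identifier from the FAQ, and that cscript.exe is available on the path. The only addition to the FAQ's procedure is reading PasswordChangeFlags back before and after the change, so an administrator can confirm the value actually took effect; adsutil.vbs reports an error on the first read if the property has never been set on that site, which is expected.

```batch
@echo off
REM Added example: require SSL for the IISADMPWD password-change page by
REM setting PasswordChangeFlags to 0 on the first Web site (w3svc/1).
REM Values, as described in the FAQ: 0 = SSL required,
REM 1 = SSL not used, 2 = users cannot change passwords.

setlocal
REM Assumed locations from the FAQ; adjust if IIS was installed elsewhere.
set ADMINSCRIPTS=C:\inetpub\adminscripts
set SITE=w3svc/1

if not exist "%ADMINSCRIPTS%\adsutil.vbs" (
    echo adsutil.vbs was not found in %ADMINSCRIPTS%
    exit /b 1
)
cd /d "%ADMINSCRIPTS%"

echo Current PasswordChangeFlags on %SITE% - an error here means it was never set:
cscript //nologo adsutil.vbs get %SITE%/PasswordChangeFlags

echo Setting PasswordChangeFlags to 0 so the page is only served over SSL...
cscript //nologo adsutil.vbs set %SITE%/PasswordChangeFlags 0

echo Value after the change:
cscript //nologo adsutil.vbs get %SITE%/PasswordChangeFlags

REM Step 4 of the FAQ: restart IIS so the metabase change takes effect.
iisreset
endlocal
```

Run it from an elevated command prompt on the IIS server itself; the second "get" should print a value of 0 before iisreset runs. Note that the setting governs the IISADMPWD page only; the server still needs an SSL certificate bound to the site for the page to be reachable at all once the flag is 0.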
====================

==== Sponsored Links ====

Argent
Comparison Paper: The Argent Guardian Easily Beats Out MOM
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BDWV0AJ

Microsoft(R) TechNet
Microsoft(R) TechNet Webcasts: essential guidance, industry experts
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BG360AE

Microsoft
Security Knowledge Improves Security. Visit www.securitywhitepaper.com.
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BHSy0As

====================

==== Contact Us ====

About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

====================

==== Contact Our Sponsors ====

Primary Sponsor:
Postini -- http://www.postini.com

Hot Release Sponsor:
Symantec -- http://www.symantec.com

====================

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you!

View the Windows & .NET Magazine privacy policy at
http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.
From isn at c4i.org Fri Apr 30 03:40:20 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 30 04:01:54 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-18
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-04-22 - 2004-04-29

This week : 28 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

Secunia has launched a new service called Secunia Virus Information.

Secunia Virus Information is based on information automatically collected from seven different anti-virus vendors. The data will be parsed and indexed, resulting in a chronological list, a searchable index, and grouped profiles with information from the seven vendors.

Furthermore, when certain criteria are triggered virus alerts will be issued. You can sign-up for the alerts here:

Sign-up for Secunia Virus Alerts:
http://secunia.com/secunia_virus_alerts/

Secunia Virus Information:
http://secunia.com/virus_information/

========================================================================

2) This Week in Brief:

ADVISORIES:

Rodrigo Gutierrez discovered a vulnerability in Windows Explorer and Internet Explorer, which potentially can be exploited to compromise a vulnerable user's system.

The vulnerability was reported to Microsoft a long time ago, and Microsoft reported that the vulnerability was fixed in the latest service packs for Windows 2000 and Windows XP.
However, Secunia, Rodrigo Gutierrez, and several others have confirmed that this is not the case; both operating systems have been tested and are still vulnerable.

Additionally, several other Microsoft operating systems have also been reported vulnerable: Windows 95, Windows 98, Windows ME, and Windows NT 4.0

Please refer to the Secunia advisory below for more information and an alternative solution to the vulnerability.

Reference:
http://secunia.com/SA11482

VIRUS ALERTS:

During the last week, Secunia issued four MEDIUM RISK virus alerts and one HIGH RISK virus alert for two Netsky variants and two Bagle variants. Please refer to the grouped virus profiles below for more information:

BAGLE.Z - HIGH RISK Virus Alert - 2004-04-29 03:37 GMT+1
http://secunia.com/virus_information/9048/bagle.z/

BAGLE.Z - MEDIUM RISK Virus Alert - 2004-04-28 18:13 GMT+1
http://secunia.com/virus_information/9048/bagle.z/

Netsky.AB - MEDIUM RISK Virus Alert - 2004-04-28 10:58 GMT+1
http://secunia.com/virus_information/9040/netsky.ab/

Netsky.z - MEDIUM RISK Virus Alert - 2004-04-27 23:40 GMT+1
http://secunia.com/virus_information/8909/netsky.z/

Bagle.Y - MEDIUM RISK Virus Alert - 2004-04-26 22:44 GMT+1
http://secunia.com/virus_information/8994/bagle.y/

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA11482] Windows Explorer / Internet Explorer Long Share Name Buffer Overflow
2. [SA11064] Microsoft Windows 14 Vulnerabilities
3. [SA10395] Internet Explorer URL Spoofing Vulnerability
4. [SA11464] Linux Kernel CPUFREQ Proc Handler Kernel Memory Disclosure Vulnerability
5. [SA11471] McAfee ePolicy Orchestrator Unspecified Command Execution Vulnerability
6. [SA11102] Symantec Client Firewall Products Denial of Service Vulnerability
7. [SA11406] PostNuke Multiple Vulnerabilities
8. [SA11483] Sun Solaris TCP/IP Networking Stack Denial of Service Vulnerability
9. [SA10736] Internet Explorer File Download Extension Spoofing
10. [SA11486] Linux Kernel Framebuffer Driver Direct Userspace Access Vulnerability

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA11482] Windows Explorer / Internet Explorer Long Share Name Buffer Overflow
[SA11471] McAfee ePolicy Orchestrator Unspecified Command Execution Vulnerability
[SA11490] DiGi WWW Server Long Request Denial of Service Vulnerability
[SA11477] MSMS Core Exposure of System Information

UNIX/Linux:
[SA11485] Gentoo update for sSMTP
[SA11484] Sun Cobalt update for ProFTPD
[SA11476] Gentoo update for net-firewall/ipsec-tools
[SA11468] HP update for Apache HTTP Server
[SA11487] Gentoo update for LCDproc
[SA11489] paFileDB Cross Site Scripting Vulnerability
[SA11488] Gentoo update for xine
[SA11467] pisg Script Insertion Vulnerability
[SA11491] Mandrake update for kernel
[SA11470] Fedora update for kernel
[SA11469] Red Hat update for kernel
[SA11464] Linux Kernel CPUFREQ Proc Handler Kernel Memory Disclosure Vulnerability
[SA11486] Linux Kernel Framebuffer Driver Direct Userspace Access Vulnerability
[SA11483] Sun Solaris TCP/IP Networking Stack Denial of Service Vulnerability

Other:
[SA11492] Siemens S55 SMS Send Prompt Bypass Weakness

Cross Platform:
[SA11472] Netegrity SiteMinder Affiliate Agent Heap Overflow Vulnerability
[SA11481] OpenBB Multiple Vulnerabilities
[SA11478] Protector System Multiple Vulnerabilities
[SA11475] artmedic hpmaker Arbitrary File Inclusion Vulnerability
[SA11465] Phprofession Multiple Vulnerabilities
[SA11479] Network Query Tool Cross Site Scripting Vulnerability
[SA11474] Fusion news "id" Cross Site Scripting Vulnerability
[SA11466] PostNuke Cross Site Scripting Vulnerabilities
[SA11480] phpwsBB Reveals Non-Anonymous Labels

========================================================================

5) Vulnerabilities Content Listing

Windows:
--
[SA11482] Windows Explorer / Internet Explorer Long Share Name Buffer Overflow
Critical:    Highly critical
Where:       From local network
Impact:      System access
Released:    2004-04-26

Rodrigo Gutierrez has discovered a vulnerability in Windows and Internet Explorer, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/11482/

--
[SA11471] McAfee ePolicy Orchestrator Unspecified Command Execution Vulnerability
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-04-23

An unspecified vulnerability has been discovered in McAfee ePolicy Orchestrator, which can be exploited by malicious people to execute arbitrary commands on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11471/

--
[SA11490] DiGi WWW Server Long Request Denial of Service Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-04-28

Donato Ferrante has reported a vulnerability in DiGi WWW Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11490/

--
[SA11477] MSMS Core Exposure of System Information
Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2004-04-26

CyberTalon has reported a vulnerability in MSMS Core, allowing malicious people to view details about the system.

Full Advisory:
http://secunia.com/advisories/11477/

UNIX/Linux:
--
[SA11485] Gentoo update for sSMTP
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-04-27

Gentoo has issued updated packages for ssmtp. These fix two vulnerabilities, allowing malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/11485/

--
[SA11484] Sun Cobalt update for ProFTPD
Critical:    Highly critical
Where:       From remote
Impact:      Unknown
Released:    2004-04-27

Full Advisory:
http://secunia.com/advisories/11484/

--
[SA11476] Gentoo update for net-firewall/ipsec-tools
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-04-24

Gentoo has issued updates for net-firewall/ipsec-tools. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11476/

--
[SA11468] HP update for Apache HTTP Server
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, DoS
Released:    2004-04-27

HP has acknowledged some vulnerabilities in their version of the Apache HTTP Server. These can be exploited by malicious people to cause a DoS (Denial of Service) and insert certain potentially malicious characters in log files.

Full Advisory:
http://secunia.com/advisories/11468/

--
[SA11487] Gentoo update for LCDproc
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-04-27

Gentoo has issued an update for LCDproc. This fixes multiple vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11487/

--
[SA11489] paFileDB Cross Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-04-28

DarkBicho has reported a vulnerability in paFileDB, allowing malicious people to conduct Cross Site Scripting attacks.

Full Advisory:
http://secunia.com/advisories/11489/

--
[SA11488] Gentoo update for xine
Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2004-04-27

Gentoo has issued updates for xine-ui and xine-lib. These fix a vulnerability, which potentially can be exploited by malicious people to gain system access.
Full Advisory:
http://secunia.com/advisories/11488/

--
[SA11467] pisg Script Insertion Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-04-23

shr3kst3r has reported a vulnerability in pisg, allowing malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/11467/

--
[SA11491] Mandrake update for kernel
Critical:    Less critical
Where:       Local system
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS
Released:    2004-04-28

MandrakeSoft has issued updated packages for the kernel. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges, gain knowledge of sensitive information, or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11491/

--
[SA11470] Fedora update for kernel
Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, Privilege escalation, DoS
Released:    2004-04-23

Fedora has issued updated packages for the kernel. These fix various vulnerabilities, which can be exploited by malicious people to gain escalated privileges, to cause a DoS (Denial of Service) or gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/11470/

--
[SA11469] Red Hat update for kernel
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-04-23

Red Hat has issued updated packages for the kernel. These fix various vulnerabilities, which can be exploited by malicious users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/11469/

--
[SA11464] Linux Kernel CPUFREQ Proc Handler Kernel Memory Disclosure Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-04-23

Brad Spengler has reported a vulnerability in the Linux kernel, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/11464/

--
[SA11486] Linux Kernel Framebuffer Driver Direct Userspace Access Vulnerability
Critical:    Not critical
Where:       Local system
Impact:      Security Bypass, DoS
Released:    2004-04-28

Arjan van de Ven has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11486/

--
[SA11483] Sun Solaris TCP/IP Networking Stack Denial of Service Vulnerability
Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2004-04-26

A vulnerability has been discovered in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11483/

Other:
--
[SA11492] Siemens S55 SMS Send Prompt Bypass Weakness
Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2004-04-28

The Phenoelit Group has reported a vulnerability in Siemens S55 cell phones, which potentially can be exploited by malicious Java applications to trick users into sending SMS messages unknowingly.

Full Advisory:
http://secunia.com/advisories/11492/

Cross Platform:
--
[SA11472] Netegrity SiteMinder Affiliate Agent Heap Overflow Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-04-24

Jeremy Jethro has reported a vulnerability in Netegrity SiteMinder Affiliate Agent, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/11472/

--
[SA11481] OpenBB Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2004-04-26

Some vulnerabilities have been reported in OpenBB, allowing malicious people to conduct Cross Site Scripting, SQL injection and script insertion attacks.

Full Advisory:
http://secunia.com/advisories/11481/

--
[SA11478] Protector System Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released:    2004-04-26

Janek Vind has reported some vulnerabilities in Protector System, allowing malicious people to conduct Cross Site Scripting, SQL injection and bypass the protection filters.

Full Advisory:
http://secunia.com/advisories/11478/

--
[SA11475] artmedic hpmaker Arbitrary File Inclusion Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-04-23

DarkBicho has reported a vulnerability in artmedic hpmaker, allowing malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11475/

--
[SA11465] Phprofession Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released:    2004-04-23

Janek Vind has reported some vulnerabilities in Phprofession. These can be exploited by malicious people to conduct Cross Site Scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/11465/

--
[SA11479] Network Query Tool Cross Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2004-04-26

Janek Vind has reported a vulnerability in Network Query Tool, allowing malicious people to conduct Cross Site Scripting attacks.
Full Advisory:
http://secunia.com/advisories/11479/

--
[SA11474] Fusion news "id" Cross Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-04-23

DarkBicho has reported a vulnerability in Fusion news, allowing malicious people to conduct Cross Site Scripting attacks.

Full Advisory:
http://secunia.com/advisories/11474/

--
[SA11466] PostNuke Cross Site Scripting Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2004-04-23

Janek Vind has reported some vulnerabilities in PostNuke, allowing malicious people to conduct Cross Site Scripting attacks.

Full Advisory:
http://secunia.com/advisories/11466/

--
[SA11480] phpwsBB Reveals Non-Anonymous Labels
Critical:    Not critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2004-04-26

Stephen Adler has reported a security issue in phpwsBB and phpwsContacts, allowing malicious people to view labels.

Full Advisory:
http://secunia.com/advisories/11480/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

========================================================================