From: isn at c4i.org (InfoSec News)
Date: Thu Jul 1 08:11:47 2004
Subject: [ISN] Security UPDATE--Combined Attack Methods--June 30, 2004

==== This Issue Sponsored By ====

Windows & .NET Magazine
http://list.winnetmag.com/cgi-bin3/DM/y/egWw0CJgSH0CBw0BEuX0A6

10 Things Hackers Don't Want You To Know
http://list.winnetmag.com/cgi-bin3/DM/y/egWw0CJgSH0CBw0BHNe0Ai

====================

1. In Focus: Combined Attack Methods

2. Security News and Features
- Recent Security Vulnerabilities
- News: Vulnerable IIS Sites and IE Users Under Attack
- News: AOL Engineer Charged with Selling Screen Names to Spammer
- News: MasterCard and NameProtect Team to Stop Phishing

3. Instant Poll

4. Security Toolkit
- FAQ
- Featured Thread

5. New and Improved
- Monitoring Software Bundle Reduces Prices

====================

==== Sponsor: Windows & .NET Magazine ====
Get 2 Sample Issues of Windows & .NET Magazine!
Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Exchange, scripting, and much more. Our expert authors deliver how-to articles and product evaluations that will help you do your job better. Try two, no-risk sample issues today, and find out why 100,000 IT professionals rely on Windows & .NET Magazine each month!
http://list.winnetmag.com/cgi-bin3/DM/y/egWw0CJgSH0CBw0BEuX0A6

====================

==== 1. In Focus: Combined Attack Methods ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

The June 16 Security UPDATE includes a link to the news story "New IE Flaws Might Allow Code Injection," which describes a relatively new attack method being used by both intruders and purveyors of suspicious or malicious software to infest systems that use Microsoft Internet Explorer (IE). Jelmer Kuperus said that the attack uses Javascript, iframes, PHP, and timing techniques to gain access to the trusted intranet zone on a user's system.
According to Kuperus, the exploit also "uses several known vulnerabilities and two previously unknown vulnerabilities." One of the vulnerabilities, for which no patch exists, involves ActiveX Data Objects (ADO).
http://www.winnetmag.com/article/articleid/42959/42959.html

Through this attack method that uses multiple vulnerabilities, many people's systems (possibly even the systems of some of you readers) have become infected with various sorts of software, most of which is annoying, if not outright dangerous. For example, nefarious entities have installed adware that generates an endless stream of pop-up windows on users' systems. That's the lighter side of the problem though.

As you can learn by reading the news story "Vulnerable IIS Sites and IE Users Under Attack" below, yet another factor was added to the mix last week, this time involving Microsoft IIS. Using the IIS vulnerability described in Microsoft Security Bulletin MS04-011 (Security Update for Microsoft Windows) on systems that haven't yet been updated with a patch that's been available since mid-April, intruders can inject Javascript into a server's Web pages. The Javascript then uses a technique similar to the one I described above to get IE to download Trojan horse software onto an unsuspecting user's system. The Trojan horse program then gathers ("phishes") log-on and financial information.

So now instead of intruders having to establish their own Web sites to host malicious Javascript code, they're penetrating unpatched IIS systems around the Internet that host legitimate Web sites. As Bugtraq mailing list moderator David Ahmad points out in a June 25 posting, these combined vulnerabilities have "no dependence on version or memory layout or any other such messy factors, firewalls are totally irrelevant and VPNs become basically a free ride in, [and] the browser doesn't end up crashing (i.e., the victim remains blissfully unaware that they've been owned)."
These combined vulnerabilities have the potential to become devastating.
http://www.securityfocus.com/archive/1/367120/2004-06-25/2004-07-01/0

Some preventive steps are obvious, and some aren't so obvious, depending on the user or administrator. Obviously, loading the IIS patch MS04-011 on your servers will stop intruders from manipulating the servers' Web pages into hosting malicious code. Turning off scripting in the IE security zones will also protect users to a certain extent. But in countless scenarios, turning scripting off just isn't possible. And sometimes scripting is essential to a Web site's usability. Many of you probably already know how to improve security in IE, but in case you don't, Microsoft has some recommendations that you can read at the following URL:
http://www.microsoft.com/security/incident/settings.mspx

One workaround if you can't turn off scripting is to disable ADO databases (ADODB) in IE. Drew Copley of eEye Digital Security wrote a simple registry script that does this very thing and one that undoes the changes. He also wrote an executable program that disables and re-enables ADODB. You can download the scripts and executable program at the eEye Web site.
http://www.eeye.com/html/research/alerts/al20040610.html

Another way of protecting IE systems against ADODB attacks is to use PivX Solutions' Qwik-Fix, which protects IE against a variety of intrusion methods. Recently, the company made available a version of Qwik-Fix for enterprise environments. I don't know of any other tool that provides the same sort of functionality.
http://www.pivx.com

====================

==== Sponsor: 10 Things Hackers Don't Want You To Know ====
Do you think all hackers use the same techniques to break into your network? Do you think they all guess your passwords? Do you think that an unpatched vulnerability is the only way to compromise your domain controllers?
In this free web seminar, you will learn about the 10 (actually 14) things that very successful hackers will do to compromise your network. You will learn how hackers use these techniques, and how to prevent them. The techniques may surprise you, but your network health will improve greatly once you understand them. Sign up now!
http://list.winnetmag.com/cgi-bin3/DM/y/egWw0CJgSH0CBw0BHNe0Ai

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.winnetmag.com/departments/departmentid/752/752.html

News: Vulnerable IIS Sites and IE Users Under Attack
A new form of attack is spreading over the Internet. The attack affects unpatched Microsoft IIS systems, which then attack unprotected Microsoft Internet Explorer (IE) systems.
http://www.winnetmag.com/article/articleid/43088/43088.html

News: AOL Engineer Charged with Selling Screen Names to Spammer
Jason Smathers, an America Online (AOL) engineer, has been arrested and charged with stealing tens of millions of AOL screen names (email addresses) and selling them. Sean Dunaway, who purchased the addresses from Smathers, has also been charged. He is accused of sending spam to AOL customers and selling the list of AOL screen names to other spammers.
http://www.winnetmag.com/article/articleid/43070/43070.html

News: MasterCard and NameProtect Team to Stop Phishing
MasterCard International and NameProtect announced a partnership in which NameProtect will provide its services to MasterCard to help stop phishing scams and illegal credit card use.
http://www.winnetmag.com/article/articleid/43061/43061.html

====================

==== Announcements ====
(from Windows & .NET Magazine and its partners)

Free eBook--"The Expert's Guide for Exchange 2003: Preparing for, Moving to, and Supporting Exchange Server 2003"
This eBook will educate Exchange administrators and systems managers about how to best approach the migration and overall management of an Exchange 2003 environment. The book will focus on core issues such as configuration management, accounting, and monitoring performance with an eye toward migration, consolidation, security, and management.
http://list.winnetmag.com/cgi-bin3/DM/y/egWw0CJgSH0CBw0BJSm0Ax

Now the Windows & .NET Magazine Network VIP Web Site/Super CD Really Does Have It All!
Our VIP Web site/Super CD subscribers are used to getting online access to all of our publications, plus a print subscription to Windows & .NET Magazine and exclusive access to our banner-free VIP Web site. But now we've added even more content from the archives of SQL Server Magazine! You won't find a more complete and comprehensive resource anywhere--check it out!
http://list.winnetmag.com/cgi-bin3/DM/y/egWw0CJgSH0CBw0BJEb0AY

====================

==== 3. Instant Poll ====

Results of Previous Poll
The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "Where are your wireless Access Points (APs)?" Here are the results from the 59 votes.
- 42% Inside the border firewall
- 24% Outside the border firewall
- 34% Between the border firewall and an internal firewall

New Instant Poll
The next Instant Poll question is, "Which Web browser does your company currently use for Internet (as opposed to intranet) browsing?" Go to the Security Administrator Web site and submit your vote for:
- Microsoft Internet Explorer (IE)
- Mozilla
- Firefox
- Opera
- Other
http://www.winnetmag.com/windowssecurity

==== 4. Security Toolkit ====

FAQ: How Can I Enable a Connection to a Machine over RDP and Through a Firewall?
by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. RDP operates over TCP port 3389. To enable connectivity to any machine on the network through a firewall, open this port on the firewall. To connect to a particular system on the LAN, configure port forwarding on the firewall to send traffic from port 3389 to that computer.

Featured Thread: Running Multiple Antivirus Scanners
(Three messages in this thread)
A reader wants to know whether running two different antivirus software packages on a network at the same time is a good idea. If yes, why? If no, why not? Lend a hand or read the responses:
http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=122202

====================

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

Get Smart! Evaluate Your Options in the Entry-Level Server Market
Comparing the options in the server market, including the decision to purchase an OEM-supplied server versus building your own, can be a daunting task. This free Web seminar provides an introduction to entry-level servers, evaluates the current market of entry-level servers, and assesses the value of vendor-supplied service and support. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/egWw0CJgSH0CBw0BJSo0Az

====================

==== 5. New and Improved ====
by Jason Bovberg, products@winnetmag.com

Monitoring Software Bundle Reduces Prices
GFI Software launched the GFI LANguard Security Event Log Monitor (SELM) and GFI Network Server Monitor bundle. Customers can now purchase GFI LANguard SELM 5.0 and GFI Network Server Monitor 5.5 together at a reduced price. GFI LANguard SELM performs networkwide event-log monitoring to alert you to important security events immediately, whereas GFI Network Server Monitor automatically detects network and server problems.
The bundled software lets you monitor 10 servers through GFI LANguard SELM and unlimited servers through GFI Network Server Monitor for $1295 (as opposed to $1649 without the bundle pricing). Complete bundle pricing information is available at GFI's Web site.
http://www.gfi.com/pricing/pricelist.asp?product=lanselm

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com.

====================

==== Sponsored Links ====

Argent
Comparison Paper: The Argent Guardian Easily Beats Out MOM
http://list.winnetmag.com/cgi-bin3/DM/y/egWw0CJgSH0CBw0BDWV0AY

CommVault
CommVault - Free White Paper: Managing the Infinite Inbox
http://list.winnetmag.com/cgi-bin3/DM/y/egWw0CJgSH0CBw0BJKg0Aj

VERITAS Software
VERITAS White Paper: Reclaim 30% of Your Windows Storage Space Now!
http://list.winnetmag.com/cgi-bin3/DM/y/egWw0CJgSH0CBw0BJJh0Aj

====================

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@winnetmag.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.
====================

==== Contact Us ====
About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

====================

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you!

View the Windows & .NET Magazine privacy policy at
http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All rights reserved.

From: isn at c4i.org (InfoSec News)
Date: Thu Jul 1 08:11:49 2004
Subject: [ISN] E-Mail Snooping Ruled Permissible

Forwarded from: Marjorie Simmons

http://www.wired.com/news/politics/0,1283,64043,00.html

By Kim Zetter
June 30, 2004

E-mail privacy suffered a serious setback on Tuesday when a court of appeals ruled that an e-mail provider did not break the law in reading his customers' communications without their consent.

The First Court of Appeals in Massachusetts ruled that Bradford C. Councilman did not violate criminal wiretap laws when he surreptitiously copied and read the mail of his customers in order to monitor their transactions. Councilman, owner of a website selling rare and out-of-print books, offered book dealer customers e-mail accounts through his site.
But unknown to those customers, Councilman installed code that intercepted and copied any e-mail that came to them from his competitor, Amazon.com. Although Councilman did not prevent the mail from reaching recipients, he read thousands of copied messages in order to know what books customers were seeking and gain a commercial advantage over Amazon.

Authorities charged Councilman with violating the Wiretap Act, which governs unauthorized interception of communication. But the court found that because the e-mails were already in the random access memory, or RAM, of the defendant's computer system when he copied them, he did not intercept them while they were in transit over wires and therefore did not violate the Wiretap Act, even though he copied the messages before the intended recipients read them. The court ruled that the messages were in storage rather than transit.

The court acknowledged in its decision (http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf) that the Wiretap Act, written before the advent of the Internet, was perhaps inadequate to address modern communication methods.

. . .

From: isn at c4i.org (InfoSec News)
Date: Thu Jul 1 08:11:50 2004
Subject: [ISN] PC World sells "new" hard drive with personal data on

http://www.theinquirer.net/?article=16938

By Mike Magee
30 June 2004

A WESTERN DIGITAL hard drive sold as new in a major PC World outlet in London on Monday contained a couple's personal data including spreadsheets, VAT information and other sensitive information.

We bought the Western Digital 20GB Caviar drive along with a CD drive from the Tottenham Court Road branch of PC World because we were building a new PC. But after the operating system software failed to install correctly, we examined the hard drive and found that it contained a number of Word documents and Excel worksheets belonging to an individual and his partner, based in West London.
The package was sold intact with a black and white security label saying "do not open before purchase", and was for sale with other new drives in the superstore.

A representative for PC World said she was puzzled at how the incident could have occurred. She thought there were a couple of possibilities. Those were - that the drive was received in that condition from the manufacturer, or that the disk was returned by a customer as new and unused. She said that if the disk had been returned as defective it would have been returned to the warehouse. The Dixons Group has a returns policy where defective products go back to the manufacturer for replacement.

The odds against an itinerant IT hack coming into the shop and picking up a drive like this must be pretty big. Wish we had the same luck on the nags or the lottery.

From: isn at c4i.org (InfoSec News)
Date: Thu Jul 1 08:11:51 2004
Subject: [ISN] Computer crime laws need updating

http://news.bbc.co.uk/2/hi/technology/3853059.stm

30 June, 2004

The All-Party Internet Group wants to see changes to what it sees as an "outdated" Computer Misuse Act.

The report calls for denial-of-service attacks - in which servers are deluged with information from thousands of PCs - to be made a specific crime. It also recommends an increase in the length of jail sentences for hackers.

More needed

It wants firms to have the right to take out private prosecutions to tackle cases that the police do not regard as priorities.

Although a welcome first step, the recommendations do not go far enough says Simon Janes, a former head of Scotland Yard's Computer Crime Unit and now operations director of computer forensic firm ibas. He wants the government to address the chronic shortage of trained computer forensic experts in the UK.
He is also concerned, as an ex-cyber cop, that a recommendation for the police to create a checklist on how to preserve electronic evidence could be fraught with danger.

"Encouraging anyone to undertake any form of DIY preservation of electronic evidence is inviting potential disaster," he said.

"You wouldn't direct a member of the public to erect a 'do not cross' tape around a crime scene and the same should apply in the digital world," he said.

Difficult to legislate

He is pleased that the report has acknowledged the need to criminalise the theft of data, although worries that some firms are still not reporting cyber crimes.

"Around 93-95% of all cyber crimes go unreported because companies rate unwanted publicity as potentially more damaging than the incident itself," he said.

Making court proceedings confidential could help bring more criminals to justice, Mr Janes believes.

The amount of cyber crime that is happening in the UK and around the world has been difficult to assess to date. The report calls for the government to find more effective ways of measuring cyber crime.

Home Office action

It is also immensely difficult to legislate against, and not all the issues surrounding cyber crime can be dealt with under the Computer Misuse Act, the report finds.

Instead, a reform of the fraud laws could prove useful in cases such as illicit software which can be unwittingly downloaded by users when they open pay-per-view porn sites and which charges them at premium rates.

The MPs hope that their recommendations will be acted upon by the Home Office.

"This report represents the results of the first serious inquiry into computer misuse and denial-of-service attacks in particular," said Brian White, treasurer of APIG.

"I hope the government responds positively to our recommendations," he added.
-=-

APIG'S RECOMMENDATIONS
* Increase sentence for hacking from six months to two years
* Director of Public Prosecutions to allow private prosecutions
* Educational material about CMA on Home Office website
* Improve statistical information on cyber crime
* Introduce a new fraud bill
* Law Commission to criminalise the theft of data

From: isn at c4i.org (InfoSec News)
Date: Thu Jul 1 08:11:52 2004
Subject: [ISN] Experts agree on method, not scope of IIS attacks

http://www.computerworld.com/securitytopics/security/story/0,10801,94221,00.html

By Paul Roberts
JUNE 30, 2004
IDG NEWS SERVICE

One day after reports of Web site attacks surfaced, there was disagreement about how widespread the attacks were and how many Internet users were affected by them.

Security experts on Friday said companies that failed to apply a recent software patch for Microsoft Corp.'s Internet Information Services (IIS) Version 5.0 Web server were vulnerable to a new Web-based attack from an online criminal hacking group, while Microsoft acknowledged that even individuals running the latest patches for IIS and the Internet Explorer Web browser could be affected if they did not make additional configuration changes. But there were widely different accounts of the attacks' impact on companies and Internet users.

Hackers are using a recently patched buffer overflow vulnerability in Microsoft's implementation of SSL (secure sockets layer) to compromise vulnerable Windows 2000 systems running IIS, Microsoft's Web server, said Stephen Toulouse, security program manager in Microsoft's Security Response Center. Microsoft patched that flaw in April when it released Security Bulletin MS04-011, so companies that installed the patch were not vulnerable to compromise, and attackers did not use an unknown or "zero day" hole to compromise IIS, he said.

However, the story is more complicated for Internet users and Web surfers.
The recent attacks used two vulnerabilities in Windows and the Internet Explorer Web browser to silently run the malicious code on machines that visited the compromised sites, redirecting the customers to Web sites controlled by the hackers and downloading a Trojan horse program that captures keystrokes and personal data, he said.

One of those vulnerabilities was in code for Microsoft's Outlook Express e-mail client that interpreted a kind of URL known as a MIME Encapsulation of Aggregate HTML, or MHTML URL, which allows documents with MHTML-encoded content to be displayed in software applications like the Internet Explorer Web browser. That vulnerability was addressed in a security patch from Microsoft, MS04-013, also released in April, he said.

The second vulnerability was discovered last week and Microsoft does not have a patch for it, Toulouse said. That hole, called a "cross zone scripting" vulnerability, allows attackers to trick Internet Explorer into loading insecure content using relaxed security precautions typically applied to files stored on the local hard drive or obtained from a trusted Web site such as www.microsoft.com, according to experts.

Even Internet Explorer users who apply the MS04-013 patch could still be compromised, Toulouse said. Only setting the Internet Explorer security level to "high," and having up-to-date antivirus software to spot the Trojan horse program as it is downloaded can prevent infection, he said.

"Due to the way this exploit utilizes an unpatched vulnerability we were just made aware of, the mitigation here is to follow our safe browsing guidance and have updated antivirus software," Toulouse said.

At gift basket supplier Young's Inc. in Dundee, Mich., network administrators first became aware of the new threat on Thursday morning, when employees, including the company's CEO, received warnings about Trojan programs when they tried to load the company's Intranet Web page, said Ron Guyor, a systems administrator at Young's.
The company uses IIS Version 5.0 with SSL and had not applied the April patch, which Guyor believes was the opening hackers used to compromise his Web server. After shutting down IIS, Guyor used searches for recently updated files in IIS and information from online system administrator newsgroups to locate and remove the malicious files installed by hackers, he said.

While he is confident that desktop antivirus software from Symantec Corp. prevented the main Trojan horse file from being installed on his users' desktops, he's concerned about the unpatched hole in Internet Explorer and wary that other malicious code may have also been downloaded that Symantec's antivirus engine was not able to detect, he said.

"Internet Explorer is a big concern. If there's something Symantec doesn't know about yet, all you have to do is hit the wrong Web site and [hackers] can install whatever they want to," he said.

Microsoft hasn't seen evidence of widespread attacks, despite dire warnings from some security companies and a handful of tales like Guyor's, Toulouse said.

"Our investigation is showing us that this is not widespread. We haven't seen or heard a lot about this," he said.

That's the case at Network Associates Inc. (NAI), as well, according to Vincent Gullotto, vice president of research at NAI's McAfee Antivirus Emergency Response Team.

"We don't have significant reports of Web sites compromised or of people sending us examples of the new Trojans," he said. "I'd rate this a low risk if you're patched and a medium risk if you're not."

Still, other security companies reported widespread infections.

"Hundreds of thousands of computers have likely been infected in the past 24 hours," said Ken Dunham, director of malicious code, in an e-mail statement from iDefense Inc., a security intelligence company in Reston, Va.
Managed security company NetSec Inc., in Herndon, Va., said it has seen infections across the majority of its customer accounts and knows of infections at large Web hosting farms, where a small number of IIS servers out of a large farm of servers have been compromised, said Dan Frasnelli, manager of NetSec's Technical Assistance Center.

The confusion about the extent of attacks shouldn't be surprising, especially given the novelty of the attack, said Chris Kraft, a senior security analyst at Sophos PLC. "There tends to be confusion when something new and interesting happens. You get a broad disparity of what people say at the outset of the attack."

Sophos didn't receive many reports from customers about the attacks. Still, Kraft thinks the strategy used by the virus writers makes the IIS attacks worth noting.

"The interesting thing is the delivery mechanism. These hackers usurped Web sites that people normally consider safe, then exploited vulnerabilities in the Web browser to download a set of instructions," he said.

If used successfully against a major Web site such as Yahoo.com or eBay.com, the same approach could net millions of computers in just a short time that could then be controlled using Trojan horse programs and used to launch denial of service attacks or distribute unsolicited commercial ("spam") e-mail, he said.

NAI's Gullotto agrees, saying that the vulnerabilities, Trojan programs and exploits used in the attacks are well-known to IT security experts and have been circulating on the Internet. Their combined use in an attack is new.

"We've had all this stuff for quite a while. The deal is that it happened -- that somebody put the pieces together," he said.
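The triage step Guyor describes above (searching the IIS web root for recently updated files) and the In Focus description of Javascript injected into a server's own pages can be turned into a small scan, shown here as an added example that is not code from the newsletter or from any of the people or companies quoted. The web root layout, the list of hosts the site legitimately loads scripts from, and the two sample pages (including the placeholder external host) are all constructed for the example.

```python
"""Scan a web root for recently modified pages that pull script or iframe
content from hosts the site does not own.

Constructed example: the web root, the trusted-host list and both sample
pages are made up here; nothing is read from a real server."""

import os
import re
import tempfile
import time
from urllib.parse import urlparse

# Injected content of the kind described in the articles arrives through
# <script src=...> or <iframe src=...> tags pointing at an outside host.
TAG_RE = re.compile(
    r"<(script|iframe)\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE
)


def external_refs(html, trusted_hosts):
    """Return (tag, url) pairs whose src host is not in trusted_hosts.
    Relative URLs (no host part) are local to the site and are skipped."""
    refs = []
    for tag, url in TAG_RE.findall(html):
        host = urlparse(url).hostname
        if host and host.lower() not in trusted_hosts:
            refs.append((tag.lower(), url))
    return refs


def scan_webroot(root, trusted_hosts, modified_since,
                 exts=(".htm", ".html", ".asp")):
    """Walk root and report every page modified after modified_since
    (epoch seconds) that references an untrusted script/iframe source."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            if mtime < modified_since:
                continue  # untouched since the cutoff; not of interest here
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                refs = external_refs(fh.read(), trusted_hosts)
            if refs:
                findings.append({"path": path, "mtime": mtime, "refs": refs})
    return findings


def build_sample_webroot():
    """Constructed sample: a clean page last modified a year ago, and a
    page written just now that carries a zero-size iframe pointing at a
    placeholder outside host ('injected.example')."""
    root = tempfile.mkdtemp(prefix="webroot_")
    clean = os.path.join(root, "index.html")
    with open(clean, "w", encoding="utf-8") as fh:
        fh.write('<html><body><script src="/js/menu.js"></script>'
                 '<script src="http://www.example.com/site.js"></script>'
                 '<p>Welcome</p></body></html>')
    old = time.time() - 365 * 86400
    os.utime(clean, (old, old))
    injected = os.path.join(root, "products", "list.html")
    os.makedirs(os.path.dirname(injected))
    with open(injected, "w", encoding="utf-8") as fh:
        fh.write('<html><body><p>Products</p>'
                 '<iframe src="http://injected.example/x.php" width=0 height=0>'
                 '</iframe></body></html>')
    return root


def demo():
    """Scan the constructed web root for pages changed in the last week."""
    root = build_sample_webroot()
    since = time.time() - 7 * 86400
    return scan_webroot(root, {"www.example.com"}, since)


if __name__ == "__main__":
    for finding in demo():
        print(time.ctime(finding["mtime"]), finding["path"])
        for tag, url in finding["refs"]:
            print("    ", tag, "->", url)
```

On a real server the cutoff would be the time the compromise is believed to have started and the trusted-host set would be the site's own CDN or partner hosts; anything else flagged is worth comparing against a known-good copy of the page.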
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 1 08:11:53 2004
Subject: [ISN] High school students charged with hacking into psychologist's computer

http://www.newsday.com/news/local/wire/ny-bc-ny--school-computerha0630jun30,0,7287416.story?coll=ny-ap-regional-wire

June 30, 2004

HEMPSTEAD, N.Y. (AP) -- Two Long Island students were charged with illegally accessing a high school psychologist's computer and tampering with other students' psychological evaluations, officials said.

Christopher Kabacinski, 18, and Ryan Webb, 16, both students at Carle Place High School, allegedly learned the psychologist's password and used it to log on to the school's computer network. Kabacinski then installed software on the network that allowed him to transfer dozens of student psychological profiles to his home computer between September and December 2003, Nassau County District Attorney Denis Dillon said Tuesday.

Kabacinski was arraigned on charges of computer trespass, fourth-degree computer tampering and unauthorized use of a computer, Dillon said. He faces up to four years in prison if convicted. Webb was charged with unauthorized use of a computer.

From: wk at c4i.org (William Knowles)
Date: Fri Jul 2 08:50:05 2004
Subject: [ISN] Hackers target DND computers, break into network

http://www.canada.com/ottawa/ottawacitizen/news/story.html?id=9c7140f5-576f-4c2a-b6dd-d11126882264

By David Pugliese
The Ottawa Citizen
2004.07.02

Defence Department employees are being targeted by suspicious e-mails designed to plant viruses and other malicious codes inside military computers, according to a report obtained by the Citizen.

Most of the details about the incidents, code-named Snow Leopard by the Canadian Forces, are wrapped in secrecy. But Defence Department records confirm that hackers were able to gain access to military computers on at least 10 occasions last year.
In total in 2003, the military's computer response team dealt with 160 incidents ranging from poor cyber security to unauthorized entry into high-level systems.

According to one report produced in December, defence employees were hit by "suspicious e-mails that appear to be targeting DND individuals in an attempt to 'social engineer' the installation of malicious code." At least one computer was compromised by the mystery e-mail.

Social engineering involves the use of deception to try to gain access to the password of a large computer system or network. For instance, it can be done through e-mails sent by a hacker posing as an organization's computer security official and requesting verification of an individual's password. Malicious code could refer to a variety of problems, including viruses and worms.

Defence officials are refusing to discuss any aspect of the Snow Leopard case, so it is not known how many other department or federal government computers have been compromised, the extent of the attacks, or if they are continuing.

"There's very much classified (information) around Snow Leopard and what it entails," said Canadian Forces spokesman Maj. Mike Audette. "We're not going to discuss in any terms any potential or ongoing communications computer network security operations."

Patrick Naubert, a computer security specialist, said that even if a hacker obtains a password through social engineering, there are still numerous hurdles to overcome before gaining electronic access to the target's computer network. Even if access is gained, the hacker must know roughly what they are looking for, or they face the problem of filtering through thousands of filenames to find the information they want, noted Mr. Naubert of Tyger Team Consultants Ltd.
"DND might not actually care about that, since just any hacker gaining read access to any machine on any of DND's network might be a PR nightmare, regardless of the fact that DND must have an airgap between their 'unprotected' network and their 'protected' network," Mr. Naubert explained.

It's not the first time that military computers have been compromised. In 1999, it took a 17-year-old high school student in the U.S. just 10 minutes to breach the Defence Department's computer system.

"The DND site was an easy target," Russell Sanford told the Citizen in 2002. "It was pretty weak."

Mr. Sanford said he went in and out of the military computer network over a period of three days.

When the Citizen story emerged, Defence officials acknowledged the breach but claimed the teenager was only able to infiltrate the department's Internet website which did not contain any classified information.

But the teenager responded that he had hacked into one of the department's secure computers via its public website. While he did not access or intercept any classified data, Mr. Sanford claimed he could have done so if he had wanted to. Instead he left on the website tips on how the military could improve its computer security.

In one of the Snow Leopard cases, an administrative assistant with the Defence Department's Director of Protocol and Foreign Liaison distributed a suspicious e-mail with an attachment. The malicious code was removed and military officials indicated in their December report that it did not appear the main Defence network computer had been compromised in that incident.

Most details of the Snow Leopard report, released under the Access to Information law, have been censored for reasons of national security. But the incident prompted military officials to warn the Privy Council Office about the attempts to plant a malicious code on Defence computers.
The Office of Critical Infrastructure Protection and Emergency Preparedness also issued a security advisory to other departments about the probes.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/donation.html
*==============================================================*

From isn at c4i.org Fri Jul 2 08:34:39 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 2 08:50:06 2004
Subject: [ISN] E-Mail Snooping Ruled Permissible
Message-ID:

Forwarded from: Mark Hoffer

Hello:

Coming from the ISP side of things, this is a great sigh of relief. Before this ruling, some could have interpreted the law in a way that the ISP could not scan for viruses or block spam. I agree that email should not be snooped on, but every user should know that the privacy of an email is like that of a postcard.

Now about this wiretap law - is it unlawful for me to use a packet sniffer to troubleshoot a customer's connection and to watch for malicious traffic on my network?

-Mark Hoffer

----- Original Message -----
From: "InfoSec News"
To:
Sent: Thursday, July 01, 2004 7:33 AM
Subject: [ISN] E-Mail Snooping Ruled Permissible

> Forwarded from: Marjorie Simmons
>
> http://www.wired.com/news/politics/0,1283,64043,00.html
>
> By Kim Zetter
> June 30, 2004
>
> E-mail privacy suffered a serious setback on Tuesday when a court of
> appeals ruled that an e-mail provider did not break the law in
> reading his customers' communications without their consent.
>
> The First Court of Appeals in Massachusetts ruled that Bradford C.
> Councilman did not violate criminal wiretap laws when he
> surreptitiously copied and read the mail of his customers in order
> to monitor their transactions.
>
> Councilman, owner of a website selling rare and out-of-print books,
> offered book dealer customers e-mail accounts through his site. But
> unknown to those customers, Councilman installed code that
> intercepted and copied any e-mail that came to them from his
> competitor, Amazon.com. Although Councilman did not prevent the mail
> from reaching recipients, he read thousands of copied messages in
> order to know what books customers were seeking and gain a
> commercial advantage over Amazon.

From isn at c4i.org Fri Jul 2 08:35:25 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 2 08:50:07 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-27
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-06-24 - 2004-07-01

This week : 42 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

New Features at Secunia.com

Secunia has implemented various statistical features at the websites for both Secunia advisories and Virus Information.
Secunia Advisories Statistics:
http://secunia.com/advisory_statistics/

Examples of Specific Product Statistics:
http://secunia.com/product/11/ (Internet Explorer 6)
http://secunia.com/product/761/ (Opera 7.x)
http://secunia.com/product/1480/ (Mozilla 1.3)

Secunia Virus Information Statistics:
http://secunia.com/virus_statistics/

Furthermore, Secunia has made it possible for you to include all graphs available at secunia.com on your own website. This is described in detail at:
http://secunia.com/secunia_image_inclusion/

========================================================================

2) This Week in Brief:

ADVISORIES:

Multiple browsers have been proven vulnerable to a 6 year old vulnerability, which can be exploited by malicious people to inject information into other sites' frameset.

The vulnerability was first reported (and corrected) in Internet Explorer 3 and 4 back in 1998. However, during the past week Internet Explorer 6.0 was proven vulnerable to this issue again.

After this information surfaced, several other people reported to Secunia that many other browsers also are affected by this.

Secunia has therefore constructed a test for this issue, allowing you to check your own browser. A link for the test can be found in the Secunia advisories below.

Reference:
http://secunia.com/SA11966
http://secunia.com/SA11978

VIRUS ALERTS:

During the last week, Secunia issued two MEDIUM RISK virus alerts. Please refer to the grouped virus profile below for more information:

Bagle.x!proxy - MEDIUM RISK Virus Alert - 2004-07-01 05:35 GMT+1
http://secunia.com/virus_information/8675/bagle.xproxy/

Korgo.T - MEDIUM RISK Virus Alert - 2004-06-27 14:46 GMT+1
http://secunia.com/virus_information/10230/korgo.t/

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA11793] Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities
2.
[SA11900] Unreal Engine "secure" Query Buffer Overflow Vulnerability
3. [SA11966] Internet Explorer Frame Injection Vulnerability
4. [SA11956] Apache Input Header Folding Denial of Service Vulnerability
5. [SA11925] Lotus Domino/Notes Cross-Site Scripting and Arbitrary Code Execution
6. [SA11072] IBM Access Support ActiveX Controls Various Insecure Methods
7. [SA11830] Internet Explorer Security Zone Bypass and Address Bar Spoofing Vulnerability
8. [SA11928] php-exec-dir Command Execution Bypass Vulnerability
9. [SA11622] Mac OS X URI Handler Arbitrary Code Execution
10. [SA10395] Internet Explorer URL Spoofing Vulnerability

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA11966] Internet Explorer Frame Injection Vulnerability
[SA11951] Cart32 "GetLatestBuilds" Cross-Site Scripting Vulnerability

UNIX/Linux:
[SA11971] HP-UX Netscape Multiple Vulnerabilities
[SA11968] Mandrake update for apache
[SA11946] Debian update for apache
[SA11945] MPlayer GUI Filename Handling Buffer Overflow Vulnerability
[SA11976] Gentoo update for pavuk
[SA11975] Pavuk HTTP "Location:" Header Processing Buffer Overflow Vulnerability
[SA11973] Gentoo update for krb5
[SA11962] Fedora update for ipsec-tools
[SA11954] artmedic links "id" Parameter Arbitrary File Reading Vulnerability
[SA11953] Confixx "/root" Directory Information Disclosure Vulnerability
[SA11949] Gentoo update for freeswan/openswan/strongswan
[SA11948] Various Products X.509 Certificate Validation Vulnerability
[SA11969] HP-UX Object Action Manager WebAdmin Vulnerability
[SA11967] Mandrake update for apache2
[SA11942] Gentoo update for gift-fasttrack
[SA11941] giFT-FastTrack Unspecified Denial of Service Vulnerability
[SA11937] vBulletin "newreply.php" Cross-Site Scripting Vulnerability
[SA11955] HP Tru64 UNIX DCE RPC Buffer Overflow Vulnerability
[SA11939] Gentoo update for gzip
[SA11938] Fedora update for kernel
[SA11936] Red Hat Linux Broadcom 5820 Cryptonet Driver Integer Overflow
[SA11935] Sun StorEdge ESM Unspecified Privilege Escalation Vulnerability
[SA11977] popclient "POP3_readmsg()" Off-By-One Buffer Overflow Vulnerability
[SA11970] HP-UX ARPA Transport Unspecified Denial of Service Vulnerability
[SA11940] Sun Solaris Kerberos Client Clear Text Password Logging

Other:
[SA11950] Juniper JUNOS Packet Forwarding Engine IPv6 Denial of Service
[SA11963] D-Link DI-614+ DHCP Request Flooding Denial of Service
[SA11961] D-Link DI-614+ DHCP Service "LEASETIME" Option Denial of Service

Cross Platform:
[SA11957] IBM HTTP Server mod_proxy "Content-Length:" Header Buffer Overflow
[SA11978] Multiple Browsers Frame Injection Vulnerability
[SA11974] phpMyAdmin Configuration Manipulation and Code Injection
[SA11960] PowerPortal Multiple Vulnerabilities
[SA11959] BEA WebLogic Role Interpretation Security Issue
[SA11958] BEA WebLogic Crystal Reports Web Viewer Directory Traversal Vulnerability
[SA11952] Help Desk Pro Login Validation SQL Injection Vulnerability
[SA11947] Infinity WEB Login Validation SQL Injection Vulnerability
[SA11944] phpmyfamily User Authentication Bypass Vulnerability
[SA11964] CuteNews "id" Parameter Cross Site Scripting Vulnerabilities
[SA11956] Apache Input Header Folding Denial of Service Vulnerability
[SA11965] csFAQ "database" Parameter Path Disclosure

========================================================================

5) Vulnerabilities Content Listing

Windows:
--
[SA11966] Internet Explorer Frame Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-06-30

Mark Laurence has discovered a 6 year old vulnerability in Microsoft Internet Explorer, allowing malicious people to spoof the content of websites.
Full Advisory:
http://secunia.com/advisories/11966/

--
[SA11951] Cart32 "GetLatestBuilds" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-06-29

Dr Ponidi has reported a vulnerability in Cart32, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/11951/

UNIX/Linux:
--
[SA11971] HP-UX Netscape Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, DoS, System access
Released: 2004-06-30

HP has acknowledged multiple vulnerabilities in Netscape for HP-UX, which potentially can be exploited by malicious people to cause a DoS (Denial of Service), gain knowledge of sensitive information, or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/11971/

--
[SA11968] Mandrake update for apache

Critical: Highly critical
Where: From remote
Impact: System access, DoS
Released: 2004-06-30

MandrakeSoft has issued an update for apache. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11968/

--
[SA11946] Debian update for apache

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-06-28

Debian has issued an update for apache. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11946/

--
[SA11945] MPlayer GUI Filename Handling Buffer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-06-29

c0ntex has reported a vulnerability in MPlayer, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/11945/

--
[SA11976] Gentoo update for pavuk

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-06-30

Gentoo has issued an update for pavuk. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11976/

--
[SA11975] Pavuk HTTP "Location:" Header Processing Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-06-30

A vulnerability has been reported in Pavuk, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11975/

--
[SA11973] Gentoo update for krb5

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-06-30

Gentoo has issued an update for krb5. This fixes some vulnerabilities, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11973/

--
[SA11962] Fedora update for ipsec-tools

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-06-29

Fedora has issued an update for ipsec-tools. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/11962/

--
[SA11954] artmedic links "id" Parameter Arbitrary File Reading Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2004-06-28

Adam Simuntis has reported a vulnerability in artmedic links, allowing malicious people to disclose the content of arbitrary files.
Full Advisory:
http://secunia.com/advisories/11954/

--
[SA11953] Confixx "/root" Directory Information Disclosure Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2004-06-28

Dirk Pirschel has reported a vulnerability in Confixx, which potentially can be exploited by malicious users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/11953/

--
[SA11949] Gentoo update for freeswan/openswan/strongswan

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS
Released: 2004-06-28

Gentoo has issued updates for freeswan/openswan/strongswan. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/11949/

--
[SA11948] Various Products X.509 Certificate Validation Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS
Released: 2004-06-28

Thomas Walpuski has reported a vulnerability in strongSwan, Openswan, and FreeS/WAN, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/11948/

--
[SA11969] HP-UX Object Action Manager WebAdmin Vulnerability

Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-06-30

HP has acknowledged a vulnerability in HP-UX, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11969/

--
[SA11967] Mandrake update for apache2

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-06-30

MandrakeSoft has issued an update for apache2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/11967/

--
[SA11942] Gentoo update for gift-fasttrack

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-06-25

Gentoo has issued an update for gift-fasttrack. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11942/

--
[SA11941] giFT-FastTrack Unspecified Denial of Service Vulnerability

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-06-25

Alan Fitton has discovered a vulnerability in giFT-FastTrack, allowing malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11941/

--
[SA11937] vBulletin "newreply.php" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-06-25

Cheng Peng Su has reported a vulnerability in vBulletin, allowing malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/11937/

--
[SA11955] HP Tru64 UNIX DCE RPC Buffer Overflow Vulnerability

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-06-28

A vulnerability has been reported in DCE/DFS for Tru64 UNIX, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11955/

--
[SA11939] Gentoo update for gzip

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-06-25

Gentoo has issued an update for gzip. This fixes two vulnerabilities, which can be exploited by malicious, local users to escalate their privileges on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11939/

--
[SA11938] Fedora update for kernel

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, Privilege escalation, DoS
Released: 2004-06-25

Fedora has issued an update for the kernel.
This fixes various vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service), gain knowledge of sensitive information, or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/11938/

--
[SA11936] Red Hat Linux Broadcom 5820 Cryptonet Driver Integer Overflow

Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2004-06-24

infamous41md has reported a vulnerability in the Broadcom 5820 Cryptonet driver included with Red Hat Linux. This can potentially be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/11936/

--
[SA11935] Sun StorEdge ESM Unspecified Privilege Escalation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-06-24

An unspecified vulnerability has been discovered in Sun StorEdge Enterprise Storage Manager, which can be exploited by malicious, local users to gain root privileges.

Full Advisory:
http://secunia.com/advisories/11935/

--
[SA11977] popclient "POP3_readmsg()" Off-By-One Buffer Overflow Vulnerability

Critical: Not critical
Where: From remote
Impact: DoS
Released: 2004-06-30

A vulnerability has been reported in popclient, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11977/

--
[SA11970] HP-UX ARPA Transport Unspecified Denial of Service Vulnerability

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2004-06-30

A vulnerability has been discovered in HP-UX, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/11970/

--
[SA11940] Sun Solaris Kerberos Client Clear Text Password Logging

Critical: Not critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-06-25

A security issue has been discovered in Sun Solaris, which may disclose sensitive information to users.

Full Advisory:
http://secunia.com/advisories/11940/

Other:
--
[SA11950] Juniper JUNOS Packet Forwarding Engine IPv6 Denial of Service

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-06-30

A vulnerability has been discovered in Juniper JUNOS, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11950/

--
[SA11963] D-Link DI-614+ DHCP Request Flooding Denial of Service

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-06-29

Gregory Duchemin has reported a vulnerability in D-Link 614+, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11963/

--
[SA11961] D-Link DI-614+ DHCP Service "LEASETIME" Option Denial of Service

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-06-30

Gregory Duchemin has reported a vulnerability in D-Link DI-614+, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11961/

Cross Platform:
--
[SA11957] IBM HTTP Server mod_proxy "Content-Length:" Header Buffer Overflow

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-06-29

IBM has acknowledged a vulnerability in IBM HTTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/11957/

--
[SA11978] Multiple Browsers Frame Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-07-01

A 6 year old vulnerability has been discovered in multiple browsers, allowing malicious people to spoof the content of websites.

Full Advisory:
http://secunia.com/advisories/11978/

--
[SA11974] phpMyAdmin Configuration Manipulation and Code Injection

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, System access
Released: 2004-06-30

Nasir Simbolon has reported two vulnerabilities in phpMyAdmin, allowing malicious people to manipulate certain configuration settings and inject arbitrary code.

Full Advisory:
http://secunia.com/advisories/11974/

--
[SA11960] PowerPortal Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Released: 2004-06-29

DarkBicho has reported some vulnerabilities in PowerPortal, potentially allowing malicious people to reveal sensitive information and conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/11960/

--
[SA11959] BEA WebLogic Role Interpretation Security Issue

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-06-29

A security issue has been discovered in BEA WebLogic, potentially allowing unauthorised users to access affected web applications.

Full Advisory:
http://secunia.com/advisories/11959/

--
[SA11958] BEA WebLogic Crystal Reports Web Viewer Directory Traversal Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS, Exposure of sensitive information, Exposure of system information
Released: 2004-06-29

A vulnerability has been discovered in BEA WebLogic, allowing malicious people to disclose the content of arbitrary files or delete these.
Full Advisory:
http://secunia.com/advisories/11958/

--
[SA11952] Help Desk Pro Login Validation SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-06-28

D'Amato Luigi has reported a vulnerability in Help Desk Pro, allowing malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/11952/

--
[SA11947] Infinity WEB Login Validation SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-06-28

D'Amato Luigi has reported a vulnerability in Infinity WEB, allowing malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/11947/

--
[SA11944] phpmyfamily User Authentication Bypass Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-06-28

Valerie Holfield has discovered a vulnerability in phpmyfamily, which can be exploited by malicious people to gain edit privileges.

Full Advisory:
http://secunia.com/advisories/11944/

--
[SA11964] CuteNews "id" Parameter Cross Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-06-29

DarkBicho has reported some vulnerabilities in CuteNews, potentially allowing malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/11964/

--
[SA11956] Apache Input Header Folding Denial of Service Vulnerability

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-06-28

Georgi Guninski has reported a vulnerability in Apache httpd, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/11956/

--
[SA11965] csFAQ "database" Parameter Path Disclosure

Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2004-06-30

DarkBicho has reported a weakness in csFAQ, allowing malicious people to see the installation path.

Full Advisory:
http://secunia.com/advisories/11965/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Jul 2 08:35:41 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 2 08:50:08 2004
Subject: [ISN] Military clashes with Coca-Cola over electronics used in promotion
Message-ID:

Forwarded from: Tcat Houser

http://www.chron.com/cs/CDA/ssistory.mpl/tech/news/2658910

By ELLEN SIMON
Associated Press
July 1, 2004

NEW YORK - There's a new security threat at some of the nation's military bases - and it looks uncannily like a can of Coke.

Specially rigged Coke cans, part of a summer promotion, contain cell phones and global positioning chips. That has officials at some installations worried the cans could be used to eavesdrop, and they are instituting protective measures.

Coca-Cola Co. says such concerns are nothing but fizz.

Mart Martin, a Coca-Cola spokesman, said no one would mistake a winning can from the "Unexpected Summer" promotion for a regular Coke.
The cans have a recessed panel on the outside and a big red button, he said, adding, "It's very clear that there's a cell phone device."

Winners activate it by pushing the button, which can only call Coke's prize center, he said. Data from the device can only be received by Coke's prize center.

"It cannot be an eavesdropping device," he said.

Nonetheless, military bases, including the U.S. Army Armor Center at Fort Knox, Ky., are asking soldiers to look over their Coke cans before going to classified meetings.

"We're asking people to open the cans and not bring it in if there's a GPS in it," said Master Sgt. Jerry Meredith, a Fort Knox spokesman.

Sue Murphy, a spokeswoman for Wright-Patterson Air Force Base in Dayton, Ohio, said personal electronic devices aren't permitted in some buildings and conference rooms.

The Marine Corps said all personnel had been advised of the cans and to keep them away from secure areas.

Paul Saffo, research director at the Institute for the Future, a technology research firm, compared the concern about the Coke cans to when the Central Intelligence Agency banned Furbies, the stuffed toys that could repeat phrases.

"There's things generals should stay up late at night worrying about," he said. "A talking Coke can isn't one of them."

But Bruce Don, a senior analyst at the Rand Corp., said the military's concern is rational.

"There's a lot of reason to worry about how that technology could be taken advantage of by a third party without Coke's knowledge," he said.
From isn at c4i.org Fri Jul 2 08:35:57 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 2 08:50:09 2004
Subject: [ISN] Homeland Security Rapped On Wireless Security
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=QPAWJ2SISJPDGQSNDBCSKHY?articleID=22103346

By Eric Chabrow
July 1, 2004

The Department of Homeland Security's Office of Inspector General contends the department has failed to establish adequate security controls over its wireless network.

In a report made public Wednesday, the inspector general said wireless policy is incomplete, procedures don't establish a sound baseline for wireless security implementation, and the National Wireless Management Office isn't exercising its full responsibilities in addressing Homeland Security's wireless technologies. In addition, the report said, the department hasn't established adequate security measures to protect its wireless networks and devices.

"Although the DHS security policy requires certification and accreditation for its systems to operate, none of the wireless systems reviewed had been certified or accredited," the 42-page report says. "As a result of these wireless network exposures, DHS cannot ensure that the sensitive information processed by its wireless systems are effectively protected from unauthorized accesses and potential misuse."

Except for the contention that the National Wireless Management Office isn't exercising its full responsibilities, department CIO Steve Cooper generally concurred with the inspector general's assessment. Cooper asserts that the Wireless Management Office has made significant progress and is improving its outreach throughout the department so all offices become aware of its existence and responsibilities.
In addition, Cooper said in a written response, the Wireless Management Office works closely with the department's chief information security officer to ensure that wireless security policy is properly formulated and disseminated, and that it's sufficient to ensure the department's wireless communications.

Despite Cooper's response, the inspector general stands by his conclusion that oversight by the office of wireless functionality needs to be improved.

The report cited a number of problems. For instance, the inspector general said his office performed random 802.11b detection scans at 10 department facilities to identify rogue wireless devices, verify signal coverage for access points, and review configuration settings to evaluate security controls. Of four department offices that use 802.11x technology, none monitored wireless activity. They also failed to set a schedule to review access-point logs to identify unauthorized login attempts or to determine whether rogue devices had been introduced into the network. In addition, the inspector general found several 802.11x security vulnerabilities.

The inspector general offered five recommendations it says would help the department remedy the identified deficiencies.
Specifically, the Homeland Security Department's CIO should:

* Define the conditions and limitations for using wireless technologies in the department's security policy

* Update the departmental IT Security Program Handbook for Sensitive Systems to include implementation procedures required by National Institute of Standards and Technology for the use of wireless technologies

* Require the National Wireless Management Office to provide the necessary oversight and guidance to align components' wireless programs with DHS's wireless goals--something Cooper contends it's already doing

* Implement a standardized configuration for wireless technologies on department networks

* Complete certification and accreditation for each departmental system

From isn at c4i.org Fri Jul 2 08:36:14 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 2 08:50:10 2004
Subject: [ISN] Usenix: Experts debate security through diversity
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,94250,00.html

By Tom Krazit
JULY 01, 2004
IDG NEWS SERVICE

The sheer number of worms and viruses directed at Microsoft Corp.'s Windows operating system and Internet Explorer browser have many in the computer industry wondering whether the cyberworld would be more secure if more users relied on alternatives to Microsoft's products.

That description appeared to fit about two-thirds of the few hundred system administrators and engineers attending a debate between two prominent security experts at the Usenix 2004 conference in Boston yesterday. A show of hands before and after the debate indicated that most of those in attendance would prefer a more diverse group of operating system and Web browser software.

A monoculture, whether it be in biological terms or in computing terms, has been shown to be inherently dangerous to members of that group, said Dan Geer, chief scientist at Verdasys Inc. Geer was formerly chief technology officer at security company @stake Inc. until he was fired last year for authoring a report critical of Microsoft's dominance of the computing industry and the insecurity of its products that stems from that position. Microsoft is an @stake client.

Operating-system diversity can be a relevant part of a secure network, but forcing companies to diversify their operating systems is a tough proposition in a time of declining IT budgets and heavy emphasis on return on investment, said Scott Charney, chief trustworthy computing strategist at Microsoft.

Geer likened the evolution of the computing world to the evolution of life on Earth, putting the computer industry at around "the blue-green algae" stage of development. Early organisms were forced to evolve and diversify to deal with threats, and the computer industry must also diversify if it is to confront the serious threat presented by professional hackers, he said.

"Nature has shown us that a monoculture is a primitive state, or a dying gasp," he said.

Not every monoculture leads to strife, Charney countered. He pointed to Southwest Airlines Co., which uses only Boeing 737 airplanes in its fleet. This allows Southwest to take any one of its pilots or maintenance staff and put them to work on any plane in its arsenal, which saves training costs.

The airline's reliance on the 737 is a bit of a gamble, since any directive from the U.S. Federal Aviation Administration grounding the 737 would effectively ground all of Southwest Airlines, Charney said. But this is a trade-off that Southwest views as acceptable given the cost savings it realizes from the decision to standardize on the Boeing 737.

Likewise, enterprises that standardize on Microsoft products take a risk that if Microsoft products are vulnerable to attack, they could lose important data, Charney said.
However, enterprises using products from a single vendor find it easier for their IT staffs to roll out patches and critical updates, and they can save the training and education costs required to teach those employees how to run other operating systems, he said.

The problem with that argument is that there will always be a few companies or individuals that fail to patch their systems against new threats, and those infected systems can be used to create havoc across the entire Internet, Geer said. If that's going to happen, the companies that have chosen to rely on a different operating system or Web browser will be protected against attacks launched at the vulnerable products, he said.

"I don't care what you get. I just don't want it," Geer said.

Ultimately, software vendors must stand up and be accountable for their products, Charney said. In the past, customers haven't been as concerned about security and didn't demand that vendors secure their products. But that has changed drastically over the past few years, he said.

Geer called the vulnerabilities in Microsoft's products "a national-security issue," claiming that the issue is far too important to the health of the Internet to leave up to the software vendors themselves.

From isn at c4i.org Tue Jul 6 05:32:00 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 6 06:07:19 2004
Subject: [ISN] E-Mail Snooping Ruled Permissible
Message-ID:

Forwarded from: Thor

I vehemently disagree... I can't imagine any scenario where anyone outside of a 3 letter agency would even begin to see this as a good thing. As an ISP, you need only stipulate your virus scans and spam blocks as part of the contractual agreement with your client - thus obtaining "consent" for those actions.
The incredibly narrow interpretation of the term "in transit" by Kermit the Judge, even in light of acknowledging the nature of the required storage of electronic communications in some form, not only creates precedent for future atrocities in regard to the violation of our privacy in general, it grants specific sweeping powers to those who wish to bypass the spirit of the wiretap law.

This is nothing but a Bad Thing (tm).

t

----- Original Message -----
From: "InfoSec News"
To:
Sent: Friday, July 02, 2004 5:34 AM
Subject: Re: [ISN] E-Mail Snooping Ruled Permissible

> Forwarded from: Mark Hoffer
>
> Hello:
>
> Coming from the ISP side of things, this is a great sigh of relief.
> Before this ruling, some could have interpreted the law in a way that
> the ISP could not scan for viruses or block spam. I agree that email
> should not be snooped on, but every user should know that the privacy
> of an email is like that of a postcard.
>
> Now about this wiretap law - is it unlawful for me to use a packet
> sniffer to troubleshoot a customer's connection and to watch for
> malicious traffic on my network?
>
> -Mark Hoffer
>
> ----- Original Message -----
> From: "InfoSec News"
> To:
> Sent: Thursday, July 01, 2004 7:33 AM
> Subject: [ISN] E-Mail Snooping Ruled Permissible
>
>
> > Forwarded from: Marjorie Simmons
> >
> > http://www.wired.com/news/politics/0,1283,64043,00.html
> >
> > By Kim Zetter
> > June 30, 2004
> >
> > E-mail privacy suffered a serious setback on Tuesday when a court
> > of appeals ruled that an e-mail provider did not break the law in
> > reading his customers' communications without their consent.
> >
> > The First Court of Appeals in Massachusetts ruled that Bradford C.
> > Councilman did not violate criminal wiretap laws when he
> > surreptitiously copied and read the mail of his customers in order
> > to monitor their transactions.
> >
> > Councilman, owner of a website selling rare and out-of-print
> > books, offered book dealer customers e-mail accounts through his
> > site. But unknown to those customers, Councilman installed code
> > that intercepted and copied any e-mail that came to them from his
> > competitor, Amazon.com. Although Councilman did not prevent the
> > mail from reaching recipients, he read thousands of copied
> > messages in order to know what books customers were seeking and
> > gain a commercial advantage over Amazon.

From isn at c4i.org Tue Jul 6 05:32:26 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 6 06:07:21 2004
Subject: [ISN] Microsoft's browser dominance at risk as experts warn of security holes
Message-ID:

http://news.independent.co.uk/world/science_technology/story.jsp?story=537951

By Charles Arthur
Technology Editor
05 July 2004

Its curved blue "e" sits on almost every computer desktop in the world, but the global dominance of Microsoft's web browser could soon be over following a stark security warning from a senior panel of internet experts who say it opens the door to online criminals.

They are urging all users of Internet Explorer (IE) to stop using the browser because they say it is vulnerable to hackers and credit card fraudsters. The alert, from the US Computer Emergency Response Team, comes as a blow to the global giant Microsoft, which has fought successfully to retain its dominance of the browser market - 95 per cent of internet surfers currently use IE.

The team, which advises the US government and is a senior authority on Net weaknesses, said that flaws in the software expose users to criminals who can spy on their activities, steal their personal details or send junk e-mail from their computers without them knowing. It said internet users should consider dumping the Microsoft software - which comes as standard installed on PCs - and switching to another web browser, such as the free Mozilla or commercial Opera products.
In its warning, under the technical title "Vulnerability Note 713878", the agency notes that IE has "significant vulnerabilities in technologies" but adds: "It is possible to reduce exposure to these vulnerabilities by using a different web browser."

The advice - which echoes rising concern in the internet security community - follows a continuing tide of attacks taking advantage of holes in IE. In the past seven days, security experts have discovered criminals using two different "vulnerabilities" in IE to exploit Windows PCs. The first, called "Download.JECT", silently redirected the browser to a Russian website and made it download software that monitored key strokes and would send out spam.

Last week researchers at the Internet Storm Centre discovered a malicious program that used a flaw in the software to install itself on the user's PC when a particular pop-up ad appeared. It would then monitor the user's typing when they visited any of 50 bank sites, including Barclays Bank, Citibank and Deutsche Bank.

Neil Barrett, security consultant of Information Risk Management, which carries out internet security audits of companies and software, said: "The number and seriousness of the vulnerabilities is now getting past a joke.

"Some of the things that can be done to it are really powerful from the hacker's point of view. There are presently more than 30 attacks that it's vulnerable to which haven't been fixed by Microsoft."

Johannes Ullrich, chief technology officer for the Sans Internet Security Centre in the US, said: "To keep on using IE is like playing the lottery. You're hoping the sites you visit aren't compromised." He said the most recent attacks were "a wake-up call for users to switch to another browser".

The problems with IE are symptomatic of Microsoft's difficulties with security, experts said.
The arrival of the internet has led hackers to concentrate on the most widely used products searching for weaknesses, and scores of flaws have surfaced in Windows, as well as Microsoft's IIS web server software and its Outlook Express e-mail software.

In January 2002 Bill Gates, founder of Microsoft, e-mailed all employees saying that the company should alter the way it wrote software to incorporate greater security against such threats. But the damage may already have been done.

Steve Linford, chief executive of the anti-spam organisation Spamhaus, said: "The problem is that Microsoft assumes its users are stupid, and it comes with everything wide open to attack.

"Microsoft seems to think that if it has things turned off, people will never discover how to turn them on."

Spamhaus estimates that more than 70 per cent of the 8 billion spam e-mails sent every day come from home and business PCs that have been subverted by programs downloaded over the Net.

VULNERABILITIES IN EXPLORER

* Pop-up ads can silently download software that will use your computer to send out spam or install "Trojans" that watch your typing.

* E-mails by "phishers" can grab bank details by using malicious internet addresses preceded by a real one. If you open it with IE, you will only be shown the first part of the address, with the rest hidden. Users may trust the address and give the criminals their details.

* Another "phishing" attack uses the "fake address" method above and puts a pop-up window with an image of a padlock on top of the window. This looks like a "secure" website. IE has no built-in means to block pop-up windows.

* Some pornography websites use IE to silently download software that changes the computer's internet settings to dial a premium-rate number.

* One pop-up ad installs software that monitors whether you visit any of 50 banking sites, including Barclays and Citibank. When you do, it monitors your keystrokes and sends them to a website in San Diego.
From isn at c4i.org Tue Jul 6 05:32:47 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 6 06:07:23 2004
Subject: [ISN] SSH Users beware: The hazards of X11 forwarding
Message-ID:

+------------------------------------------------------------------+
| Linux Security: Tips, Tricks, and Hackery           05-July-2004 |
| Published by Onsight, Inc.                               Edition |
|                                                                  |
| http://www.hackinglinuxexposed.com/articles/20040705.html        |
+------------------------------------------------------------------+

This issue sponsored by LinuxQuestions.org.

LinuxQuestions.org is a free, friendly and active Linux Community with over 100,000 members. Founded in 2000, LQ offers forums, reviews, a Linux hardware compatibility list, a Linux knowledge base in wiki format, Linux tutorials and more. LQ has forums for everything from Linux Newbies to Linux in the Enterprise and has over 15 officially recognized Linux distribution forums.

--------------------------------------------------------------------

SSH Users beware: The hazards of X11 forwarding
By Brian Hatch

Summary: Logging into another machine can compromise your desktop...

------

The last two articles have discussed the security model of X11, the guts behind Linux window managers and all things graphical.[1] Essentially, if you can contact the X11 server process, you can do anything you want to it, such as sniffing all keystrokes, dumping or manipulating windows, etc.

In order to access the server, you must have two things:

1. The MIT Magic Cookie that the server requires, if any. (Most distros set up X11 to require these, which is good.)

2. Access to the X11 server's socket, be it a network TCP socket or a unix domain socket.

In my previous examples, I showed you how you can satisfy these requirements by being root on the machine on which the X11 server is running. I got lots of hate mail because of it, with arguments like the following:

"But if they already have root, the game is lost!"

"I don't let anyone on my machine, so it's a moot point!"

"I don't have sshd running, so how could they get in anyway?"

These are all valid (and anticipated) statements. Here's where I get to say "Trust me, I was getting somewhere important..."

Enter SSH, a wonderful encrypted remote login/file transfer/port forwarding/you name it protocol. You probably use it when you log into other Linux machines, such as your shell server, email account, etc.[2] SSH has the ability to tunnel X11 connections through it - this feature is called X11 Forwarding.

In brief, if you are on your desktop attached to an X11 display (you can run xclock for example) then when you SSH to a different machine, it can tunnel X11 over the connection. You can run graphical X11 applications on the remote machine, but they display back on your desktop.

Here's the nitty gritty: upon logging into the remote system, the ssh server process binds a TCP port (let's say 6010), creates you an MIT Magic Cookie on the server by running xauth, and then sets the $DISPLAY environment variable to point to its port (for example $DISPLAY=localhost:10.0 [3]). When you run an X11 application, it reads the $DISPLAY variable, connects to the X11 server (in this case the sshd process on the remote system) and provides the magic cookie (by reading ~/.Xauthority). sshd verifies the cookie, and passes the data back to the ssh process on your desktop over the encrypted link. ssh on your desktop then forwards the data to the actual X11 server on your desktop, using the desktop's cookie.

Now all of this happens behind the scenes -- all you notice is that you log into the remote machine, and when you run an X11 application, the window appears on your desktop. This is cool, this is great, this is secure - encrypted from end to end.[4]

But even though the X11 application is secure, you've opened up a new vulnerability.
If someone on the server can read your ~/.Xauthority file (hopefully only root, but if you have bad file permissions you're in trouble), and can connect to the port that sshd has bound (which anyone can) then they can access your desktop's X11 server, even if they're not anywhere near you!

Let's reiterate: if you log in via SSH to a remote server with X11 forwarding, root on that server can access your desktop, sniff your keystrokes, abuse your windows, you name it. If you have bad permissions on your ~/.Xauthority file, then anyone on that server can control your desktop.

OpenSSH used to have X11 forwarding enabled by default, but luckily newer versions have changed this. Unfortunately, some Linux distributions still enable it by default in the global /etc/ssh/ssh_config file.[5] This means that any time you SSH to another machine, that machine's administrators could attack you. Not good, definitely not good.

Now is this something that occurs in the real world? Heck yes -- I've seen more than one free shell account provider with unethical administrators who used this feature to snoop passwords and other information. Again, you may point out that they can already gather any of this data sent to the machine you've logged into. But the fact they can access keystrokes that are never going to their server at all is a very different and worrisome situation.

So, when should you enable X11 forwarding? Only when you really really need to, and only to machines which you trust. In addition, if you must perform actions outside the X11 application (for example opening up a different terminal and logging in somewhere) you can enable the 'secure keyboard' feature of some programs (for example hitting 'ctrl right-button' in xterm and selecting the first option) to keep your keystrokes from being available to anything but that one window.
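The global ssh_config default mentioned above can be checked rather than guessed, because the ssh client applies a simple rule: for each option, the first value obtained wins, and a "Host *" block therefore only supplies defaults for options that no earlier block has already set. The POSIX shell script below is an added example, not Brian Hatch's code and not part of OpenSSH; it resolves an option for a host from config text the way ssh does. The host names and both config samples are constructed placeholders; the parser understands only literal host names and the "*" pattern, not the "Option=value" spelling or "!" negation.

```shell
#!/bin/sh
# Added example (not from the newsletter): resolve the effective value of an
# ssh_config option for a given host, following the client's own rule that the
# FIRST value obtained for an option is the one used. Consequence: a "Host *"
# block acts as a default only when it appears AFTER the host-specific blocks.
# Supported: literal host names and the "*" pattern. Not supported on purpose:
# "Option=value" syntax and negated "!" patterns.

# Constructed sample, host-specific block first, "Host *" defaults last.
# Host names are placeholders, not real machines.
SAFE_CONFIG='
Host trusted-workstation
    ForwardX11 yes

Host *
    ForwardX11 no
    ForwardAgent no
'

# Same options with the "Host *" block placed first: ssh keeps the first value
# it sees, so the later per-host "ForwardX11 yes" never takes effect.
SHADOWED_CONFIG='
Host *
    ForwardX11 no
    ForwardAgent no

Host trusted-workstation
    ForwardX11 yes
'

# ssh_option CONFIG_TEXT HOST OPTION
# Prints the effective value, or "unset" when no matching block sets it.
ssh_option() {
    printf '%s\n' "$1" | awk -v host="$2" -v opt="$3" '
        BEGIN { active = 1; opt = tolower(opt); found = "" }  # lines before any Host block apply to all hosts
        /^[[:space:]]*#/ { next }                              # comment line
        NF == 0 { next }                                       # blank line
        {
            key = tolower($1)
            if (key == "host") {
                # A Host line opens a block; it is active if any pattern matches.
                active = 0
                for (i = 2; i <= NF; i++)
                    if ($i == "*" || tolower($i) == tolower(host)) active = 1
                next
            }
            # First match wins: later blocks cannot override an option already set.
            if (active && key == opt && found == "") found = $2
        }
        END { print (found == "" ? "unset" : found) }
    '
}

# x11_forwarding_enabled CONFIG_TEXT HOST
# Exit status 0 when the config would turn X11 forwarding on for HOST.
# "unset" counts as "no", which is the OpenSSH client default.
x11_forwarding_enabled() {
    [ "$(ssh_option "$1" "$2" ForwardX11)" = "yes" ]
}

# Stand-alone demonstration of the ordering difference.
for host in trusted-workstation shell.example.invalid; do
    printf '%-22s safe config: ForwardX11=%s   shadowed config: ForwardX11=%s\n' \
        "$host" \
        "$(ssh_option "$SAFE_CONFIG" "$host" ForwardX11)" \
        "$(ssh_option "$SHADOWED_CONFIG" "$host" ForwardX11)"
done
```

To audit a real client, feed the function the contents of ~/.ssh/config followed by /etc/ssh/ssh_config, in that order, since that is the order ssh reads them; a distribution that ships "ForwardX11 yes" in the global file then shows up as the effective value for every host your own config does not mention.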
But a malicious user could still perform all of the other tricks discussed last time, such as getting screenshots of those secure windows.

It's best to enable X11 forwarding manually, ssh to the other system, run your X11 application, and log out as soon as possible. To turn off X11 forwarding by default, add the following to the bottom of your ~/.ssh/config file, or the global /etc/ssh/ssh_config file:

    Host *
        ForwardX11 no
        ForwardAgent no

(Note: the last line also disables the SSH Agent forwarding - you can probably guess why that's a bad idea at this point.)

If you need to have X11 forwarding for a connection, run ssh with the -X flag, for example:

    $ ssh -X server /usr/bin/display filename.jpg

Following this method, you'll never accidentally log in with SSH X11 Forwarding enabled.

SSH X11 Forwarding is a wonderful thing when you need it - it's much better than sending your connections back to your desktop in the clear - but you need to understand that you open your entire environment up to any attacker on the server. Use it wisely and sparingly.

NOTES:

[1] Ok, tis true, there are some things that let you have graphics even in plain text TTYs, such as w3m, the greatest text based web browser in the world. If you never go into X11, you can stop reading this article now.

[2] From my desktop alone, I have 45 outbound SSH connections at the time I write this. Probably half of those are to bounce through firewalls and are running multiple SSH sessions via screen. Thank goodness for SSH -- I don't know how all those point-and-click users administer their machines.

[3] Why is it localhost:10.0 instead of localhost:6010? Normally, the first X11 display is on port 6000, the next on port 6001, which get abbreviated as :0, :1 and so on. SSH binds higher than the number of actual physical displays that are expected (very few desktops run more than one X11 display, much less nine of them) which is why it starts at 6010 and works its way up.
[4] Those who try this over anything but a LAN connection will also note that this is slow... X11 can use a lot of bandwidth.

[5] Just to be more confusing, some disable X11 forwarding on the server by default, which means the user has no ability to use it even if they want to, even though this could only be used to attack the user, not the server. Very weird -- I don't grasp the logic here.

-------------
Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He looks back on his college days of playing xtank at 3am and wonders "Did anyone steal my passwords when we all ran 'xhost +'"? Brian can be reached at brian@hackinglinuxexposed.com.

--------------------------------------------------------------------
This newsletter is distributed by Onsight, Inc.

The list is managed with MailMan (http://www.list.org). You can subscribe, unsubscribe, or change your password by visiting http://lists.onsight.com/ or by sending email to linux_security-request@lists.onsight.com.

Archives of this and previous newsletters are available at http://www.hackinglinuxexposed.com/articles/
--------------------------------------------------------------------
Copyright 2004, Brian Hatch.

From isn at c4i.org Tue Jul 6 05:33:00 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 6 06:07:26 2004
Subject: [ISN] US Air Force unveils cyberwar swords & shields
Message-ID:

http://www.theinquirer.net/?article=17008

By Doug Mohney
05 July 2004

OVER THE PAST month, U.S. Air Force briefers have been unveiling capabilities and strategies to wargeek pubs like Jane's and Aviation Week for "Information Operations", a term that encompasses computer network attack and defense together with more "traditional" electronic warfare activities and psychological warfare (psyops). IO is a relatively new invention recently applied to Iraq last year during the effort to oust Saddam Hussein.
One success touted by a senior AF general was a combination of psyops leaflets dropped by airplanes together with e-mail pumped into the Iraqi military's computer network to dissuade Iraqi troops from fighting. IO operations was likely one of the main reasons Tom Clancy fans didn't see the use of the much-anticipated EMP bomb, a weapon designed to disrupt (scramble) or destroy (fry) electronics with a burst of microwaves. Future IO missions are expected to be integrated into the existing range of "kinetic solutions" (i.e. dropping a 2,000 lb bomb) in a seamless set of solutions.

Another capability the AF would like to de-classify is the ability to turn anti-aircraft missiles stupid, making them miss aircraft without bombs. "I look forward to the day when we can convince a surface-to-air missile that it is a Maytag in a rinse cycle," said General Hal Hornburg in an interview with Aviation Week. The capability is available in the computer network attack toolbox to penetrate and manipulate another military's communications network. Declassifying the capability would make it quicker to implement into future operations.

Classified exercises have demonstrated the Air Force's ability to enter into an enemy's air defense computer network, see and monitor what the enemy radars could detect in real time, and the ability to take over the network as a systems administrator and start manipulating radars. Currently, this capability has been demonstrated on the EC-130 Compass Call aircraft, a slow 4 engine cargo plane loaded with electronic gear, but the Air Force has jawed up the ability of this mission to be taken up by the much more sexy and expensive F/A-22 fighter aircraft.

Air Force computer network defence also falls under the IO mission. During Iraqi operations, Air Force defenders took such steps as blocking out chunks of Internet addresses known to be used by overseas hackers for attacks. Commanders are concerned hackers will pass through a U.S. Internet Service Provider to launch attacks, using the ISP as a legal shield. Under American law, the military is precluded from operating against U.S. civilian interests, so civilian law enforcement must be called in to investigate and take action. Needless to say, this takes time and bureaucracy. In the future, the Air Force would like to see the creation of a hot-pursuit capability that would allow them to go after attackers regardless of where they are coming from.

From isn at c4i.org Tue Jul 6 05:33:20 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 6 06:07:27 2004
Subject: [ISN] Linux Security Week - July 5, 2004
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com                             Weekly Newsletter     |
| July 5, 2004                                  Volume 5, Number 27n  |
|                                                                     |
| Editorial Team:  Dave Wreski                  dave@linuxsecurity.com |
|                  Benjamin Thomas              ben@linuxsecurity.com  |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Security: The root of the problem", "Fighting Network threats with a Network Analyzer", "Wireless endpoint security: Tie up the loose ends" and "Seven habits of highly secure companies".

>>> Need to Secure Multiple Domain or Host Names?

Securing multiple domain or host names need not burden you with unwanted administrative hassles. Learn more about how the cost-effective Thawte Starter PKI program can streamline management of your digital certificates. Click here to download our Free guide:

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawte07

----

LINUX ADVISORY WATCH:

This week, advisories were released for apache, dhcp, kernel, mailman, gzip, Pavuk, Esearch and libpng.
The distributors include Debian, Fedora, FreeBSD, Gentoo, Mandrake, Suse and Trustix.

http://www.linuxsecurity.com/articles/forums_article-9467.html

----

Open Source Leaving Microsoft Sitting on the Fence?

The open source model, with special regard to Linux, has no doubt become a formidable competitor to the once sole giant of the software industry, Microsoft. It is expected when the market share of an industry leader becomes threatened, retaliation with new product or service offerings and marketing campaigns refuting the claims of the new found competition are inevitable. However, in the case of Microsoft, it seems they have not taken a solid or plausible position on the use of open source applications as an alternative to Windows.

http://www.linuxsecurity.com/feature_stories/feature_story-168.html

--------------------------------------------------------------------

Interview with Brian Wotring, Lead Developer for the Osiris Project

Brian Wotring is currently the lead developer for the Osiris project and president of Host Integrity, Inc. He is also the founder of knowngoods.org, an online database of known good file signatures. Brian is the co-author of Mac OS X Security and a long-standing member of the Shmoo Group, an organization of security and cryptography professionals.

http://www.linuxsecurity.com/feature_stories/feature_story-164.html

--------------------------------------------------------------------

Guardian Digital Launches Next Generation Secure Mail Suite

Guardian Digital, the premier open source security company, announced the availability of the next generation Secure Mail Suite, the industry's most secure open source corporate email system. This latest edition has been optimized to support the changing needs of enterprise and small business customers while continually providing protection from the latest in email security threats.
http://www.linuxsecurity.com/feature_stories/feature_story-166.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Another big Apache hole found
June 30th, 2004

Linux and Unix vendors are releasing fixes for a critical bug in the popular Web server Apache that could allow attackers to crash the system or execute malicious code. The bug affects Apache 1.3.x installations configured to act as proxy servers, which relay requests between a Web browser and the Internet.

http://www.linuxsecurity.com/articles/server_security_article-9460.html

* Security: The root of the problem
June 29th, 2004

It doesn't seem that a day goes by without someone announcing a critical flaw in some crucial piece of software or other. Is software that bad? Are programmers so inept? What the heck is going on, and why is the problem getting worse instead of better? One distressing aspect of software security is that we fundamentally don't seem to "get it."

http://www.linuxsecurity.com/articles/server_security_article-9454.html

* ISO endorses key security certification
June 29th, 2004

The International Standards Organization last week gave its stamp of approval to the CISSP security certification for IT workers, and a half-dozen security managers said the endorsement should help enhance the certification's legitimacy and acceptance.

http://www.linuxsecurity.com/articles/security_sources_article-9455.html

+------------------------+
| Network Security News: |
+------------------------+

* Fighting Network threats with a Network Analyzer
July 2nd, 2004

This article shows how a network analyzer, historically used for network troubleshooting, can also be used to defend against the security threats.
Certain features of a network analyzer can be set to monitor for virus and attack signatures and offer quick ways of isolating infected systems. For those organizations that are looking to invest in a network analyzer there are certain key features that should be considered.

http://www.linuxsecurity.com/articles/intrusion_detection_article-9466.html

* Cookie Path Best Practice
July 1st, 2004

Cookies provide a method for creating a stateful HTTP session and their recommended use is formally defined within RFC2965 and BCP44. Although they are used for many purposes, they are often used to maintain a Session ID (SID), through which an individual user can be identified throughout their interaction with the site. For a site that requires authentication, this SID is typically passed to the user after they have authenticated and effectively maintains the authentication state.

http://www.linuxsecurity.com/articles/documentation_article-9465.html

* 802.11 Wireless LAN Fundamentals - Book Review
June 30th, 2004

Wireless networks and technologies are no longer a new concept. The freedom of flexibility, increase of productivity and the much sought-after mobility are only few of the benefits that 802.11-based networks provide. This appeals to the enterprise and home users to take the next step and deploy a wireless network onto their network and business infrastructure.

http://www.linuxsecurity.com/articles/security_sources_article-9458.html

* Wireless endpoint security: Tie up the loose ends
June 28th, 2004

Endpoint security transcends the use of personal firewalls and antivirus software. Endpoint devices such as laptops, home-office and remote desktops, and Internet-enabled handhelds are some of the biggest headache sources for security managers. It's hard enough keeping your in-house workstations and servers secure with up-to-date antivirus software and the latest patches and updates.
http://www.linuxsecurity.com/articles/network_security_article-9450.html +------------------------+ | General Security News: | +------------------------+ * Usenix: Experts debate security through diversity July 2nd, 2004 The sheer number of worms and viruses directed at Microsoft Corp.'s Windows operating system and Internet Explorer browser have many in the computer industry wondering whether the cyberworld would be more secure if more users relied on alternatives to Microsoft's products. That description appeared to fit about two-thirds of the few hundred system administrators and engineers attending a debate between two prominent security experts at the Usenix 2004 conference in Boston yesterday. http://www.linuxsecurity.com/articles/host_security_article-9468.html * E-Mail Snooping Ruled Permissible July 1st, 2004 E-mail privacy suffered a serious setback on Tuesday when a court of appeals ruled that an e-mail provider did not break the law in reading his customers' communications without their consent. The First Court of Appeals in Massachusetts ruled that Bradford C. Councilman did not violate criminal wiretap laws when he surreptitiously copied and read the mail of his customers in order to monitor their transactions. http://www.linuxsecurity.com/articles/privacy_article-9462.html * Seven habits of highly secure companies June 30th, 2004 Companies, like the humans who make them run, are creatures of habit. Some of those habits can make information systems more secure, rather than less. There's no such thing as absolute security, of course. But the seven best practices of highly secure companies are a standard against which CEOs can measure their organizations. http://www.linuxsecurity.com/articles/network_security_article-9459.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. 
LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From coryd at euler.com Fri Jul 2 12:33:08 2004
From: coryd at euler.com (Cory D)
Date: Tue Jul 6 06:07:29 2004
Subject: [ISN] E-Mail Snooping Ruled Permissible
In-Reply-To:
Message-ID:

-- You seem to be misinformed on common wiretap laws.

-- As for your sigh of relief, it bothers me. When reading the case, the individual(s)' rights were violated.

--- The Wiretap Act "Provider Exception" 18 U.S.C. § 2511(2)(a)(i)

(i) It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks...

Since he used the information for profit and gain, it seems to me that it did violate the wiretap law. As you can also see, this informs you that you can use IDS equipment to protect yourself from unwanted trespassers. If you try to say that the "Pen Register" and "Trap and Trace" statutes allow you to do this, you are wrong again. They only allow you to capture ports, header information, etc., but not the content of what is being delivered.

Face it, the judges had no idea what they were talking about when passing judgment. Their reasoning is that they were capturing (copying) data stored in RAM and because of this it does not convey a violation of the wiretap laws. Well, if that's the case then the government does not need a warrant to "capture" anyone's email, and programs like "Carnivore" come to mind. That to me sounds way too close to "1984" and the fact that "Big Brother" is on the doorstep with the baton in hand.

-- Cory Durand

-----Original Message-----
From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org]On Behalf Of InfoSec News
Sent: Friday, July 02, 2004 7:35 AM
To: isn@attrition.org
Subject: Re: [ISN] E-Mail Snooping Ruled Permissible

Forwarded from: Mark Hoffer

Hello:

Coming from the ISP side of things, this is a great sigh of relief. Before this ruling, some could have interpreted the law in a way that the ISP could not scan for viruses or block spam. I agree that email should not be snooped on, but every user should know that the privacy of an email is like that of a postcard.

Now about this wiretap law - is it unlawful for me to use a packet sniffer to troubleshoot a customer's connection and to watch for malicious traffic on my network?

-Mark Hoffer

----- Original Message -----
From: "InfoSec News"
To:
Sent: Thursday, July 01, 2004 7:33 AM
Subject: [ISN] E-Mail Snooping Ruled Permissible

> Forwarded from: Marjorie Simmons
>
> http://www.wired.com/news/politics/0,1283,64043,00.html
>
> By Kim Zetter
> June 30, 2004
>
> E-mail privacy suffered a serious setback on Tuesday when a court of
> appeals ruled that an e-mail provider did not break the law in
> reading his customers' communications without their consent.
>
> The First Court of Appeals in Massachusetts ruled that Bradford C.
> Councilman did not violate criminal wiretap laws when he
> surreptitiously copied and read the mail of his customers in order
> to monitor their transactions.
>
> Councilman, owner of a website selling rare and out-of-print books,
> offered book dealer customers e-mail accounts through his site. But
> unknown to those customers, Councilman installed code that
> intercepted and copied any e-mail that came to them from his
> competitor, Amazon.com. Although Councilman did not prevent the mail
> from reaching recipients, he read thousands of copied messages in
> order to know what books customers were seeking and gain a
> commercial advantage over Amazon.

_________________________________________
Help InfoSec News with a donation: http://www.c4i.org/donation.html

From wk at c4i.org Tue Jul 6 05:34:30 2004
From: wk at c4i.org (William Knowles)
Date: Tue Jul 6 06:07:32 2004
Subject: [ISN] Call for donations!
Message-ID:

Call for donations for InfoSec News and C4I.org!
http://www.c4i.org/donation.html

Richard Clarke once said...

"If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked."

InfoSec News is always in a cash crunch. While we could start accepting funds in lieu of sponsorship on the list, we would rather take donations from subscribers to keep InfoSec News advertising free. It's sorely needed and helps a good cause!

For $1.00 at the local diner, you can buy a bottomless cup of coffee. At the local bookstore, a large three shot, double latte cappuccino is about $4.00. Ideally we'd like to see every InfoSec News subscriber sacrifice at least one or two days without his or her coffee to enable us to buy the equipment needed to not only continue the work we've been doing, but improve our services.

In classic public broadcasting style, if you can make a donation of $50 or more, we'll include this year's swank C4I.org shirt and a sticker, and if you have donated $50 or more in the past, thank you very much, I will be contacting you shortly for your shirt size!
Immediate and near term improvements such as a digest version of the list have been implemented (spam & worms have been stopped dead), a server has been purchased, hosting has been taken care of, and RSS feeds of InfoSec News and other crucial security mailing lists will be available soon, as well as the capability to run searches of past InfoSec News articles.

A donation of $1 to $4 isn't a lot when you consider the work done behind the scenes here, such as dealing with Microsoft SMTPSVC, bounced mail, and dead addresses. It's no small feat finding, filtering, formatting, and analyzing the news stories that more than 3800 information security, homeland defense, and open source intelligence professionals depend on daily.

http://www.c4i.org/donation.html

Through PayPal we can accept donations in the following currencies: U.S. Dollars, Canadian Dollars, Euros, Pounds Sterling, & Yen.

Using Amazon's Honor System, you can use your credit card without retyping it if Amazon already has it on file. However, Amazon keeps approximately 15 percent of each donation.

If you don't trust either one of those methods, that's OK, the mailing address here is...

C4I.org
Post Office Box 24
Golf, Illinois 60029-0024
U.S.A

Donations to C4I.org may be tax deductible, check with your tax advisor.

Thank you for your consideration!

William Knowles
wk@c4i.org

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/donation.html
*==============================================================*

From isn at c4i.org Tue Jul 6 05:52:37 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 6 06:07:34 2004
Subject: [ISN] iPod is latest security risk for business, say analysts
Message-ID:

http://software.silicon.com/security/0,39024655,39121918,00.htm

[Gartner rehashing old ISN posts? http://seclists.org/isn/2002/Mar/0002.html :) - WK]

By Andrew Donoghue
silicon.com
July 06 2004

Companies should consider banning portable storage devices such as Apple's iPod from corporate networks as they can be used to introduce malware or steal corporate data, according to an analyst.

Small portable storage products can bypass perimeter defenses like firewalls and antivirus at the mailserver, and introduce malware such as Trojans or viruses onto company networks, claimed analyst house Gartner in a report issued this week.

Analysts have warned for some time of the dangers of using portable devices, but the report points out these also now include "disk-based MP3 players, such as Apple's iPod, and digital cameras with smart media cards, memory sticks, compact flash and other memory media."

Another potential danger is that the devices - which typically make use of USB and FireWire - could be used to steal large amounts of company data as they are faster to download to than CDs. Also the size of the portable devices means they can be easily misplaced or stolen.

Gartner advises that companies should forbid the use of uncontrolled, privately owned devices with corporate PCs and adopt personal firewalls to limit what can be done on USB ports.
"Businesses must ensure that the right procedures and technologies are adopted to securely manage the use of portable storage devices like USB 'keychain' drives. This will help to limit damage from malicious code, loss of proprietary information or intellectual property, and consequent lawsuits and loss of reputation," the report stated.

Andrew Donoghue writes for ZDNet UK

From dedennin at nps.edu Tue Jul 6 19:48:20 2004
From: dedennin at nps.edu (Denning, Dorothy USA)
Date: Wed Jul 7 06:45:40 2004
Subject: [ISN] E-Mail Snooping Ruled Permissible
Message-ID:

The ruling doesn't give the government blanket access because they are still constrained by the statutes that protect stored wire and electronic communications. To compel disclosure of unretrieved communications that have been in storage 180 days or less, the government needs a search warrant [Title 18, Sec. 2703(a)]. However, a non-public provider (e.g., private company) can voluntarily disclose such e-mail [Sec. 2702(a)(1)]; a public provider generally cannot, but there are exceptions [Sec. 2702(b)].

Dorothy Denning

-----Original Message-----
From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org]On Behalf Of Cory D
Sent: Friday, July 02, 2004 9:33 AM
To: isn@attrition.org
Subject: RE: [ISN] E-Mail Snooping Ruled Permissible

_________________________________________
Help InfoSec News with a donation: http://www.c4i.org/donation.html

From wk at c4i.org Wed Jul 7 05:39:31 2004
From: wk at c4i.org (William Knowles)
Date: Wed Jul 7 06:45:41 2004
Subject: [ISN] Call for donations!
Message-ID:

Call for donations for InfoSec News and C4I.org!
http://www.c4i.org/donation.html

From isn at c4i.org Wed Jul 7 06:10:14 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 7 06:45:42 2004
Subject: [ISN] REVIEW: "Network Security Jumpstart", Matthew Strebe
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKNTSCJS.RVW 20030604

"Network Security Jumpstart", Matthew Strebe, 2002, 0-7821-4120-X, U$24.99/C$39.95/UK#18.99
%A Matthew Strebe mbs+jumpstart@connectic.net
%C 1151 Marina Village Parkway, Alameda, CA 94501
%D 2002
%G 0-7821-4120-X
%I Sybex Computer Books
%O U$24.99/C$39.95/UK#18.99 800-227-2346 info@sybex.com
%O http://www.amazon.com/exec/obidos/ASIN/078214120X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/078214120X/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/078214120X/robsladesin03-20
%P 365 p.
%T "Network Security Jumpstart"

The introduction states that this book is suitable for anyone from the home user to the network administrator to the CEO.
Which is a pretty tall order.

Chapter one has a decent overview of why computers aren't secure, a scant computer security history, a few security concepts, and a fairly trivial set of "review" questions. There is a media level exposition on "hackers," in chapter two, a rough outline of intrusion procedures, and a list of specific attacks that I'm not sure the author fully understands. (Immediately following "Denial of Service" comes a separate entry for "Floods": flooding being a type of denial of service.) There is a terse introduction to cryptography, and not much more than chapter one gave us about authentication, in chapter three. The suggestions for policy creation, in chapter four, aren't bad for simple cases, but seriously understate the difficulty of establishing a full policy, even for home users. Chapter five describes firewalls (and seven tells a little bit more about using them at home). Chapter six makes the common mistake of assuming that all VPNs (Virtual Private Networks) are about confidentiality: some are merely about managing communications configurations.

There is some correct and useful information about viruses in chapter eight, but it is unfortunately mixed in with a lot of garbage. Windows NT and its subsequent versions are *not* immune to viruses, although a rigorous set of file permissions can reduce your risk of file infectors (which are no longer a major category anyway). Signature scanners are *not* the only type of antiviral software. Viruses were *not* invented by accident, BRAIN *never* had an onscreen display and didn't infect program files, and neither Stoned nor Jerusalem (Friday the 13th is one variant) were based on BRAIN. Neither Stoned nor BRAIN relied on program sharing to propagate: data disks were quite sufficient. Viruses that only replicate are *not* benign (anybody ever have problems with Stoned? Melissa? Loveletter?), *will* be discovered, and scanning signatures *are* created.

Fault tolerance, in chapter nine, is not quite business continuity planning (BCP), but does go beyond the usual UPS (Uninterruptible Power Supply) and backup recommendations. Although chapter ten lists a number of security mechanisms in Windows, a practical understanding of their use is not presented. The UNIX tools in eleven are described more usefully--but they only relate to file permissions. The network security tools for UNIX are in twelve--but are only enumerated. Chapter thirteen has good suggestions for Web server security--but doesn't say how to implement them. A random collection of email security tools and threats makes up chapter fourteen. IDS (Intrusion Detection System) concepts are not explained very well in chapter fifteen: Strebe apparently doesn't understand that all forms use audit data of one type or another, and doesn't list the major distinctions between either the engine type or sensor location.

Even given all the faults, one has to admit that Strebe has not done a bad job with his ambitious intent. Certainly home users and CEOs can find better explanations here than in many of the other works aimed at them, however much I might wish that the book as a whole was more accurate. And, yes, even the network administrators might find some helpful points in the more conceptual material at the beginning of the book: most of them could do with a better understanding of the need for policy. This work isn't great, by any means, but it can fulfill a need for a quick guide to network threats, for a variety of audiences.

copyright Robert M. Slade, 2004 BKNTSCJS.RVW 20030604

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
Keep away from people who try to belittle your ambitions. Small people always do that, but the really great make you feel that you, too, can become great.
- Mark Twain
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Wed Jul 7 06:11:43 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 7 06:45:43 2004
Subject: [ISN] CA sued (again): This time for $800m
Message-ID:

http://software.silicon.com/applications/0,39024653,39121939,00.htm

Will Sturgeon
silicon.com
July 06, 2004

Computer Associates has been hit with an $800m lawsuit by a group of three Canadian security companies that claim the New York-based software giant ripped off their intellectual property when developing its own security applications.

CA is also accused of serious breaches of contract in the court filing, though the company denies any wrongdoing and says the filing lacks any merit.

NI Group, Scienton Technologies and Secure-IT claim CA stole concepts and software as well as failing to honour a contract to pay up for development and implementation work carried out for a number of CA customers.

At the centre of the accusations are two CA products - eTrust 20/20 and Command Center. In both instances, it is claimed CA stole ideas and intellectual property from the complainants following previous work carried out with the Ontario-based companies.

The lawsuit, filed with a federal court in New York, claims damages in excess of $800m and while a CA spokesman claimed the accusations have "no merit", its second major lawsuit in recent weeks is further evidence of the company's troubled and ongoing attempts to haul itself out of a two-year-long lawsuit and federal investigation-related malaise.

Major investor and long-term boardroom agitator Sam Wyly recently announced his intention to seek damages of around $1bn from Computer Associates.
From isn at c4i.org Wed Jul 7 06:13:06 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 7 06:45:44 2004
Subject: [ISN] Wendy's Drive-up Order System Information Disclosure
Message-ID:

Forwarded from: mi2g-research@hushmail.com
To: full-disclosure@lists.netsys.com
Cc: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org

[Real mi2g, fake mi2g, whatever, it had me in stitches! :) - WK]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- SIPS EXCERPT -- ADVISORY -- SIPS EXCERPT -- ADVISORY --

Wendy's Drive-up Order System Information Disclosure

Reporter: mi2g (http://www.mi2g.com/)
Date: July 07, 2004
Severity: Medium to High
Attack Class: Physical, Remote, Race Condition
Vendor: Wendy's (http://www.wendys.com/)

I. BACKGROUND

Wendy's International, Inc. is one of the world's largest restaurant operating and franchising companies with more than 9,300 total restaurants and quality brands - Wendy's Old Fashioned Hamburgers®, Tim Hortons® and Baja Fresh® Mexican Grill. The Company invested in two additional quality brands during 2002 - Cafe Express® and Pasta Pomodoro®.

II. DESCRIPTION

Remote exploitation of the Wendy's Drive-up ordering system allows an attacker to gain sensitive information about the order of arbitrary customers.

During customer/vendor "handshake", the customer vehicle must come to a stop beside the vendor menu ordering system which contains a large screen to display the current order. During this process, adequate protection is not given to the space between the vehicle and the menu allowing for a number of remote attackers to obtain sensitive order information. Once the victim has finished ordering, the information stays available on the screen for up to several minutes or until another customer has pulled forward. This creates a great window for exploitation and increases the chance of winning the "race condition".

III. ANALYSIS

Successful exploitation allows unauthenticated remote malicious arbitrary attackers to retrieve the contents of the previous customer's food order which is a serious breach of confidentiality. As proof of concept, this attack was carried out against mi2g CEO DK Matai. It was disclosed that he ordered a grilled chicken sandwich, large fries and a large Coca-Cola.

IV. DETECTION

mi2g has confirmed that all Wendy's with a Drive-up menu display are affected. Other vendors may be affected but were not tested.

V. WORKAROUND

Use a hard object such as a rock or baseball bat to disable the order display screen after the late night drive-thru has closed.

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-2934 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VII. DISCLOSURE TIMELINE

07/07/02 Exploit discovered by mi2g
07/08/02 mi2g clients (the "Inner Sanctum") notified
01/08/03 The Queen notified
03/22/03 bespoke security architecture updated
09/01/03 mi2g clients notified again
07/07/04 Public Disclosure
07/08/04 Vendor notified

VIII. CREDIT

Rear Admiral John Hilton and Geoffrey Hancock are credited with discovering this vulnerability.

IX. SPECIAL THANKS

Donny Werner for verifying Wendy's drive up systems are not vulnerable to XSS issues!

X. LEGAL NOTICES

Copyright (c) 2004 mi2g Limited.

Permission is granted for the redistribution of this alert electronically provided a small royalty is paid. It may not be edited in any way without the express written consent of mi2g. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email mi2g-research@hushmail.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkDrk18ACgkQa74Q1wBemg8ZEACfTaxcsaq/mkOAWZ8A5TPRhM/gq8gA
n0pcaILhtSzHGnGbdBi1BCHQCi7s
=YRgk
-----END PGP SIGNATURE-----

Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427

From isn at c4i.org Wed Jul 7 06:42:25 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 7 06:45:45 2004
Subject: [ISN] Applying Pressure
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=FFF3VRUN3SBXMQSNDBCCKHY?articleID=22103604

By John Foley, George V. Hulme, Steven Marlin
InformationWeek
July 5, 2004

What began as an uncoordinated din of IT professionals complaining about computer security has turned into a collective movement that's spanning entire industries. For evidence, consider the actions taken by BITS, a powerful financial-industry organization that recently crafted a detailed security policy on how it expects technology companies to respond to the needs of its member firms. Two weeks ago, the nonprofit consortium squeezed concessions from Microsoft. Now, other big-name vendors are in its sights.

BITS acted because the costs and risks associated with rising software vulnerabilities have become "untenable," senior director John Carlson says.
Coping with software vulnerabilities has become a $1 billion-a-year problem for the financial industry, according to BITS, whose heavyweight roster includes Bank of America, Citigroup, Fidelity Investments, and Wells Fargo. "We clearly anticipated that the costs are going to increase over time unless something is done," Carlson says. Dissatisfied with the pace at which IT vendors were moving to address security problems, BITS decided to engage them on its own terms. "There's almost no one who's immune," says Larry Seibel, information security director at Huntington National Bank, whose chairman and CEO, Thomas Hoaglin, is on BITS's board of directors. "I don't think anyone believes we're going to have a quick fix." Just last week, the SANS Institute's Internet Storm Center reported an attack in which hackers attempted to capture, via Internet Explorer, user-login information from customers of dozens of financial institutions. BITS held an invitation-only meeting in February for its members and some undisclosed software companies, and, in late April, it unveiled a sweeping plan to encourage IT vendors to show a "higher duty of care" in delivering foolproof products. A detailed policy statement, issued jointly with the affiliated Financial Services Roundtable, calls on vendors to make security a fundamental part of software design, support older versions of products, make upgrades easier, improve the patch-management process, and give companies with "critical infrastructure" advance notice of new vulnerabilities. The group hopes to influence product development and support across the technology industry. Prominent names are at the top of its list: Cisco Systems, Computer Associates, Hewlett-Packard, IBM, Microsoft, Oracle, and PeopleSoft. "There are lots of potential weak links," Carlson says. 
"Our members said, 'These are important companies to engage.'" InformationWeek surveyed some of those leading technology companies to assess their readiness to meet BITS's specific proposals. To see their answers, go to informationweek.com/996/responses.htm. BITS supports incentives, including tax breaks, to encourage vendors to put more research and development into security, and it promises to help protect industry groups from antitrust laws as they collaborate on security measures. It's also wielding a stick by encouraging regulators to share some of the information they already gather on the security practices of software companies. Security professionals believe there's something to be gained by bringing the collective weight of an industry to bear on the issues they face every day. "These efforts present a united front and focused pressure, rather than each of us working on our own to improve software and to get change," says Gene Fredriksen, VP of information security with Raymond James & Associates, co-chair of BITS's software-security working group, and a member of its security and risk-assessment executive committee. It doesn't hurt that BITS has the backing of some big guns. Thomas Renyi, chairman and CEO of the Bank of New York, is chairman of BITS's board of directors. According to Cisco, its CEO, John Chambers, has met directly with the industry group. BITS is rallying companies from other industries around the same set of issues. Technology executives from the telecommunications, chemical, and electric-utility industries were invited to its closed-door February meeting, and the group coordinated with the influential Business Roundtable on the details of its software-security policy and the timing of its release. 
"Everyone's looking at everyone else's work, saying, 'What can we do working in collaboration with each other to solve this problem?'" Carlson says from his Washington office, where he had just returned from a meeting last week of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census. Last month, the chairman of that subcommittee, Rep. Adam Putnam, R-Fla., co-authored an amendment to the 1996 Clinger-Cohen Act that would make information security a required consideration when government agencies buy computer systems. Putnam is monitoring self-regulation efforts by groups such as BITS in the private sector. Microsoft's arrangement with BITS was the first of its kind, but it won't be the last, says Gytis Barzdukas, director of product management with the vendor's security business and technology unit. After six months of discussions, BITS talked Microsoft into providing more-favorable terms for Windows NT 4.0 custom support and making Windows support personnel available to BITS's members in their local offices. Both sides say further cooperation is planned. With new security threats popping up weekly, banks have kept one eye on the perpetrators and the other on regulators. Marguerite Gear, VP and sourcing manager at Bank of America, says the risks to a bank's reputation can equal or surpass losses from lawsuits or penalties. "In financial services, trust is paramount," she says. "Identity thefts, firewall attacks, viruses, or intrusions can devastate a bank." Under Basel II, an accord reached last month by international banking authorities, large banks must be able to measure by the end of 2007 their exposure to operational risk, including software flaws, in addition to credit and market risk. Large financial institutions have had Basel II preparations under way for at least a year, beginning with compiling data about previous cyberattacks and formulating scenarios about potential new ones. 
Conscious of the need to proceed without disrupting ongoing business activities, teams of IT, compliance, legal, and audit specialists are working to formulate plans combining all these elements. The hope is that by working collaboratively, they can present business heads with a single plan of action. "We don't want to go to them with one set of compliance questions and another set of security questions," says an information security executive at a large multinational bank. When reviewing software products, this executive says, "we ask [vendors] to show us their model for providing software updates and patch distribution, both during the ordinary course of business and during emergencies." Vendors are grilled on their response procedures in the event of a crisis. Bank of America's Gear says banks routinely write into contracts clauses that specify software products are warranted as being free of malicious code. "It's a huge, huge issue," she says. BITS has set the security bar high with its own stringent set of criteria for product certification, introduced in 1999 and reintroduced two years ago after being aligned more closely with the international security evaluation standard known as the Common Criteria. So far, only two products--HP's VirtualVault and Archer Technologies' SmartSuite Framework--have passed muster. "It tells us software companies have a lot of work to do in terms of meeting the targeted needs of our profiles," Carlson says. Carlson and many security professionals agree that vendors have shown an increased willingness to address their concerns and acknowledge that IT departments bear much of the responsibility for securing their systems and networks. But they say vendor efforts haven't yet passed the most important test: There's been no decline in the number of security threats or attacks, or in costs associated with them (see story, Under Attack). What comes next? 
BITS is working to define best practices for patch management and for security issues associated with spyware, wireless technologies, and remote access. Users would also like to see increased collaboration among technology suppliers themselves. "Ultimately, I would like to see the industry get to the point where we have common security baselines among vendors," says Raymond James' Fredriksen. Oracle is thinking along the same lines. "The next frontier is for vendors to drop their competitiveness," says Mary Ann Davidson, Oracle's chief security officer. "Developing secure code is not a trade secret. Vendors need to start calling each other up and sharing development techniques. The hackers certainly share attack and vulnerability information." If the vendors can ever outpace the hackers, their customers will deserve part of the credit. From isn at c4i.org Wed Jul 7 06:44:13 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jul 7 06:45:46 2004 Subject: [ISN] Govt scores poorly in security test Message-ID: http://www.bangkokpost.com/Database/07Jul2004_data02.php Karnjana Karnjanatawe 07 July 2004 Government web sites could be at risk from security threats, according to a recent survey, which found that only 12% of 267 surveyed agencies used data encryption technology, and only one organisation, Krung Thai Bank, utilised digital signatures. The survey by the National Electronics and Computer Technology Centre (Nectec) covered 267 government department-level agencies, universities and state organisations. It also found that almost half of the web sites surveyed relied on only a user name and a password to authenticate users, while 12%, or 32 agencies, secured information with SSL or data encryption technology. "Some agencies do not even have a firewall to protect against hackers. 
This is a weakness of the government," said Nectec director Dr Thaweesak Koanantakool, adding that agencies needed to be more concerned with security and provide secure transactions to the public. ICT Ministry permanent secretary Dhipavadee Meksawan said to help ease security concerns, the ministry plans to invest up to eight million baht to provide 50,000 digital signatures for government officers by September. "The digital signatures will be issued by the Government IT Service, TOT Corp and the CAT Telecom," she said, adding that they will help reduce document fraud and provide secure transactions. The survey, conducted between 14 January and 31 March this year, aimed to find out the e-service readiness of the web sites. It also tracked information provided by the sites, including basic organisation information, history, email, news and links to other agencies. More than half (64%) are bilingual web sites but only two organisations (1%) had features for easier accessibility, such as captions for pictures and clear fonts and colours. Most of the agencies (91%) updated their information once a week while the remaining 9%, or 25 agencies, updated the information more than once a week. Some 77% of sites offer interactive functions such as an email form (82%), web board (74%), FAQ (39%) and internal search service (47%), while 55% or 145 agencies have transaction functions including log-in forms (54%), data transactions (10%) and online payments (6%). None of the government agencies provides applications on their web site and only seven percent (19 agencies) have implemented basic intelligence that can provide information based on a user's log-in. Most of these were web sites of universities, said Dr Thaweesak. "We want to see more integration and intelligence from the government web sites in the future," he said. 
Meanwhile the ICT Ministry permanent secretary said the survey would be used to reflect the status of government agencies to Cabinet and for allocating its ICT budget. Nectec also plans to extend its survey to cover the web sites of provincial administrative offices, schools and ministries in the future. From isn at c4i.org Thu Jul 8 05:36:44 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jul 8 07:08:26 2004 Subject: [ISN] Security UPDATE-- Disabling the ADODB.Stream Object--July 7, 2004 Message-ID: ==== This Issue Sponsored By ==== Free Security White Paper from Postini http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BJha0AC Security Administrator http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BFMs0Ax ==================== 1. In Focus: Disabling the ADODB.Stream Object 2. Security News and Features - Recent Security Vulnerabilities - News: Firewall Permissions Code for XP SP2 - Feature: On the Net, Awareness = Safety - Feature: Performing Forensic Analyses, Part 2 3. Security Toolkit - FAQ - Featured Thread 4. New and Improved - New Security Administration Book - Intrusion Scanner Eliminates Trojan Horses ==================== ==== Sponsor: Free Security White Paper from Postini ==== How to Preemptively Eliminate the Top 5 Email Security Threats Are worries about spam and virus attacks to your enterprise email system keeping you up at night? See why spam and viruses are only the "tip of the iceberg" when it comes to email security threats. Learn how you can eliminate the top 5 security threats to your email system, including the silent killer -- directory harvest attacks. The good news is there's an easy and effective way to arm your organization against all threats, even the latest spam and email attacks. Find out how to completely and preemptively protect against major threats including spam, viruses, directory harvest attacks (DHA), denial-of-service (DoS) attacks, as well as internal policy violations. Download this free white paper today! 
http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BJha0AC ==================== ==== 1. In Focus: Disabling the ADODB.Stream Object ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net Last week, I wrote about two ways to quickly and easily work around the problem with the Microsoft ActiveX Data Objects (ADODB) library. One solution is a registry script from eEye Digital Security and the other is PivX Solutions' Qwik-Fix. As far as I know, both of these solutions work by disabling parts of ADODB. If you missed last week's newsletter, you can read about the solutions at http://www.winnetmag.com/article/articleid/43131/43131.html The combined attack method that I wrote about last week involves the use of the ADODB.Stream object, which Microsoft says is essentially a memory-based file. Now Microsoft has released an official fix that disables ADODB.Stream in Internet Explorer for Windows Server 2003, Windows XP, and Windows 2000. You can download the "Critical Update for Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer" fix at: http://www.microsoft.com/downloads/details.aspx?familyid=4d056748-c538-46f6-b7c8-2fbfd0d237e3&displaylang=en According to the related Microsoft article "How to disable the ADODB.Stream object from Internet Explorer," the fix makes registry changes that prevent the ADODB.Stream object from being used by Microsoft Internet Explorer (IE) to access the local disk drives. Other applications that use the object can still access the disk if necessary. http://support.microsoft.com/?kbid=870669 In addition to installing the Microsoft fix, which I think most security professionals would recommend, you might want to consider other configuration changes to your IE installations. 
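The following is an added example, not code from this newsletter, from Microsoft, or from eEye or PivX. It audits a Windows host for the two mitigations this column and the Microsoft articles it cites describe: the ActiveX "kill bit" that stops IE from instantiating a control (the mechanism of the KB 870669 update and of KB 240797, applied here to ADODB.Stream), and the Local Machine and Internet zone settings for ActiveX and Active scripting (KB 833633). It is written in PowerShell, which postdates the 2004 systems discussed. Nothing on the page gives the registry details, so the following are assumptions taken from those KB articles rather than from the text: the ADODB.Stream CLSID {00000566-0000-0010-8000-00AA006D2EA4}, the kill-bit value 0x400 in "Compatibility Flags", zone index 0 for Local Machine and 3 for Internet, value names 1200 (Run ActiveX controls and plug-ins) and 1400 (Active scripting), and action codes 0 = enable, 1 = prompt, 3 = disable. The function names and the -Apply switch are this example's own.

```powershell
# Added example (not from the newsletter or Microsoft): audit, and with -Apply
# enforce, the IE mitigations discussed above. Assumptions not stated on the
# page: the ADODB.Stream CLSID and the 0x400 kill-bit flag (KB 870669/240797),
# zone 0 = Local Machine, zone 3 = Internet, value 1200 = run ActiveX,
# 1400 = Active scripting, actions 0 = enable, 1 = prompt, 3 = disable.
[CmdletBinding()]
param([switch]$Apply)

$KillBitRoot      = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$AdodbStreamClsid = '{00000566-0000-0010-8000-00AA006D2EA4}'   # assumed, see lead-in
$KillBit          = 0x400
$ZoneRoot         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Desired zone actions. Higher action code = more restrictive (0 < 1 < 3), so the
# audit can compare numerically. Local Machine is the zone the combined attack
# climbs into, so it gets the same floor as the Internet zone.
$DesiredZones = @{
    '0' = @{ '1200' = 3; '1400' = 1 }   # Local Machine: no ActiveX, prompt before scripts
    '3' = @{ '1200' = 3; '1400' = 1 }   # Internet: no ActiveX, prompt before scripts
}

function Test-KillBit {
    # True when the control's Compatibility Flags already carry the kill bit.
    param([string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]($flags -band $KillBit)
}

function Set-KillBit {
    # OR the bit in so that any other flags already set on the control survive.
    param([string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]($current -bor $KillBit)
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Get-ZoneFindings {
    # One object per (zone, setting) whose current action is weaker than desired.
    foreach ($zone in $DesiredZones.Keys) {
        $key = Join-Path $ZoneRoot $zone
        foreach ($name in $DesiredZones[$zone].Keys) {
            $want = $DesiredZones[$zone][$name]
            $have = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -eq $have) { $have = 0 }   # treat an absent value as "enable"
            if ($have -lt $want) {
                [pscustomobject]@{ Zone = $zone; Setting = $name; Current = $have; Desired = $want; Key = $key }
            }
        }
    }
}

# --- audit: report before touching anything ---
$killBitSet = Test-KillBit $AdodbStreamClsid
$findings   = @(Get-ZoneFindings)
"ADODB.Stream kill bit set: $killBitSet"
if ($findings.Count -eq 0) { "Zone settings already at or above the desired actions" }
else { $findings | Format-Table Zone, Setting, Current, Desired -AutoSize }

# --- enforce: only when asked, and only what the audit found ---
if ($Apply) {
    if (-not $killBitSet) { Set-KillBit $AdodbStreamClsid }
    foreach ($f in $findings) {
        if (-not (Test-Path $f.Key)) { New-Item -Path $f.Key -Force | Out-Null }
        Set-ItemProperty -Path $f.Key -Name $f.Setting -Value $f.Desired -Type DWord
    }
}
```

Run it without -Apply first to see what differs from the desired state; the HKLM write for the kill bit needs an elevated prompt. Two caveats a practitioner will hit: zone settings are read from the user hive unless the "use only machine settings" policy (Security_HKLM_only) is in force, in which case the HKLM copy of the Zones key holds the effective values, and Group Policy can override either hive on the next refresh; and the kill bit only stops IE from creating the object through its ActiveX compatibility table, which is exactly why, as the column notes, other applications keep using ADODB.Stream.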
Another Microsoft article, "How to strengthen the security settings for the Local Machine zone in Internet Explorer," describes how to disable ActiveX controls and Java applets, prompt the user before running scripts, prompt the user before accessing a database in another zone, control how zone security is applied (e.g., per user or the same settings for all users, whether users can change those settings), and use Group Policy to control IE security zone settings. Be aware that you might experience unwanted effects (as noted in the article) when you make some of the recommended changes. http://support.microsoft.com/?kbid=833633 Two other articles--"How to Stop an ActiveX Control from Running in Internet Explorer" and "How to Remove an ActiveX Control in Windows"--describe how to prevent IE from using particular ActiveX controls and how to remove ActiveX controls if you need to do that for whatever reason. By using some or all of the recommended IE security settings, you can significantly increase browser security. http://support.microsoft.com/?kbid=240797 http://support.microsoft.com/?kbid=154850 Microsoft said that in the coming weeks it will release a series of security updates for IE that will provide additional protection; however, the company hasn't said what those updates might actually entail. The company also said that it's working on a "comprehensive update for all supported versions of Internet Explorer [which] will be released once it has been thoroughly tested and found to be effective across a wide variety of supported versions and configurations of Internet Explorer." The company also said that the upcoming XP Service Pack 2 (SP2) will better protect users against attacks and unwanted content, including downloads. So in addition to the already-mentioned fixes and configuration changes, more help is on the way. ==================== ==== Sponsor: Security Administrator ==== Try a Sample Issue of Security Administrator! 
Security Administrator is the monthly newsletter from Windows & .NET Magazine that shows you how to protect your network from external intruders and control access for internal users. Sign up now to get a 1-month trial issue--you'll feel more secure just knowing you did. Click here! http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BFMs0Ax ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.winnetmag.com/departments/departmentid/752/752.html News: Firewall Permissions Code for XP SP2 Mitch Denny has written some sample code that lets developers more easily interact with the new firewall design that's part of Windows XP Service Pack 2 (SP2). Denny says that his code, FirewallPermission, "is a custom permission and associated declarative security attribute which uses the Windows Firewall COM interfaces to check whether a program has inbound access on a port enabled." http://www.winnetmag.com/article/articleid/43096/43096.html Feature: On the Net, Awareness = Safety Given "phishing" (email messages that appear to be from reputable companies and that ask customers to confirm personal information such as credit card and bank account numbers), Web-site redirection, and outright browser hijack attempts, reading email and browsing the Web is fraught with dangers that passive protections such as firewalls can't really stop. David Chernicoff explains ways to help your users protect themselves. 
http://www.winnetmag.com/article/articleid/43067/43067.html Feature: Performing Forensic Analyses, Part 2 In "Performing Forensic Analyses, Part 1," http://www.winnetmag.com/article/articleid/42445/42445.html , Matt Lesko shows how to create a bootable CD-ROM that contains the Penguin Sleuth Kit and how to use that CD-ROM to create a digital copy, or image, of a compromised hard disk. In this second article, Lesko looks at how to perform a forensic analysis on that image by using the Penguin Sleuth Kit on your CD-ROM. http://www.winnetmag.com/article/articleid/42810/42810.html ==================== ==== Announcements ==== (from Windows & .NET Magazine and its partners) Online Resource for SQL Server DBAs and Developers Visit the SQL Server Magazine Web site and experience a helpful resource offering the easy-to-find SQL Server solutions, news, guidance, and how-to information you're looking for. Reference lists of active forums, hot topic discussions, keyword searches, free Web seminars, FAQs, and much more. The site also features Web-exclusive columns by Itzik Ben-Gan. Check it out: http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0KQO0AQ New Free Web Seminar--Securing Your Windows and Exchange Environments Everyone has a network-configured firewall and an up-to-date antivirus scanner, yet malware attacks still happen. In this free Web seminar, Roger Grimes and Steve Bryant will address Windows Server 2003 and Exchange Server 2003 security challenges and help secure your systems the right way. Register now! http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BJgs0AT Did You Miss the Live Microsoft Security Strategies Roadshow? Microsoft has teamed with Avanade and Network Associates to bring you the on-demand Webcast from the Microsoft Security Strategies Roadshow tour. Join industry guru Mark Minasi and learn more about tips to secure your Windows Server 2003 and Windows 2000 network, plus more! Register now. 
http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BELe0Ah ==================== ==== Hot Release ==== SSL123 - New from thawte The full 128-bit capable digital certificate issued within minutes for US$159.00. Free reissues and experienced 24/5 multi-lingual support included for the life of the certificate. Click here to read more: http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BJhb0AD ==================== ==== 3. Security Toolkit ==== FAQ: How Can I Start the Microsoft Management Console (MMC) Active Directory Users and Computers Snap-In so That It Points to a Specific Domain Controller (DC)? by John Savill, http://www.winnetmag.com/windowsnt20002003faq A. When you start the Active Directory Users and Computers snap-in, it tries to connect to the nearest DC in the current domain. To connect to a specific DC, run the command: dsa.msc /server= You can also use this command syntax to create a shortcut to a specific DC on your desktop or on the Start menu. Featured Thread: Removing a Backdoor IRC Bot (Two messages in this thread) Mike writes that one of his systems is infected with a Trojan horse program and he can't remove the Trojan horse's msrll.exe file from the infected system's %systemroot%\system32\mfm folder. He can delete the jtram.conf file from the folder, but the file is recreated soon after he deletes it. Norton AntiVirus corporate edition found the msrll.exe file but couldn't quarantine or remove it. Mike also tried removing the msrll.exe file by booting to Safe Mode but wasn't successful. He wonders if anyone can help him remove the Trojan horse. 
http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=123027 ==================== ==== Events Central ==== (A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events ) Free Roadshow in Your City Soon--HP Wireless & Mobility Roadshow 2004 In this free Roadshow, you'll discover trends in the wireless and mobility industry and come away with a better understanding of wireless and mobility solutions. And, talk first hand about your wireless projects with leaders in the industry. See proven wireless and mobile solutions in action. Register now! http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BJgt0AU ==================== ==== 4. New and Improved ==== by Jason Bovberg, products@winnetmag.com New Security Administration Book Syngress Publishing published "Check Point Next Generation with Application Intelligence Security Administration" by Chris Tobkin and Daniel Kligerman. The 600-page book covers Check Point Software Technologies' Check Point Next Generation product, from simple firewall setup to advanced VPN and firewall scenarios. The book also serves as a study tool for the Check Point Certified Security Administrator (CCSA) exam. This third volume in Syngress's series about Check Point products costs $59.95. For more information, contact Syngress on the Web. http://www.syngress.com Intrusion Scanner Eliminates Trojan Horses ATShield released Anti-Trojan Shield 1.2, a virus/intrusion scanner that identifies and eliminates Trojan horses running in memory, as well as infected system files and registry entries. Anti-Trojan Shield's resident monitor checks your PC each time you start up and each time you launch a program. It also checks all new files downloaded from Microsoft Internet Explorer (IE) 5.0 and 6.0, Microsoft Outlook Express, and ICQ, ensuring that no malicious code enters your computer. The software's reports and log files keep track of all the activities the program performs. 
Anti-Trojan Shield 1.2 runs on Windows 2003/XP/2000/Me/9x and costs $29.95. For more information, contact ATShield on the Web. http://www.atshield.com Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com. ==================== ==== Sponsored Links ==== Argent Comparison Paper: The Argent Guardian Easily Beats Out MOM http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BDWV0Ac ==================== ==== Contact Us ==== About the newsletter -- letters@winnetmag.com About technical questions -- http://www.winnetmag.com/forums About product news -- products@winnetmag.com About your subscription -- securityupdate@winnetmag.com About sponsoring Security UPDATE -- emedia_opps@winnetmag.com ==================== ==== Contact Our Sponsors ==== Primary Sponsor: Postini -- http://www.postini.com -- 1-888-584-3150 Hot Release Sponsor: thawte -- http://www.thawte.com -- 1-650-426-7400 ==================== This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today. http://www.winnetmag.com/sub.cfm?code=wswi201x1z You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you! View the Windows & .NET Magazine privacy policy at http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy Windows & .NET Magazine, a division of Penton Media, Inc. 
221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2004, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Jul 8 06:50:56 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jul 8 07:08:29 2004 Subject: [ISN] iPod is latest security risk for business, say analysts Message-ID: Forwarded from: Richard Forno Obviously the person writing this advisory isn't a security person nor has had much experience in the real world of operational IT business life. I also wonder where this person has been for the last several years....portable storage devices are hardly a "new" security concern. Let's not forget that floppy disks and CDs still come-and-go freely in many organizations, and I've encountered only a handful of enterprises that block known (and actively seek out unknown) webmail account providers that otherwise serve as a nice conduit to "bypass perimeter defenses." And that's just for starters. If one takes this fellow's guidance to its logical conclusion, companies need to either get rid of all computers, get rid of all employees, or strip-search everyone as they come and go each day. While that definitely increases security, methinks it 'might' -- just might -- kill productivity. :( -rick Infowarrior.org > From: InfoSec News > Reply-To: isn@c4i.org > Date: Tue, 6 Jul 2004 04:52:37 -0500 (CDT) > To: isn@attrition.org > Subject: [ISN] iPod is latest security risk for business, say analysts > > http://software.silicon.com/security/0,39024655,39121918,00.htm > > [Gartner rehashing old ISN posts? > http://seclists.org/isn/2002/Mar/0002.html :) - WK] > > > By Andrew Donoghue > silicon.com > July 06 2004 > > Companies should consider banning portable storage devices such as > Apple's iPod from corporate networks as they can be used to > introduce malware or steal corporate data, according to an analyst. 
> > Small portable storage products can bypass perimeter defenses like > firewalls and antivirus at the mailserver, and introduce malware > such as Trojans or viruses onto company networks, claimed analyst > house Gartner in a report issued this week. Analysts have warned for > some time of the dangers of using portable devices, but the report > points out these also now include "disk-based MP3 players, such as > Apple's iPod, and digital cameras with smart media cards, memory > sticks, compact flash and other memory media." From isn at c4i.org Thu Jul 8 06:52:28 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jul 8 07:08:30 2004 Subject: [ISN] E-Mail Snooping Ruled Permissible Message-ID: Forwarded from: Cory D You seem to be missing the point. By their ruling they state that because the MDA (procmail) was storing the message for processing, this is what justified it as electronic storage; thus they did not intercept any wire communication between the points of communication, and therefore they did not violate the wiretap law. What bothers me is that the MDA is still in the process of delivering the message to the recipient; since the delivery is not complete, the message should still be considered in transit. By this definition the wiretap act was violated, because the message did not reach its intended recipient, for the e-mail was still in transit. As for the government, this ruling opens a hole for them: they can use their "Carnivore" program to gather messages before they go to an MDA; the "electronic storage" argument has no merit and thus no warrant is needed per Title 18, Sec. 2703(a). Title 18, Sec. 2703(a) is also typical for places storing the messages, since the argument could be stated that the messages are temporary and no warrant is needed because the burden of electronic storage again is not met. 
My rant is done for now, but hopefully I widened some eyes, for the complexity of these issues should not be complex but simple: when electronic communication is stated at one point and directed towards another, it should be considered still in transit until delivered to the recipient. Cory Durand -----Original Message----- From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org]On Behalf Of Denning, Dorothy USA Sent: Tuesday, July 06, 2004 6:48 PM To: isn@c4i.org; isn@attrition.org Subject: RE: [ISN] E-Mail Snooping Ruled Permissible The ruling doesn't give the government blanket access because they are still constrained by the statutes that protect stored wire and electronic communications. To compel disclosure of unretrieved communications that have been in storage 180 days or less, the government needs a search warrant [Title 18, Sec. 2703(a)]. However, a non-public provider (e.g., private company) can voluntarily disclose such e-mail [Sec 2702(a)(1)]; a public provider generally cannot, but there are exceptions [Sec 2702(b)]. Dorothy Denning -----Original Message----- From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org]On Behalf Of Cory D Sent: Friday, July 02, 2004 9:33 AM To: isn@attrition.org Subject: RE: [ISN] E-Mail Snooping Ruled Permissible -- You seem to be misinformed on common wiretap laws. -- As for your sigh of relief, it bothers me. When reading the case, the individual(s)' rights were violated. --- The Wiretap Act "Provider Exception" 18 U.S.C. § 
2511(2)(a)(i) (i) It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks... Since he used the information for profit and gain, it seems to me that it did violate the wiretap law. As you can also see, this informs you that you can use IDS equipment to protect yourself from unwanted trespassers. From isn at c4i.org Thu Jul 8 06:54:09 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jul 8 07:08:31 2004 Subject: [ISN] IE Exploit Attacks Another Piece of ActiveX Message-ID: http://www.eweek.com/article2/0,1759,1620855,00.asp By Steven J. Vaughan-Nichols July 7, 2004 Using Internet Explorer hasn't gotten any safer in the past few days as a Dutch security hacker, Jelmer Kuperus, pointed out yet another unblocked security problem in the popular Web browser. The latest exploit, an attack on a Windows ActiveX component called Shell.Application, is similar to the Download.Ject attack, also called JS.Scob.Trojan. In that exploit, crackers broke into IIS servers on several popular but still unnamed sites and used them to spread keyboard loggers, proxy servers and other malware through IE's ActiveX scripting technology. Indeed, attackers used the spyware technique of installing a pop-up ad program, except this one silently installed a Trojan and a BHO (Browser Helper Object) designed to swipe login information from several dozen financial sites. 
The sites that spread the malware have since been fixed, but there has been no shipping fix for the underlying IE vulnerabilities. Disabling Active scripting and ActiveX controls in the Internet Zone and Local Machine Zone will prevent exploitation of these holes, but at the cost of seriously affecting IE's functionality. Microsoft shipped a "patch" Friday that addressed part of this security problem by disabling the Windows component called ADODB.Stream in IE. Because of these developments, CERT (the U.S. Computer Emergency Readiness Team) and some IT professionals are recommending that users consider using other browsers such as Opera, Mozilla and Firefox. Others, noting how so much business depends on ActiveX-powered Web sites, are sticking with Internet Explorer in the hopes that forthcoming Microsoft IE security patches and Windows XP SP2 (Service Pack 2) will protect their systems from the newly exploited IE security holes. XP SP2 is expected to stop such attacks by hardening the barriers between processes running in the Internet Zone and in the far more dangerous Local Machine Zone, according to Thor Larholm, senior security researcher at PivX Solutions LLC, a security firm based in Newport Beach, Calif. But in the meantime, Kuperus has published code that he claims can be used to break into Windows systems running IE with the Shell.Application exploit. The possibility of attacks using Shell.Application has been known in security circles since at least January 2004, when it was reported in the @RISK newsletter from The SANS Institute, a cooperative security research and education organization. The Shell.Application exploit, like Download.Ject before it, makes it possible for crackers to create malicious, self-executing HTML files that can install and run an executable on the Web browser's PC. At this time, however, there have been no reported attacks using the Shell.Application exploit. 
Microsoft is working on security updates for Internet Explorer that will address this and other ActiveX security problems.

Larry Seltzer contributed to this story.

From isn at c4i.org Thu Jul 8 06:54:21 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 8 07:08:32 2004
Subject: [ISN] Two more from NIST
Message-ID:

http://www.fcw.com/fcw/articles/2004/0705/web-nist-07-07-04.asp

By Florence Olsen
July 7, 2004

Two new publications from the National Institute of Standards and Technology provide technical help for government agencies and businesses that are required to protect information systems. One publication offers a starting point for organizations to understand basic information security principles. The other gives technical tips for setting up electronic authentication using guidelines issued by Office of Management and Budget officials.

The first publication, NIST Special Publication 800-27 Revision A, is titled "Engineering Principles for Information Technology Security." The second is NIST SP 800-63, "Electronic Authentication Guideline," which defines technical requirements for identity proofing and registration, identity tokens, authentication protocols and security assertions.

NIST SP 800-27 Revision A
http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf

NIST SP 800-63
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf

From isn at c4i.org Thu Jul 8 06:54:36 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 8 07:08:33 2004
Subject: [ISN] Lax data security seen at many Japanese companies
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,94368,00.html

By Martyn Williams
JULY 07, 2004
IDG NEWS SERVICE

A Japanese government report published yesterday says at least 40% of companies surveyed are taking no special measures to ensure the privacy and security of personal data stored on computers.
Results of the survey were included in the government's annual White Paper on Information and Communications in Japan, which was published by the Ministry of Public Management, Home Affairs, Posts and Telecommunications (MPHPT). It comes after several incidents in the last year in which personal information on customers, sometimes numbering into the millions of people, has been leaked or stolen from Japanese companies.

Around 2,000 companies and 300 public organizations and educational establishments were surveyed for the report, and responses were received from around 900, it said. They were asked about measures being taken at an organizational level, such as staff training on how to handle such information, and at a technical level, such as restricting employee access and encryption of data.

In the area of structural and organizational measures, the largest positive response came when companies were asked if they had clarified the purpose for which the information was being used and collected. Just under a quarter of companies said that this was being or had been done. Just over one-fifth of responses, or 21%, said internal staff training had been enhanced to include instruction on handling of personal information, and 16.7% of companies said they had narrowed the amount of information requested from customers. Only 14.4% of companies said they had appointed a person in charge of protecting personal information, and 10.5% of companies said they had a privacy policy. In the area of organizational measures, 37.2% of companies said they are taking no special measures.

Asked about technical measures, the responses were not vastly different. Just over 27% of companies said they were managing the ability of staff to use personal information, and 21.7% said they ensured physical destruction of data when PCs were disposed of. Companies that maintained a history of what information was used, and when, numbered 15.5%.
Only 1.1% of companies said they had a system in place to detect intrusions into databases holding personal information, and 5% said they encrypted data when it was being stored or transported. Just under 42% of companies said no special technical measures were being taken.

Japan has seen a number of cases in which personal information has been leaked from major companies so far this year. One of the biggest involved broadband Internet provider Softbank BB Corp., which said last February that data on 4.5 million customers, including their names, addresses, telephone numbers, e-mail addresses and broadband service application date, had been obtained by people outside of the company.

Leaks at other companies have also made local headlines this year. Cosmo Oil Co. leaked data on an estimated 2.2 million customers, while tour operator Hankyu Express International Co. said data on more than 600,000 clients was leaked outside of the company. Credit card company Sanyo Shinpan Finance Co. leaked data on more than a million cardholders, and fellow card-issuer Nippon Shinpan Co. said information on up to 100,000 of its clients was leaked.

A poll of 159 major Japanese companies conducted by Kyodo News in April this year found that nearly one in 10 companies had experienced a leak or loss of customer personal information in the previous two years. The survey found 15 of the companies, or 9.4%, said data relating to 260,000 customers, including their names, addresses and phone numbers, was leaked.

"It is likely that there will be a higher dependency on networks and a higher possibility of leaks," said Takaaki Saeki, deputy director of the MPHPT's economic research office. "This might affect confidence, therefore companies will need to take further measures to protect information."

Indeed, much of the rest of the white paper highlights the broadening of Japan's network society.
Broadband subscribers in Japan, who numbered around 15 million at the end of 2003, enjoy the world's cheapest Internet access, the report said, quoting a recent survey by the International Telecommunication Union (ITU). Ranked by price per 100k bps (bits per second) of bandwidth per month, Japan leads the world at 9 cents, thanks to high-speed, low-price services. Penetration of mobile Internet services is also the highest in the world at 89.5% of all mobile phone users. Just under 17 million people had third-generation (3G) mobile phones at the end of April of this year, and more than 60% of mobile phones in use have a digital camera function, the report said.

From isn at c4i.org Thu Jul 8 07:07:47 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 8 07:08:34 2004
Subject: [ISN] VoIP hackers gut Caller ID
Message-ID:

http://www.theregister.co.uk/2004/07/07/hackers_gut_voip/

By Kevin Poulsen
SecurityFocus
7th July 2004

Hackers have discovered that implementation quirks in Voice over IP make it easy to spoof Caller ID, and to unmask blocked numbers. They can make their phone calls appear to be from any number they want, and even pierce the veil of Caller ID blocking to unmask an anonymous phoner's unlisted number.

At root, the issue is one of what happens to a nugget of authentication data when it leaves the tightly-regulated realm of traditional telephony and passes into the unregulated domain of the Internet.

On the old-fashioned phone network, Caller ID works this way: your local phone company or cell phone carrier sends your "Calling Party Number" (CPN) with every call, like a return address on an envelope. Transmitted along with your CPN is a privacy flag that tells the telephone switch at the receiving end of the call whether or not to share your number with the recipient: if you have blocking on your line, the phone company you're dialing into knows your number, but won't share it with the person you're calling.
This arrangement relies on telephone equipment at both ends of the call being trusted: the phone switch providing you with dial tone promises not to lie about your number to other switches, and the switch on the receiving end promises not to reveal your number if you've asked that it be blocked. In the U.S. that trust is backed by FCC regulations that dictate precisely how telephone carriers handle CPNs, Caller ID and blocking. Most subscribers have come to take Caller ID for granted, and some financial institutions even use Caller ID to authenticate customers over the phone.

Despite that, the system has long been open to manipulation. "A lot of times you can offer any number you want, and carriers won't validate that," says Lance James, chief security officer of Secure Science Corporation. But in the past, the power to misrepresent your number came with a high price tag: you typically had to be a business able to pay the local phone company for a high-volume digital connection. On the other side of the equation, companies that pay for toll-free numbers can often access an incoming caller's phone number even if it's blocked.

VoIP networks, currently outside FCC regulation, place those capabilities in the hands of ordinary netizens. In a telephone interview with SecurityFocus, 21-year-old phone hacker "Lucky 225" demonstrated how he could spoof his Caller ID to appear to be phoning from the reporter's office. In another demonstration, the reporter phoned Lucky's associate "Natas" from a residential phone with Caller ID blocked. Natas was able to rattle off the unlisted phone number.

As described by Lucky, who's scheduled to give a talk on the subject at the DefCon hacker convention later this month, much Caller ID chicanery can be accomplished by taking advantage of implementation quirks in Voice over IP networks that try, but fail, to implement Caller ID properly. "There are little exploits that you can do," says Lucky.
But the most powerful tool for manipulating and accessing CPN data is the open-source Linux-based PBX software Asterisk, used in combination with a permissive VoIP provider. "It's fully configurable, you can pretty much do anything you want with it," says Lucky. "That's why Voice over IP is changing things." Natas used Asterisk in conjunction with the NuFone Network for his demonstration of Caller ID unmasking. NuFone chief Jeremy McNamara didn't return phone calls for this story.

Privacy advocates, who had reservations about Caller ID when it was introduced in the 90s, aren't happy that it's becoming easier to subvert. "A worst-case scenario is if you have a blocked number, and you're a victim of stalking, and you're duped into calling a number the stalker set up that was routed through a VoIP line," says Jordana Beebe of the San Diego-based Privacy Rights Clearinghouse. "It could put their life in danger." Callers with life-or-death anonymity concerns might consider spoofing just to get a little privacy.

For now, Lucky says pranks among friends are the most common use that he's seen of VoIP spoofing, but he believes that identity thieves and other swindlers could have a field day. "I've used it myself to activate my own credit cards, because I never give credit card companies my real number," he says. "One simple spoof, and it's like saying, if you have the guy's phone number, that piece of information is more important than his mother's maiden name and date of birth. If you have the phone number, you don't need anything else."

From dedennin at nps.edu Thu Jul 8 11:45:46 2004
From: dedennin at nps.edu (Denning, Dorothy USA)
Date: Fri Jul 9 06:54:02 2004
Subject: [ISN] E-Mail Snooping Ruled Permissible
Message-ID:

I was perhaps not clear. I was responding to your statement about the government not needing a warrant, which you deleted in your response to my message.
This is what you said:

"There [sic] reasoning is that they were capturing(copying) data stored in RAM and because of this it does not convey a violation of the wiretap laws. Well if that's the case then the government does not need a warrant then to "capture" any ones email and programs like "Carnivore" come to mind."

I was merely trying to say that even if the ruling is upheld, the government still has some legal hurdles to get your e-mail. To compel disclosure, they need a search warrant. Now it is easier to get a search warrant than a wiretap warrant, but it offers some legal protection.

Also, I don't follow your reference to Carnivore. Carnivore is just software and a separate issue from what warrants are needed to use it.

I personally think this ruling was unfortunate, but I haven't studied it enough to tell if the problem is with the wiretap law itself (which could be resolved through amendment) or just the court's interpretation of it (in which case the ruling could be overturned by a higher court).

Dorothy

-----Original Message-----
From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org]On Behalf Of InfoSec News
Sent: Thursday, July 08, 2004 3:52 AM
To: isn@attrition.org
Subject: RE: [ISN] E-Mail Snooping Ruled Permissible

Forwarded from: Cory D

You seem to be missing the point. By their ruling they state that because the MDA (procmail) was storing the message for processing, this is what justified it as electronic storage; thus they did not intercept any wire communication between the points of communication, and therefore they did not violate the wiretap law. What bothers me is that the MDA is still in the process of delivering the message to the recipient; since the delivery is not complete, the message should still be considered in transit. By this definition the wiretap act was violated, because the message did not reach its intended recipient, for the e-mail was still in transit.
As for the government, this ruling opens a hole up for them: they can use their "Carnivore" program to gather messages before they go to an MDA, the "electronic storage" argument has no merit, and thus no warrant is needed per Title 18, Sec. 2703(a). Title 18, Sec. 2703(a) is also typical for places storing the messages, since the argument could be stated that the messages are temporary, so no warrant is needed because the burden of electronic storage again is not met.

My rant is done for now, but hopefully I widened some eyes, for these issues should not be complex, but simple: when electronic communication is started at one point and directed towards another it should be considered still in transit until delivered to the recipient.

Cory Durand

-----Original Message-----
From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org]On Behalf Of Denning, Dorothy USA
Sent: Tuesday, July 06, 2004 6:48 PM
To: isn@c4i.org; isn@attrition.org
Subject: RE: [ISN] E-Mail Snooping Ruled Permissible

The ruling doesn't give the government blanket access because they are still constrained by the statutes that protect stored wire and electronic communications. To compel disclosure of unretrieved communications that have been in storage 180 days or less, the government needs a search warrant [Title 18, Sec. 2703(a)]. However, a non-public provider (e.g., private company) can voluntarily disclose such e-mail [Sec. 2702(a)(1)]; a public provider generally cannot, but there are exceptions [Sec. 2702(b)].

Dorothy Denning

-----Original Message-----
From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org]On Behalf Of Cory D
Sent: Friday, July 02, 2004 9:33 AM
To: isn@attrition.org
Subject: RE: [ISN] E-Mail Snooping Ruled Permissible

-- You seem to be misinformed on common wiretap laws.

-- As for your sigh of relief, it bothers me. When reading the case, the individual(s) rights were violated.

--- The Wiretap Act "Provider Exception" 18 U.S.C. §
2511(2)(a)(i) (i) It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks...

Since he used the information for profit and gain, it seems to me that it did violate the wiretap law. As you can also see, this informs you that you can use IDS equipment to protect yourself from unwanted trespassers.

_________________________________________
Help InfoSec News with a donation:
http://www.c4i.org/donation.html

From isn at c4i.org Fri Jul 9 06:36:59 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 9 06:54:04 2004
Subject: [ISN] Security hole found in Mozilla browser
Message-ID:

http://news.com.com/Security+hole+found+in+Mozilla+browser/2100-1002_3-5262676.html

By Robert Lemos and John Borland
Staff Writer, CNET News.com
July 8, 2004

update: Developers at the open-source Mozilla Foundation have confirmed that the latest version of their Web browsers has a security flaw that could allow attackers to run existing programs on the Windows XP operating system.

The flaw, known as the "shell" exploit, was publicized Wednesday on a security mailing list, along with a link to a fix for the problem. Updated versions of the affected software programs, which include the Mozilla and Firefox browsers and the Thunderbird mail client, have been released. Developers said the flaw affected only Windows users, not computers running either the Macintosh or Linux operating systems.
Like recent Internet Explorer vulnerabilities, this flaw only gives the attacker the ability to run an existing program, and requires that security problems in other applications be exploited to gain further access. The flaw can be used to pass a file extension to the operating system. Windows XP will then run the helper application corresponding to that file extension. The main threat comes from the ability of an attacker to pass parameters to exploit vulnerabilities in a specific helper application, which could give an outsider access to the system. A shell problem could also cause the computer to freeze.

The news comes as Microsoft has been dealing with a string of security flaws found in its Internet Explorer browser during the past several weeks. Some researchers had begun recommending that people worried about online security stop using the IE browser altogether. Microsoft recommends that Web surfers using Internet Explorer keep abreast of the latest security warnings, and go to the company's Protect Your PC site.

Mozilla developers said that future versions of the Firefox Web browser would have automatic update notifications that would make it easier to notify users about security fixes.

From isn at c4i.org Fri Jul 9 06:48:26 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 9 06:54:05 2004
Subject: [ISN] NIST helps on security budgets
Message-ID:

http://www.fcw.com/fcw/articles/2004/0705/web-nist-07-08-04.asp

By Florence Olsen
July 8, 2004

Agency officials struggling to include information-security outlays in their budget requests may find help in a publication released today by the National Institute of Standards and Technology. The draft document, NIST Special Publication 800-65, presents seven steps to ensure that information technology budget requests meet the requirements of the Federal Information Security Management Act of 2002.
Under FISMA, federal agencies must make information security planning part of their capital budgeting process for the first time. NIST technical experts wrote the new document to help agencies identify high-priority security needs that should get priority funds. NIST officials will accept comments on the document through Aug. 12 at sec-cpic@nist.gov.

-=-

Draft Special Publication 800-65, Integrating Security into the Capital Planning and Investment Control Process
http://csrc.nist.gov/publications/drafts/draft-SP800-65.pdf

From isn at c4i.org Fri Jul 9 06:48:40 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 9 06:54:06 2004
Subject: [ISN] Guilty plea on computer hacking
Message-ID:

http://sanjose.bizjournals.com/sanjose/stories/2004/07/05/daily29.html

Silicon Valley/San Jose Business Journal
July 8, 2004

A Chinese citizen, Yan Ming Shan, 34, of Daqing, China, has pleaded guilty in federal court in San Jose to a one-count indictment charging him with gaining unauthorized access to the computers of a Silicon Valley business in an attempt to steal proprietary software programs and source code, according to the U.S. Attorney's office for Northern California.

According to the criminal complaint and other court filings, from April to September 2002 Mr. Shan worked for 3DGeo Development, Inc., a Mountain View company that develops software used to survey land for sources of natural gas and oil. 3DGeo employed Mr. Shan under an agreement with one of its customers, PetroChina, a Chinese company with a division named DaQing Oil, which arranged for Mr. Shan to travel to California for training on 3DGeo's software.

In pleading guilty to the indictment, Mr. Shan admitted that he gained unauthorized access to 3DGeo's computer system with an intent to defraud the company. The maximum statutory penalty he faces is five years in prison and a fine of $250,000. Sentencing is scheduled before U.S. District Judge Jeremy Fogel in San Jose on Sept. 7.
From isn at c4i.org Fri Jul 9 06:50:57 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 9 06:54:07 2004
Subject: [ISN] Microsoft to pitch security as 'competitive advantage'
Message-ID:

http://www.nwfusion.com/news/2004/0708microtopi.html

[Actions speak louder than words, words that were already hashed out at the 2003 Worldwide Partner Conference, at which Ballmer said basically the very same stuff, yet no one has seen it yet. http://www.microsoft.com/presspass/exec/steve/2003/10-09wwpc.asp - WK]

By Joris Evers
IDG News Service
07/08/04

Microsoft will pitch security as a "competitive advantage" at its worldwide partner conference in Toronto next week, but it may be a tough sell to attendees who are still waiting for the software maker to deliver on some of last year's security-related promises.

Microsoft's second annual Worldwide Partner Conference kicks off Sunday. The three-day event is focused on helping its partners to sell more Microsoft products. Attendees at last year's event, in New Orleans, cheered when Microsoft CEO Steve Ballmer addressed head-on some of the security challenges the software maker faces and outlined steps it said it would take to address them.

However, Microsoft has yet to deliver on most of the promises Ballmer made. For example, customers are still waiting for a single patching experience and an update to the Software Update Services (SUS) patch management tool, both of which Ballmer said would be out in the first half of 2004, and both of which have been delayed. Additionally, Ballmer promoted the security enhancements in Service Pack 2 for Windows XP. That update was scheduled to be released in the first half of the year but has also been delayed and is now expected some time in the third quarter.

As a result, many of Microsoft's partners will come to Toronto with the same concerns about security that they had last year, said Paul DeGroot, an analyst at Directions on Microsoft.
The concerns may have even grown because of the recent attacks on Microsoft's Internet Explorer Web browser, he said. "There have been enough fires between now and last year's Worldwide Partner Conference; security is still going to be a preoccupation for partners," DeGroot said. "The things that Ballmer promised progress on haven't been achieved."

IDC Research Director Marilyn Carr agreed. "You can expect to hear the same issues tabled this year, as they have not gone away," she said. Partners, just like end-users, want Microsoft to make it less of a headache to keep up with security patches, she said.

Microsoft has planned 10 sessions in a special security breakout track at the event. The introduction to the track on Microsoft's Web site makes it seem as though the vendor believes its security challenges are a thing of the past. "Clearly security has become a competitive advantage as we engage with our mutual customers," it reads.

Ballmer is set to address the partner audience on Tuesday, the final day of the conference. He will be joined on stage by Mike Nash, head of Microsoft's Security Business and Technology Unit. A security-related announcement is expected, but Microsoft declined to comment ahead of the event.

Partners come to the event looking for guidance on Microsoft's strategy and for information that will make it easier for them to sell their products. It includes keynote speeches, breakout sessions and hands-on labs, as well as an extensive opportunity to network with other partners and Microsoft experts. Over 5,000 paid attendees have registered this year, about 20% more than last year, according to Microsoft. Tracks that include some of the sessions include sales and marketing, business leadership, application platform opportunities and vertical markets.

Aside from security, another challenge for Microsoft is persuading users to upgrade to the latest versions of its software.
Microsoft sells most of its software through its partners, so it is important for it to give them the right training. Sessions have been planned on moving customers from Windows NT 4.0 and Exchange 5.5 to newer editions of those products. On the desktop, Microsoft has made it a priority to sell more copies of Office 2003 and Windows XP. At the event it will discuss its latest "desktop deployment initiative" and a tool called the "solution accelerator for business desktop deployment" to make it easier for partners to deliver systems with those products.

Microsoft will also try to motivate partners to sell annuity licensing contracts in a session called "How to succeed at selling Software Assurance ... and profit from managing it." Some users have balked at Software Assurance, saying it doesn't deliver enough value for money. The plan includes support and upgrades in exchange for a three-year contract and an annual fee.

This year's partner conference will be the second event to combine Microsoft's "traditional" partners with those that it inherited when it bought Great Plains and Navision, applications vendors that are now part of Microsoft Business Solutions (MBS). Microsoft has also been consolidating its various partner programs into a single, global Microsoft Partner Program, announced in October. The new program went into effect in January and will be implemented in phases through 2005. MBS partners started to join this month, and the transition has not gone completely smoothly.

"Microsoft is at a very transitional stage," Directions on Microsoft's DeGroot said of the vendor's partner organization. "I expect them to announce a few additional services for partners at the conference, but I think they are in a situation where they probably don't want to significantly tweak the partner program."

Manufacturing Resource Partners (MRP), one of Microsoft's MBS partners, is looking to learn more about the new partner scheme in Toronto.
"I expect a lot of focus on increasing the MBS partners' understanding of the new Microsoft Partner Program," said Dan Abernathy, managing director at MRP, in Reno, Nev. Abernathy also hopes that Microsoft will provide clear guidance on its marketing plans for ERP products. "Microsoft has done a poor job of differentiating the ERP products from the marketing of the operating system and desktop products. We still have prospects that do not know Microsoft has ERP solutions," he said. Andrew Grose, president and CEO of Microsoft partner Nortec Communications, in Falls Church, Va., is heading to Toronto primarily to network and to attend sessions about business development, he said. "I wanted to see more business development content. I don't have an opportunity to go away for two or three days all the time," he said. Grose asked for the sessions to be led by non-Microsoft speakers, and Microsoft responded by booking a sales expert from Huthwaite, the company run by Neil Rackham, author of a sales strategy book called Spin Selling. Microsoft's Worldwide Partner Conference starts Sunday and ends Tuesday. 
From isn at c4i.org Fri Jul 9 06:52:04 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 9 06:54:08 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-28
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-07-01 - 2004-07-08

This week : 47 advisories

========================================================================

Table of Contents:

1. Word From Secunia
2. This Week In Brief
3. This Week's Top Ten Most Read Advisories
4. Vulnerabilities Summary Listing
5. Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

New Features at Secunia.com

Secunia has implemented various statistical features at the websites for both Secunia advisories and Virus Information.

Secunia Advisories Statistics:
http://secunia.com/advisory_statistics/

Examples of Specific Product Statistics:
http://secunia.com/product/11/ (Internet Explorer 6)
http://secunia.com/product/761/ (Opera 7.x)
http://secunia.com/product/1480/ (Mozilla 1.3)

Secunia Virus Information Statistics:
http://secunia.com/virus_statistics/

Furthermore, Secunia has made it possible for you to include all graphs available at secunia.com on your own website. This is described in detail at:
http://secunia.com/secunia_image_inclusion/

========================================================================

2) This Week in Brief:

ADVISORIES:

IBM Lotus Domino Web Access (formerly iNotes) is vulnerable to an issue, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused by an unspecified error when processing mails and can be exploited by sending a mail containing an overly large, specially crafted JPG image attachment (about 12 MB) to a vulnerable system. Successful exploitation reportedly crashes the whole Domino server when the mail is opened.
http://secunia.com/SA12007

Mozilla and Mozilla Firefox are vulnerable to an issue which allows malicious websites to trick users into accepting security dialog boxes. The problem is that it may be possible to trick users into typing or clicking on an XPInstall / Security dialog box, using various interactive events, without the user noticing the dialog box. Successful exploitation may allow a malicious website to perform tasks that require user interaction.
http://secunia.com/SA11999

VIRUS ALERTS:

During the last week, Secunia issued two MEDIUM RISK virus alerts. Please refer to the grouped virus profile below for more information:

Bagle.AD - MEDIUM RISK Virus Alert - 2004-07-04 21:48 GMT+1
http://secunia.com/virus_information/10430/bagle.ad/

Lovgate.Y - MEDIUM RISK Virus Alert - 2004-07-02 02:29 GMT+1
http://secunia.com/virus_information/10388/lovgate.y/

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA11978] Multiple Browsers Frame Injection Vulnerability
2. [SA11966] Internet Explorer Frame Injection Vulnerability
3. [SA11793] Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities
4. [SA10395] Internet Explorer URL Spoofing Vulnerability
5. [SA11999] Mozilla XPInstall Dialog Box Security Issue
6. [SA11996] Linux Kernel File Group ID Manipulation Vulnerability
7. [SA11856] Mozilla Browser Address Bar Spoofing Weakness
8. [SA11901] Opera Address Bar Spoofing Security Issue
9. [SA11830] Internet Explorer Security Zone Bypass and Address Bar Spoofing Vulnerability
10. [SA12020] MySQL Authentication Vulnerabilities

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA12006] Easy Chat Server Multiple Vulnerabilities
[SA12026] Comersus Shopping Cart Cross-Site Scripting and Price Manipulation
[SA12016] Fastream NETFile FTP/Web Server Directory Traversal Vulnerability
[SA12011] Mbedthis AppWeb Multiple Vulnerabilities
[SA11985] Easy Chat Server Directory Traversal Vulnerability
[SA11988] WinGate Proxy File Retrieval Vulnerability
[SA12012] 12Planet Chat Server Cross-Site Scripting Vulnerability
[SA12022] UnrealIRCd IP Cloaking Bypassing Weakness

UNIX/Linux:
[SA12023] Red Hat update for httpd
[SA12017] Open WebMail "vacation.pl" Arbitrary Program Execution Vulnerability
[SA12005] Debian update for webmin
[SA12002] Debian update for pavuk
[SA11989] Fedora update for mailman
[SA11982] Fedora update for kernel
[SA11980] Linux Kernel Netfilter TCP Option Matching Denial of Service Vulnerability
[SA12004] Gentoo update for apache2
[SA12001] Gentoo update for pure-ftpd
[SA12000] Netegrity IdentityMinder Cross-Site Scripting Vulnerability
[SA11993] Fedora update for rsync
[SA11992] Pure-FTPd Multiple Connection Denial of Service Vulnerability
[SA12025] Mandrake update for kernel
[SA12019] Gentoo update for xfree
[SA11998] Red Hat update for kernel
[SA11997] Fedora update for kernel
[SA11996] Linux Kernel File Group ID Manipulation Vulnerability
[SA12009] SuSE update for kernel
[SA12003] Gentoo update for kernel
[SA11991] Gentoo esearch Insecure Temporary File Creation Vulnerability
[SA11990] IBM Informix I-Spy "runbin" Privilege Escalation Vulnerability
[SA11986] RSBAC Privilege Escalation Vulnerabilities
[SA11983] FreeBSD Linux Compatibility Mode System Call Handling Vulnerability
[SA11981] Linux Kernel Sbus PROM Driver Multiple Integer Overflow Vulnerabilities
[SA12021] Linux VServer procfs Permission Weakness
[SA12008] Oracle 10g Installer Insecure Temporary File Creation
Other:
[SA12014] Enterasys XSR Routers "Record Route" Option Denial of Service
[SA12018] D-Link DI-624 Multiple Vulnerabilities
[SA11994] NetScreen 5GT Firewall AV Scan Engine Cross-Site Scripting Vulnerability
[SA11984] ZyXEL Prestige Routers Denial of Service Vulnerability

Cross Platform:
[SA12013] IBM WebSphere Application Server Denial of Service
[SA12007] IBM Lotus Domino Web Access Message Handling Denial of Service
[SA11999] Mozilla XPInstall Dialog Box Security Issue
[SA11987] Centre Inclusion of Arbitrary Files and SQL Injection
[SA12024] Ethereal Multiple Vulnerabilities
[SA12020] MySQL Authentication Vulnerabilities
[SA12015] SCI Photo Chat Cross-Site Scripting Vulnerability
[SA12010] Brightmail Unauthorised Access to Filtered Mails
[SA11995] Lotus Domino IMAP Quota Manipulation Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA12006] Easy Chat Server Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, DoS, System access
Released: 2004-07-05

Multiple vulnerabilities have been reported in Easy Chat Server, allowing malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks, and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12006/

--
[SA12026] Comersus Shopping Cart Cross-Site Scripting and Price Manipulation

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-07-08

Thomas Ryan has reported some vulnerabilities in Comersus Shopping Cart, which can be exploited by malicious people to conduct cross-site scripting attacks or manipulate orders.
Full Advisory:
http://secunia.com/advisories/12026/

--
[SA12016] Fastream NETFile FTP/Web Server Directory Traversal Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2004-07-06

aT4r ins4n3 has reported a vulnerability in Fastream NETFile FTP/Web Server, allowing malicious people to retrieve arbitrary files.

Full Advisory:
http://secunia.com/advisories/12016/

--
[SA12011] Mbedthis AppWeb Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Unknown, Security Bypass, Exposure of sensitive information
Released: 2004-07-07

Multiple vulnerabilities have been discovered in Mbedthis AppWeb. Some currently have an unknown impact and others may be exploited by malicious people to gain knowledge of sensitive information or bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/12011/

--
[SA11985] Easy Chat Server Directory Traversal Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, Exposure of system information
Released: 2004-07-02

Dr_insane has reported a vulnerability in Easy Chat Server, which can be exploited by malicious people to read arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11985/

--
[SA11988] WinGate Proxy File Retrieval Vulnerability

Critical: Moderately critical
Where: From local network
Impact: Security Bypass, Exposure of sensitive information
Released: 2004-07-02

iDefense has reported a vulnerability in WinGate, allowing malicious people to retrieve arbitrary files.
Full Advisory:
http://secunia.com/advisories/11988/

--
[SA12012] 12Planet Chat Server Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-07-05

Donato Ferrante has reported a vulnerability in 12Planet Chat Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12012/

--
[SA12022] UnrealIRCd IP Cloaking Bypassing Weakness

Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2004-07-06

bartavelle has reported a weakness in UnrealIRCd, which can be exploited by malicious users to bypass certain security features.

Full Advisory:
http://secunia.com/advisories/12022/

UNIX/Linux:
--
[SA12023] Red Hat update for httpd

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-07-06

Red Hat has issued an update for httpd. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12023/

--
[SA12017] Open WebMail "vacation.pl" Arbitrary Program Execution Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-07-06

Ken Girrard has reported a vulnerability in Open WebMail, which can be exploited by malicious users to execute arbitrary applications.

Full Advisory:
http://secunia.com/advisories/12017/

--
[SA12005] Debian update for webmin

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS
Released: 2004-07-05

Debian has issued an update for webmin. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/12005/

--
[SA12002] Debian update for pavuk

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-07-05

Debian has issued an update for pavuk. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12002/

--
[SA11989] Fedora update for mailman

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-07-02

Fedora has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to retrieve members' passwords.

Full Advisory:
http://secunia.com/advisories/11989/

--
[SA11982] Fedora update for kernel

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-07-01

Fedora has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11982/

--
[SA11980] Linux Kernel Netfilter TCP Option Matching Denial of Service Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-07-01

Adam Osuchowski and Tomasz Dubinski have reported a vulnerability in the Linux kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11980/

--
[SA12004] Gentoo update for apache2

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-07-05

Gentoo has issued an update for apache2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12004/

--
[SA12001] Gentoo update for pure-ftpd

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-07-05

Gentoo has issued an update for pure-ftpd.
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12001/

--
[SA12000] Netegrity IdentityMinder Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-07-05

HEXVIEW has reported a vulnerability in Netegrity IdentityMinder, allowing malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12000/

--
[SA11993] Fedora update for rsync

Critical: Less critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2004-07-02

Fedora has issued an update for rsync. This fixes a vulnerability, potentially allowing malicious people to write files outside the intended directory.

Full Advisory:
http://secunia.com/advisories/11993/

--
[SA11992] Pure-FTPd Multiple Connection Denial of Service Vulnerability

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-07-05

A vulnerability has been discovered in Pure-FTPd, allowing malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11992/

--
[SA12025] Mandrake update for kernel

Critical: Less critical
Where: From local network
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information, Privilege escalation
Released: 2004-07-07

MandrakeSoft has issued an update for the kernel. This fixes multiple vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions, gain knowledge of sensitive information or escalate privileges.

Full Advisory:
http://secunia.com/advisories/12025/

--
[SA12019] Gentoo update for xfree

Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2004-07-06

Gentoo has issued an update for xfree. This fixes a security issue, which potentially may allow malicious users to gain unintended access to a system.
Full Advisory:
http://secunia.com/advisories/12019/

--
[SA11998] Red Hat update for kernel

Critical: Less critical
Where: From local network
Impact: Manipulation of data
Released: 2004-07-02

Red Hat has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/11998/

--
[SA11997] Fedora update for kernel

Critical: Less critical
Where: From local network
Impact: Manipulation of data, Privilege escalation, DoS
Released: 2004-07-02

Fedora has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions, cause a DoS (Denial of Service) or potentially gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/11997/

--
[SA11996] Linux Kernel File Group ID Manipulation Vulnerability

Critical: Less critical
Where: From local network
Impact: Manipulation of data
Released: 2004-07-02

SuSE has discovered a vulnerability in the Linux kernel, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/11996/

--
[SA12009] SuSE update for kernel

Critical: Less critical
Where: Local system
Impact: Exposure of system information, Exposure of sensitive information, Privilege escalation
Released: 2004-07-05

SuSE has issued an update for the kernel. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges, cause a DoS (Denial of Service), or gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12009/

--
[SA12003] Gentoo update for kernel

Critical: Less critical
Where: Local system
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS
Released: 2004-07-05

Gentoo has issued an update for the kernel.
This fixes multiple vulnerabilities, which can be exploited by malicious users to gain escalated privileges, cause a DoS (Denial of Service), or gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12003/

--
[SA11991] Gentoo esearch Insecure Temporary File Creation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2004-07-02

Tavis Ormandy has discovered a vulnerability in esearch for Gentoo Linux, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/11991/

--
[SA11990] IBM Informix I-Spy "runbin" Privilege Escalation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-07-02

A vulnerability has been discovered in IBM Informix I-Spy, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/11990/

--
[SA11986] RSBAC Privilege Escalation Vulnerabilities

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-07-02

Two vulnerabilities have been reported in RSBAC, potentially allowing malicious, local users to escalate their privileges.

Full Advisory:
http://secunia.com/advisories/11986/

--
[SA11983] FreeBSD Linux Compatibility Mode System Call Handling Vulnerability

Critical: Less critical
Where: Local system
Impact: Exposure of system information, Exposure of sensitive information, Privilege escalation
Released: 2004-07-02

Tim Robbins has discovered a vulnerability in FreeBSD, which can be exploited by malicious, local users to gain knowledge of sensitive information or gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/11983/

--
[SA11981] Linux Kernel Sbus PROM Driver Multiple Integer Overflow Vulnerabilities

Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2004-07-02

infamous41 has reported some vulnerabilities in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/11981/

--
[SA12021] Linux VServer procfs Permission Weakness

Critical: Not critical
Where: Local system
Impact: Exposure of sensitive information, DoS
Released: 2004-07-06

Veit Wahlich has reported a weakness in Linux VServer, which can be exploited by certain malicious, local users to cause a DoS (Denial of Service) or gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12021/

--
[SA12008] Oracle 10g Installer Insecure Temporary File Creation

Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2004-07-05

Knud Erik Højgaard has reported a security issue in Oracle Database 10g, allowing malicious users to manipulate temporary files.

Full Advisory:
http://secunia.com/advisories/12008/

Other:
--
[SA12014] Enterasys XSR Routers "Record Route" Option Denial of Service

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-07-06

Frederico Queiroz has reported a vulnerability in Enterasys XSR-1800 and XSR-3000 Series, which can be exploited by malicious people to cause a Denial of Service.

Full Advisory:
http://secunia.com/advisories/12014/

--
[SA12018] D-Link DI-624 Multiple Vulnerabilities

Critical: Moderately critical
Where: From local network
Impact: DoS, Cross Site Scripting
Released: 2004-07-06

Gregory Duchemin has reported multiple vulnerabilities in D-Link DI-624, which can be exploited by malicious people to cause a DoS (Denial of Service) or conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/12018/

--
[SA11994] NetScreen 5GT Firewall AV Scan Engine Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-07-02

A vulnerability has been discovered in NetScreen ScreenOS, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/11994/

--
[SA11984] ZyXEL Prestige Routers Denial of Service Vulnerability

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-07-01

Sami Gascón has reported a vulnerability in ZyXEL Prestige, allowing malicious people to cause a Denial of Service.

Full Advisory:
http://secunia.com/advisories/11984/

Cross Platform:
--
[SA12013] IBM WebSphere Application Server Denial of Service

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-07-06

Leandro Meiners has reported a vulnerability in IBM WebSphere, allowing malicious people to cause a Denial of Service.

Full Advisory:
http://secunia.com/advisories/12013/

--
[SA12007] IBM Lotus Domino Web Access Message Handling Denial of Service

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-07-05

Andreas Klein has reported a vulnerability in IBM Lotus Domino Web Access (formerly iNotes), which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12007/

--
[SA11999] Mozilla XPInstall Dialog Box Security Issue

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-07-05

Jesse Ruderman has reported a security issue in Mozilla and Mozilla Firefox, allowing malicious websites to trick users into accepting security dialog boxes.
Full Advisory:
http://secunia.com/advisories/11999/

--
[SA11987] Centre Inclusion of Arbitrary Files and SQL Injection

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2004-07-02

Manip has reported two vulnerabilities in Centre, allowing malicious people to include arbitrary files and conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/11987/

--
[SA12024] Ethereal Multiple Vulnerabilities

Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2004-07-07

Three vulnerabilities have been discovered in Ethereal, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12024/

--
[SA12020] MySQL Authentication Vulnerabilities

Critical: Moderately critical
Where: From local network
Impact: Security Bypass, Privilege escalation
Released: 2004-07-06

Chris Anley has reported two vulnerabilities in MySQL, allowing malicious people to gain access to the database or the local system.

Full Advisory:
http://secunia.com/advisories/12020/

--
[SA12015] SCI Photo Chat Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-07-06

Donato Ferrante has reported a vulnerability in SCI Photo Chat, potentially allowing malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12015/

--
[SA12010] Brightmail Unauthorised Access to Filtered Mails

Critical: Not critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-07-05

Thomas Springer has reported a privacy issue in Brightmail, potentially allowing malicious users to read arbitrary mails.
Full Advisory:
http://secunia.com/advisories/12010/

--
[SA11995] Lotus Domino IMAP Quota Manipulation Weakness

Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2004-07-02

Andreas Klein has reported a weakness in Lotus Domino, which can be exploited by malicious users to manipulate certain configuration options.

Full Advisory:
http://secunia.com/advisories/11995/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Jul 9 06:52:32 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 9 06:54:09 2004
Subject: [ISN] ITL Bulletin for July 2004
Message-ID:

Forwarded from: Elizabeth Lennon

GUIDE FOR MAPPING TYPES OF INFORMATION AND INFORMATION SYSTEMS TO SECURITY CATEGORIES

By William C. Barker
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Introduction

In response to the requirements of Title III of the E-Government Act (Public Law 107-347), titled the Federal Information Security Management Act (FISMA), ITL recently published NIST Special Publication (SP) 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories.
Summarized in this ITL Bulletin, the guide was developed to assist federal government agencies to categorize information and information systems with respect to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or loss of availability of the information or information system. SP 800-60 applies to all federal systems other than national security systems as defined in FISMA and NIST SP 800-59, Guideline for Identifying an Information System as a National Security System.

SP 800-60 and its appendices:

* Review the security categorization terms and definitions established by Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems;
* Recommend a security categorization process;
* Describe a methodology for identifying types of federal information and information systems;
* Suggest provisional security impact levels for common information types;
* Identify information attributes that may result in variances from the provisional impact level assignment; and
* Describe how to establish a system security categorization based on the system's use, connectivity, and aggregate information content.

SP 800-60 is intended as a reference resource rather than as a tutorial. Not all of the material will be relevant to all agencies. SP 800-60 includes two volumes: Volume I is a basic guideline and Volume II contains appendices. Users should review the guidelines provided in Volume I, then refer to only the material from the appendices that is applicable. The provisional impact assignments contained in the appendices are only the first step in impact assignment and subsequent risk assessment processes. The impact assignments are not intended to be used by auditors as a definitive checklist for information types and impact assignments.
The primary source for the information types is the Office of Management and Budget's Federal Enterprise Architecture Program Management Office June 2003 publication, The Business Reference Model Version 2.0 (BRM). The BRM describes functions relating to the:

- Purpose of government (missions, or services to citizens),
- Mechanisms the government uses to achieve its purpose (modes of delivery),
- Support functions necessary to conduct government (support services), and
- Resource management functions that support all areas of the government's business (management of resources).

The information types associated with support services and management of resources functions are included in the management and support types. Some additional information types have been added at the request of federal agencies. The information types associated with services to citizens and modes of delivery functions are included in the mission-based information types. Volume II lists legal and executive sources that establish sensitivity and/or criticality characteristics for specific types of information processed by the federal government. Citations from the United States Code and Executive Orders are listed in Appendix E.

Security Categorization of Information and Information Systems

FIPS 199 defines the security categories, security objectives, and impact levels to which SP 800-60 maps information types. FIPS 199 also describes the context of use for this guideline. The impact levels for the management and support information common to many agencies are strongly affected by the mission-based information with which it is associated. Each organization should review the provisional information impact levels in the context of its own operational environment, then accept or revise impact levels accordingly. The impact level of information can be defined only within the context of an organization's operational environment. Generally, information systems process many types of information.
Not all of these information types are likely to have the same impact levels. The compromise of some information types will jeopardize system functionality and agency mission more than the compromise of other information types. System impact levels must be assessed in the context of system mission and function as well as on the basis of the aggregate of the component information types.

FIPS 199 establishes three impact levels relevant to securing federal information for three security objectives (confidentiality, integrity, and availability). A loss of confidentiality is the unauthorized disclosure of information. A loss of integrity is the unauthorized modification or destruction of information. A loss of availability is the disruption of access to or use of information or an information system. The generalized format for expressing the security category, or SC, of an information type is:

SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}

where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE.

Mapping Information Types to Security Controls and Impact Levels

SP 800-60 specifies the following step-by-step methodology for mapping information types and information systems to security controls and impact levels:

* Identify information systems. An information system may be a general support system, a major application, or a local or special purpose system. Agencies should develop their own policies regarding system identification for security categorization purposes.
* Identify information types. The user should identify all of the information types that are input, stored, processed, and/or output from each system.
* Select provisional impact levels. The user should select the provisional impact levels for each identified information type from Appendices C and D.
* Review and adjust provisional impact levels.
The user should review the appropriateness of the provisional impact levels recommended for each information type based on the organization, environment, mission, use, and connectivity associated with the system under review. After reviewing the provisional impact levels, adjustments should be made to the impact levels as appropriate.
* Assign system security category. The user establishes the level of confidentiality, integrity, and availability impacts associated with the system under review. The adjusted impact levels for information types are reviewed with respect to the aggregate of all information processed in or by each system.

Following completion of the system security categorization process, the resulting impact level can be used as an input to a system risk assessment and in selection of the security controls necessary for each system. The minimum security controls recommended for each system security category will be found in DRAFT NIST SP 800-53, Recommended Security Controls for Federal Information Systems.

Information Type Identification

SP 800-60 suggests a methodology that can be employed for identification of information types:

* Identify the fundamental business areas (management and support) or mission areas (mission-based) supported by the system under review;
* Identify, for each business or mission area, the operations or lines of business that describe the purpose of the system in functional terms;
* Identify the subfunctions necessary to carry out each area of operation or line of business;
* Select basic information types associated with the identified subfunctions; and
* Identify, where appropriate, any information type processed by the system that is required by statute, Executive Order, or agency regulation to receive special handling (e.g., with respect to unauthorized disclosure or dissemination). This information may be used to adjust the information type or system impact level.
Once a set of information types has been selected, the agency should review the information processed by the system to see if additional types need to be identified for impact assessment purposes.

Selection of Provisional Impact Levels

Appendix C suggests provisional confidentiality, integrity, and availability impact levels for management and support information types, and Appendix D provides examples of provisional impact levels for some mission-based information types. Where an information type processed by a system is not categorized by this guideline, an initial impact determination will need to be made based on FIPS 199 criteria. An agency may identify information types not listed in SP 800-60 or may choose not to select provisional impact levels from Appendix C (for management and support information types) or Appendix D (for mission-based information types). In such cases, the agency should employ the following criteria to determine provisional impact levels.

- The potential impact is low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- The potential impact is moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- The potential impact is high if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Review and Adjustment/Finalization of Information Impact Levels

Particularly where security categorization impact levels recommended in Appendix D are adopted as provisional levels, the agency should review the appropriateness of the provisional impact levels in the context of the organization, environment, mission, use, and connectivity associated with the system under review. The confidentiality, integrity, and availability impact levels may be adjusted one or more times in the course of the review. Once the review and adjustment process is complete for all information types, the mapping of impact levels by information type can be finalized. The impact of compromise of information of a particular type can be different in different agencies or in different operational contexts. Also, the impact for an information type may vary throughout the life cycle.

System Security Categorization

Once the impact levels have been selected for individual information types processed by a system, it is necessary to assign a system security category. Determining the security category of an information system requires additional analysis and must consider the security categories of all information types resident on the information system. The potential impact values assigned to each security objective (confidentiality, integrity, availability) are the highest values (i.e., high water mark) for any one of these objectives that has been determined for the types of information resident on the information system. While the value of not applicable can apply to specific information types processed by systems, this value cannot be assigned to any security objective for an information system. There is a minimum provisional impact (i.e., low water mark) for a compromise of confidentiality, integrity, and availability for an information system. This is necessary to protect the system-level processing functions and information critical to the operation of the information system.
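As an added illustration of the rules just described (example code written for this summary, not NIST's or the SP 800-60 authors' tooling), the following Python applies the methodology's steps 3 to 5 to constructed information types: provisional levels, a review adjustment with its rationale, NOT APPLICABLE on an individual type, and the high-water-mark aggregation with the LOW floor for the system. The information type names, levels and rationale are assumptions made up for the example, not entries from Appendices C or D.

```python
# Added example for this bulletin (not NIST tooling or text from SP 800-60):
# builds the SC expression for information types and for a system using the
# FIPS 199 levels, the high-water-mark rule and the LOW floor described above.
# Every information type, level and rationale below is a constructed sample,
# not a value taken from SP 800-60 Appendices C or D.
from dataclasses import dataclass, field

# FIPS 199 impact levels in rank order. NOT APPLICABLE may be assigned to an
# individual information type but never to a security objective of a system.
LEVELS = ["NOT APPLICABLE", "LOW", "MODERATE", "HIGH"]
OBJECTIVES = ("confidentiality", "integrity", "availability")


def rank(level):
    """Position of an impact level in LEVELS; rejects anything else."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)


@dataclass
class InfoType:
    """An information type with its provisional impact levels (methodology
    step 3) and any adjustments recorded during review (step 4)."""
    name: str
    provisional: dict
    adjusted: dict = field(default_factory=dict)
    rationale: dict = field(default_factory=dict)

    def __post_init__(self):
        missing = [o for o in OBJECTIVES if o not in self.provisional]
        if missing:
            raise ValueError(f"{self.name}: no provisional level for {missing}")
        for level in self.provisional.values():
            rank(level)

    def adjust(self, objective, level, why):
        """Override a provisional level after review, keeping the rationale."""
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {objective!r}")
        rank(level)
        self.adjusted[objective] = level
        self.rationale[objective] = why

    def impact(self, objective):
        """Adjusted level if the review changed it, else the provisional one."""
        return self.adjusted.get(objective, self.provisional[objective])

    def category(self):
        """SC of this information type as an objective -> level mapping."""
        return {o: self.impact(o) for o in OBJECTIVES}


def system_category(info_types):
    """System SC (step 5): per objective, the highest level among all resident
    information types (high water mark), but never below LOW (low water
    mark), so NOT APPLICABLE on every type still yields LOW for the system."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    floor = rank("LOW")
    result = {}
    for o in OBJECTIVES:
        high = max(rank(t.impact(o)) for t in info_types)
        result[o] = LEVELS[max(high, floor)]
    return result


def format_sc(subject, category):
    """Render in the bulletin's notation: SC x = {(confidentiality, L), ...}."""
    parts = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC {subject} = {{{parts}}}"


def example_system():
    """Constructed sample: three information types on one hypothetical system."""
    public_web = InfoType("public web content", {
        "confidentiality": "NOT APPLICABLE", "integrity": "MODERATE",
        "availability": "LOW"})
    personnel = InfoType("personnel records", {
        "confidentiality": "MODERATE", "integrity": "MODERATE",
        "availability": "LOW"})
    alerts = InfoType("incident alerts", {
        "confidentiality": "LOW", "integrity": "LOW", "availability": "LOW"})
    # Step 4 review: in this (constructed) environment an alerting outage
    # would halt incident response, so availability is raised from LOW.
    alerts.adjust("availability", "HIGH",
                  "alert outage halts incident response (constructed)")
    return [public_web, personnel, alerts]


if __name__ == "__main__":
    types = example_system()
    for t in types:
        print(format_sc(t.name, t.category()))
    print(format_sc("information system", system_category(types)))
```

Note that the system comes out MODERATE for confidentiality even though one of its types carries NOT APPLICABLE, and HIGH for availability only because of the recorded review adjustment, which is exactly the kind of variance from the provisional levels that the review step is meant to capture.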
The generalized format for expressing the security category, or SC, of an information system is:

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},

where the acceptable values for potential impact are LOW, MODERATE, or HIGH.

Variations in sensitivity/criticality with respect to time may need to be factored into the impact assignment process. Some information loses its sensitivity in time (e.g., economic/commodity projections after they've been published). Other information is particularly critical at some point in time (e.g., weather data in the terminal approach area during aircraft landing operations). Other factors that SP 800-60 addresses with respect to making system-level impact decisions include aggregation, critical system functionality, web page integrity, catastrophic loss of system availability, critical infrastructures and key national assets, privacy information, and trade secrets.

NIST SP 800-60 is available for download at our Computer Security Resource Center at http://csrc.nist.gov/publications/. Other publications mentioned in this bulletin are also available at this website.

Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357

From isn at c4i.org Mon Jul 12 04:42:34 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 12 05:06:43 2004
Subject: [ISN] CASE STUDY PROPOSALS STILL BEING ACCEPTED (ACSAC 20)
Message-ID:

Forwarded from: ACSAC announce-admin

CASE STUDY PROPOSALS STILL BEING ACCEPTED

===============================================================
Annual Computer Security Applications Conference (ACSAC 20)
December 6-10, 2004
Hilton Tucson El Conquistador Golf & Tennis Resort
Tucson, Arizona USA
http://www.acsac.org
===============================================================

The technical sessions on December 8-9, 2004, will also include a Case Studies track. Presentations in this track will allow providers and users of products, programs, or services an opportunity to describe the innovative ways in which the products, programs, or services are being used to implement secure systems. Case studies presentations are not marketing presentations.
Case studies should describe how products, programs, or services solve customer problems in areas such as:

Access control
Insider threat protection
Applied cryptography
Integrity
Audit and audit reduction
Intellectual property rights protection
Biometrics
Incident response planning
Certification and accreditation
Intrusion detection and event correlation
Database security
Middleware and distributed systems security
Denial of service protection
Mobile security
Defensive information warfare
Modeling and simulation related to security
Electronic commerce security
Network security
Enterprise security
Operating systems security
Firewalls/other boundary control devices
Forensics
Product evaluation criteria & compliance
Identification and authentication
Risk/vulnerability assessment
Information survivability
Security engineering
Security management
Software safety and program correctness
Wireless security
Privacy

To propose a Case Study, please simply submit a brief abstract of the proposal with title and the biography of the presenter to the Case Studies chair at: CaseStudies_chair@acsac.org If you have any questions please call or write Steve Rome 410-684-6692 rome_steven@bah.com

From isn at c4i.org Mon Jul 12 04:43:00 2004 From: isn at c4i.org (InfoSec News) Date: Mon Jul 12 05:06:45 2004 Subject: [ISN] Linux Advisory Watch - July 9, 2004 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | July 9, 2004 Volume 5, Number 27a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin Thomas dave@linuxsecurity.com ben@linuxsecurity.com Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
This week, advisories were released for webmin, pavuk, kernel, mailman, rsync, Esearch, Apache, XFree86, libpng, Shorewall, tripwire and httpd. The distributors include Debian, Fedora, FreeBSD, Gentoo, Mandrake, Red Hat and Suse. ----- >> Need to Secure Multiple Domain or Host Names? << Securing multiple domain or host names need not burden you with unwanted administrative hassles. Learn more about how the cost-effective Thawte Starter PKI program can streamline management of your digital certificates. Click here to download our Free guide: http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawte07 ----- Kerberos, Part I Introduction Kerberos is an authentication system developed by the Athena Project at MIT. When a user logs in, Kerberos authenticates that user (using a password), and provides the user with a way to prove her identity to other servers and hosts scattered around the network. This authentication is then used by programs such as rlogin to allow the user to log in to other hosts without a password (in place of the .rhosts file). This authentication method can also be used by the mail system in order to guarantee that mail is delivered to the correct person, as well as to guarantee that the sender is who he claims to be. The overall effect of installing Kerberos and the numerous other programs that go with it is to virtually eliminate the ability of users to "spoof" the system into believing they are someone else. Unfortunately, installing Kerberos is very intrusive, requiring the modification or replacement of numerous standard programs. Implementation Implementing Kerberos on the client isn't too difficult; implementing a server, however, is a different story. The document The Moron's Guide to Kerberos does a good job of explaining Kerberos in more detail, as well as guiding users and administrators through the process of creating and using the server.
It is available at the following URL: http://www.isi.edu/gost/brian/security/kerberos.html Most distributions include support for Kerberos. Distributions that use PAM are much easier to configure. Applications normally require recompiling to support using Kerberos as the authentication mechanism, but PAM resolves those issues by allowing you to 'plug-in' a Kerberos authentication module. Kerberos isn't for everyone. Install the client support for your distribution if you require it to connect to a Kerberos server on your network. Install the Kerberos server if you have to support a large number of distributed clients and require the extra authentication. Generally, using the Secure Shell is a fine alternative for authenticating users before logging into remote machines or transferring files. Next week, we will explore how Kerberos actually works. Security Tip Written by Dave Wreski (ben@guardiandigital.com) Additional tips are available at the following URL: http://www.linuxsecurity.com/tips/ ----- Open Source Leaving Microsoft Sitting on the Fence? The open source model, with special regard to Linux, has no doubt become a formidable competitor to the once sole giant of the software industry, Microsoft. It is expected when the market share of an industry leader becomes threatened, retaliation with new product or service offerings and marketing campaigns refuting the claims of the new found competition are inevitable. However, in the case of Microsoft, it seems they have not taken a solid or plausible position on the use of open source applications as an alternative to Windows. http://www.linuxsecurity.com/feature_stories/feature_story-168.html -------------------------------------------------------------------- Guardian Digital Launches Next Generation Secure Mail Suite Guardian Digital, the premier open source security company, announced the availability of the next generation Secure Mail Suite, the industry's most secure open source corporate email system. 
This latest edition has been optimized to support the changing needs of enterprise and small business customers while continually providing protection from the latest in email security threats. http://www.linuxsecurity.com/feature_stories/feature_story-166.html
--------------------------------------------------------------------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian |
+---------------------------------+

7/8/2004 - webmin: Multiple vulnerabilities
This patch addresses an ACL bypass and the ability to use brute force to get IDs and passwords.
http://www.linuxsecurity.com/advisories/debian_advisory-4548.html

7/8/2004 - pavuk: Buffer overflow vulnerability
An oversized HTTP 305 response sent by a malicious server could cause arbitrary code to be executed with the privileges of the pavuk process.
http://www.linuxsecurity.com/advisories/debian_advisory-4549.html

+---------------------------------+
| Distribution: Fedora |
+---------------------------------+

7/2/2004 - kernel: Privilege change vulnerability
During an audit of the Linux kernel, SUSE discovered a flaw in the Linux kernel that inappropriately allows an unprivileged user to change the group ID of a file to his/her own group ID.
http://www.linuxsecurity.com/advisories/fedora_advisory-4532.html

7/2/2004 - mailman: Password leak vulnerability
Mailman subscriber passwords could be retrieved by a remote attacker.
http://www.linuxsecurity.com/advisories/fedora_advisory-4533.html

7/2/2004 - rsync: Path escape vulnerability
A writing, non-chrooted rsync daemon could write outside of a module's path.
http://www.linuxsecurity.com/advisories/fedora_advisory-4534.html

7/8/2004 - kernel: Corrected md5 sums
This posting gives the correct md5 sums for the previous kernel update.
http://www.linuxsecurity.com/advisories/fedora_advisory-4547.html

+---------------------------------+
| Distribution: FreeBSD |
+---------------------------------+

7/2/2004 - kernel: Improper memory access vulnerability
It may be possible for a local attacker to read and/or overwrite portions of kernel memory, resulting in disclosure of sensitive information or potential privilege escalation.
http://www.linuxsecurity.com/advisories/freebsd_advisory-4531.html

+---------------------------------+
| Distribution: Gentoo |
+---------------------------------+

7/2/2004 - Esearch: Insecure temp file vulnerability
A missing symlink check makes it possible for any user to create arbitrary files.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4530.html

7/8/2004 - kernel: Multiple vulnerabilities
This patch addresses a large number of kernel vulnerabilities.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4541.html

7/8/2004 - Apache 2: Denial of service vulnerability
A remote attacker could perform a Denial of Service attack and possibly trigger a heap-based buffer overflow.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4542.html

7/8/2004 - Pure-FTPd: Denial of service vulnerability
Pure-FTPd contains a bug potentially allowing a Denial of Service attack when the maximum number of connections is reached.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4543.html

7/8/2004 - XFree86: Improper access vulnerability
This bug may allow authorized users to access a machine remotely via X, even if the administrator has configured XDM to refuse such connections.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4544.html

7/8/2004 - libpng: Buffer overflow vulnerability
The vulnerability allows an attacker to perform a Denial of Service attack or even execute arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4545.html

7/8/2004 - Shorewall: Insecure temp file vulnerability
This can allow a non-root user to overwrite arbitrary system files.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4546.html

+---------------------------------+
| Distribution: Mandrake |
+---------------------------------+

7/8/2004 - tripwire: Format string vulnerability
A format string vulnerability in tripwire could allow a local user to execute arbitrary code with the rights of the user running tripwire (typically root).
http://www.linuxsecurity.com/advisories/mandrake_advisory-4539.html

7/8/2004 - kernel: Multiple vulnerabilities
This patch addresses a large number of vulnerabilities, including the ability for a user to set the gid of arbitrary files.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4540.html

+---------------------------------+
| Distribution: Red Hat |
+---------------------------------+

7/8/2004 - kernel (e-3): File metadata change vulnerability
Using NFS, a user could make unauthorized changes to files' GID.
http://www.linuxsecurity.com/advisories/redhat_advisory-4536.html

7/8/2004 - kernel (e-2.1): File metadata change vulnerability
Using NFS, a user could make unauthorized changes to files' GID.
http://www.linuxsecurity.com/advisories/redhat_advisory-4537.html

7/8/2004 - httpd: Multiple vulnerabilities
Updated httpd packages that fix a buffer overflow in mod_ssl and a remotely triggerable memory leak are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-4538.html

+---------------------------------+
| Distribution: Suse |
+---------------------------------+

7/8/2004 - kernel: Multiple vulnerabilities
Multiple security vulnerabilities are being addressed with this security update of the Linux kernel.
http://www.linuxsecurity.com/advisories/suse_advisory-4535.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Jul 12 04:43:16 2004 From: isn at c4i.org (InfoSec News) Date: Mon Jul 12 05:06:46 2004 Subject: [ISN] Alleged hacker is Microsoft employee Message-ID: http://www.smh.com.au/articles/2004/07/12/1089484274240.html By Allison Linn Seattle July 12, 2004 A man accused of hacking into search engine company AltaVista's computer systems about two years ago is now employed by Microsoft Corp, reportedly working on search technology. Laurent Chavet, 29, was arrested by FBI agents a week ago in Redmond, Washington, acting on a warrant issued in San Francisco. Federal prosecutors allege that Chavet hacked into AltaVista's computer system to obtain software blueprints called source code and recklessly caused damage to AltaVista's computers. Microsoft spokeswoman Tami Begasse said today that Chavet, who lives in Kirkland, a suburb of Seattle on the US west coast, was an employee of Microsoft. She declined further comment on the nature of Chavet's employment or when he started at the company, citing Microsoft policy on not discussing personnel matters. Generally speaking, Begasse said: "We're confident in our policies and procedures we have in place to protect our code and to ensure that employees do not bring third party code into the work place." The Seattle Post-Intelligencer, citing anonymous sources, reported that Chavet had been working on Microsoft's MSN Search effort. In a research paper on search technology published in IBM Systems Journal, Chavet is listed as a search expert who works at Microsoft and was previously with AltaVista.
In 2003, AltaVista, based in Sunnyvale, California, was acquired by search company Overture Services, Inc, which in turn was acquired by Yahoo Inc later that year. Microsoft's MSN website currently uses both Overture's and Yahoo's search technology. But the Redmond company has begun an aggressive effort to develop its own search technology as it tries to compete with search engine leaders Google and Yahoo. Microsoft, which has acknowledged it lags in search, hopes to play catch-up with a broad-based search tool that allows users to also scour through emails, documents and even big databases. Court documents say Chavet worked at AltaVista from approximately June 1999 to February 2002. Beginning in late March 2002, the US attorney's office alleges in court documents, Chavet began accessing AltaVista's computers without permission, causing about $US5,000 ($A7,000) in damage over a one year period. A spokeswoman for Overture declined to comment on Chavet's case. Assistant US Attorney Chris Sonderby, who is in charge of the California unit prosecuting the case, told The Associated Press that the allegations against Chavet "do not pertain to Microsoft". Chavet was released on a $US10,000 ($A13,900) bond and is expected to make a court appearance on July 20 in San Francisco. Both charges carry a maximum penalty of five years in prison and a $US250,000 ($A347,500) fine. From isn at c4i.org Mon Jul 12 05:05:12 2004 From: isn at c4i.org (InfoSec News) Date: Mon Jul 12 05:06:47 2004 Subject: [ISN] For Hackers, Shop Talk, a Warning and Advice Message-ID: http://www.nytimes.com/2004/07/12/technology/12hack.html By NICHOLAS THOMPSON July 12, 2004 Stephen Wozniak, a founder of Apple Computer, was speaking to the choir Saturday at a conference in Midtown Manhattan, recalling an era when the word "hackers" referred to technological wizards, not rogue computer users. His choir was a group of self-described hackers, about 2,000 of them, listening to Mr.
Wozniak's keynote speech at the H.O.P.E. conference - Hackers on Planet Earth - put on by the hacker magazine 2600 News. Mr. Wozniak described his relationship with John T. Draper, a man who became known as "Captain Crunch" 35 years ago when he showed how a plastic whistle that came in Cap'n Crunch cereal boxes could be used to manipulate the national phone system. Mr. Wozniak said he had not cared that the technology could save him a few dimes. Rather, he said, he found it wonderful that a simple tool, cleverly used, could control something complicated and powerful in a forbidden way. In an interview before the speech, Mr. Wozniak, 53, lamented that people now "think of hackers as terrorists" and argued that this fear had caused the government to give undeservedly harsh punishments to violators of computer fraud statutes. In his speech, Mr. Wozniak supported this argument by pointing out the many pranks he had pulled with his technical talents. For example, Mr. Wozniak said he once used his skills with the telephone system to place a free call to the pope. Another trick Mr. Wozniak said he enjoyed was using a device that could jam and unjam television reception, manipulating it so that the image would become clear only when other people did strange things to their screens. He once did this to a college classmate until his target thought the only way to keep the picture focused was to place a hand on the center of the monitor and keep one foot propped up on a chair. The hacking that many people fear, Mr. Wozniak said, "is often just some kid trying to do something funny." Much of the conference was focused on making arguments for less monitoring and control of computer networks by the government. Speakers stood at lecterns in front of large red posters declaring "Big Brother is watching you." Many sessions aimed to help hackers improve their technical skills, like their ability to send encrypted e-mail messages. 
Other events focused on tools that could help secure computer systems or break into them. One workshop trained participants how to pick locks. Many participants and speakers acknowledged that they had used their technical skills to violate the law. But they rationalized their actions, saying their main goal was to expose flaws in corporate computer systems to spur better data protection and thus privacy for everyone. "We point out weak security," said Emmanuel Goldstein, the chief organizer of the conference. Mr. Draper, 62, said, "If a hacker breaks into a company's system, and that system isn't properly secured, that company should be held liable." Government authorities dispute the idea that hackers should set their own criteria for right and wrong and can justify violating the law by claiming service to a greater goal. A Justice Department Web page aimed at young hackers describes the punishment meted out to a hacker who had used the Internet to disrupt the phones at an airport and knock out service for 600 homes in Boston. "Hacking can get you in a whole lot more trouble than you think and is a completely creepy thing to do," the site warns. But the illegality of hacking is also an attraction. "It's a game. You want to get into the best system, leave your mark," and then get out, said Jason Schorr, 18, from the Bronx. "There's always an attraction to being naughty," said Robert Osband, a hacker from Florida who had, like Mr. Wozniak, learned his skills on the old phone system. Like many older hackers, Mr. Wozniak reveled in his past exploits and warned young people intrigued by the dark possibilities of hacking to avoid doing harm, despite the temptation. "There are two kinds of people here," said Mike Roadancer, the conference's head of security, while shuttling between two groups of hackers - one trying to break into the conference's computer network and the other trying to protect it. "There are the old-timers. 
A lot of those guys are running their own venture capital operations or have made millions in the security business. Then you have the ones I consider to be kids that just really need to be turned over somebody's knee." Dave Walker, a 19-year-old hacker from Rochester, who sat with friends, all tapping at laptops, insisted that he was not one of the people attacking the conference network. But he did not deny that he might try later. "It's a hacker conference. At some point, you've got to try to hack the system," he said. From isn at c4i.org Tue Jul 13 04:23:35 2004 From: isn at c4i.org (InfoSec News) Date: Tue Jul 13 04:57:52 2004 Subject: [ISN] PHRACK #62 HAS BEEN RELEASED Message-ID: Tue Jul 13 00:58:42 UTC - PHRACK #62 HAS BEEN RELEASED. *** NOW AVAILABLE AT HTTP://WWW.PHRACK.ORG **** *** NOW AVAILABLE AT HTTP://WWW.PHRACK.ORG **** *** NOW AVAILABLE AT HTTP://WWW.PHRACK.ORG **** PHRACK MAGAZINE is one of the longest running electronic magazines in existence. Since 1985, PHRACK MAGAZINE has been providing the hacker community with information on operating systems, network technologies and telephony, as well as relaying features of interest for the international computer underground. PHRACK MAGAZINE is made available to the public, as often as possible, free of charge. 
0x01 Introduction                                phrackstaff   0x08 kb
0x02 Loopback                                    phrackstaff   0x05 kb
0x03 Linenoise                                   phrackstaff   0x21 kb
0x04 Phrack Prophile on scut                     phrackstaff   0x0b kb
0x05 Bypassing Win BO Protection                 Anonymous     0x25 kb
0x06 Kernel Mode Backdoor for NT                 firew0rker    0x81 kb
0x07 Advances in Windows Shellcode               sk            0x31 kb
0x08 Remote Exec                                 grugq         0x3b kb
0x09 UTF8 Shellcode                              greuff        0x32 kb
0x0a Attacking Apache Modules                    andi          0x5e kb
0x0b Radio Hacking                               shaun2k2      0x36 kb
0x0c Win32 Portable Userland Rootkit             kdm           0x48 kb
0x0d Bypassing Windows Personal FW's             rattle        0x59 kb
0x0e A DynamicPolyalphabeticSubstitutionCipher   veins         0x42 kb
0x0f Playing Cards for Smart Profits             ender         0x1a kb
0x10 Phrack World News                           phrackstaff   0x55 kb

[ PHRACK, NO FEAR & NO DOUBT ]

Enjoy the magazine!

Phrack Magazine Vol 11 Number 62, Build 2, Jul 13, 2004. ISSN 1068-1035
Contents Copyright (c) 2004 Phrack Magazine. All Rights Reserved. Nothing may be reproduced in whole or in part without the prior written permission from the editors. Phrack Magazine is made available to the public, as often as possible, free of charge.

|=-----------=[ C O N T A C T   P H R A C K   M A G A Z I N E ]=---------=|

Editors           : phrackstaff@phrack.org
Submissions       : phrackstaff@phrack.org
Commentary        : loopback@phrack.org
Phrack World News : pwn@phrack.org

Note: You must put the word 'ANTISPAM' somewhere in the Subject-line of your email. All others will meet their master in /dev/null. We reply to every email. Lame emails make it into loopback.
|=-----------------------------------------------------------------------=| Submissions may be encrypted with the following PGP key: (Hint: Always use the PGP key from the latest issue) -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.2.1 (GNU/Linux) mQGiBD8t3OARBACWTusKTxboeSode33ZVBx3AlgMTQ8POA+ssRyJkyVVbrruYlLY Bov43vxEsqLZXrfcuCd5iKKk+wLEjESqValODEwaDeeyyPuUMctrr2UrrDlZ2MDT f7LvNdyYFDlYzFwSc9sesrNQ78EoWa1kHAGY1bUD2S7ei1aEU9r/EUpFxwCgzLjq TV6rC/UzOWntwRk+Ct5u3fUEAJVPIZCQOd2f2M11TOPNaJRxJIxseNQCbRjNReT4 FG4CsHGqMTEMrgR0C0/Z9H/p4hbjZ2fpPne3oo7YNjnzaDN65UmYJDFUkKiFaQNb upTcpQESsCPvN+iaVkas37m1NATKYb8dkKdiM12iTcJ7tNotN5IDjeahNNivFv4K 5op7A/0VBG8o348MofsE4rN20Qw4I4d6yhZwmJ8Gjfu/OPqonktfNpnEBw13RtLH cXEkY5GY+A2AapDCOhqDdh5Fxq9LMLKF2hzZa5JHwp6HcvrYhIyJLW8/uspVGTgP ZPx0Z3Cp4rKmzoLcOjyvGbAWUh0WFodK+A4xbr8bEg9PH5qCurQlUGhyYWNrIFN0 YWZmIDxwaHJhY2tzdGFmZkBwaHJhY2sub3JnPohfBBMRAgAfBQI/LdzgBQkDFwQA BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRC8vwVck0UfSeo1AJ42bPrG2L0Nlun1Fthn gYlx/9nUiACeJo5tMKlr/JcdKqeEfpNIm4GRmLq5Ag0EPy3dChAIALK9tVpuVImJ REXqf4GeR4RkxpAO+8Z2RolTgESW6FfJQcCM8TKeLuGWE2jGKGWKtZ68m+zxgYBK z+MOKFvlduktqQpyCJP/Mgdt6yy2aSEq0ZqD1hoqiGmoGdl9L6+VD2kUN6EjWCiv 5YikjgQaenSUOmZZR0whuezxW9K4XgtLVGkgfqz82yTGwaoU7HynqhJr7UIxdsXx dr+y7ad1clR/OgAFg294fmffX6UkBjD5c2MiX/ax16rpDqZii1TJozeeeM7XaIAj 5lgLLuFZctcWZjItrK6fANVjnNrEusoPnrnis4FdQi4MuYbOATNVKP00iFGlNGQN qqvHAsDtDTcABAsH/1zrZyBskztS88voQ2EHRR+bigpIFSlzOtHVDNnryIuF25nM yWV10NebrEVid/Um2xpB5qFnZNO1QdgqUTIpkKY+pqJd3mfKGepLhQq+hgSe29HP 45V6S6ujLQ4dcaHq9PKVdhyA2TjzI/lFAZeCxtig5vtD8t5p/lifFIDDI9MrqAVR l1sSwfB8qWcKtMNVQWH6g2zHI1AlG0M42depD50WvdQbKWep/ESh1uP55I9UvhCl mQLPI6ASmwlUGq0YZIuEwuI75ExaFeIt2TJjciM5m/zXSZPJQFueB4vsTuhlQICi MXt5BXWyqYnDop885WR2jH5HyENOxQRad1v3yF6ITAQYEQIADAUCPy3dCgUJAxcE AAAKCRC8vwVck0UfSfL/AJ9ABdnRJsp6rNM4BQPKJ7shevElWACdHGebIKoidGJh nntgUSbqNtS5lUo= =FnHK -----END PGP PUBLIC KEY BLOCK----- phrack:~# head -22 /usr/include/std-disclaimer.h /* * All information in Phrack Magazine is, to the best of the ability of * 
the editors and contributors, truthful and accurate. When possible, * all facts are checked, all code is compiled. However, we are not * omniscient (hell, we don't even get paid). It is entirely possible * something contained within this publication is incorrect in some way. * If this is the case, please drop us some email so that we can correct * it in a future issue. * * * Also, keep in mind that Phrack Magazine accepts no responsibility for * the entirely stupid (or illegal) things people may do with the * information contained herein. Phrack is a compendium of knowledge, * wisdom, wit, and sass. We neither advocate, condone nor participate * in any sort of illicit behavior. But we will sit back and watch. * * * Lastly, it bears mentioning that the opinions that may be expressed in * the articles of Phrack Magazine are intellectual property of their * authors. * These opinions do not necessarily represent those of the Phrack Staff. */ |=[ EOF ]=---------------------------------------------------------------=| From isn at c4i.org Tue Jul 13 04:25:10 2004 From: isn at c4i.org (InfoSec News) Date: Tue Jul 13 04:57:53 2004 Subject: [ISN] REVIEW: "Bluetooth Security", Christian Gehrmann/Joakim Persson/Ben Smeets Message-ID: Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" BKBLTSEC.RVW 20040622 "Bluetooth Security", Christian Gehrmann/Joakim Persson/Ben Smeets, 2004, 1-58053-504-6, U$79.00/C$114.95 %A Christian Gehrmann %A Joakim Persson %A Ben Smeets %C 685 Canton St., Norwood, MA 02062 %D 2004 %G 1-58053-504-6 %I Artech House/Horizon %O U$79.00/C$114.95 617-769-9750 artech@artech-house.com %O http://www.amazon.com/exec/obidos/ASIN/1580535046/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1580535046/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1580535046/robsladesin03-20 %P 204 p. %T "Bluetooth Security" Part one presents the basics of Bluetooth security. 
Chapter one is an introduction to the Bluetooth protocol suite (mostly at the packet level), and also mentions a few security concepts (in a somewhat haphazard manner). The overview of Bluetooth security, in chapter two, could be clearer: some minutiae (such as the bit lengths of various components of key generation) obscure the basic concepts, while other specifics (such as the algorithms used) are missing where they could support the text. Pairings and key management rely on a considerable amount of alphabet soup, making frequent references to the list of acronyms a necessity. The detailed descriptions make the explanations difficult, but would make cryptographic analysis possible for the determined reader. The algorithms are laid out in chapter four: although most are based on SAFER+ the greatest emphasis is given to the E(0) stream cipher. Chapter five looks at the encryption used in a broadcast to all members of a piconet. The discussion of security policy and access control, in chapter six, deals mostly with the services required, rather than provided. A lot of time is spent analysing cryptographic strength of the algorithms, in chapter seven, only to come to the conclusion that the greatest problem lies in pairing and tracking. Part two deals with Bluetooth security enhancements, still in development. Chapter eight discusses anonymity, in terms of varying the device address to avoid tracking, and the requirements for such a scenario. Improved key management, using asymmetric encryption or challenge-response type systems, is considered in chapter nine. Chapter ten deliberates on refinement of some standard Bluetooth applications. Bluetooth security is not well known, despite the proliferation of Bluetooth enabled devices. While this book has a number of shortcomings in terms of writing, the material provides an introduction to a number of important considerations. copyright Robert M.
Slade, 2004 BKBLTSEC.RVW 20040622 ====================== (quote inserted randomly by Pegasus Mailer) rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu If you can't say anything good about someone, sit right here by me. - Alice Roosevelt Longworth http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade From isn at c4i.org Tue Jul 13 04:25:33 2004 From: isn at c4i.org (InfoSec News) Date: Tue Jul 13 04:57:54 2004 Subject: [ISN] Linux Security Week - July 12, 2004 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | July 12, 2004 Volume 5, Number 28n | | | | Editorial Team: Dave Wreski dave@linuxsecurity.com | | Benjamin Thomas ben@linuxsecurity.com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "Windows vs. Linux security: No unbiased reports", "Are You Prepared For Disaster? Is Your Data Really Protected?", "Automate backups on Linux" and "Surviving Distributed Denial of Service Attacks" ---- >> Bulletproof Virus Protection << Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04 ---- LINUX ADVISORY WATCH: This week, advisories were released for webmin, pavuk, kernel, mailman, rsync, Esearch, Apache, XFree86, libpng, Shorewall, tripwire and httpd. The distributors include Debian, Fedora, FreeBSD, Gentoo, Mandrake, Red Hat and Suse.
http://linuxsecurity.com/articles/forums_article-9490.html ---- Catching up with Wietse Venema, creator of Postfix and TCP Wrapper Wietse Venema is best known for the software TCP Wrapper, which is still widely used today and is included with almost all unix systems. Wietse is also the author of the Postfix mail system and the co-author of the very cool suite of utilities called The Coroner's Toolkit or "TCT". He is currently working at the Thomas J. Watson Research Center and he has graciously agreed to allow us to catch up with him and see what he's been up to lately. http://www.linuxsecurity.com/feature_stories/feature_story-169.html --------------------------------------------------------------------- Open Source Leaving Microsoft Sitting on the Fence? The open source model, with special regard to Linux, has no doubt become a formidable competitor to the once sole giant of the software industry, Microsoft. It is expected when the market share of an industry leader becomes threatened, retaliation with new product or service offerings and marketing campaigns refuting the claims of the new found competition are inevitable. However, in the case of Microsoft, it seems they have not taken a solid or plausible position on the use of open source applications as an alternative to Windows. http://www.linuxsecurity.com/feature_stories/feature_story-168.html -------------------------------------------------------------------- Interview with Brian Wotring, Lead Developer for the Osiris Project Brian Wotring is currently the lead developer for the Osiris project and president of Host Integrity, Inc. He is also the founder of knowngoods.org, an online database of known good file signatures. Brian is the co-author of Mac OS X Security and a long-standing member of the Shmoo Group, an organization of security and cryptography professionals.
http://www.linuxsecurity.com/feature_stories/feature_story-164.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Windows vs. Linux security: No unbiased reports
July 12th, 2004

Forrester Research published a report last March that came to the unlikely conclusion that Linux is no more secure than Windows. Last month, Danish security firm Secunia compared security across operating systems and concluded that Windows was more secure than many people think. Both studies are easy to counter with a little research and common sense, but that still leaves us without any meaningful third-party operating system security assessment.

http://www.linuxsecurity.com/articles/general_article-9495.html

* Are You Prepared For Disaster? Is Your Data Really Protected?
July 7th, 2004

Whether it be hurricane, flood, fire or simply a member of staff accidentally hitting the delete key, your company's data is constantly at risk from being permanently wiped out. Companies need to ask themselves, `Do we have the strategy in place to cope with a disaster?'

http://www.linuxsecurity.com/articles/network_security_article-9481.html

* HNS Audio Learning Session: SQL Injection Attacks
July 5th, 2004

SQL injection is a technique for exploiting web applications that use client-supplied data in SQL queries without stripping potentially harmful characters first. Despite being remarkably simple to protect against, there is an astonishing number of production systems connected to the Internet that are vulnerable to this type of attack.
http://www.linuxsecurity.com/articles/hackscracks_article-9470.html

+------------------------+
| Network Security News: |
+------------------------+

* Mozilla Patches Security Hole
July 9th, 2004

According to the Mozilla Foundation, the vulnerability was posted on Thursday to Full Disclosure, a public security mailing list. The same day, the foundation's security team confirmed the report and developed a fix.

http://www.linuxsecurity.com/articles/projects_article-9493.html

* HNS Audio Learning Session: Digital Certificates Explained
July 9th, 2004

In this 3:43 minutes long audio learning session, Dr. Phillip Hallam-Baker, Principal Scientist and Web Services Security Architect at Verisign, talks about Public Key Cryptography and introduces the listeners to the importance of digital certificates.

http://www.linuxsecurity.com/articles/cryptography_article-9492.html

* 5 Steps to Setting Up a Wireless Network
July 8th, 2004

Wireless networks are becoming faster, more affordable and easier to adopt than ever. Growing small businesses that have adopted a wireless solution are already reporting immediate paybacks in higher productivity, flexible application mobility and greater worker satisfaction.

http://www.linuxsecurity.com/articles/network_security_article-9484.html

* Securing the Mobile Real-Time Enterprise
July 8th, 2004

Mobile technologies have ushered in sweeping productivity gains at enterprises across the globe. In many cases, they have been central to the creation of the so-called "real-time enterprise." These same technologies, however, have also increased enterprises' exposure to security risks that are frequently underestimated or misunderstood.

http://www.linuxsecurity.com/articles/network_security_article-9486.html

* SSH Users beware: The hazards of X11 forwarding
July 6th, 2004

The last two articles have discussed the security model of X11, the guts behind Linux window managers and all things graphical.
Essentially, if you can contact the X11 server process, you can do anything you want to it, such as sniffing all keystrokes, dumping or manipulating windows, etc.

http://www.linuxsecurity.com/articles/documentation_article-9477.html

+------------------------+
| General Security News: |
+------------------------+

* Automate backups on Linux
July 12th, 2004

The loss of critical data can prove devastating. Still, millions of professionals ignore backing up their data. While individual reasons vary, one of the most common explanations is that performing routine backups can be a real chore. Because machines excel at mundane and repetitive tasks, the key to reducing the inherent drudgery and the natural human tendency for procrastination, is to automate the backup process.

http://www.linuxsecurity.com/articles/host_security_article-9494.html

* The Allure and Curse of Complexity
July 8th, 2004

The Microsoft columnists have it easy. Scott Granneman wrote a great article a few weeks back titled Time to Dump Internet Explorer, which (in case you've been living in a cave for the past few weeks) talks about the recent mass exploitation of some un-patched vulnerabilities in Internet Explorer.

http://www.linuxsecurity.com/articles/host_security_article-9487.html

* INDUCE Act targets P2P application creators
July 7th, 2004

US Senator Orrin Hatch (R-UT), a long-time ally of the RIAA and MPAA, has formally introduced the INDUCE Act to the US Senate Judiciary Committee. Following in the footsteps of the Pirate Act, the INDUCE Act would give the green light for copyright holders to sue the creators of peer-to-peer applications.

http://www.linuxsecurity.com/articles/privacy_article-9482.html

* Hacker college
July 7th, 2004

"It's an amazing thing how insecure the big corporations are," said Echemendia during a break in the weeklong seminar. "It's just amazing how easy it is."
Hackers are believed to cost global businesses billions of dollars every year, and the costs to defend against them are soaring.

http://www.linuxsecurity.com/articles/projects_article-9479.html

* Surviving Distributed Denial of Service Attacks
July 6th, 2004

Distributed denial of service (DDoS) attacks aim to disrupt the service of information systems by overwhelming the processing capacity of systems or by flooding the network bandwidth of the targeted business. Recently, these attacks have been used to deny service to commercial web sites that rely on a constant Internet presence for their business.

http://www.linuxsecurity.com/articles/network_security_article-9476.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Jul 13 04:28:27 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 13 04:57:55 2004
Subject: [ISN] 'Easter egg' cheats cracking casinos?
Message-ID:

http://www.canada.com/national/nationalpost/news/story.html?id=a42827a1-3f66-4512-805e-10b308498393

Tom Blackwell
National Post
July 12, 2004

Canada's gambling industry has never been so large. In a two-part series, Post writer Tom Blackwell examines who's playing at slots, who's winning -- and why. Today, experts reveal how they think some players effortlessly cheat the system.

- - -

As the middle-aged mother from Illinois plunked away at buttons on the electronic poker machine, something unusual happened. The machine, usually so adept at parting gamblers from their money, fell under the spell of the player.

The woman had manipulated the video lottery terminal at an Edmonton casino into letting her win on command, recalls Zues Yaghi, a computer programmer and gaming machine expert who watched the scene.
"She had been doing it for four years and had put her kids through university, was driving a Mercedes 500. She was all decked out," Mr. Yaghi recalled. "She thought she was the queen of the underground.... It's so easy, so easy to run 10 grand from these machines."

Mr. Yaghi says the woman was tapping into what he and some other experts call an "easter egg": a line of digital code allegedly embedded on to the machine's computer chip by rogue programmers, allowing informed players to cheat the games out of their booty.

Mr. Yaghi reported the problem to gaming authorities after discovering it himself. But four years later, rather than being hailed a hero, he is living a legal nightmare over the issue, facing a $10-million libel suit filed by the American maker of the machine on which he first found an easter egg.

Meanwhile, he and other experts allege that some compromised machines are still out there today, raising questions about the fairness of a diversion on which Canadians spend billions of dollars a year.

"It's like the guy in the saloon ... slipping aces out of his sleeve," he says. "You're looking at whole rows, whole sections [of VLTs] and you see how many people are sitting there pumping money into it and you're seeing how many of them are senior citizens, how many are widows and you think 'There is no integrity here. This is a major problem.' "

He alleges that Illinois woman was just one among an entire subculture of gamblers who know about the glitches and use them to illicitly enrich themselves. He said he has witnessed more than 40 people seek out and exploit easter eggs in casinos and believes they frequent gaming venues across North America.

Mr. Yaghi said he has found five separate easter eggs in a selection of gambling machines. Although he discovered them in 2000 and some of the problems have since been addressed by manufacturers and gambling operators, he is convinced some are still ripe for the picking today.
Other experts say they have also found evidence of the phenomenon.

But gambling operators say such glitches, if they exist, are simply programming anomalies, not deliberately planted cheating mechanisms, and far less widespread than Mr. Yaghi and a handful of other experts maintain.

"At the end of the day, it is software put out by human hand," acknowledged Bill Hennessey of Hi-Tech Gaming, Canadian distributor of the most popular line of gaming machines. "But there are tons of checks and balances to ensure it's all random and that you have just as much chance of winning as the person who comes after you ... There isn't much buzz about [easter eggs] in the industry at all."

In Canada's largest gambling jurisdiction, Ontario's regulator and operator of slot machines both said they have found no such anomalies.

Yet when Mr. Yaghi alerted gaming authorities in Alberta about the first easter egg, it touched off a flurry of activity. The province replaced 200 machines of the model affected, at the manufacturer's expense, while authorities in Michigan, Iowa and Illinois took similar action. At a casino in Detroit, a team manipulated a glitch like the one discovered by Mr. Yaghi, making away with a "very large" sum.

"They were loaded for bear," Patrick Leen of the Michigan Gaming Control Board said at the time.

Roger Horbay, a problem gambling and slot machine expert in Ontario, said he has noticed during visits to Ontario casinos the kind of anomaly -- such as buttons lit up on machines when they should not be -- that could indicate games equipped with easter eggs.

Mr. Horbay, the owner of consulting company Game Planit Interactive Inc., has even had discussions with U.S. government officials about the potential security threat posed by the anomalies. A terrorist in the know could conceivably fund operations by cheating slot machines and leave behind no money trail, he said.
Bob Haase, whose former company in London, Ont., produced electronic slot machines in the 1990s, said he has proof easter eggs do exist: He has created them.

Mr. Haase had his own programmers install hidden codes in products he sold to a casino in the Caribbean as a special feature the casino operator could activate for the amusement of valued customers.

"I said [to the casino owner], 'Don't tell anybody the sequence, for goodness sake, it's only for you, it's only for a special occasion. You're not cheating anybody, you're actually giving them four or five hundred bucks to keep playing.' "

Whether slot machines are secretly programmed to cheat or not, the idea of programmers hiding features in software is nothing new. Many non-gambling video games have cheat codes that players trade among themselves or post on Web sites.

Most major computer programs contain hidden bits of usually innocuous software, often touting the programmer's name, says Kevin Harrigan, a computer science professor at the University of Waterloo. There is even a Web site, called www.eeggs.com, that lists easter eggs found in everything from cellphones to electric coffee makers.

"Would someone program them intentionally into a slot machine so, under a sequence of events that only they knew about, they would make money?" Prof. Harrigan asks. "I would say it's fairly reasonable to think that might happen."

Mr. Yaghi said he became intrigued with the issue after an aborted attempt to develop an Internet casino. During testing of his online gambling software, he discovered one of his programmers had inserted an easter egg that would have let someone cheat. He later tried using similar manipulations on slot machines in Alberta and made his surprising discovery.

Mr. Yaghi demonstrated the problem to the Alberta Gaming and Liquor Commission, starting with a machine loaded with 250 tokens.

"It took me a minute and a half to empty it," he recalls.
"So they pick another one and I empty that one in a matter of minutes. It worked out to $600."

He proposed hiring himself out to examine all of the province's machines, and envisaged becoming a consultant to North America's many gambling operators. But he failed to come to terms with Alberta, and posted some angry messages on an Internet chatroom about the manufacturer of one machine he said was infested with an easter egg. The company responded with the lawsuit. He, in turn, has also sued Alberta Gaming and Liquor Commission and countersued the manufacturer.

From isn at c4i.org Tue Jul 13 04:28:49 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 13 04:57:56 2004
Subject: [ISN] From the Strange File: Archive.org Hacking in Civil Lawsuit?
Message-ID:

http://research.yale.edu/lawmeme/modules.php?name=News&file=article&sid=1543

By James Grimmelmann
July 12, 2004

I'm not really sure what to make of this one. BNA mentioned a case named Flynn v. Healthcare Advocates (not publicly online yet, but keep checking here). It's just a garden-variety civil lawsuit around a business venture that never went anywhere. The plaintiff is accusing the defendants of using the negotiations as a ploy to ferret out various trade secrets and other confidential information. Nothing particularly interesting there: just your normal run-of-the-mill "unfair competition, trademark/service mark infringement, violations of the Lanham Act (15 U.S.C. § 1125(a)), breach of contract, unjust enrichment, tortious interference with existing and prospective contractual relations, conspiracy, fraud, misappropriation of trade secrets and copyright infringement" claims.

No, what's strange about this case is that the plaintiff tried to amend its complaint to accuse one of the defendant's lawyers of hacking Archive.org. More details inside . . .

First, the relevant portions of the new complaint (HAS is the plaintiff, and the Law Firm is representing one of the defendants):

49. Between July 8, 2003, and July 15, 2004, the Law Firm "hacked" into [HAS, Inc.'s] archived materials on a website known as www.archive.org. The foregoing website is effectively a library of all web pages and other information which appears on the internet. The website gathers information contained on the internet, which is thereafter archived by the website and can be searched through search engines on the website.

50. Not all of the information contained on www.archive.org is available to the public. Any owner of a website can notify www.archive.org that it does not want its past website material to be made public on www.archive.org and, according to the policies and procedures of the website, as well as the security safeguards implemented by www.archive.org and each website's owner's terms of use, such information is not available to the general public.

51. [HAS, Inc.] notified www.archive.org that it wanted its archival material to remain private and confidential and www.archive.org complied with [HAS, Inc's] request by blocking access to [HAS, Inc.'s] archival information.

52. As a result of the security put into place by www.archive.org, any person attempting to retrieve information regarding [HAS, Inc.] received a message advising the person attempting to obtain the information that the owner of the website had elected to deny access to the site to third parties.

53. The Law Firm attempted to obtain information regarding [HAS, Inc.] through www.archive.org; however, when it attempted to obtain the information it received the notice that the information was not available at the request of the owner.

54. Rather than honor this notice, or the terms of use on [HAS, Inc.'s] website, or www.archive.org's website, the Law Firm devised a methodology to defeat the security system that was put into place by www.archive.org.

55. Computer records demonstrate that between July 8 and July 15, 2003, the Law Firm made approximately 849 attempts to access the information regarding [HAS, Inc.] through www.archive.org. Notwithstanding the fact that the Law Firm knew that security was in place to prevent it from obtaining access to [HAS, Inc.'s] information, and the Law Firm actually received notices from www.archive.org that the information was not available, the Law Firm devised a methodology, using multiple computers at its offices, to defeat the security which was put into place by the website for the benefit of companies like [HAS, Inc.].

56. The Law Firm was successful in breaching the security put into place by www.archive.org on approximately 112 occasions. From a technological standpoint, this meant that the Law Firm was also receiving information directly from [HAS, Inc's] website on each of these occasions, as www.archive.org retrieved or attempted to retrieve information from [HAS, Inc.'s] website each time it was successful in breaching the security. It was a result of this communication between www.archive.org and [HAS, Inc.'s] website that [HAS, Inc.] obtained the web logs memorializing the hacking activity. This conduct constituted unlawful "hacking" activity in violation of both federal and state law, as described more fully below.

57. The Law Firm was successful in executing old HTML pages from the [HAS, Inc.] website without authorization from www.archive.org or [HAS, Inc.], and made copies of the copyrighted materials contained therein.

As hinted in there, HAS is of the opinion that this behavior was illegal in five different ways. The court completely ducked the issue by ruling that even if all of this was true, it wasn't relevant enough to the original lawsuit to justify hauling the lawyers into court, too. (Mmm, FRCP 15). As a pragmatic decision, this strikes me as right, because if your lawyers become your co-defendants, they can't be your lawyers any more.
In general, the American system bends over backwards to let people choose the lawyers they want to represent them, and won't undo that choice without damn good reason.

The issue may not go away, of course. (Despite the above, lawyers can't just get away with anything.) It could show up in disciplinary proceedings against the lawyers, or, more likely, in a motion for sanctions in the case against the defendants for misconduct, and in a motion to exclude anything these Archive.org hits turned up. Which means that the court may well at some point confront the question in my mind as soon as I saw the case, namely, "What the frick?"

I mean, I think I can tell what was going on. HAS wanted to keep information that used to be on its web site out of the case, either because it would hurt HAS's case (by negating the "secret" part of a trade secret claim, for example) or because it had slipped up and put something confidential there that it wanted to retract. Therefore, HAS both changed its site and asked Archive.org to remove them from its index. The other side's lawyers wanted to get at this information, presumably for the same reasons HAS wanted it secret. And then they found some way to "defeat the security" at Archive.org.

By this, I am puzzled. Did they actually hack into Archive.org's servers? The complaint seems to suggest not; rather, it was something involving "multiple computers" that convinced Archive.org to serve up old HAS pages (while at the same time making requests for new ones from the HAS servers) I can't really tell whether this involved exploiting a bug in Archive.org, or whether HAS simply screwed up and didn't fill out its robots.txt properly, or something else entirely.

But I can say this: HAS is raising a striking issue here: third party standing to sue over violation of various computer security statutes. Take for example the DMCA claim. It presumably runs something like this.
Access to our copyrighted works (the web pages) is effectively controlled by the technological measures in place at Archive.org. You circumvented those measures. We were injured as a result (I can see copyright infringement, plus possibly some of the other claims from the underlying lawsuit). Therefore, under sections 1201(a) and 1203(a) of the DMCA, you're liable to us. Ka-pow.

In the normal hacking situation where third parties' information is leaked, two things happen. First, the hackee does what it can to come down on the hacker like a ton of bricks. And second, the third parties do what they can to the hackee, a legal fight that usually turns on terms of service or whatever other legal standard the hackee got the information in the first place. It's not the norm for the hackee to be blase in a situation where the third party can find the hacker and haul him or her into court.

One for the radar screens . . .

From isn at c4i.org Tue Jul 13 04:29:04 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 13 04:57:57 2004
Subject: [ISN] Microsoft products also vulnerable to Mozilla flaw
Message-ID:

http://www.nwfusion.com/news/2004/0712microprodu.html

By Paul Roberts
IDG News Service
07/12/04

Popular Microsoft products may be vulnerable to a security vulnerability that is similar to one patched for the Mozilla Web browsers last week.

Microsoft's MSN Messenger and Word word processing application both support a feature that could give remote users access to functions that could be used to launch applications on Windows computers, according to an alert from Secunia, which tracks software vulnerabilities.

A Microsoft spokeswoman said the company is investigating the reports, but is not aware of any attacks using the vulnerabilities.
The applications both fail to restrict access to the "shell:" Universal Resource Identifier, a feature that allows Windows users or software applications to launch programs associated with specific file extensions such as DOC (associated with Word) or TXT (associated with Notepad, the Windows text editing program), said Secunia, of Copenhagen.

Malicious hackers could launch programs associated with specific extensions using links embedded in Word documents or instant messages sent using MSN. However, the vulnerability does not allow attackers to pass instructions to the programs, which would allow more sophisticated attacks, Secunia said.

On Thursday, the Mozilla Foundation issued patches for a similar flaw in Windows versions of its Web browsers, Firefox and Thunderbird, and the Mozilla Application Suite.

News of the Mozilla flaws came amid increasing interest in alternative Web browsers after news broke about a number of serious security vulnerabilities in Microsoft's Internet Explorer Web browser that were being used in stealthy Web-based attacks.

According to data compiled by WebSideStory, a San Diego Web measurement company, Internet Explorer's share of the browser market dropped by 1% in the last month, the first noticeable decline since the company began tracking the browser market in late 1999.

On July 2, Microsoft released a software update that disables a Windows component called ADODB.Stream, which was used in the Web attacks, and promised more updates for Windows and Internet Explorer to address the security issues.

If necessary, Microsoft could issue a fix for the MSN Messenger and Word flaws through its monthly software update process or an emergency patch, the company spokeswoman said.

The Redmond, Wash., software company expressed displeasure at the release of information on the product vulnerabilities, which were first publicized in the Full-Disclosure discussion list, a public online forum for those interested in computer software vulnerabilities.
"We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the update is being developed," the company said in an e-mail statement.

From isn at c4i.org Tue Jul 13 04:55:56 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 13 04:57:59 2004
Subject: [ISN] More classified devices go missing at Los Alamos
Message-ID:

http://www.abqtrib.com/archives/news04/071004_news_lanl.shtml

By Sue Vorenberg
Tribune Reporter
July 10, 2004

Los Alamos National Laboratory continues to be plagued with missing computer devices.

On Wednesday, the lab discovered two missing devices - called CREMs - from its Weapons Physics Directorate. This on the heels of a May announcement that another device was missing and several announcements in 2003 that a total of 10 devices had vanished.

"Security is of the utmost importance at the laboratory," said Lab Director Pete Nanos. "In order to operate effectively, this apparent lack of attention to CREM issues must be dealt with swiftly and decisively. At my direction there will be a full inquiry into how and why this has occurred."

That might include the firing of those found accountable during the investigation, he said.

CREM is an acronym for Classified Removable Electronic Media, which is used to transfer data on computer systems. They can be a variety of things including CDs, floppy disks and flash memory cards. For security reasons, Los Alamos could not release what type of media they were, or what was on them, spokesman Kevin Roarke said.

"It's a very serious issue," Roarke said. "The past two CREM incidents before this in the last eight months or so were part of larger groups of items slated for destruction. This is different.
These items were in use at the lab and not slated for destruction."

Roarke said it is too soon to tell whether the devices were stolen. Why they were taken, or what happened to them, will come out in the investigation, Roarke added.

Pete Stockton, a senior investigator at the Project on Government Oversight, says his group recommended the Department of Energy stop using the devices in 2001, because of the potential for data theft.

"We recommended that to the National Nuclear Security Administration and they squashed the idea," Stockton said. "Now it's coming up again - only several years behind, but what the hell."

The University of California, which operates the lab, and Nanos are working toward eliminating the use of the devices.

"We're estimating it will cost somewhere between $26 million and $30 million over a three- to four-year time period," Roarke said. "But Director Nanos has said he wants to be very aggressive about this."

The ongoing problems could be problematic for the University of California, which is competing for the contract to operate Los Alamos. The contract goes up for bid in late 2005.

The Department of Energy decided to open that contract for bid - even though the university has operated Los Alamos for 60 years - in the wake of a series of security scandals dating back to 1999.

"When folks look at the competition the emphasis will be on the science and technology at the lab, which we're proud of, and not just security," said Chris Harrington, a university spokesman. "But security is important, and that's why we're trying to implement several new policies and procedures to fix these problems."

Eliminating the devices is part of the policy changes, as is adding more training classes for employees on the proper use of computer media, Harrington added.

The National Nuclear Security Agency has sent a team to Los Alamos to investigate the incident.
About 20 people had access to the device, but that doesn't mean all or even most of them are guilty, Roarke said.

"Everybody deserves a chance at due process," he said.

Those that are responsible can expect harsh consequences, Nanos said.

"Our ability to safeguard classified materials rests first and foremost with the individual staff members who handle, maintain and use these items," Nanos said. "In all cases, they have been given a special confidence and trust that requires meticulous attention to detail, strict adherence to all relevant standards and procedures and, most importantly, an attitude of zero tolerance."

From isn at c4i.org Wed Jul 14 01:48:56 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 14 02:00:08 2004
Subject: [ISN] Group Offers to Sell Supposed Dragon IDS Code
Message-ID:

http://www.eweek.com/article2/0,1759,1623245,00.asp

By Dennis Fisher
July 13, 2004

A group calling itself the Source Code Club is offering to sell files that it claims contain the source code for Enterasys Networks Inc.'s Dragon IDS (intrusion detection system) software. The asking price: $16,000.

The group's rudimentary Web site, which is registered under a Ukrainian domain name, lists hundreds of files that appear as though they could indeed be source-code files. There is no way to tell whether the group actually has the code, although it claims to have obtained it by breaking into the Enterasys network.

Officials at Enterasys, based in Andover, Mass., were unaware of the group's site when asked to comment and said they would review the site.

The group also claims to have the source code for the Napster client and server software, which it is offering for sale at $10,000.

Someone using the name Larry Hobbles posted a message to the Full Disclosure security mailing list Monday night saying that both the Dragon and Napster code were available for sale.

"The Source Code Club is now open for business.
SCC is a business focused on delivering corporate intel to our customers. Our main focus is selling source code and design documents, but there are many other facets to our business," the message reads. "To get the ball rolling, we are now offering the souce [sic] code/design docs for both Enterasys Intrusion Detection System (NIDS/HIDS) and Napster server and clients."

The files listed on SCC's site appear to be from version 6.1 of Dragon; the current release is 6.3.

In an e-mail interview, the SCC member who posted the message to Full Disclosure said the group is made up of professional hackers who are simply in it for the money.

"The Enterasys and Napster code were both acquired via a remote penetration of said corporate networks. SCC is not worried about the legal consequences of such actions for a number of reasons: 1) The countries where we originate from do not have hacking laws. 2) Our team has over 10 years in the information security industry. We know what we are doing," he said. "Our motivation for selling the property is money and to put our skills to use. We do not only offer source code; there are many hacking services that we provide. We do not wish to continue offering source code publicly, but it is something that must be done initially to ensure the public that we are real."

Both the message and the group's Web site provide an e-mail address registered to a South African domain.

The group's site says customers have the option of buying the code all at once or in smaller chunks, which supposedly allows the buyer to verify the authenticity of the code before committing to buying the entire archive.

Dragon is Enterasys' flagship security product and is one of the more popular and well-regarded IDS systems on the market. It is both a network and host IDS.
From isn at c4i.org Wed Jul 14 01:49:09 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jul 14 02:00:10 2004 Subject: [ISN] New York man indicted for hacking into Verizon computers Message-ID: http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,94512,00.html By Linda Rosencrance JULY 13, 2004 COMPUTERWORLD An East Chester, N.Y., man has been indicted on charges that he hacked into computers owned by Verizon Communications Inc. Federal law enforcement officials filed the complaint yesterday in the U.S. District Court for the Southern District of New York in Manhattan against William Quinn. The indictment alleges that from January through April of this year, Quinn, who used the name "decoder," obtained passwords to Verizon's Direct Access Testing Units (DATU) -- computers that technicians use to disable Verizon telephone numbers while performing tests on a telephone line. Prosecutors allege that Quinn used the passwords to break into Verizon's system at least 100 times, allowing him to test and disable telephone numbers within various area codes across the country. Prosecutors also claim that Quinn posted the passwords for various Verizon DATUs, along with instructions on how to use them to break into Verizon's computers, on Web sites devoted to "phreaking," which is the practice of hacking into telephone company systems. The indictment further alleges that Verizon was forced to spend $120,000 to restore the security of its DATU systems, which included changing the telephone numbers for each of its DATUs nationwide and paying employees overtime to reprogram the multidigit passwords for each of those DATUs. Quinn is scheduled to be arraigned Thursday. If convicted, he faces up to five years in prison and a maximum fine of $250,000. Quinn's attorney, Roland Thau, couldn't be reached for comment today. 
From isn at c4i.org Wed Jul 14 01:49:22 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jul 14 02:00:11 2004 Subject: [ISN] Hackers breached Defence Department computers: report on security lapses Message-ID: http://www.mytelus.com/news/article.do?pageID=cp_tech_home&articleID=1662066 July 13, 2004 OTTAWA (CP) - Determined computer hackers broke through federal firewalls several times last year, gaining access to Defence Department networks. A newly obtained report on security breaches at the department in 2003 also reveals dozens of internal lapses. Computer security has become a high-profile concern in federal circles in light of cyber-terrorism, operations mounted by foreign intelligence services and, more often, the sloppy practices of employees. The Defence Department's Computer Incident Response Team tracked a total of 160 events - from digital break-ins to dodgy e-mail procedures - last year. Located in Ottawa at the Canadian Forces network operations centre, the team defends department computers by monitoring intrusion detection systems, zeroing in on threats and issuing alerts. A declassified version of the team's report was released to The Canadian Press under the Access to Information Act. It provides an indication of the difficulties faced by federal agencies such as the Defence Department in keeping their sprawling information holdings secure from interlopers. The Canadian Security Intelligence Service has warned that it is almost impossible to eliminate network vulnerabilities entirely because computer systems and attack tools are in a constant state of evolution. Other documents released by Defence underscore the high degree of confidentiality attached to such issues. Many of the records are classified top secret, with much of the information withheld from release due to its perceived sensitivity. 
The response team's report notes five instances of "unauthorized privileged access" to Defence networks, considered the most serious of seven categories of breaches. They also logged five cases of "unauthorized limited access" and 35 instances of "malicious logic" - the attempted introduction of viruses, worms or other unwanted programs into a computer system. There were 110 cases of "poor security practice" on the part of employees, by far the most common problem last year. Of these, the majority involved concerns about the security of e-mail transmissions. Others stemmed from use of Internet Relay Chat messaging and the popular KaZaa file-sharing service, inappropriate storage of materials, and unauthorized Web postings. Another case involved improper access to a network. No one from the Defence Department was available Tuesday to discuss the security cases. Several of the documents released by Defence were prepared by the Communications Security Establishment, the highly secretive federal agency with the dual role of electronic spy service and protector of federal computer systems. The records indicate CSE focused on issues including the potential exploitation of wireless communication networks, suspicious probes of systems and the general methods employed by hackers. It appears CSE also undertook an analysis of the so-called Blaster worm that infected computers last August. From isn at c4i.org Wed Jul 14 01:49:36 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jul 14 02:00:12 2004 Subject: [ISN] UK military denies ban on iPods Message-ID: http://news.bbc.co.uk/2/hi/technology/3891421.stm By Alfred Hermida BBC News Online technology editor 13 July, 2004 The Ministry of Defence has denied reports that it has banned Apple's iPod due to fears it could be used to steal sensitive files. News reports said the music player and other portable storage devices had been banned from most sections of its headquarters in the UK and abroad. 
But a MOD spokesman told BBC News Online that there was no outright ban on the iPod. "Certainly it is not the case that the MOD has banned these," he said.

Security fears

The potential security risks posed by portable storage devices that plug into a PC's USB or FireWire ports have been highlighted recently in a couple of reports. Last week, analysts Gartner said businesses were increasingly putting themselves at risk by allowing the unauthorised and uncontrolled use of these gadgets. And on Tuesday, a survey by a British security firm showed that many companies saw removable media devices like the iPod as a security threat. "The research has revealed some worrying attitudes towards corporate security," said Andy Campbell, managing director of Reflex Magnetics. "Whilst businesses recognise a problem exists, they are taking few practical measures to protect themselves from the risks associated with removable media devices."

Data to go

As well as holding thousands of songs, an iPod can also act as an external hard drive. And small USB memory sticks are becoming increasingly popular with staff, due to the ease with which they can be used to move files between the home and office. Press reports suggested that this had led the British military to stop the use of iPods and similar gadgets. "With USB devices, if you plug it straight into the computer you can bypass passwords and get right on the system," RAF Wing Commander Peter D'Ardenne told Reuters. "That's why we had to plug that gap." But the MOD has insisted that iPods are welcomed. "We have a flexible management approach in regards to iPods and similar devices that can move data from official systems," said a MOD spokesman. "In each area, the risks are assessed and, when appropriate, measures are taken to mitigate that risk." "There is not a case that there is an outright ban on these," he said, although he added that there were some areas where portable storage devices would not be allowed.
From isn at c4i.org Wed Jul 14 01:49:50 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 14 02:00:13 2004
Subject: [ISN] GCHQ code challenge cracked by internet chatterers
Message-ID:

http://portal.telegraph.co.uk/news/main.jhtml?xml=/news/2004/07/13/ngchq13.xml

By Chris Boffey
Filed: 13/07/2004

The Government's intelligence communications headquarters, GCHQ, is being foiled by a silent enemy in its attempt to attract potential recruits. GCHQ, which employs more than 4,000 of Britain's brightest minds, set a fiendishly difficult cryptic challenge on its recruitment website, testing mathematical prowess and intelligence. However, the spooks have been beaten by the power of the internet. Anyone logging on to chat rooms specialising in code-breaking can find many of the answers, courtesy of millions who revel in crosswords and mind teasers. Despite the challenge being posted on the home page of GCHQ less than three weeks ago, the agency has received hundreds of answers. The experts who developed the cryptography were so confident that it would be difficult they announced that a help page would be posted on Aug 2. Yesterday, GCHQ was trying to put on a brave face, saying: "We have had an excellent response." However, the experts who monitor internet chatter for the Government could not resist a giggle at their colleagues.

Contestants are presented with a series of codes that represent extracts from written works. The challenge is to decipher the codes, identify the work, and find a six-letter word hidden in the answers. Some of the written works include a book from the Bible, a passage from a spy thriller that was turned into a film, and an extract from a Sherlock Holmes story. Current GCHQ vacancies are for linguists fluent in Albanian, Arabic, Chinese, Korean, Macedonian, Nepalese, Persian, Russian, Turkish, Urdu and Punjabi.
The organisation is recruiting information technology specialists for the twin roles of gathering signals intelligence and protecting government communication and information systems from hackers and maintaining the safety of power and water supplies and communications links. GCHQ reports to the Foreign Secretary and works closely with MI5 and MI6 but it also serves a wide range of other government departments. The role of the Cheltenham-based headquarters is endorsed by Tony Blair on its website. He says: "Secret intelligence gives the Government a vital edge in tackling some of the most difficult problems we face . . . intelligence forewarns us of threats to our national security; helps the Government promote international stability, provides support and protection to our forces; contributes to our economic health and strengthens our efforts against terrorism and serious crime."

GCHQ was spawned from the code-breaking establishment at Bletchley Park, Buckinghamshire, that cracked the German "Enigma" code in the Second World War. It was decided that Bletchley was unsuitable as a permanent venue in peacetime and in 1947 it moved to the Benhall buildings in Cheltenham, which were offices for the Ministry of Pensions. Now GCHQ is moving to new offices to the west of Cheltenham. The building is costing £330 million, and is locally known as the "doughnut" because of its shape. The move is particularly difficult given that moving such complex systems has never been undertaken in this country. Outsiders would find it difficult to imagine the sheer power of the super computers at GCHQ, which are amongst the most secure in the world.

From isn at c4i.org Wed Jul 14 01:50:07 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 14 02:00:14 2004
Subject: [ISN] Microsoft Releases New Batch of Patches
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A47383-2004Jul13.html

By Brian Krebs
washingtonpost.com Staff Writer
July 13, 2004

Microsoft Corp.
today issued two "critical" software updates for its Windows operating system, bringing to 12 the total number of critical software fixes the company has released so far in 2004 and putting the focus once again on the security of Microsoft's widely used Internet Explorer Web browser. The two patches deal with security holes in the Windows 2000 and Windows XP operating systems. The first involves a flaw in "task scheduler," a program that allows Windows users to run applications at scheduled intervals. The other resides in Microsoft's built-in "HTML Help" function, which offers tips on using Windows programs. Stephen Toulouse, Microsoft's security program manager, said both vulnerabilities could be exploited via Internet Explorer if hackers can trick computer users into visiting a Web site designed to target the security holes. If left unpatched, Microsoft said computers running the vulnerable Windows versions could be remotely controlled by hackers. Microsoft rates security flaws as "critical" if they can be easily exploited, such as by an Internet worm that can infect a computer without a user having to click on an infected e-mail attachment or download a file from the Internet. Microsoft also released five other patches today, including a fix for the software it makes to power Web sites. Rated by the company as "important," the patch fixes a flaw that could allow hackers to seize control over Web sites powered by Microsoft's Internet Information Services (IIS) Web server version 4. Last month, at least two separate attacks targeted hundreds of Web sites powered by the IIS software. Those attacks leveraged a combination of Internet Explorer and IIS flaws to surreptitiously plant spyware on PCs. The spyware program was designed to steal personal information like passwords and account numbers when an infected computer was used to access one of several online banking sites. 
In a departure from its regular schedule of monthly patch releases, Microsoft issued a fix to remedy that problem on July 2. But security experts later demonstrated that the vulnerability could still be targeted using a slightly different method; one of the patches released today seeks to fix the original patch. Experts say attacks that rely on tricking Internet Explorer users into visiting certain Web sites are particularly dangerous because many security systems protecting corporate Web sites are configured to permit Web browsers to access files and upload information. "When an attack is coming through the Web browser, at that point it's pretty much already gotten past whatever security or firewalls you have in place," said Marc Maiffret, a security expert at eEye Digital Security in Aliso Viejo, Calif. Vincent Weafer, senior director of Symantec Security Response, said Web browser exploits are fast becoming a preferred attack method for hackers because they're stealthy and can be targeted to an individual user. Weafer said browser-based attacks are particularly appealing for those interested in conducting Internet fraud scams or planting spyware on PCs. "Without a doubt, these are the types of attacks that we're going to be seeing a lot more of for some time," Weafer said. A total of seven patches were released by Microsoft today, along with an automated tool that scans PCs for signs of infections from last month's browser attack. The various patches are for Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0, Windows ME and Windows 98. All the patches can be accessed through www.microsoft.com/security. Microsoft also encourages Windows users to visit its Windows Update site (windowsupdate.microsoft.com) and allow it to scan their computers for needed software updates. 
From isn at c4i.org Wed Jul 14 01:57:46 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 14 02:00:16 2004
Subject: [ISN] Gov't, Private Sectors Exposed to Chinese Hacker Attacks
Message-ID:

http://english.chosun.com/w21data/html/news/200407/200407130036.html

July 13, 2004

The National Intelligence Service (NIS) confirmed Tuesday that major government organizations and private sectors have been exposed to hacker attacks that came from China and declared the attack a "threat to national security." As a result, the NIS warned the public to protect their computers from hacking. The NIS also said that, based on its judgment, the attack was not carried out by individuals but involved an organization of some size, and that it will collaborate with other government agencies such as the Foreign Ministry, Information and Communications Ministry, Defense Security Command, and National Police Agency to actively cope with it.

Through official press releases, the NIS said that the two hacking programs, Peep Trojan and its variation Bacdoor Revacc, have broken into 211 computers in 10 government agencies. Among those computers attacked are 77 computers in the National Maritime Police Agency, 69 at the National Assembly, 50 in the Korea Atomic Energy Research Institute, nine in the Korea Institute for Defense Analysis, one each in the Agency for Defense Development, Air Force Academy, and the Maritime Ministry, the Small and Medium Business Administration, the Unification Education Center, and the Korea Astronomy Observatory. In the National Assembly, information on 122 people, including former and incumbent lawmakers and parliamentary workers, was stolen due to negligent management. Sixty-seven computers at private companies, universities, and media firms have also been infiltrated and information of some reporters has been stolen, causing serious damage.
The NIS said that so far a total of 278 computers have been affected by the hacker attack, which was confirmed to have been launched from China. Since the NIS announced on June 19 that a hacker attacked 116 computers, including 64 computers in the public sector and 52 computers in the private sector, an additional 162 computers have been attacked in some 20 days. The government assesses that since more and more organizations -- not only security-related institutes and major companies but also universities and media firms -- have been affected, there is a high possibility that a lot of important government information may have been drained out. It has been learned, however, that the NIS has had difficulty in assessing the amount of information stolen due to the lack of cooperation of related government agencies and technological limitations. The NIS said, "We think that the hacker attack would have a serious effect on national security. Thus, the entire public should be on alert and strengthen their own computer security to prevent important national data and secret industrial data from being stolen." In particular, because it was confirmed that the attack was launched from China, the NIS has asked China to cooperate with investigations through the Foreign Ministry while the Police Agency is trying to carry out joint investigations with Interpol and Chinese police to crack down on hacker groups.

From wk at c4i.org Thu Jul 15 04:09:54 2004
From: wk at c4i.org (William Knowles)
Date: Thu Jul 15 04:45:25 2004
Subject: [ISN] Al Qaeda Messages Posted on U.S. Server
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A47681-2004Jul13.html

By David McGuire
washingtonpost.com Staff Writer
July 13, 2004

An Internet computer server operated by an Arkansas government agency was transformed last weekend into the online home of dozens of videos featuring Osama bin Laden, Islamic jihadist anthems and terrorist speeches.
State government officials removed the files from a computer operated by the Arkansas Highway and Transportation Department shortly after they were discovered, a government spokesman said. The case highlights an increasing trend of hackers hijacking vulnerable Web servers for the purpose of advocating radical political and terrorist ideologies. Links to the files were posted to a message board of a group called al Ansar. The Web site features photos of bin Laden, leader of the al Qaeda terrorist network, and the Sept. 11, 2001, hijackers, as well as basic facts about the tenets of Islam and links to chatrooms and other Islamic Web sites. The person who posted the links identified himself as "Irhabi 007"-- or "Terrorist 007" -- said Laura Mansfield, who tracks pro-al Qaeda Web sites for Northeast Intelligence Network, an Erie, Pa.-based private group of analysts that monitors the Internet for terrorist activity. Arkansas Transportation Department spokesman Randy Ort confirmed that approximately 70 unauthorized files were posted on Sunday to a "File Transfer Protocol" (FTP) site that the agency operates for contractors. FTP sites are widely used throughout the Internet as a way to transfer large files quickly. Ort would not describe the files, except to say that they were labeled "in a foreign language." He said the department shut the site down on Monday morning after a CNN reporter called to ask what the materials were doing there. Ort said that the FBI has confiscated the server where the files were located. FBI spokesman Joe Parris confirmed that the agency took the computers, but would not say whether it was investigating the incident. Mansfield said hijacking unsecured FTP sites is standard procedure for al Qaeda sympathizers, but it was unusual for them to take over a government site. "Basically, what they do is they go out, they find a Web site, and they borrow the bandwidth until they get caught and somebody kicks them off," Mansfield said. 
"Companies and organizations would do well to shut down their anonymous FTP servers nowadays, because they are being misused."

According to a 23-year CIA veteran who has anonymously criticized U.S. counterterrorism policy in a recently published book, "Al Qaeda's most important growth since the 11 September attacks has not been physical but has been, rather, its expansion into the Internet." In his book, "Imperial Hubris: Why the West is Losing the War on Terror," [1] the author says the United States and its allies have staged "information warfare attacks" on some Internet sites, "thereby forcing them off-line and making their producers hunt for new host servers." However, it was not clear whether the person who hijacked the Arkansas server was an actual al Qaeda terrorist or someone with other motivations. Ken Dunham, malicious code manager for iDefense Inc., an Internet security firm based in Reston, said a growing number of computer crimes are being committed in the name of political causes, with some hackers seeking to identify themselves with terrorism in a bid to boost their importance in the hacker subculture.

Mansfield, who said she speaks fluent Arabic and has tracked Terrorist 007's activities since February, said the poster admitted online that he does not speak Arabic. His postings in Arabic bear signs of being run through an electronic translator, she said. She said the person has posted at least 900 items on the al Ansar Web site. In a statement posted on the Northeast Intelligence Network's Web site yesterday, Mansfield described the poster as "a self-proclaimed U.S.-based terrorist." In addition to the links to the Arkansas computer server, the al Ansar site featured downloadable copies of video depicting the beheading of American businessman Nicholas Berg, an al Qaeda-produced video called "Wills of Martyrs" and video of a deadly car bomb attack on a housing complex in Riyadh, the Saudi Arabian capital, Mansfield said.
The al Ansar site is a popular destination for al Qaeda sympathizers and is often one of the first places where videos of terrorist attacks and ultimatums are posted, Mansfield said. James Lewis, a senior fellow at the Center for Strategic and International Studies, said that sites run by al Qaeda and its sympathizers change addresses often and rely on word of mouth for publicity. He added that the practice of taking advantage of unsecured computer space to host information is a common tactic of al Qaeda backers. Terrorist 007 apparently moved the same material to other locations on the Internet, Mansfield said. Earlier this year, a person identifying himself as Terrorist 007 posted similar material to an FTP server run by The George Washington University in Washington, D.C., Mansfield said. University spokesman Matt Nehmer said security officials at the university had no knowledge of any such intrusion, and had not been contacted by law enforcement officials. [1] http://www.amazon.com/exec/obidos/ASIN/1574888498/c4iorg *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ---------------------------------------------------------------- C4I.org - Computer Security, & Intelligence - http://www.c4i.org ================================================================ Help C4I.org with a donation: http://www.c4i.org/donation.html *==============================================================* From isn at c4i.org Thu Jul 15 04:39:48 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jul 15 04:45:27 2004 Subject: [ISN] U.S. Command Denies Hacker Attacks on Its Computer Systems Message-ID: http://www.yonhapnews.co.kr/Engnews/20040715/300700000020040715142714E6.html 2004/07/15 SEOUL, July 15 (Yonhap) -- The U.S. military command in South Korea Thursday denied press reports that its Web site was attacked by Chinese hackers. 
"While USFK networks have hundreds of scans or probes from the Internet daily, our networks are heavily defended. There is no evidence of USFK networks hacked by either Korean or Chinese sources at any time," the U.S. command said in a news release. USFK stands for U.S. Forces in Korea.

From isn at c4i.org Thu Jul 15 04:40:10 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 15 04:45:28 2004
Subject: [ISN] Group Offers to Sell Supposed Dragon IDS Code
Message-ID:

http://server.splitto.com.ua/scc/index.html

[Interesting first attempt at selling corporate secrets, you would have expected a group like this to have researched other delivery methods, like Blacknet: http://www.c4i.org/erehwon/blacknet.html - WK]

To whomever it may concern:

Thank you for your interest in SCC. We regret to inform that SCC has temporarily suspended operations. Our business model is currently being re-designed to alleviate some of the initial fears our customers faced. Selling corporate secrets is very tricky, and we believe it is an area that we can conquer. Look for us in the near future as we re-emerge to bring you all kinds of secrets.

Sincerely,
SCC Team

> http://www.eweek.com/article2/0,1759,1623245,00.asp
>
> By Dennis Fisher
> July 13, 2004
>
> A group calling itself the Source Code Club is offering to sell
> files that it claims contain the source code for Enterasys Networks
> Inc.'s Dragon IDS (intrusion detection system) software. The asking
> price: $16,000.
>
> The group's rudimentary Web site, which is registered under a
> Ukrainian domain name, lists hundreds of files that appear as though
> they could indeed be source-code files. There is no way to tell
> whether the group actually has the code, although it claims to have
> obtained it by breaking into the Enterasys network.

[...]

> Someone using the name Larry Hobbles posted a message to the Full
> Disclosure security mailing list Monday night saying that both the
> Dragon and Napster code were available for sale.
> > "The Source Code Club is now open for business. SCC is a business > focused on delivering corporate intel to our customers. Our main > focus is selling source code and design documents, but there are > many other facets to our business," the message reads. "To get the > ball rolling, we are now offering the souce [sic] code/design docs > for both Enterasys Intrusion Detection System (NIDS/HIDS) and > Napster server and clients." > > The files listed on SCC's site appear to be from version 6.1 of > Dragon; the current release is 6.3. [...] From isn at c4i.org Thu Jul 15 04:40:23 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jul 15 04:45:29 2004 Subject: [ISN] Executives Still Open File Attachments Message-ID: http://www.techweb.com/wire/story/TWB20040714S0006 July 14, 2004 TechWeb News Maybe they should add another course to MBA programs: E-mail Security 101. While more than three out of four senior corporate executives said that security is their top priority, they don't practice good security themselves, according to a survey released Wednesday by a division of the British magazine The Economist. The survey of 254 executives from around the world revealed that 78 percent worry most about network security. But that same percentage also admitted that they've opened file attachments received from people they don't know. E-mail file attachments are the No. 1 way attackers use to drop malicious payloads onto users' computers, but obviously the drumbeat of 'don't open' hasn't reached upper management. Other results of the survey done for AT&T include a slow-but-steady climb in security expenditures, the belief that most attacks originate within the company, and a fear of wireless. On average, the firms polled devoted 9 percent of their IT budgets to security in 2002, and 11 percent in 2003. This year, they anticipate putting about 13 percent of the total IT budget into security. 
The executives surveyed said they thought 83 percent of the attacks their organizations had suffered stemmed from insiders, including sabotage, espionage, and the catch-all "human error" category. And these people are spooked by wireless. More than 80 percent believe that their goals of giving remote workers access to networks and the data stored on them leave their firms vulnerable or extremely vulnerable to security breaches.

From isn at c4i.org Thu Jul 15 04:40:37 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 15 04:45:30 2004
Subject: [ISN] MS hatches July patch batch
Message-ID:

http://www.theregister.co.uk/2004/07/14/ms_july_patches/

By John Leyden
14th July 2004

Microsoft released seven new patches yesterday. There's some help for IE users worried about last month's Download.Ject security scare, but you are going to have to wait for a comprehensive fix. Two of the fixes - involving flaws with Windows Task Manager (MS04-022 (http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx)) and the HTML help function used by Internet Explorer (MS04-023 (http://www.microsoft.com/technet/security/bulletin/MS04-023.mspx)) - are deemed to be critical. Either of these flaws could be used to take control of vulnerable systems, Microsoft warns.

Redmond also released a patch MS04-021 (http://www.microsoft.com/technet/security/bulletin/MS04-021.mspx) for a less serious flaw involving older versions of its Internet Information Services Web server software (IIS 4.0). This, along with fixes for flaws involving the user interface, or shell, of Microsoft Windows (MS04-024 (http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx)); Microsoft Windows Utility Manager (MS04-019 (http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx)) and the POSIX Subsystem of Microsoft Windows (MS04-020 (http://www.microsoft.com/technet/security/bulletin/MS04-020.mspx)), is described by Microsoft as important.
Finally there's an update designed to fix a moderate vulnerability with Outlook Express (MS04-018 (http://www.microsoft.com/technet/security/bulletin/MS04-018.mspx)).

Separately Microsoft released a tool (http://www.microsoft.com/security/incident/download_ject.mspx) to clean up machines infected during last month's Download.Ject security flap. Users visiting a website contaminated with Download.Ject activated a script that downloaded a Trojan horse (called Berbew) from a website in Russia. This website was rapidly taken down, but the underlying vulnerability in Internet Explorer used in the Download.Ject attack remains unpatched, despite a workaround from Microsoft designed to limit the scope for mischief. Redmond released these configuration changes earlier this month and yesterday followed up with a tool to remove variants of the Berbew Trojan from infected systems. Berbew (http://www.lurhq.com/berbew.html) (AKA Webber or Padodor) is capable of extracting passwords and login details from victims and forwarding this confidential data to crackers.

The risk posed by future Download.Ject-style attacks prompted security clearing house US-CERT to advise users to ditch IE, a call repeated by security experts today. Thomas Kristensen, CTO at security firm Secunia, told El Reg: "There are a variety of vulnerabilities with Internet Explorer that have been around for a while and are being actively exploited. Several are unpatched. We recommend our customers to use another browser for general web surfing and to limit their use of IE to trusted websites where its functionality is required, such as banking websites."
From isn at c4i.org Thu Jul 15 04:40:57 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 15 04:45:31 2004
Subject: [ISN] Hacktivism and How It Got Here
Message-ID:

http://www.wired.com/news/infostructure/0,1377,64193,00.html

By Michelle Delio
July 14, 2004

NEW YORK -- Hacktivism isn't found in the graffiti on defaced Web pages, in e-mail viruses bearing political screeds or in smug take-downs of government or organizational networks. These sorts of activities are nothing more than reverse censorship and "the same old cheap hacks elevated to political protest," according to Cult of the Dead Cow member Oxblood Ruffin.

Hacktivism, as defined by the Cult of the Dead Cow, the group of hackers and artists who coined the phrase, was intended to refer to the development and use of technology to foster human rights and the open exchange of information.

Speaking this past weekend at the Hackers on Planet Earth gathering, Ruffin pointed to the growing partnership against censorship between hackers, human rights activists and the academic community as proof that real hacktivism -- grass-roots resistance enabled by technology -- is a viable way to battle repression.

The general idea of hacktivism was first articulated by John Perry Barlow, co-founder of the Electronic Frontier Foundation, in his 1996 "Declaration of Independence in Cyberspace." But no one called technology-enabled political activism "hacktivism" until 1998, when cDc members Omega, Reid Fleming and Ruffin were chatting online and were, Ruffin said, "bouncing some wacky ideas around about hacking and political liberation, mostly in the context of working with Chinese hackers post-Tiananmen Square."

"The next morning Omega sent an e-mail to the cDc listserv and included for the first time the word hacktivism in the post," Ruffin said. "Like most cDc inventions, it was used seriously and ironically at the same time -- and when I saw it my head almost exploded."
Professor Ronald Deibert from the University of Toronto's Citizen Lab, which sponsors and develops technology used by activists, said he can't recall when he first heard the term hacktivism, but said he immediately began using it to describe his work at the Citizen Lab, which he describes as a "hacker grow-op."

"The combination of hacking in the traditional sense of the term -- not accepting technologies at face value, opening them up, understanding how they work beneath the surface, and exploring the limits and constraints they impose on human communications -- and social and political activism is a potent combination and precisely the recipe I advocate to students and use to guide my own research activities," said Deibert.

Deibert said real hacktivism is fast becoming understood and accepted by more mainstream human rights activists and is now being supported by large foundations like the Soros Foundation, Markle Foundation and Ford Foundation, which fund groups such as Privaterra, eRiders and Indymedia, which use technology to defend civil rights.

But that's not to say that hacktivism has to be somber, serious and all grown-up to be effective.

"The cDc has developed a reputation for its unique combination of irreverence, ingenuity and ethics," Deibert said. "Sure, there are many hackers out there who have stuck it to the authorities with their killer toolz, but cDc does so while armed with Article 19 of the U.N. Declaration of Human Rights. That's unique."

Article 19 of the U.N. Universal Declaration of Human Rights states: "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers."

Hacktivismo, an autonomous cDc group formed to support hacktivism and develop tools that can be used by hacktivists, uses Article 19 as the centerpiece of its statement of purpose.
The group has developed tools that enable people to access and share information that their government doesn't approve of.

Patrick Ball, director of human rights programs at Benetech, a non-profit organization that uses technology to address pressing social problems, said he first heard about hacktivism on mailing lists in spring 2001.

"I thought it was a very interesting idea -- especially the part about finding technical workarounds to bad government policies. (It) was not a new idea, but these guys (cDc) were going to build actual software instead of blowing blue-sky smoke."

Ball spoke about hacktivism at hacker conference Defcon in the summer of 2001, and during his talk made a disparaging comment about Slobodan Milosevic, former president of Serbia and of the Federal Republic of Yugoslavia. Ball later testified against Milosevic at Milosevic's war crimes trial in the Hague. When Milosevic cross-examined Ball, one of the first questions he asked him was "Who is this Dead Cow Cult?"

"My under-oath spin to Slobo was that hacktivism is an opportunity for engaged young programmers to do cool and socially beneficial stuff with their technical skill and curiosity -- instead of getting in trouble," said Ball. "And I actually believe that."

The cDc, which celebrated its 20th anniversary at HOPE, was founded in July 1984 in Lubbock, Texas, by Grandmaster Ratte and Franken Gibe, "who used to hang out in an abandoned abattoir and talk computers and art and world domination," Ruffin said.

"G-Ratte ran a bunch of (bulletin boards) that attracted pretty much the cream of the hacking community from the mid-'80s. That situation has maintained itself to date. We've always been the most popular girls at the prom."

Lately the cDc has been quietly building relationships with grass-roots and traditional human rights groups, Ruffin said. And in addition to their hacktivism activities, cDc also publishes an online magazine.

"Almost no one knows that the longest running e-zine on the Net is the cDc text-file collection. The files are nuts and go everywhere from 'Sex with Satan' to really serious stuff," said Ruffin, who recently contributed a text file on hacktivism to the collection. "But the overall message is 'Go out there and do it and be yourself.' Be daring. That's what the t-files and hacktivism are all about."

From isn at c4i.org Fri Jul 16 03:26:33 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 16 03:32:18 2004
Subject: [ISN] Security UPDATE--More Bugs and Preemptive Fixes--July 14, 2004
Message-ID:

==== This Issue Sponsored By ====

Free Download! New Sitekeeper(R) 3.1
http://list.winnetmag.com/cgi-bin3/DM/y/eggi0CJgSH0CBw0BJt30Aa

Free Security White Paper from Postini
http://list.winnetmag.com/cgi-bin3/DM/y/eggi0CJgSH0CBw0BJt40Ab

====================

1. In Focus: More Bugs and Preemptive Fixes

2. Security News and Features
- Recent Security Vulnerabilities
- News: Extended Version of XCACLS Available
- News: Two New Tools and One Updated Tool for ISA Server 2004

3. Instant Poll

4. Security Toolkit
- FAQ
- Featured Thread

5. New and Improved
- Insulate Your Network
- Reduce Network Security Threats

====================

==== Sponsor: Executive Software ====

Free Download! New Sitekeeper(R) 3.1
Keeping track of your software licenses and staying up-to-date with the latest patches is a pain -- especially if you have to do it manually. But unless you stay on top of licenses and patches, you're opening your site up to legal action and security breaches. *** NEW Sitekeeper 3.1 is the simple, affordable way to automate your systems management. Sitekeeper handles hardware and software inventories, license compliance reports and software/patch installation with just a few clicks of your mouse. No special training or dedicated hardware needed -- in fact, you can start managing within minutes of installation. It's systems management software -- simplified!
Try Sitekeeper FREE -- click on
http://list.winnetmag.com/cgi-bin3/DM/y/eggi0CJgSH0CBw0BJt30Aa

====================

==== 1. In Focus: More Bugs and Preemptive Fixes ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

Another problem was recently discovered in Microsoft Internet Explorer (IE): An intruder could use the Shell.Application object to launch a command shell on an affected system. This capability could lead to all sorts of dangerous activity. To protect systems, you can disable the object by navigating to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-444553540000} registry subkey and setting the Compatibility Flags entry (type REG_DWORD) to 00000400.

Yesterday, Microsoft released Microsoft Security Bulletin MS04-024 (Vulnerability in Windows Shell Could Allow Remote Code Execution) and a related patch for that problem, so you can now load the patch instead of editing the registry. The company also released six other bulletins and patches as part of its monthly security patch release. The patches fix vulnerabilities in HTML-based Help files, the Task Scheduler, Microsoft IIS 4.0, the POSIX subsystem, and Utility Manager (all of which might allow the execution of remote code), and Microsoft Outlook Express (for which the company issued a cumulative patch for Denial of Service--DoS--conditions). You can learn more about these fixes at Microsoft's TechNet Security Web site.
http://www.microsoft.com/technet/security

After the Shell.Application bug was published on various security mailing lists, researchers began checking the Mozilla Web browser for a similar problem, and it turns out that Mozilla is affected to some extent. According to Mozilla's security advisory, it's possible to use the shell: URL scheme to launch executables on a remote user's system. The developers issued a workaround for the problem, which is available at the Mozilla Web site.
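As an added example for the Shell.Application registry workaround described in this column (this is not code from the newsletter or from Microsoft), the following PowerShell function audits the Compatibility Flags value under the ActiveX Compatibility subkey for the CLSID named above and, with -Apply, sets the 0x400 flag without disturbing other bits. The function name, the -Apply switch and the Wow6432Node check (where 32-bit IE on 64-bit Windows reads its kill bits) are this example's own assumptions.

```powershell
# Added example, not from the newsletter or from Microsoft: audit (and, with
# -Apply, set) the ActiveX "kill bit" for the Shell.Application control.
# The registry path, CLSID and 0x400 flag are the ones given in the column;
# the function name, the -Apply switch and the Wow6432Node check are this
# example's own additions.

function Test-ShellApplicationKillBit {
    [CmdletBinding()]
    param(
        # CLSID of Shell.Application, as given in the column
        [string]$Clsid = '{13709620-C279-11CE-A49E-444553540000}',
        # Set the flag if it is missing (needs an elevated session)
        [switch]$Apply
    )

    $killBit = 0x400   # Compatibility Flags bit: do not load this control in IE

    # 32-bit IE on 64-bit Windows reads the Wow6432Node copy of the key,
    # so audit both locations where the second one exists.
    $bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if ([Environment]::Is64BitOperatingSystem) {
        $bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }

    foreach ($base in $bases) {
        $key = Join-Path -Path $base -ChildPath $Clsid
        $current = 0
        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = [int]$item.'Compatibility Flags' }
        }
        $isSet = (($current -band $killBit) -ne 0)

        if (-not $isSet -and $Apply) {
            if (-not (Test-Path -LiteralPath $key)) {
                New-Item -Path $key -Force | Out-Null
            }
            # OR the bit in so any other compatibility flags already set survive
            New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                -PropertyType DWord -Value ($current -bor $killBit) -Force | Out-Null
            $current = $current -bor $killBit
            $isSet = $true
        }

        # One result object per registry location audited
        [pscustomobject]@{
            Key        = $key
            Flags      = ('0x{0:X8}' -f $current)
            KillBitSet = $isSet
        }
    }
}

# Report only:
Test-ShellApplicationKillBit
# Enforce (run from an elevated PowerShell session):
# Test-ShellApplicationKillBit -Apply
```

The same function can be reused for any other CLSID by passing -Clsid, which is how an administrator would verify that a kill bit pushed by patch or policy actually landed on a machine.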
http://www.mozilla.org/security/shell.html

The discovery of these serious security risks points out the need to regularly adjust your defenses to protect against attack. Sometimes you need to apply a vendor patch, and other times you can perform a configuration workaround. Another tactic you can use to mitigate unforeseen security problems is to employ the security tools available from various vendors. For example, security scanners might find the shell problem as well as the ADO databases (ADODB) problem I've discussed in recent issues of this newsletter. Scanning tools that find these problems probably also would let you make registry adjustments to protect against attacks.

Another tool, which I've mentioned recently, is PivX Solutions' Qwik-Fix Pro. Qwik-Fix Pro doesn't scan your systems; instead, it lets you change configuration settings to strengthen the overall security of various applications, including IE. Alex Tosheff, chief technology officer at PivX, told me that the company plans an official release of the enterprise version of Qwik-Fix Pro on August 2 (the product has been in public beta testing for quite some time). The enterprise version integrates with Active Directory (AD), uses Group Policy to define security configuration settings, and includes a Microsoft Management Console (MMC) snap-in.

According to Thor Larholm, a lead researcher at PivX, the release version will include features such as strengthened security for IE security zones (e.g., My Computer, Trusted Sites, Internet), which Microsoft Outlook also uses. Larholm also said that the product will be expanded to include application protection for Microsoft Office, Microsoft IIS, Apache HTTP Server, Mozilla, Opera Software's Opera, Microsoft SQL Server, MySQL, Windows .NET Framework, Instant Messaging (IM) applications, IBM's Lotus Notes, and other popular Windows applications.
The company is also working on features that will perform "runtime process modification and virtual application patching, ... generic C runtime and Win32 API replacements, ... generic buffer overflow protection, and generic process privilege compartmentalization."

I've pointed out before that I don't know of any products that offer the same functionality as Qwik-Fix Pro. I'm sure some other products offer some of the features, but as far as I know, the solution is rather unique in its approach. And it clearly defends against hundreds of known and untold numbers of unknown attack methods well in advance of their release. If you haven't tested Qwik-Fix Pro already, then you might want to take a close look at the release version when it becomes available.
http://www.pivx.com/qwikfix

====================

==== Sponsor: Postini ====

The Silent Killer: How spammers are stealing your email directory
Have you ever had your end users complain about how slow your email system seems to be responding when you have no visible reason for this problem in performance? Are your Microsoft Exchange server deferral queues constantly full, slowing server performance to a crawl? All of these are signs that spammers are probing your email system in an attempt to identify and "harvest" legitimate email addresses from your organization. This is what is known as the "silent killer" or "directory harvest attack" (DHA). Download this whitepaper now and learn how you can protect your organization against the "silent killer".
http://list.winnetmag.com/cgi-bin3/DM/y/eggi0CJgSH0CBw0BJt40Ab

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities.
You can also find information about these discoveries at
http://www.winnetmag.com/departments/departmentid/752/752.html

News: Extended Version of XCACLS Available
Microsoft released an updated version of Extended Change Access Control List (xcacls.exe), a tool that can help view and modify permissions for files and directories. The new version, xcacls.vbs, is a Visual Basic script that runs via the cscript.exe version of the Windows Script Host (WSH).
http://www.winnetmag.com/article/articleid/43182/43182.html

News: Two New Tools and One Updated Tool for ISA Server 2004
Microsoft released new and updated tools that help administrators manage Microsoft Internet Security and Acceleration Server 2004 (ISA Server). The new tools help you configure client systems, quarantine clients, and monitor and change ISA Server firewall configurations.
http://www.winnetmag.com/article/articleid/43248/43248.html

====================

==== Announcements ====
(from Windows & .NET Magazine and its partners)

New! The Shifting Tactics of Spammers: How to Stop the Newest Email Threats
Stopping new spam techniques requires detection and prevention in real time at the SMTP connection point. In this free Web seminar, you'll learn how spam filters operate as well as real-world examples of spammers' new attacks and threats so that you can learn what you must do to protect your organization. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/eggi0CJgSH0CBw0BJoa0AH

We're Bringing the Experts Directly to You with 2 New IT Pro Workshop Series About Security and Exchange
Don't miss two intense workshops designed to give you simple and free tools to better secure your networks and Exchange servers. Discover how to prevent attackers from attacking your network and how to perform a security checkup on your Exchange Server deployment. Get a free 12-month subscription to Windows & .NET Magazine and enter to win an Xbox! Register now.
http://list.winnetmag.com/cgi-bin3/DM/y/eggi0CJgSH0CBw0BJoS0A2

====================

==== Hot Release ====

Need to Secure Multiple Domain or Host Names?
Securing multiple domain or host names need not burden you with unwanted administrative hassles. Learn more about how the cost-effective Thawte Starter PKI program can streamline management of your digital certificates. Click here to download our free guide:
http://list.winnetmag.com/cgi-bin3/DM/y/eggi0CJgSH0CBw0BJt50Ac

====================

==== 3. Instant Poll ====

Results of Previous Poll
The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "Which Web browser does your company currently use for Internet (as opposed to intranet) browsing?" Here are the results from the 191 votes.
- 68% Microsoft Internet Explorer (IE)
- 9% Mozilla
- 19% Firefox
- 3% Opera
- 1% Other

New Instant Poll
The next Instant Poll question is, "Do you now use or do you plan to use 802.11i on your wireless LANs?" Go to the Security Web page and submit your vote for
- Yes, we use 802.11i now
- Yes, we plan to use 802.11i in the next 3 months
- Yes, we plan to use 802.11i in the next 6 months
- Yes, we plan to use 802.11i in the next year
- No, we don't plan to use 802.11i
http://www.winnetmag.com/windowssecurity

==== 4. Security Toolkit ====

FAQ: How Can I Merge Multiple Primary Versions of the Same DNS Zone for Different Servers into One Active Directory (AD)-Integrated Zone?
by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. Only one primary version of the DNS zone should exist for zones that aren't AD-integrated. If necessary, you can create additional secondary versions of zones on other DNS servers to support fault tolerance and load balancing. If you have multiple primary versions of a zone that isn't AD-integrated, those zones won't replicate or remain synchronized.
The possible actions that can occur when you move these multiple versions into AD for storage are:
* After the first DNS server stores its zone information in AD, all subsequent DNS servers lose their DNS zone content and use the first DNS server's zone information in AD.
* As each DNS server is modified to store its information in AD, the new DNS zone data overwrites the existing DNS zone data in AD.
* As each DNS server is modified to store its information in AD, the new DNS server's data merges with the existing data.

When you opt to integrate the second (or any subsequent) instance of the zone on a different DNS server in AD--as explained in the FAQ "How can I change how DNS information is stored on a DNS server?" ( http://www.winnetmag.com/articles/index.cfm?articleid=43104 )--you can choose between the first and second options. In the Active Directory Service box, you must select either "Discard the new zone, and load the existing zone from Active Directory" or "Overwrite the existing zone in Active Directory with the new zone." After you make your selection, click OK, then click OK again to confirm it.

Featured Thread: USB Hub Security
(Three messages in this thread)
A reader wants to know if he can somehow set security on USB devices based on the device type. He wants to allow USB-based printer devices and disallow USB-based storage devices for users. Do you know whether this is possible and how to do it? Lend a hand or read the responses on our Security forum.
http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=123393

====================

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

New! Extending Microsoft Office with Integrated Fax Messaging
Are you "getting by" using fax machines or relying on a less savvy solution that doesn't offer truly integrated faxing from within user applications?
Attend this free Web seminar and learn what questions to ask when selecting an integrated fax solution, discover how an integrated fax solution is more efficient than traditional faxing methods, and learn how to select the fax technology that's right for your organization. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/eggi0CJgSH0CBw0BJoT0A3

====================

==== 5. New and Improved ====
by Jason Bovberg, products@winnetmag.com

Insulate Your Network
MetaInfo has developed the MetaInfo Appliance 250 Series and MetaInfo Appliance 500 Series of hardware platforms upon which you can easily deploy and maintain MetaInfo's Meta IP services. These appliances help prevent malicious users from exploiting and thus compromising your company's DNS and DHCP services. The 250 Series is ideal for midsized networks, and the 500 Series is best for larger networks. For pricing information, contact MetaInfo at 206-674-3700 or on the Web.
http://www.metainfo.com

Reduce Network Security Threats
ElcomSoft released Proactive Windows Security Explorer 1.0, which executes a comprehensive audit of account passwords and exposes all unsecure passwords. You can identify patterns and trends that weaken security and develop the appropriate policies to improve network security. You can also use Proactive Windows Security Explorer to recover lost passwords and access users' Windows accounts. Proactive Windows Security Explorer 1.0 runs on Windows 2003/XP/Me/2000/NT 4.0/98. Prices begin at $299. For more information, contact ElcomSoft on the Web.
http://www.elcomsoft.com

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column.
Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com.

====================

==== Sponsored Links ====

Argent
Comparison Paper: The Argent Guardian Easily Beats Out MOM
http://list.winnetmag.com/cgi-bin3/DM/y/eggi0CJgSH0CBw0BDWV0Aa

====================

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@winnetmag.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Contact Us ====

About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

====================

==== Contact Our Sponsors ====

Primary Sponsor: Executive Software -- http://executive.com
Secondary Sponsor: Postini -- http://www.postini.com -- 1-888-584-3150
Hot Release Sponsor: thawte -- http://www.thawte.com -- 1-650-426-7400

====================

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you!

View the Windows & .NET Magazine privacy policy at
http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All rights reserved.

From isn at c4i.org Fri Jul 16 03:26:50 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 16 03:32:20 2004
Subject: [ISN] Los Alamos Halts All of Its Classified Research After Data Vanishes
Message-ID:

http://www.nytimes.com/2004/07/16/national/16lab.html

By KENNETH CHANG
July 16, 2004

After the disappearance last week of two removable data storage devices, officials at Los Alamos National Laboratory yesterday announced a halt to classified research while they conduct an inventory of sensitive data. The halt affects the majority of work at Los Alamos, one of the nation's two nuclear weapons research laboratories.

The loss of the storage devices was discovered July 7 during preparations to run an experiment in the laboratory's weapons physics division. The devices have not been found.

The security lapse comes as the contract for managing Los Alamos goes out to bid. The University of California has run Los Alamos since it was founded during World War II, but the secretary of energy, Spencer Abraham, decided last year to seek competing bids after the discovery that some employees had spent thousands of dollars of laboratory funds on personal items. At the time, Mr. Abraham criticized the laboratory for "systematic management failure" in its business procedures.

In a statement released yesterday, Mr. Abraham was similarly harsh on the laboratory's handling of classified information.

"The investigation to date indicates widespread disregard of security procedures by laboratory employees," Mr. Abraham said. "This is absolutely unacceptable. While our first priority must be to locate the missing material, the government will insist that the University of California, which operates Los Alamos, ensures that the laboratory take strong measures to correct the systematic flaws that allowed this problem to occur."
Conducting the inventory will take at least several days, said Kevin Roark, a laboratory spokesman. Employees involved in classified research will also repeat training on laboratory procedures and policies on handling sensitive data on floppy disks, CD-ROM's, memory cards and other removable data storage devices.

Officials declined to say what kind of storage devices were missing or whether the data involved nuclear weapons research.

The Department of Energy will soon release a request for proposals for running Los Alamos after the University of California's current contract ends in September 2005.

From isn at c4i.org Fri Jul 16 03:27:05 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 16 03:32:21 2004
Subject: [ISN] Chinese Hacker May be PLA
Message-ID:

http://english.chosun.com/w21data/html/news/200407/200407150028.html

Lee Ha-won
may2@chosun.com
July 15, 2004

The Ministry of Foreign Affairs sent an urgent message to the Korean Embassy in Beijing instructing it to confirm whether the recent hacking of computers at major national institutions is connected with the Chinese People's Liberation Army.

Ahead of this, as the Foreign Ministry was protesting Chinese state-run media distortions of Goguryo history to Chinese Ambassador Li Bin on Wednesday, the ministry requested China's active cooperation in solving the hacking problem. Foreign Ministry spokesperson Shin Bong-kil said Li stated he would relay the request to Beijing and would work hard to see that the facts behind the hacking incident were revealed.

The Foreign Ministry said, however, that since neither the identity of the hacker nor the level of PLA involvement has been revealed, it was best to respond cautiously. In accordance, at a meeting of high-ranking Foreign Ministry officials Thursday, the ministry decided to demand that measures be taken through diplomatic channels after National Intelligence Service and police investigations have been completed.
In some Foreign Ministry quarters, there are concerns that if the Chinese government doesn't cooperate, the criminal may not be revealed and the matter itself may fall into a labyrinth. They say that if the criminal is not revealed, there are limits to the diplomatic measures the Korean government could apply.

Moreover, there are those within the government pointing out that a system must be created in which the country could actively respond diplomatically to cyber-terrorism. In the countermeasures committee set up to deal with the Chinese hacking incident, there is only one Foreign Ministry official of bureau-head rank, and within the ministry, only the second division of the Northeast Asia bureau is handling the matter. Accordingly, some government figures say the Foreign Ministry should better recognize the severity of the incident and respond more aggressively.

The Foreign Ministry worries that with Sino-Korean tensions growing as a result of the Goguryo history issue, should it be confirmed that the hacking was conducted by the PLA, relations between the two countries could worsen.

From isn at c4i.org Fri Jul 16 03:28:03 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 16 03:32:22 2004
Subject: [ISN] California Department of Insurance Computer Hacked, Agents Notified
Message-ID:

http://www.insurancenewsnet.com/article.asp?a=top_news&id=22774

SACRAMENTO - A California Department of Insurance (CDI) computer server, used for pre-licensing purposes, was accessed without authorization on June 30, 2004. The Department is sending individual letters to the 599 applicants who were in the process of applying for insurance producer licenses and whose information was on the computer server at the time of the security incident.

Upon discovery of the unauthorized access, as required by state policy, the Department of Insurance immediately notified the California Highway Patrol and the Department of Finance, Technology Oversight Security Unit.
CDI will continue to participate in their investigation until it is completed.

Although the accessed computer server contained applicants' names, addresses, and social security numbers, this information was encrypted and it is highly unlikely that information was compromised. The Department of Insurance employs one of the best levels of encryption software on the market in order to ensure that information, even if accessed, is highly unlikely to be decrypted into anything useful. CDI has also taken additional security measures to prevent unauthorized accesses in the future.

While the Department of Insurance does not believe that private information has been revealed, it still suggests that the individuals contacted by letter order a credit report to verify that there is no unauthorized activity. Even if individuals in this incident choose not to order credit reports at this time, the California Office of Privacy Protection recommends that everyone check their credit report at least once a year.

Applicants who were in the process of applying for an insurance producer license from the Department and are concerned that their information may have been impacted should call Archie Alimagno, the Department's Information Security Officer, at 916/492-3353.

From isn at c4i.org Fri Jul 16 03:28:20 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 16 03:32:23 2004
Subject: [ISN] Forensic computing uncloaks industrial espionage
Message-ID:

http://www.theregister.co.uk/2004/07/15/autocad_cads_foiled/

By John Leyden
15th July 2004

Forensic computing techniques proved decisive in winning a recent High Court action involving underhand dealings and industrial espionage in Britain's automotive tools industry.
Computer forensics firm Vogon International was called in to help investigate the alleged theft of electronic copies of vital engineering drawings by a former director and members of staff who had left British Midland Tools, in Tamworth near Birmingham, to join Midland International Tooling Ltd (MIT).

British Midland Tools' suspicions were aroused when MIT set up shop almost on its doorstep, offering identical services only weeks after its staff had left their former company. It was alleged the suspects had taken the electronic blueprints to their new company and had begun to attract business from customers of British Midland Tools valued at £3m.

British Midland Tools began a legal action and obtained a search order authorising a raid on MIT. Vogon assisted British Midland Tools' solicitors, Cripps and Shone, in the search and seizure order at the site of Midland International Tooling.

Vogon's investigators took a complete image of the entire contents of Midland International Tooling's AutoCAD (engineering drawing software) system, providing an exact replica of the system at the time the forensic process took place. AutoCAD files record information on data that is deleted - much like the metadata recorded by Microsoft Word.

Tooling up

Vogon investigated drawings from both companies at its laboratories in Bicester, Oxfordshire. The initial investigation revealed no real problems, but a different picture was revealed when the drawings were converted into common formats. Vogon's investigators discovered that drawings found at Midland International Tooling contained one of British Midland Tools' address blocks, the original of which had been overwritten and replaced with the address of the new company.

Further investigation revealed two pages of British Midland Tools' quality manual in the slack space of Midland International Tooling's computer, which should not have been there. How was MIT going to defend itself against such damning evidence?
At the eleventh hour, the defence presented Vogon's investigators with floppy disks, purporting to be Midland International Tooling's original drawings on their original disks. Midland International Tooling claimed that these drawings were made in 2000; but checks with Sony revealed that the floppy disks had not been manufactured until two years later, in 2002.

In court, Justice Hart concluded that the drawings had been deliberately copied from British Midland Tools' computer to Midland International Tooling's computer, as part of its plans to set up a rival business. The Judge found in favour of British Midland Tools and made an award for substantial undisclosed damages and all costs.

The original judgement was made in January 2003, but an appeal in the case against former MIT directors was only exhausted in January this year. Both Midland International Tooling and British Midland Tools were wound up last year following the failure of their respective businesses.

Tony Dearsley, senior computer investigation manager at Vogon International, said its computer forensics expertise is split evenly between criminal and civil cases where the "same principles and attention to detail apply".

"Company loyalty is a thing of the past and this has led to an increase in people taking vital company information with them when they leave. We're often called in cases where sales and contact databases go missing," he said.
From isn at c4i.org Fri Jul 16 03:29:02 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 16 03:32:24 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-29
Message-ID:

========================================================================

                    The Secunia Weekly Advisory Summary
                          2004-07-08 - 2004-07-15

                         This week : 42 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

New Features at Secunia.com

Secunia has implemented various statistical features at the websites for both Secunia advisories and Virus Information.

Secunia Advisories Statistics:
http://secunia.com/advisory_statistics/

Examples of Specific Product Statistics:
http://secunia.com/product/11/ (Internet Explorer 6)
http://secunia.com/product/761/ (Opera 7.x)
http://secunia.com/product/1480/ (Mozilla 1.3)

Secunia Virus Information Statistics:
http://secunia.com/virus_statistics/

Furthermore, Secunia has made it possible for you to include all graphs available at secunia.com on your own website. This is described in detail at:
http://secunia.com/secunia_image_inclusion/

========================================================================
2) This Week in Brief:

ADVISORIES:

This week, Microsoft issued 7 new security bulletins, fixing various issues in Microsoft Windows, Microsoft Outlook, and Microsoft Internet Information Server. The issues range from local privilege escalation to remote system access vulnerabilities.

It finally seems like Microsoft decided to change the behaviour of the widely abused shell: URI handler functionality, which so many exploits rely on. The downside to this is that we still have some unfixed issues in Internet Explorer, which are still potentially dangerous.

The 7 bulletins are described in the following Secunia Advisories:
http://secunia.com/SA12059
http://secunia.com/SA12058
http://secunia.com/SA12051
http://secunia.com/SA12038
http://secunia.com/SA12060
http://secunia.com/SA12061
http://secunia.com/SA12062

--

Just hours before Microsoft released their patches as part of the monthly release cycle, 4 new vulnerabilities in Internet Explorer were published. Because http-equiv managed to create an exploit, which could be used to compromise a vulnerable system, Secunia decided to rate the advisory extremely critical.

These 4 new vulnerabilities are still unpatched. However, the exploit made by http-equiv doesn't work after applying the patch in SA12058.

Reference:
http://secunia.com/SA12048

--

VIRUS ALERTS:

Secunia has not issued any virus alerts during the last week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA12048] Microsoft Internet Explorer Multiple Vulnerabilities
2. [SA11978] Multiple Browsers Frame Injection Vulnerability
3. [SA11793] Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities
4. [SA12027] Mozilla Fails to Restrict Access to "shell:"
5. [SA12028] Opera Browser Address Bar Spoofing Vulnerability
6. [SA11966] Internet Explorer Frame Injection Vulnerability
7. [SA12042] Microsoft Products Fail to Restrict "shell:" Access
8. [SA9711] Microsoft Internet Explorer Multiple Vulnerabilities
9. [SA12041] Microsoft Outlook / Word Object Tag Vulnerability
10. [SA12053] Adobe Acrobat / Reader File Extension Buffer Overflow Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA12048] Microsoft Internet Explorer Multiple Vulnerabilities
[SA12061] Microsoft Internet Information Server Redirection Buffer Overflow Vulnerability
[SA12059] Microsoft Windows showHelp and HTML Help Vulnerabilities
[SA12071] Gattaca Server 2003 Multiple Vulnerabilities
[SA12060] Microsoft Windows Task Scheduler Buffer Overflow Vulnerability
[SA12058] Microsoft Windows / Internet Explorer File Download Extension Spoofing
[SA12056] INweb Mail Server Multiple Connection Denial of Service Vulnerability
[SA12053] Adobe Acrobat / Reader File Extension Buffer Overflow Vulnerability
[SA12046] IBM Lotus Notes Client Unspecified Java Applet Handling Vulnerabilities
[SA12042] Microsoft Products Fail to Restrict "shell:" Access
[SA12041] Microsoft Outlook / Word Object Tag Vulnerability
[SA12039] Ability Mail Server Cross-Site Scripting and Denial of Service Vulnerabilities
[SA12062] Microsoft Windows POSIX Subsystem Privilege Escalation Vulnerability
[SA12051] Microsoft Windows 2000 Utility Manager Privilege Escalation Vulnerability
[SA12033] DiamondCS Process Guard Protection Features Disabling Vulnerability
[SA12047] Microsoft Java Virtual Machine Cross-Site Communication Vulnerability
[SA12043] Sun Java Predictable File Location Weakness
[SA12038] Microsoft Outlook Express Header Validation Denial of Service Weakness

UNIX/Linux:
[SA12070] Mandrake update for php
[SA12063] 4D WebSTAR Multiple Vulnerabilities
[SA12032] SSLtelnet Error Logging Format String Vulnerability
[SA12072] Gentoo update for kernel
[SA12069] Mandrake update for freeswan / super-freeswan
[SA12066] Gentoo update for wv
[SA12045] Moodle Unspecified Front Page Vulnerability
[SA12040] wv Library Document DateTime Field Buffer Overflow Vulnerability
[SA12068] Fedora update for ethereal
[SA12035] Gentoo update for ethereal
[SA12034] Mandrake update for ethereal
[SA12031] OpenPKG update for dhcpd
[SA12065] Moodle "help.php" Cross-Site Scripting Vulnerability
[SA12057] Bugzilla Multiple Vulnerabilities
[SA12054] Gentoo update for rsync
[SA12036] Gentoo update for MoinMoin
[SA12037] Fedora im-switch Insecure Temporary File Creation Vulnerability
[SA12030] Gentoo update for shorewall
[SA12029] Shorewall Insecure Temporary File Creation Vulnerability

Other:
[SA12067] Novell Bordermanager VPN Service Unspecified Denial of Service

Cross Platform:
[SA12064] PHP "strip_tags()" Function and memory_limit Vulnerabilities
[SA12055] phpBB Two Unspecified Vulnerabilities
[SA12052] IBM Lotus Sametime GSKit Denial of Service Vulnerability
[SA12028] Opera Browser Address Bar Spoofing Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:

--

[SA12048] Microsoft Internet Explorer Multiple Vulnerabilities
Critical: Extremely critical
Where: From remote
Impact: Security Bypass, Spoofing, System access
Released: 2004-07-13

Paul has reported some vulnerabilities in Internet Explorer, allowing malicious people to bypass security restrictions and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12048/

--

[SA12061] Microsoft Internet Information Server Redirection Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-07-13

Microsoft has released an update for Internet Information Server. This fixes a vulnerability, allowing malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12061/

--

[SA12059] Microsoft Windows showHelp and HTML Help Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2004-07-13

Microsoft has issued an update for Windows.
This fixes two vulnerabilities, allowing malicious websites to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12059/

--

[SA12071] Gattaca Server 2003 Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, DoS
Released: 2004-07-15

Dr_insane has reported multiple vulnerabilities in Gattaca Server 2003, which can be exploited by malicious people to disclose system information, cause a DoS (Denial of Service), or conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/12071/

--

[SA12060] Microsoft Windows Task Scheduler Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-07-13

Microsoft has issued an update for Windows. This fixes a vulnerability, allowing malicious websites to execute arbitrary code on a vulnerable system.

Full Advisory: http://secunia.com/advisories/12060/

--

[SA12058] Microsoft Windows / Internet Explorer File Download Extension Spoofing
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-07-13

Microsoft has issued an update for Microsoft Windows. This fixes a vulnerability, allowing malicious web sites to spoof the extension of files being downloaded.

Full Advisory: http://secunia.com/advisories/12058/

--

[SA12056] INweb Mail Server Multiple Connection Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-07-13

Dr_insane has reported a vulnerability in INweb Mail Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12056/

--

[SA12053] Adobe Acrobat / Reader File Extension Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-07-13

Greg MacManus has discovered a vulnerability in Adobe Acrobat / Reader, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/12053/

--

[SA12046] IBM Lotus Notes Client Unspecified Java Applet Handling Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2004-07-13

Jouko Pynnonen has reportedly discovered three vulnerabilities with an unknown impact in the Lotus Notes clients.

Full Advisory: http://secunia.com/advisories/12046/

--

[SA12042] Microsoft Products Fail to Restrict "shell:" Access
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-07-12

Jesse Ruderman has reported a vulnerability in MSN Messenger and Microsoft Word, allowing access to the Windows "shell:" functionality.

Full Advisory: http://secunia.com/advisories/12042/

--

[SA12041] Microsoft Outlook / Word Object Tag Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-07-12

James C. Slora has reported a vulnerability in Microsoft Word and Outlook, potentially allowing malicious people to gain system access.

Full Advisory: http://secunia.com/advisories/12041/

--

[SA12039] Ability Mail Server Cross-Site Scripting and Denial of Service Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, DoS
Released: 2004-07-12

Dr_insane has reported two vulnerabilities in Ability Mail Server, which can be exploited by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12039/

--

[SA12062] Microsoft Windows POSIX Subsystem Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-07-13

Rafal Wojtczuk has reported a vulnerability in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/12062/

--

[SA12051] Microsoft Windows 2000 Utility Manager Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-07-13

Cesar Cerrudo has discovered a vulnerability in Microsoft Windows 2000, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/12051/

--

[SA12033] DiamondCS Process Guard Protection Features Disabling Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2004-07-09

Tan Chew Keong has reported a vulnerability in DiamondCS Process Guard, which can be exploited by certain malicious processes to disable the security features provided by the product.

Full Advisory: http://secunia.com/advisories/12033/

--

[SA12047] Microsoft Java Virtual Machine Cross-Site Communication Vulnerability
Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2004-07-12

Marc Schoenefeld has reported a vulnerability in Microsoft Java Virtual Machine, allowing Java applets originating from different domains to communicate.

Full Advisory: http://secunia.com/advisories/12047/

--

[SA12043] Sun Java Predictable File Location Weakness
Critical: Not critical
Where: From remote
Impact: Unknown
Released: 2004-07-12

A weakness has been reported in Sun Java, allowing malicious websites to write arbitrary content to a file with an easily guessable name.
Full Advisory: http://secunia.com/advisories/12043/

--

[SA12038] Microsoft Outlook Express Header Validation Denial of Service Weakness
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2004-07-13

A weakness has been discovered in Microsoft Outlook Express 6, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/12038/

UNIX/Linux:

--

[SA12070] Mandrake update for php
Critical: Highly critical
Where: From remote
Impact: System access, Security Bypass
Released: 2004-07-15

MandrakeSoft has issued an update for php. This fixes two vulnerabilities, which can be exploited by malicious people to bypass certain security functionality or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12070/

--

[SA12063] 4D WebSTAR Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Privilege escalation, System access, Exposure of sensitive information, Exposure of system information
Released: 2004-07-14

@stake has reported multiple vulnerabilities in 4D WebSTAR, which can be exploited to compromise a vulnerable system, gain escalated privileges or disclose information.

Full Advisory: http://secunia.com/advisories/12063/

--

[SA12032] SSLtelnet Error Logging Format String Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-07-09

A vulnerability has been reported in SSLtelnet, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12032/

--

[SA12072] Gentoo update for kernel
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-07-15

Gentoo has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12072/

--

[SA12069] Mandrake update for freeswan / super-freeswan
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS
Released: 2004-07-15

MandrakeSoft has issued updates for freeswan and super-freeswan. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/12069/

--

[SA12066] Gentoo update for wv
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-07-14

Gentoo has issued an update for wv. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/12066/

--

[SA12045] Moodle Unspecified Front Page Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2004-07-12

An unspecified vulnerability with an unknown impact has been reported in Moodle.

Full Advisory: http://secunia.com/advisories/12045/

--

[SA12040] wv Library Document DateTime Field Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-07-13

Karol Weisek has reported a vulnerability in wv, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/12040/

--

[SA12068] Fedora update for ethereal
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2004-07-15

Fedora has issued an update for Ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/12068/

--

[SA12035] Gentoo update for ethereal
Critical: Moderately critical
Where: From local network
Impact: System access, DoS
Released: 2004-07-12

Gentoo has issued an update for Ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12035/

--

[SA12034] Mandrake update for ethereal
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2004-07-12

MandrakeSoft has issued an update for Ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12034/

--

[SA12031] OpenPKG update for dhcpd
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2004-07-09

OpenPKG has issued an update for dhcpd. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12031/

--

[SA12065] Moodle "help.php" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-07-14

Thomas Waldegger has reported a vulnerability in Moodle, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/12065/

--

[SA12057] Bugzilla Multiple Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information, Privilege escalation
Released: 2004-07-14

Multiple vulnerabilities have been reported in Bugzilla, which can be exploited by malicious users to gain knowledge of sensitive information, or conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/12057/

--

[SA12054] Gentoo update for rsync
Critical: Less critical
Where: From remote
Impact: Manipulation of data, Security Bypass
Released: 2004-07-13

Gentoo has issued an update for rsync. This fixes a vulnerability, potentially allowing malicious people to write files outside the intended directory.

Full Advisory: http://secunia.com/advisories/12054/

--

[SA12036] Gentoo update for MoinMoin
Critical: Less critical
Where: From remote
Impact: Privilege escalation
Released: 2004-07-12

Gentoo has issued an update for MoinMoin. This fixes a vulnerability, which can be exploited by malicious users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/12036/

--

[SA12037] Fedora im-switch Insecure Temporary File Creation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-07-13

Tatsuo Sekine has reported a vulnerability in Fedora, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/12037/

--

[SA12030] Gentoo update for shorewall
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-07-09

Gentoo has issued an update for shorewall. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/12030/

--

[SA12029] Shorewall Insecure Temporary File Creation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-07-09

Javier Fernández-Sanguino Peña has discovered a vulnerability in Shorewall, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/12029/

Other:

--

[SA12067] Novell Bordermanager VPN Service Unspecified Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-07-15

A vulnerability has been reported in Novell BorderManager, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/12067/

Cross Platform:

--

[SA12064] PHP "strip_tags()" Function and memory_limit Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2004-07-14

Stefan Esser has reported two vulnerabilities in PHP, which can be exploited by malicious people to bypass certain security functionality or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12064/

--

[SA12055] phpBB Two Unspecified Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data
Released: 2004-07-13

phpBB Group has released a new version of phpBB, which fixes two unspecified and some known vulnerabilities.

Full Advisory: http://secunia.com/advisories/12055/

--

[SA12052] IBM Lotus Sametime GSKit Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-07-13

A vulnerability has been discovered in IBM Lotus Sametime, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12052/

--

[SA12028] Opera Browser Address Bar Spoofing Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-07-08

bitlance winter has discovered a vulnerability in the Opera browser, which potentially can be exploited by malicious people to conduct phishing attacks against a user.

Full Advisory: http://secunia.com/advisories/12028/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Jul 16 03:29:23 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 16 03:32:26 2004
Subject: [ISN] Hacker Lamo Sentenced To Home Detention
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=23901163

By George V. Hulme
July 15, 2004

Adrian Lamo, known as the "homeless" hacker, built a reputation for hacking into the networks of some of America's largest companies and then offering to help, for free, fix the security vulnerabilities that made his incursions possible.

Lamo was indicted for breaking into computer systems at The New York Times. In January, he pleaded guilty to those charges. On Thursday, a federal judge sentenced him to two years probation, with six months to be served in home detention, says Lamo's federal public defender, Sean Hecker. Lamo will also have to pay $65,000 in restitution, Hecker says.

In earlier interviews, Lamo said his hacking days were over.
Lamo allegedly broke into computer systems at Excite@Home, Yahoo, Microsoft, MCI-WorldCom, and SBC Ameritech. Some of the companies Lamo hacked into, including WorldCom, thanked him for finding and helping to fix the security holes he uncovered. In each case, after Lamo helped the company fix its security hole, Lamo would call a news reporter to make his penetration public.

That changed after Lamo breached the network of The New York Times in early 2001. In January of this year, Lamo pleaded guilty before U.S. District Judge Naomi Reice Buchwald to unauthorized access of the private network of the Times, where he added his name and contact information to the paper's op-ed database. In pleading guilty, he agreed that his actions caused losses in the range of $30,000 to $70,000. The losses include costs of intrusions into the Times, as well as use of the LexisNexis database and for alleged access to a Microsoft database in October 2001.

Under the terms of Lamo's plea agreement with prosecutors, he could have faced six months to a year in prison. In court in January, Lamo read a statement in which he admitted guilt and said, "I know that I crossed a line that should not be crossed and I'm genuinely remorseful."

From isn at c4i.org Mon Jul 19 02:42:31 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 19 06:21:11 2004
Subject: [ISN] Linux Advisory Watch - July 16, 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  July 16, 2004                                Volume 5, Number 28a  |
+---------------------------------------------------------------------+

  Editors:     Dave Wreski                     Benjamin Thomas
               dave@linuxsecurity.com          ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
This week, advisories were released for kernel, Ethereal, MoinMoin and rsync. The distributors include EnGarde, Fedora, Gentoo and Mandrake.

-----

>> Need to Secure Multiple Domain or Host Names? <<

Securing multiple domain or host names need not burden you with unwanted administrative hassles. Learn more about how the cost-effective Thawte Starter PKI program can streamline management of your digital certificates. Click here to download our Free guide:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawte07

-----

How Does Kerberos Actually Work?

Kerberos uses secret-key cryptography to distribute tickets used for authentication of users to network services. The ticket is generated using a password that the user supplies, unequivocally linking it to the user. The services available for use with Kerberos also have tickets, but these are not generated using a password.

The user presents his ticket given to him by the Kerberos authentication server (AS). The ticket is stored on the authentication server, which is configured to permit the user to access a particular service on a particular server on the network. The server uses this to verify the user's identity, and grants or denies access to a particular network service.

Once the user has requested of the AS the use of a particular service, a session key (a random string of bits) is generated which is used to encrypt future communications between the client and AS. This key and the service name requested are encrypted together using the user's ticket. Another copy of the random session key generated by the AS and the username are encrypted together using the service's key. Both messages are then returned to the user.

The user decrypts the first message using his ticket and reveals the server name from which he was requesting service and the session key generated by the AS. The second message passed to the user cannot be decrypted because it was encrypted using the service key, which the user does not have.
The user then uses that session key to encrypt a message containing the current time. This message, and the second message still encrypted, are both passed to the service for which the user requests access.

The service opens the message it can read (the one the client could not open) using its own key, extracting the session key and the user name requesting the use of the service. The service then opens the other message using the session key from the previous message to extract the message with the timestamp on it. This then serves to authenticate the user. This message may also contain an encryption key that is used to provide privacy in future communications between the user and the service.

Security Tip Written by Dave Wreski (dave@guardiandigital.com)
Additional tips are available at the following URL:
http://www.linuxsecurity.com/tips/

-----

Catching up with Wietse Venema, creator of Postfix and TCP Wrapper

Duane Dunston speaks at length with Wietse Venema on his current research projects at the Thomas J. Watson Research Center, including his forensics efforts with The Coroner's Toolkit. Wietse Venema is best known for the software TCP Wrapper, which is still widely used today and is included with almost all unix systems. Wietse is also the author of the Postfix mail system and the co-author of the very cool suite of utilities called The Coroner's Toolkit or "TCT".

http://www.linuxsecurity.com/feature_stories/feature_story-169.html

-------------------------------------------------------------------

Open Source Leaving Microsoft Sitting on the Fence?

The open source model, with special regard to Linux, has no doubt become a formidable competitor to the once sole giant of the software industry, Microsoft. It is expected when the market share of an industry leader becomes threatened, retaliation with new product or service offerings and marketing campaigns refuting the claims of the new found competition are inevitable.
However, in the case of Microsoft, it seems they have not taken a solid or plausible position on the use of open source applications as an alternative to Windows.

http://www.linuxsecurity.com/feature_stories/feature_story-168.html

------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: EnGarde          | ----------------------------//
+---------------------------------+

  7/13/2004 - kernel
    Multiple vulnerabilities

    This update fixes several security vulnerabilities in the Linux Kernel shipped with EnGarde Secure Linux, most notably the "fsave/frstor" vulnerability and an information leak in the e1000 driver.
    http://www.linuxsecurity.com/advisories/engarde_advisory-4555.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

  7/9/2004 - im-sdk
    Insecure temporary file vulnerability
    Multiple vulnerabilities

    The im-switch that is included in the Fedora Core iiimf-x package has been fixed to take appropriate precautions when generating temporary files.
    http://www.linuxsecurity.com/advisories/fedora_advisory-4551.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

  7/9/2004 - Ethereal
    Multiple vulnerabilities

    Multiple vulnerabilities including one buffer overflow exist in Ethereal, which may allow an attacker to run arbitrary code or crash the program.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4550.html

  7/12/2004 - MoinMoin
    ACL bypass vulnerability

    MoinMoin contains a bug allowing a user to bypass group ACLs (Access Control Lists).
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4553.html

  7/12/2004 - rsync
    Directory traversal vulnerability

    Under specific conditions, the rsync daemon is vulnerable to a directory traversal that allows files to be written outside a sync module.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4554.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

7/9/2004 - ethereal
  Multiple vulnerabilities

  It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet into the wire or by convincing someone to read a malformed packet trace file.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4552.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Jul 19 02:44:45 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 19 06:21:12 2004
Subject: [ISN] Re: From the Strange File: Archive.org Hacking in Civil Lawsuit?
Message-ID:

> http://research.yale.edu/lawmeme/modules.php?name=News&file=article&sid=1543
>
> By James Grimmelmann
> July 12, 2004
>
> I'm not really sure what to make of this one. BNA mentioned a case
> named Flynn v. Health Advocate, Inc. (not publicly online yet, but
> keep checking here). It's just a garden-variety civil lawsuit around
> a business venture that never went anywhere. The plaintiff is
> accusing the defendants of using the negotiations as a ploy to
> ferret out various trade secrets and other confidential information.

[...]

UPDATE: July 15, 1:30 PM: Fixed the case name (I had conflated "Healthcare Advocates" with "Health Advocate").
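The Kerberos exchange described in the Security Tip of the Linux Advisory Watch issue above (a ticket the client cannot open, plus an authenticator carrying a timestamp under the session key), modelled in Python as an added example that is not part of the newsletter. The cipher, key values and clock values are constructed stand-ins rather than Kerberos's real encryption types, and the freshness window and replay cache are the checks a service applies to that timestamp, which the tip only implies.

```python
# Added example (not from the newsletter): a toy model of the Kerberos
# ticket/authenticator exchange the Security Tip describes. The cipher below
# is a constructed stand-in (HMAC-SHA256 keystream plus HMAC tag); real
# Kerberos uses its own encryption types. Only the message flow is the point.
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32
CLOCK_SKEW = 300  # seconds; constructed tolerance for the authenticator timestamp


def _keystream(key, nonce, n):
    """Constructed keystream: HMAC(key, nonce || counter) blocks, truncated to n bytes."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable message under key."""
    nonce = os.urandom(NONCE_LEN)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag, then decrypt. A wrong key or tampering raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


# Constructed long-term key shared between the KDC and the service only.
SERVICE_KEY = hashlib.sha256(b"constructed service long-term key").digest()


def kdc_issue(user, service_key, now):
    """KDC: mint a session key and wrap it, with the user name, in a ticket
    sealed under the service's key (the message the client cannot open)."""
    session_key = os.urandom(32)
    ticket = seal(service_key, {"user": user, "skey": session_key.hex(), "issued": now})
    return session_key, ticket


def client_request(session_key, ticket, now):
    """Client: encrypt the current time under the session key (the authenticator)
    and send it alongside the still-encrypted ticket."""
    authenticator = seal(session_key, {"ts": now})
    return ticket, authenticator


def service_verify(service_key, ticket, authenticator, now, seen):
    """Service: open the ticket with its own key to get the session key and user,
    then open the authenticator with that session key and check the timestamp."""
    t = open_sealed(service_key, ticket)
    session_key = bytes.fromhex(t["skey"])
    a = open_sealed(session_key, authenticator)  # fails unless the client held the session key
    if abs(now - a["ts"]) > CLOCK_SKEW:
        raise ValueError("stale authenticator")
    replay_id = (t["user"], a["ts"])  # simplified replay-cache key
    if replay_id in seen:
        raise ValueError("replayed authenticator")
    seen.add(replay_id)
    return t["user"], session_key


def demo():
    """One successful exchange, then the three rejections the service must make."""
    now = 1_700_000_000  # constructed clock value, seconds
    session_key, ticket = kdc_issue("alice", SERVICE_KEY, now)
    ticket, auth = client_request(session_key, ticket, now)
    seen = set()
    results = {"fresh": service_verify(SERVICE_KEY, ticket, auth, now + 5, seen)[0]}
    attempts = {
        "replay": (SERVICE_KEY, ticket, auth, now + 6, seen),
        "stale": (SERVICE_KEY, ticket, client_request(session_key, ticket, now)[1], now + 3600, set()),
        "wrong_key": (hashlib.sha256(b"constructed wrong key").digest(), ticket, auth, now + 5, set()),
    }
    for name, args in attempts.items():
        try:
            service_verify(*args)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10} {outcome}")
```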
From isn at c4i.org Mon Jul 19 02:45:04 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 19 06:21:14 2004
Subject: [ISN] DEF CON 11 Media is now ON-LINE
Message-ID:

Forwarded from: The Dark Tangent

Continuing our tradition of putting on-line past speeches, I am now happy to say we have made DEF CON 11 available on www.defcon.org. About six months late, but at long last it is there in higher resolution and better quality than years past.

See you at DEF CON!

The Dark Tangent

From isn at c4i.org Mon Jul 19 06:14:19 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 19 06:21:15 2004
Subject: [ISN] Heathrow Airport Anti-Terror Plans 'Found in Road'
Message-ID:

Forwarded from: "Harper, Patrick"

http://www.reuters.com/newsArticle.jhtml?type=worldNews&storyID=5699652

July 18, 2004

LONDON (Reuters) - British police said on Sunday they had launched an inquiry into how a secret police dossier went missing that according to a newspaper report contained counter-terrorist plans for London's Heathrow airport.

The dossier, found lying in a road, showed 62 sites at the airport where al Qaeda was most likely to launch anti-aircraft missile strikes, the Sun newspaper said in its Monday edition.

The Sun said the dossier included facts about surveillance, escape routes, evacuation plans and deployment of rooftop snipers at the world's busiest international hub.

The plans, which have since been returned to police, were found by a motorist, the newspaper said.
A police spokeswoman could give no details about what the dossier contained or where it was found, but confirmed it had been returned to police.

"We treat any breach of security extremely seriously," the spokeswoman said.

"We have launched an internal inquiry into the circumstances of how these documents went missing and will take the appropriate action when we have ascertained the facts surrounding this matter," the spokeswoman said.

She could not confirm whether the dossier was compiled by the SO18 anti-terrorist Aviation Security team, which is based at Heathrow police station.

According to The Sun, the papers contained detailed maps and photographs, including aerial and satellite shots. In one section, the dossier identified a field close to the airport as being ideal for a terrorist attack.

"This site affords an excellent site to attack aircraft departing Heathrow," the Sun quoted from the dossier, saying it included aerial and satellite photographs of the site.

Dated June 26 2004, the dossier gave surveillance and assessment information valid until December, the newspaper said.

Ten years ago, the Irish Republican Army targeted Heathrow airport with rocket attacks. None of the missiles packed with Semtex plastic explosive detonated.

Security chiefs sent tanks into Heathrow last year after intelligence pointed to a threatened missile attack. This year, flights to the U.S. have been canceled amid fears of an al Qaeda attack.
From isn at c4i.org Tue Jul 20 08:11:44 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 20 08:24:20 2004
Subject: [ISN] Linux Security Week - July 19, 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  July 19, 2004                             Volume 5, Number 29n     |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas          ben@linuxsecurity.com    |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Denial-of-service flaw fixed in Linux kernel", "The Hidden Treasures of IPTables" and "Quantum Crypto Network Debuts".

----

>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04

----

LINUX ADVISORY WATCH:

This week, advisories were released for kernel, Ethereal, MoinMoin and rsync. The distributors include EnGarde, Fedora, Gentoo and Mandrake.

http://www.linuxsecurity.com/articles/forums_article-9520.html

----

Security Expert Dave Wreski Discusses Open Source Security

LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian Digital, Inc. and respected author of various hardened security and Linux publications, to talk about how Guardian Digital is changing the face of IT security today.
Guardian Digital is perhaps best known for their hardened Linux solution EnGarde Secure Linux, touted as the premier secure, open-source platform for its comprehensive array of general purpose services, such as web, FTP, email, DNS, IDS, routing, VPN, firewalling, and much more.

http://www.linuxsecurity.com/feature_stories/feature_story-170.html

---------------------------------------------------------------------

Catching up with Wietse Venema, creator of Postfix and TCP Wrapper

Duane Dunston speaks at length with Wietse Venema on his current research projects at the Thomas J. Watson Research Center, including his forensics efforts with The Coroner's Toolkit. Wietse Venema is best known for the software TCP Wrapper, which is still widely used today and is included with almost all unix systems. Wietse is also the author of the Postfix mail system and the co-author of the very cool suite of utilities called The Coroner's Toolkit or "TCT".

http://www.linuxsecurity.com/feature_stories/feature_story-169.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* PHP Zaps Security Leaks
  July 19th, 2004

  The open-source PHP Group has released a fix for a pair of security holes that could be exploited to execute arbitrary code on remote PHP servers. The flaws affect PHP versions 4.3.7 and prior and version 5.0.0RC3 and prior.

  http://www.linuxsecurity.com/articles/projects_article-9522.html

* Denial-of-service flaw fixed in Linux kernel
  July 16th, 2004

  Gentoo has fixed a vulnerability in the 2.6 Linux kernel that could be exploited for a remote denial-of-service attack. The company calls this a "high-impact" flaw and recommends users update to newer versions of the kernel.
  http://www.linuxsecurity.com/articles/server_security_article-9521.html

* Automate backups on Linux
  July 12th, 2004

  The loss of critical data can prove devastating. Still, millions of professionals ignore backing up their data. While individual reasons vary, one of the most common explanations is that performing routine backups can be a real chore. Because machines excel at mundane and repetitive tasks, the key to reducing the inherent drudgery and the natural human tendency for procrastination is to automate the backup process.

  http://www.linuxsecurity.com/articles/host_security_article-9494.html

* NIST helps on security budgets
  July 12th, 2004

  Agency officials struggling to include information-security outlays in their budget requests may find help in a publication released today by the National Institute of Standards and Technology. The draft document, NIST Special Publication 800-65, presents seven steps to ensure that information technology budget requests meet the requirements of the Federal Information Security Management Act of 2002.

  http://www.linuxsecurity.com/articles/government_article-9499.html

+------------------------+
| Network Security News: |
+------------------------+

* The Hidden Treasures of IPTables
  July 16th, 2004

  With these powerful add-ons for iptables you can match strings or port ranges in iptables rules or even create a tar pit for network abusers.

  http://www.linuxsecurity.com/articles/documentation_article-9519.html

* SSH2, Part 1: Securing Your Telnet Session
  July 14th, 2004

  This may seem an obscure UNIX topic I'm about to talk about, but keep watching. SSH is a very important and useful program if you're at all concerned about security. And it's absolutely indispensable if you use wireless networking.
  http://www.linuxsecurity.com/articles/network_security_article-9507.html

* Choose the Best FTP Server
  July 13th, 2004

  An FTP server does the heavy lifting of security, organization, and transfer control, while clients usually just take part in saving transferred files to a specified location on your hard drive. If you are really into business and plan on spending money on your FTP server, you'll want to focus on what kind of qualities and characteristics the software provides.

  http://www.linuxsecurity.com/articles/server_security_article-9501.html

* Quantum Crypto Network Debuts
  July 14th, 2004

  Quantum cryptography has the potential to guarantee perfectly secure communications, but until now all of the prototype systems have been point-to-point links rather than networks that share connections. BBN Technologies, Harvard University and Boston University researchers have built a six-node quantum cryptography network that operates continuously to provide a way to exchange secure keys between BBN and Harvard, which is about 10 kilometers away.

  http://www.linuxsecurity.com/articles/cryptography_article-9509.html

+------------------------+
| General Security News: |
+------------------------+

* Open Source: Get With the Program
  July 19th, 2004

  Open Source is changing the software industry. It will change it forever. There is no going back. Let's consider some statistics. A number of Open Source products are market leaders.

  http://www.linuxsecurity.com/articles/general_article-9523.html

* Fighting spam on Linux
  July 15th, 2004

  Security management vendor IntelliReach Corp. of Dedham, Mass., announced today the new version of its MessageScreen spam and content filtering appliance supports SuSE Linux.

  http://www.linuxsecurity.com/articles/host_security_article-9513.html

* Pssst--wanna buy some source code?
  July 15th, 2004

  A group of self-identified hackers has set up shop online to sell what it claims are files containing confidential software code--and it says it's ready to take orders for more.

  http://www.linuxsecurity.com/articles/hackscracks_article-9515.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Jul 20 08:11:57 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 20 08:24:21 2004
Subject: [ISN] Chinese hackers attack Taiwan military news agency ahead of drill
Message-ID:

http://www.channelnewsasia.com/stories/afp_asiapacific/view/96583/1/.html

20 July 2004

TAIPEI: Suspected Chinese hackers have launched an offensive against the website of Taiwan's Military News Agency ahead of practice freeway landings by fighter jets on the island, the defense ministry said.

The attack took place on Monday night and the agency affiliated with the ministry was forced to close down its website, the ministry said.

The hackers replaced the agency's homepage with a slogan that said 'Reunification with Taiwan in 2021', it said.

An identical attack occurred a month ago when suspected Chinese hackers attacked the site of Taiwan President Chen Shui-bian's pro-independence Democratic Progressive Party.

Hong Kong's pro-Beijing Wen Wei Po daily last week quoted Chinese military sources as warning Taiwan must re-enter the Chinese fold or face military action within the next 20 years.

In response to Taiwan's recent "pro-independence provocation," Beijing gave what was believed to be the first ultimatum to reclaim sovereignty over the island, it said.
Unnamed military sources were quoted as saying former Chinese president and Central Military Commission chairman Jiang Zemin had recently discussed a timetable regarding using force to achieve Taiwan's reunification in a speech at a military conference in Beijing.

The fresh Internet attack came two days before the Taiwanese air force is due to practice emergency landings on a freeway as part of measures against an attack by China, the defense ministry said.

Two French-made Mirage 2000-5s are set to land, refuel and load ammunition on the road in Tainan, southern Taiwan.

The exercise is designed to "review the air force's capability in using freeways for emergency landings and logistic support in case of war," defense ministry spokesman Huang Suey-sheng told reporters.

Since Chen's re-election in March, China has ratcheted up its rhetoric, reiterating its long-standing vow to take Taiwan by force should Chen move the island towards formal independence.

Beijing has considered Taiwan part of its territory awaiting reunification since the two sides split at the end of a civil war in 1949.

From isn at c4i.org Tue Jul 20 08:12:10 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 20 08:24:22 2004
Subject: [ISN] First Windows CE virus emerges
Message-ID:

http://www.nwfusion.com/news/2004/0719firstwindo.html

By David Legard
IDG News Service
07/19/04

A virus designed to demonstrate security holes in Microsoft's Windows CE operating system but not to cause damage was identified by security companies over the weekend.

The WinCE4.Duts.A virus (sometimes known as Dust) only affects devices running ARM Ltd. processors and infects Pocket PC PE files in the root directory, according to Bucharest-based Softwin S.R.L., which first reported the virus on Saturday.

It raises a dialog box which asks "Dear User, am I allowed to spread?" If the user agrees, the virus appends itself to all .EXE files not already infected in the current directory, according to anti-virus vendor Symantec.
The virus contains no payload, Symantec said.

The virus was sent by its authors to anti-virus vendors rather than being distributed in the wild and was not designed to propagate on a massive scale, but rather to demonstrate that devices running Microsoft Windows CE can be infected by malicious code, according to Viorel Canja, head of Softwin's BitDefender Labs unit.

There are over 17 million Pocket PCs, smartphones, and other Internet appliances currently using the Windows CE operating system, according to Softwin.

More information can be found at the BitDefender site.

From isn at c4i.org Tue Jul 20 08:12:24 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 20 08:24:23 2004
Subject: [ISN] Hackers and establishment to mingle at DEFCON
Message-ID:

http://www.theinquirer.net/?article=17274

By Doug Mohney
19 July 2004

DEFCON 12, the oldest continuously running hacker convention, takes place at the end of the month in Vegas. Already there's an uptick of fearful announcements from PR flacks and the press. Expect to read more over the next two weeks, blaming everything from the latest Windows XP security holes to mass toaster failure on the forthcoming gathering.

It's a perception that's a little bit out of touch with reality.

At the earliest DEFCON hacker conventions in Las Vegas, one of the most popular street games was "Spot the Fed". DEFCON attendees were invited to single out the US law enforcement federal government employees in attendance. Successful outing results in the spotter receiving a "Spot the Fed T-shirt" complete with a universe of Uncle Sam government agency logos.

It was a playful teasing between supposed adversaries, with DEFCON serving a Switzerland-type role where so-called "Black Hats" could strut the latest code hacks and methods to break down security procedures while "White Hats" took notes on what cyber badboys had discovered.

Over the years, the relationship between organisers and Feds has evolved into a more complex one.
Today, DEFCON staff discreetly swap "I'm the Fed" T-shirts for three-letter-agency coffee mugs and other swag. While no official statistics are kept - everyone pays in cash at the door - the total number of Feds attending the conference has steadily gone up over the years, both in terms of sheer bodies and on a percentage basis.

U.S. government employees started officially appearing on the DEFCON program guide back in DEFCON 4/1996 when the FBI's San Francisco Computer Crime Squad showed up to speak to the crowd, not arrest them. Over the years, speakers from the United States Army and National Security Agency have made presentations.

For DEFCON 12, an associate professor from the West Point military academy and an analyst from the Navy Criminal Investigative Service will be among the military feds giving talks, but perhaps the most interesting talk will be given by Robert Morris Senior, former chief scientist at NSA and father of Robert Tappan Morris. Junior is best known for his 1988 release of the original Internet worm. In addition, a number of West Point professors may be roaming around DEFCON to get a taste of potential future adversaries.

There are also likely to be plenty of paying U.S. government workers at DEFCON's commercial brother, the more formal Black Hat briefing & training held the week before DEFCON. The two-day training courses run $2000-2400 per person (lunch and two coffee breaks included) and have proved to be quite a draw since launching in 1997.
http://www.defcon.org

From isn at c4i.org Tue Jul 20 08:12:40 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 20 08:24:25 2004
Subject: [ISN] Report: Contractors Upgrading IRS Systems Put Taxpayer Data At Risk
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=UH3N5BCMVPG50QSNDBGCKHY?articleID=23902174

By Mary Dalrymple
AP Tax Writer
July 19, 2004

WASHINGTON (AP) -- Private contractors revamping IRS computers committed security violations that significantly increased the possibility that private taxpayer information might be disclosed, Treasury Department inspectors say.

An investigation by the department's inspector general for tax administration found that employees working for contractors, or an experienced hacker, could use the contractors' computers to gain access to taxpayer data.

"Our concerns were increased when we could not find documentation that all contractor employees had received background investigations as required," the report said.

Other lapses left the IRS computer system vulnerable to viruses and hackers, investigators said.

"In summary, a contractor's employees committed numerous security violations that placed IRS equipment and taxpayer data at risk," the report found. "In some cases, contractors blatantly circumvented IRS policies and procedures even when security personnel identified inappropriate practices."

In response, an IRS official acknowledged security problems but said the agency found no evidence to support contentions that there was a big risk that hackers could gain access to IRS computers or that taxpayer confidentiality would be breached.

"We can find no evidence of contractor activities that resulted in unrestricted access to production systems or taxpayer data," Daniel Galik, chief of IRS mission assurance, wrote to inspectors. "In the absence of documented incidents, we must conclude that much of your assessment is based on theoretical possibilities."
The report comes as Congress considers giving the IRS authority to hire private contractors to collect overdue tax debts, an effort that has some lawmakers and others worried that taxpayer information won't be protected.

"They obviously do not have good systems in place to monitor the contractors today," said Colleen Kelley, president of the National Treasury Employees Union. "This will result, for taxpayers, in very aggressive tactics by debt collectors."

The employees' union obtained a copy of the report through the Freedom of Information Act. Portions identifying the contractor, its employees, and IRS personnel practices were not shown.

Treasury inspectors also found that after their auditors conducted the exam and the security violations became known, the IRS granted the contractor "root" access to the computer system. Root access gives a user permission to make unlimited and unrestricted changes to any part of the computer system, including the ability to turn off mechanisms that monitor users' actions.

The inspectors raised additional concerns:

-- Unauthorized chat and instant-messaging activity left the IRS vulnerable to hackers who use those avenues to get information about an organization's internal computer architecture.

-- Contractors' computers were vulnerable to hackers and viruses because they did not have security patches for known vulnerabilities in operating software.

-- Some computers used by contractors were too old to support a secure operating system, and the IRS did not have enough money to replace them.

The inspector general reviewed four contracts last year in which contractors had access to critical equipment and systems. The IRS has over 900 contracts with private companies and consultants.
From isn at c4i.org Tue Jul 20 08:12:55 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 20 08:24:26 2004
Subject: [ISN] Stolen code shop back in business - on Usenet
Message-ID:

http://www.itworld.com/Man/2681/040719stolencode/

Paul Roberts
IDG News Service
7/19/04

An online group claiming to have the source code for two popular computer programs for sale opened its doors for business again on Saturday.

An e-mail message that claims to come from "larry hobbles" and the Source Code Club was sent to the Full-Disclosure security discussion list. The message said that the group has moved operations to Usenet, the network of online bulletin boards that makes up part of the Internet, where interested customers can buy the source code for the Dragon intrusion detection system (IDS) software from Enterasys Networks Inc. and peer-to-peer server and client software from Napster LLC, now owned by Roxio Inc.

The club made headlines last week after posting messages to online discussion groups that advertised a Web site selling the source code and design documents for Dragon and Napster. By Thursday, the group's Web page displayed a message saying the club had ceased operations due to "fears our customers faced."

A subsequent "newsletter" from the club dated July 17 and posted to the Usenet group alt.gap.international.sales at 10:28 PM Pacific Standard Time called Usenet the "official home" of the Source Code Club and said the informal network was "better suited" to the club and would give potential customers two ways to contact club members: through a club e-mail address and through messages posted in the Usenet group.

The newsletter claims that the Source Code Club soon hopes to go underground and stop offering code for sale in public, but is offering the Dragon and Napster code "to authenticate our skills."
The Enterasys code would allow purchasers to understand the "secrets behind Dragon," whereas the Napster code could give "any company interested in breaking into the online music industry" a jump-start, the newsletter said.

The club also expressed regret for the "public fiasco that ensues when you publicly offer source code," an apparent reference to media attention to the group's unveiling.

The club also posted instructions for potential customers to purchase the stolen code. Customers are encouraged to contact the group using e-mail and PGP (Pretty Good Privacy) encryption to disguise their requests. Source code for the Dragon software was priced at US$16,000 and Napster for $10,000, with payments made through one of a number of online payment services. Those wary of sending money to the club have the option of buying the source code in $500 increments to build confidence.

Enterasys is working with the U.S. Federal Bureau of Investigation and reviewing the club's claims. The company claims that its product code was lifted off stolen media, such as a compact disc or computer hard drive, rather than stolen directly from its computer network, according to Kevin Flanagan, an Enterasys spokesman.

A Napster spokeswoman said last week that while Roxio owns the rights to the original Napster code being sold by the club, the current Napster online service does not use any code from the original, free music swapping service and is not affected by the alleged theft.

From isn at c4i.org Tue Jul 20 08:13:09 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 20 08:24:27 2004
Subject: [ISN] Man charged with hacking U.S. computers
Message-ID:

http://www.mercurynews.com/mld/mercurynews/news/local/9196282.htm

July 20, 2004
Contra Costa Times

A Pleasant Hill man appeared in federal court Monday on a five-count indictment charging him with hacking government computers and purposely damaging the Web sites of federal agencies.
Robert Lyttle, 20, is accused of breaking into computers at the Department of Defense's Defense Logistic Information Service, the Office of Health Affairs and the National Aeronautic and Space Administration Ames Research Center at Moffett Field, according to the U.S. Attorney's Office for the Northern District of California.

If convicted, Lyttle faces up to 10 years in prison and fines of up to $250,000.

Lyttle is free after posting $25,000 bond Monday. He appeared in a San Francisco courtroom Monday but did not enter pleas. Federal Judge Maria-Elena James ordered Lyttle to return to court Aug. 6.

From isn at c4i.org Wed Jul 21 09:49:07 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 21 09:52:38 2004
Subject: [ISN] E-mail security problems reported at Los Alamos National Lab
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,94638,00.html

By Todd R. Weiss
JULY 20, 2004
COMPUTERWORLD

Security troubles continue at the Los Alamos National Laboratory, where officials have confirmed that workers recently sent out an undisclosed number of classified e-mails over a nonsecure e-mail system.

The new disclosure comes less than two weeks after the New Mexico-based lab announced that two removable computer disks containing classified nuclear weapons data were missing. That incident represents at least the third time since 2000 that storage media containing classified information have been lost in the facility.

In the latest incident, lab spokesman Kevin Roark late yesterday confirmed a Los Angeles Times report that the lab recently discovered new incidents of classified information being sent through a nonclassified e-mail system.

"We have had occurrences recently, yes," Roark said. "We have had them in the past. It's anticipated we will have them in the future."
The incidents, he said, occurred when scientists in the lab, which employs about 12,000 people, incorrectly judged information as being classified or unclassified and sent it without asking for assistance about the contents of their e-mails. The incidents are always promptly reported to the U.S. Department of Energy and other agencies, as required by law, Roark said. When such incidents reoccur, employees are given additional training to remind them of the proper procedures, he said.

The problem is that there are "vagaries in the classification rules" which can sometimes make it difficult to determine what is or isn't classified. "It's not as simple as people might think it would be," he said. "We're not in a situation where a scientist knows what he's writing about is classified and he just doesn't care."

Robert K. Musil, executive director and CEO of the Washington-based Physicians for Social Responsibility, a non-profit group that seeks the elimination of nuclear and other weapons of mass destruction, said the security incidents should remind the public that "nuclear weapons remain the single most important threat to U.S. security that exists.

"Even though it is quite dangerous to have these kinds of classified files and materials floating around somewhere, at least it will underscore a problem that people haven't paid enough attention to," Musil said. "It also reminds people that ultimately the best way for us to be secure is to ... prevent the proliferation of such weapons and reduce or eliminate our own nuclear weapons."

Roark said he couldn't comment on the exact number of classified e-mails that were recently sent over the unclassified e-mail system, but he said it is "a very small number."

"We'd like to get that to zero," he said. "But you've got to understand, you can't legislate perfection on people. All you can do is tell them in security briefings and reiterate it every time you talk about security."
Late last week, the lab suspended all activities while the investigation into the missing computer disks continues. Only some essential activities are ongoing, Roark said, including certain important national security functions and human resources, public relations and building infrastructure tasks. The suspension will continue until officials there believe the latest security problems are corrected, Roark said.

All classified activities were suspended on July 9 after the disks were reported missing. Some reviews are complete, while others may take several more days or even weeks for high-risk activities, Roark said.

The Los Alamos facility develops and applies technology to ensure the safety and reliability of U.S. nuclear deterrent systems and to reduce the threat of weapons of mass destruction and terrorism. The lab also does research aimed at solving national problems in defense, energy and the environment.

From isn at c4i.org Wed Jul 21 09:49:22 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 21 09:52:39 2004
Subject: [ISN] New Bagle, MyDoom variants roil Internet
Message-ID:

http://www.nwfusion.com/news/2004/0720newbagle.html

By Paul Roberts
IDG News Service
07/20/04

New versions of the Bagle and MyDoom worms surfaced on the Internet Monday, and appear to be spreading.

Bagle.AI and MyDoom.N are both so-called "mass mailing" worms that use a built-in SMTP engine that sends e-mail messages carrying worm-infected file attachments from computer to computer on the Internet, both using faked (or "spoofed") sender addresses, anti-virus companies said.

The new worm variants are just the latest in a string of virus releases in recent days that have anti-virus software companies scrambling to keep their customers protected.

W32.Bagle.AI first appeared Monday and is rated a "medium" threat by McAfee's Antivirus Research Team, citing reports of the virus from customers.
McAfee rated MyDoom.N a "low" threat, whereas Computer Associates noted the prevalence and destructiveness of the worm.

Similar to earlier versions of Bagle, the AI variant spreads through shared file folders and in e-mail messages carrying the worm file as an attachment, according to advisories from Sophos PLC and McAfee.

E-mail messages generated by the worm used forged (or "spoofed") sender addresses and the subject line "Re:". Worm-infected file attachments might be in ZIP, EXE, SCR, COM or CPL and also have nonspecific names like "Moreinfo," "Details" or "Readme," anti-virus companies said. Infected file attachments use one of a short list of names including "MP3," "Doll" and "Cat."

The worm can also send copies of itself as a password-protected compressed file with a ZIP extension. The password needed to unzip the ZIP file is contained in a second file with a TXT, INI, DOC or other extension, McAfee said.

The MyDoom.N worm uses spoofed sender addresses such as "postmaster," "Post Office" and "MAILER-DAEMON" that make the e-mail resemble a rejected message. MyDoom.N messages also have nondescript Subject lines such as "hello," "hi" and "delivery failed." Virus file attachments have names like "readme," "mail," "text" and "attachment." File extensions include CMD, BAT, COM, EXE and ZIP, McAfee said.

Anti-virus companies issued updated virus definitions that can detect the new Bagle and MyDoom variants and recommended that customers update their anti-virus software.

From isn at c4i.org Wed Jul 21 09:49:35 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 21 09:52:40 2004
Subject: [ISN] Big companies employing snoopers for staff email
Message-ID:

http://management.silicon.com/government/0,39024677,39122384,00.htm

By Jo Best
July 19 2004

Large companies are now so concerned about the contents of the electronic communications leaving their offices that they're employing staff to read employees' outgoing emails.
According to research from Forrester Consulting, 44 per cent of large corporations in the US now pay someone to monitor and snoop on what's in the company's outgoing mail, with 48 per cent actually regularly auditing email content.

The Proofpoint-sponsored study found the motivation for the mail paranoia was mostly due to fears that employees were leaking confidential memos and other sensitive information, such as intellectual property or trade secrets, with 76 per cent of IT decision makers concerned about the former and 71 per cent concerned about the latter.

Porn and ropey jokes still figure on the list of concerns for execs, though, with 64 per cent admitting to worrying about "inappropriate content and attachments" on the emails.

What worries those in charge of tech most about their staff emails differs depending on the size of the business, the study found. The smaller the enterprise, the more likely it was to worry more about attachments and less likely to be troubled by the possibility the email won't be up to compliance standards set by Sarbanes-Oxley and other legislation.

Understandably, with Basel II and similar looming, financial services was the vertical that is the most concerned with meeting compliance targets - as they should be, it appears. A survey of UK financial institutions found that around half would be unable to find an email over three years old; storing email is a key demand of the new legislation.

From isn at c4i.org Thu Jul 22 07:49:43 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 22 07:56:31 2004
Subject: [ISN] Experts: Cybersecurity needs education, standards, partnerships
Message-ID:

http://www.fcw.com/fcw/articles/2004/0719/web-cybersec-07-21-04.asp

By Margaret A.T. Reed
July 21, 2004

Partnerships, education and standards are important to strengthening the information technology workforce's ability to protect the nation's infrastructure, experts and lawmakers said today at a hearing of the House Science Committee.
Annual economic losses are estimated to be $13 billion to worms and viruses and $226 billion to all forms of overt attacks, according to documents prepared for the committee's hearing on cybersecurity.

"The advancement and availability of education, training and internship programs is paramount if we are to strengthen our nation's cybersecurity workforce," said Chet Hosmer, president and chief executive officer of WetStone Technologies Inc.

Enacted in 2002, the Cyber Security Research and Development Act designates the National Science Foundation as the lead agency for civilian cybersecurity research and education and authorizes $216 million between fiscal years 2003 and 2007 for NSF cybersecurity, education and training programs.

"Job creation in the 21st century can only happen with a 21st-century system of education," said Rep. Sherwood Boehlert (R-N.Y.), committee chairman.

The foundation sponsors programs at every level of education to encourage students to use their cybersecurity training to work for the government. The organization's Scholarship Track provides grants to students in exchange for two years of work in the Federal Cyber Service, and its Capacity-Building Track provides grants to colleges and universities to offer courses in cybersecurity.

The programs appear to be successful, but they still need a codified set of standards, lawmakers said. The "federal government should exercise more leadership in convening and coordinating efforts between educators and industry to develop standards for certification and accreditation of cybersecurity courses and educational programs," said Rep. Bart Gordon (D-Tenn.), the committee's ranking minority member.
From isn at c4i.org Thu Jul 22 07:51:28 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 22 07:56:33 2004
Subject: [ISN] Book excerpt: High-Tech Crimes Revealed: Cyberwar Stories from the Digital Front
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,94643,00.html

[ http://www.amazon.com/exec/obidos/ASIN/0321218736/c4iorg - WK]

Book (Excerpt) by Steven Branigan
JULY 20, 2004
COMPUTERWORLD

This excerpt is from Chapter 3, "If He Had Just Paid the Rent" from High-Tech Crimes Revealed: Cyberwar Stories from the Digital Front

"The prisoners will not be harmed, until they are found guilty."
-Q, in "Encounter at Farpoint," from the television series, Star Trek: The Next Generation

Introduction

The problem with many criminals is that they get addicted to illegal behavior. The excitement that comes from committing the first crime has its roots in the fear of getting caught. If they don't get caught, they are encouraged to do it again and possibly again. As they get away with more crimes and infractions, they begin to feel untouchable. Eventually, they feel like they can commit any crime and get away with it. Fortunately for us, that becomes their fatal flaw. All of these little crimes eventually catch up with them. This is why police training teaches cops to investigate small crimes, because they can lead to the discovery of much larger ones. Of course, you can never tell when a small incident will turn out to be nothing or become a pretty big deal, so it is important to examine them all.

Take the case of our new friend, Wesley. He was renting an apartment in New York City for about $2,000 a month. NYC is a tenant-friendly city, so it is difficult to evict a deadbeat occupant. It did not take much for Wesley to figure this out, and soon he stopped paying the rent on his apartment - which went on for months. As you might imagine, his landlord William didn't like this at all.
William was getting weary of trying to chase him down to collect the rent. He would get evasive answers and empty promises of payment, but no money. After six months of fighting for some attention, he had enough and decided to proceed with legal action. It was time to evict Wesley. It was not an easy route, but the way he saw it, he simply had no alternative.

The eviction

William hired a lawyer and filled out the necessary paperwork to start the eviction process. In NYC, this can be very tricky, and trying to do it without a lawyer is often a mistake. The process requires a final, formal demand for the rent. Once this is done, and after a few more steps, the case can go to court. Only through a trial can the landlord get the legal authority to forcibly evict the tenant. When he gets the judgment in his favor, he gets a Warrant of Eviction, which empowers the government to physically remove a person from his rented home. In this case, Wesley went without paying the rent for six months before the Warrant of Eviction was finalized and assigned to Sheriff Yar to execute.

Expulsion can be either difficult, or more difficult. Difficult is when the tenant is in the place at the time of the eviction. The Sheriff lets the tenant take his personal belongings and escorts him out of the apartment. The more difficult option is when the tenant is not there. The Sheriff then needs to forcibly enter the apartment and remove the personal property that is inside, usually putting it on the street. Either way, once the process has been completed, the apartment is turned over to the landlord.

Tenants can usually sense that they are about to be kicked out of their residence, especially when they haven't been paying rent for a while. By that time, they have usually vacated the apartment, taking away anything of value. Wesley wasn't this bright. There was no one home when Yar arrived, and it was beginning to seem as if Wesley had skipped town.
Because William was there as well, he was more than happy to open the apartment for Yar. Upon entry, it was obvious that Wesley had not cleared his apartment out, as there were quite a few televisions and other strange electrical equipment. This seemed very odd, and Yar immediately suspected that the apartment was being used to store stolen goods. Because the equipment might have been considered evidence of a crime, leaving it on the street was not an option. He needed help and wanted to contact the NYPD to have them check it out, but what was he going to do with the apartment in the meantime? Unfortunately, since this was not an emergency, he could not call and wait for them. Instead, he would need to set up a time when they could come by and in the meantime secure the site to prevent Wesley from coming back in. He could not let William have his place back -- not yet. Oh great, William thought, he would have to wait even longer before he could rent out the apartment again.

So Sheriff Yar padlocked the door, put some yellow tape across its opening, and posted a notice that an eviction warrant was being served. He wanted to make sure Wesley was not going to be able to remove or destroy any of the evidence. Now he could go contact the NYPD.

Wesley arrived to his "apartment" later in the day to find out he was being evicted and could not get in. Panicked, he called William and was informed that he was being expelled because he failed to pay rent for six months, owing $12,000. Wesley profusely apologized and asked to meet with him to take care of his debt. William told him that he would take only cash, no checks, because he knew it was his only chance to get the money he was owed.

Somehow, in a matter of minutes, Wesley got the money together to pay his overdue rent. It was hard to believe this was the same guy that was hard to find and unwilling to pay just a couple of days before. William could not believe his eyes and eagerly took the cash.
Wesley, after taking a deep breath of relief, asked to be let into his apartment. William told him that now he would need to speak to Sheriff Yar, because that's who now had control over the apartment. Wesley got really upset and tried to argue to get his money back, but William, being a true New Yorker, knew better than to give him the cash back. Getting the back rent paid was a nice surprise for William, but since Sheriff Yar had the apartment, he still did not have an apartment to rent.

The NYPD cops arrived quickly to inspect the apartment. They immediately determined that the "TVs" in the room were actually computer monitors. The "other electrical stuff" was computer and networking equipment. With that mystery solved, a new one arose. What were all of these devices being used for? This was a residential apartment, not an office, so this equipment seemed very out of place. The cops were unsure as to how the equipment was being utilized and decided to play it safe. They posted a couple of officers to guard the place and left. They decided to leave the apartment and find a law enforcement agency that specialized in computer cases.

In NYC, Supervisory Special Agent Robert Weaver of the New York Field Office of the U.S. Secret Service had just recently started an experimental multijurisdiction, multidiscipline task force known as the New York Electronic Crimes Task Force (NYECTF). It is comprised of agents from the Secret Service, the FBI, the NYPD, and the State Police, along with representatives from the high-tech industry that specialize in computer crime investigations and computer forensics. The NYECTF, with its diverse makeup and expertise, was designed to handle cases just like this.

The NYECTF agents accepted the case but were not able to come down to inspect the location immediately because they needed to get a search warrant. As we are well aware, those can take a couple of days to get completed.
So in the meantime, members of the NYECTF were able to get some cops from the NYPD to continue guarding the apartment while the paperwork was completed, ensuring that the potential evidence inside the apartment was not compromised.

A simple twist

Wesley's panic grew. Not only could he not get into his apartment, but also the police were either looking through his stuff or were about to look through it. He was scared and desperate, so he decided that he needed to do something. Calling upon his fantastic criminal mind, he set about a course of action. He broke into his own apartment (which was under surveillance) through a window and came out quickly, running off with a laptop computer. The police officers that were guarding the place were caught by surprise. Who would have expected that a tenant who had been evicted from his apartment would want to break back in? It seems very funny today, but a few years ago, law enforcement did not think that high-tech crimes would inspire such amazingly bold acts. At that time, no one would have expected it.

Sadly, when the police finally realized what was going on, Wesley was already gone. Apparently there was something very valuable to him in that computer. Of course, the cops felt really embarrassed that they allowed this to happen. Their sergeant, a bit frustrated, replaced them with different officers who were more careful.

NYECTF

I got involved in this case together with one of my friends, Hugh, because we were part of this new task force. We were pleased to be able to offer our computer and telephone expertise to help the NYECTF. Hugh was a seasoned telecommunications security professional, having worked for companies such as New York Telephone and Nynex for many years. He was very knowledgeable and easy to work with. Some members of the organization, who asked to meet with us in NYC, called us in.
They had an assignment coming up and wanted to discuss some options, so we got together with them at their office in 7 World Trade Center early in the evening. From there, we went down to the parking garage of 1 WTC (the north tower). Because of the bombing of the WTC garage by fanatics in 1993, additional security had been put into place. You needed official permission and a special pass to gain access. The guys on the task force definitely had the pull to escort us in.

The Secret Service had a section of the garage reserved for them. Here, they stored their government vehicles, affectionately known as G-rides, and parked their personal cars. We met there to discuss the upcoming search and to help load the van with the equipment that would be needed.

One of the things that Hugh noticed right away was a "Nynex" vehicle that just did not look right. He turned to Bob, pointed to the van, and politely asked, "What the hell is that?" With a smirk, Bob told him that it was one of their undercover vans. Hugh responded that it made sense, because it wasn't a real Nynex truck. To this day, none of us could tell how Hugh knew!

High-tech crimes revealed

After a little while, it started to sink in to Hugh and me where we were. The garage walls were painted green in some sections, yellow and red in others -- not a usual color scheme, to be sure. We were told that the red paint signified the area where the bomb had been set off three years prior, at level B-2. We finally understood we were near the location where the truck bomb was set off back in February 1993. This was a very somber moment for us. As we stood in the building's foundation, I remember marveling at the immensity of the structure, thinking that it would be nearly impossible to significantly damage these massive buildings that were reaching nearly a quarter-mile into the sky. Sadly, recent history has proven me wrong.
The rest of the night was spent preparing the computer forensic equipment for the search, which was scheduled for the next day. We were assembling cartons, power cords, any disk duplicators that we could find and items of the like. This was just some basic preparation that needed to be done.

[...]

From isn at c4i.org Thu Jul 22 07:51:49 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 22 07:56:35 2004
Subject: [ISN] Prominent database company hacked again
Message-ID:

http://www.siliconvalley.com/mld/siliconvalley/9208688.htm

July 21, 2004

LITTLE ROCK, Ark. (AP) - A Florida man has been charged with stealing large amounts of consumer information from Acxiom Corp., one of the world's largest database companies.

The new indictment comes on the heels of a separate case last year in which an Ohio man pleaded guilty to hacking into an Acxiom server. Acxiom manages personal information on millions of consumers, along with financial and other internal data for companies.

The new case, against Scott Levine, 45, represents "what may be the largest cases of intrusion of personal data to date," U.S. Assistant Attorney General Christopher A. Wray said Wednesday at a news conference in Washington.

Prosecutors said the stolen data included personal information about "a great number of individuals," but they added that the information wasn't used for identity fraud.

Levine ran Snipermail.com Inc., which distributed ads over e-mail. Prosecutors said Levine and other Snipermail employees got into Acxiom's server to take 8.2 gigabytes of consumer files in 2002 and 2003.

A telephone number believed to be Levine's was no longer in service. He was indicted on 144 counts, including unauthorized access of a protected computer, conspiracy, access device fraud, money laundering and obstruction of justice.
In a statement released late Wednesday, Acxiom thanked investigators "for working so hard and effectively over the past year to bring these individuals to justice."

"We are committed to safeguarding our systems and the data that we store and manage on behalf of our clients," the company said. "Since evidence of this crime was uncovered and halted in the summer of 2003, Acxiom has made a strong security system even stronger."

This case arose from the one last year in which Daniel Baas of Milford, Ohio, pleaded guilty to hacking into Acxiom. During follow-up investigations, the company detected a second set of intrusions, coming from a different Internet protocol address, which was traced to Levine, prosecutors said.

From isn at c4i.org Thu Jul 22 07:52:03 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 22 07:56:36 2004
Subject: [ISN] Internet Extortion Ring Smashed
Message-ID:

http://www.newsfactor.com/story.xhtml?story_title=Internet-Extortion-Ring-Smashed&story_id=25965&category=ecommerce

By Beatrice Arnfield
NewsFactor Network
July 21, 2004

An extortion and money-laundering ring targeting UK sports-betting Web sites has been smashed by UK and Russian law enforcement agencies, assisted by government agencies and businesses from the U.S., Canada, Australia and Estonia.

Three men were arrested in Russia on July 20th, accused of running a global protection racket and extracting hundreds of thousands of dollars from online sports-betting sites.

DoS Attack

In October 2003, the gang started launching denial of service (DoS) attacks on Web sites belonging to UK sports-betting companies. By overwhelming the servers with messages, they were able to close down the sites and cause millions of dollars in lost business.

The gang then sent e-mail demands, asking for money to stop the attacks for one year. However, the gang said in the e-mails that at the end of that year, they would return for more money.
Sports betting agencies in the UK have been subject to attacks and demands for money since October 2003, and officers from the UK's National Hi-Tech Crime Unit (NHTCU) have been working closely with their Russian counterparts to track down and arrest the criminals.

Safe for Business

"The success of this operation is built on the foundation of international partnerships between law enforcement and business," detective chief superintendent Len Hynds, head of the NHTCU, said in a statement. "The more we work together in the fight against organized crime, the safer the UK will be for business.

"Thanks to the response of all the parties involved, we have helped to dismantle a determined group of organized criminals. The clear message we are sending is that if you attack firms based in the UK, we will find you and stop you."

In Russia, the NHTCU worked closely over many months with the Investigation Department of the Investigative Committee attached to the Ministry of Internal Affairs (MVD) and the MVD's computer-crimes specialist department.

"The trend of fraud being conducted online is growing rapidly, and it is really good news that several governments have cooperated on this case," Naftali Bennett, CEO of New York-based Internet security company Cyota, told NewsFactor. "The governments are sending the message that criminals face the risk of being caught, and this will act as a deterrent."

The gang was using a number of legitimate money-transfer agencies to move their money around. The use of the agencies came to light when 10 members of the gang were arrested in Riga, Latvia in November 2003. The money-transfer agencies cooperated with the NHTCU in tracking the money and identifying the remaining members of the gang.

Application Gateway

"This type of attack could have been prevented with appropriate software," Yankee Group analyst Phoebe Waterfield told NewsFactor.
"Web application gateway software blocks messages going in or out that do not comply with the site's policy.

"There is a growing market for this type of software and there are a number of vendors that sell effective software, including Top Layer Networks, based in Westboro, Massachusetts; Foster City, California-based Imperva; and NetContinuum, which is based in Santa Clara, California."

From isn at c4i.org Thu Jul 22 07:52:49 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 22 07:56:38 2004
Subject: [ISN] Security UPDATE--Security Writers Web Site--July 21, 2004
Message-ID:

==== This Issue Sponsored By ====

Sunbelt Network Security Inspector
http://list.winnetmag.com/cgi-bin3/DM/y/egnS0CJgSH0CBw0BJ360AJ

Free Security White Paper from Postini
http://list.winnetmag.com/cgi-bin3/DM/y/egnS0CJgSH0CBw0BJ370AK

====================

1. In Focus: Security Writers Web Site

2. Security News and Features
- Recent Security Vulnerabilities
- Feature: SUS Implementation Tips

3. Security Toolkit
- FAQ
- Featured Thread

4. New and Improved
- Antivirus Activity Analysis

====================

==== Sponsor: Sunbelt Network Security Inspector ====

A World-Class Scanner that Won't Make a Hole in Your Budget! New V1.5 Now Multi-Platform; Scan By IP-range!

Sunbelt Network Security Inspector (SNSI) is a low-cost, quick-install, fast-result vulnerability scanner. It uses a top-quality, commercial-grade vulnerability database with well over 3,000 ranked vulnerabilities. SNSI is licensed per Admin. Now you can finally afford a world-class scanner and be proactive without compromises. Click here for your free download.
http://list.winnetmag.com/cgi-bin3/DM/y/egnS0CJgSH0CBw0BJ360AJ

====================

==== 1. In Focus: Security Writers Web Site ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

I think you'll agree that either being a security administrator or managing security administrators requires that you continually add new information to your base of knowledge.
Lots of resources are available for you to use to gather more information. Some of the resources are well-known and others are either relatively new or remain a bit obscure for whatever reasons. This week, I want to share with you a resource that you might not be aware of but that's worth checking into.

Information Security Writers (Infosec Writers) is a Web site at which you can find numerous technical papers and essays, all of which of course pertain to information security. The site was originally launched in 2000 as the Security Writers Guild. Since that time, the site has obviously changed names, and the content has grown.
http://www.infosecwriters.com

The site hosts a library of technical papers written by various contributors who want to share their knowledge with the community at large. Categories in the Web site's Text Library include Email Security; Exploitation/Vulnerability; Firewall & Perimeter Protection; Forensics; General Security Concepts & Misc.; Honeypots; Information Assurance; Intrusion Detection; Malware/Malicious Code; Network Devices, Protocols & Traffic; Organizational Security; Security Tools; and Wireless Security.

For some examples of the types of papers that you might find at the site, check the Latest Articles section of the Infosec Writers home page. Some recently published papers are "Securing Mac OS X" by Stephen de Vries, "Shadow Software Attack" by Angelo Rosiello, "The Increasing Risks of Internet Computing" by Greg Greer, "Information Systems Misuse--Threats & Countermeasures" by Vijay Gawde, and "Non Conventional Virus Attack" by Raul Alvarez.

Another item of interest that you can find at the site is "Hitchhiker's World," which is a Web-based magazine. As far as I can determine, the magazine isn't published at any particular interval; however, the next version is due to be released July 27.
You might want to read some or all of the previous editions; if you find the content useful, you can mark your calendar to read the upcoming edition.

If you know of other security-related Web sites that others might not be aware of and you want to share their names with the readers of this newsletter, please send me an email and let me know about them.

====================

==== Sponsor: Free Security White Paper from Postini ====

The Shifting Tactics of Spammers: What You Need to Know about New Email Threats

As the incidence of spam and malicious emails carrying viruses and worms continues to increase, conventional content filtering anti-spam solutions fail to keep pace. This paper will describe the latest email threats, how spam filters typically operate and how spammers are attempting to defeat conventional software and appliance content filtering technologies. You'll see how spammers are moving beyond hash busting and Bayesian poisoning and learn how spammers are stealing addresses from your email directory with "directory harvest attacks"--compromising and even bringing down your email servers. Download this free white paper now!
http://list.winnetmag.com/cgi-bin3/DM/y/egnS0CJgSH0CBw0BJ370AK

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.winnetmag.com/departments/departmentid/752/752.html

Feature: SUS Implementation Tips

As you know, Microsoft Software Update Services (SUS) lets you download (for free) all crucial updates to a Windows 2000 or later server, then distribute them to your network's Windows servers and workstations. SUS gives you a way to automate patch management and eliminates the need to manually download and install critical updates on individual workstations.
In this article, Alan Sugano offers some tips for SUS implementation.
http://www.winnetmag.com/article/articleid/43247/43247.html

====================

==== Announcements ====
(from Windows & .NET Magazine and its partners)

Get Subscriber Access to Everything in the Windows & .NET Magazine Network!

Our VIP Web site/Super CD subscribers are used to getting online access to all of our publications, plus a print subscription to Windows & .NET Magazine and exclusive access to our banner-free VIP Web site. Now we've added even more content from the archives of SQL Server Magazine! You won't find a more complete and comprehensive resource anywhere--check it out!
http://list.winnetmag.com/cgi-bin3/DM/y/egnS0CJgSH0CBw0BJEb0AL

Windows Connections, October 24-27, Orlando, FL

Microsoft and Windows & .NET Magazine team up to produce the essential conference for network administrators and IT managers on Windows and Exchange technology. Register early and attend sessions for free at the concurrently run Microsoft Exchange Connections. See the complete conference brochure online or call 800-505-1201 for more information.
http://list.winnetmag.com/cgi-bin3/DM/y/egnS0CJgSH0CBw0KXQ0AI

Free eBook--"The Expert's Guide for Exchange 2003: Preparing for, Moving to, and Supporting Exchange Server 2003"

This eBook will educate Exchange administrators and systems managers about how to best approach the migration and overall management of an Exchange 2003 environment. The book will focus on core issues such as configuration management, accounting, and monitoring performance with an eye toward migration, consolidation, security, and management.
http://list.winnetmag.com/cgi-bin3/DM/y/egnS0CJgSH0CBw0BJkl0A8

====================

==== Hot Release ====

Need to Secure Multiple Domain or Host Names?

Securing multiple domain or host names need not burden you with unwanted administrative hassles.
Learn more about how the cost-effective Thawte Starter PKI program can streamline management of your digital certificates. Click here to download our free guide:
http://list.winnetmag.com/cgi-bin3/DM/y/egnS0CJgSH0CBw0BJ380AL

====================

==== 4. Security Toolkit ====

FAQ: What Causes the Error I Receive in the Event Log When I Attempt to Replicate the ForestDNSZones Directory Partition?
by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. The ForestDNSZones directory partition is replicated among all domain controllers (DCs) in a forest that have the DNS service installed. When you replicate ForestDNSZones, you might see an error message that's similar to one posted with this FAQ at the URL below.

This type of error can occur when you have several sites that don't have site links between them or when site-link bridging is disabled (and no site-link bridge has been manually created) and when a site that has DCs running DNS is connected to a site that has DCs that don't run DNS. The ForestDNSZones partition, which replicates only between DCs that have DNS installed, can't replicate to the DCs that don't have DNS installed.

Consider a scenario in which sites A and C have DCs that run DNS and are connected to site B, which has a DC that doesn't run DNS. The error appears on DCs in sites A and C if site-link bridging is disabled and no site-link bridge was manually created between them.

To solve this problem, you must either create a site-link bridge between sites A and C, or if sites A and C aren't connected because of routing restrictions, install DNS on a DC at site B. Using either method allows replication through the DC at site B. You don't need to configure any zones on the DC; merely having DNS installed is enough to add the DC to the ForestDNSZones partition's replication set.
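The FAQ's diagnosis rests on three facts an administrator can read straight out of the Configuration partition: which DCs are in the ForestDNSZones replica set, whether "Bridge all site links" is turned off for the IP transport, and which bridges exist. The script below is an added example (it is not from the FAQ, from John Savill, or from Microsoft) that gathers those facts and flags sites that have DCs but no replica, i.e. the "site B" of the scenario. It assumes the RSAT ActiveDirectory module, an account that can read the forest's Configuration partition, and site and server names that contain no commas; the bridge name in the remediation comment is a placeholder.

```powershell
# Added diagnostic example for the ForestDNSZones replication FAQ.
# Assumes: RSAT ActiveDirectory module; read access to CN=Configuration.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$forest   = Get-ADForest

# 1. Replica set of ForestDnsZones. The partition's crossRef object under
#    CN=Partitions lists the NTDS Settings DN of every DC hosting it in
#    msDS-NC-Replica-Locations (a DC joins this set once DNS is installed).
$fdzNC    = "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)"
$crossRef = Get-ADObject -SearchBase "CN=Partitions,$configNC" `
    -LDAPFilter "(&(objectClass=crossRef)(nCName=$fdzNC))" `
    -Properties 'msDS-NC-Replica-Locations'
$replicaDNs = @($crossRef.'msDS-NC-Replica-Locations')

# Get-ADDomainController enumerates one domain per call, so walk the forest.
$allDcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}
$dnsDcs = $allDcs | Where-Object { $replicaDNs -contains $_.NTDSSettingsObjectDN }

# 2. Is automatic site-link bridging disabled for the IP transport?
#    The options attribute of CN=IP,CN=Inter-Site Transports carries bit 0x2
#    (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) when "Bridge all site links" is off.
$ipTransport     = Get-ADObject "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
$bridgesRequired = (([int]$ipTransport.options) -band 0x2) -ne 0

# 3. Manually created bridges and the site links each one spans.
$bridges    = Get-ADReplicationSiteLinkBridge -Filter *
$bridgeText = if ($bridges) {
    ($bridges | ForEach-Object {
        # SiteLinksIncluded holds DNs; keep only the RDN for readability.
        $links = ($_.SiteLinksIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ', '
        "$($_.Name) [$links]"
    }) -join '; '
} else { 'none' }

# 4. Per-site view. A site with DCs but no ForestDnsZones replica is the
#    FAQ's "site B": with bridging off, DNS sites reachable only through it
#    cannot replicate the partition across it.
$report = foreach ($site in Get-ADReplicationSite -Filter *) {
    $dcsHere = @($allDcs | Where-Object Site -eq $site.Name)
    $dnsHere = @($dnsDcs | Where-Object Site -eq $site.Name)
    [pscustomobject]@{
        Site          = $site.Name
        DCs           = $dcsHere.Count
        DnsReplicaDCs = ($dnsHere | ForEach-Object HostName) -join ', '
        HasDnsReplica = $dnsHere.Count -gt 0
    }
}

"ForestDnsZones partition : $fdzNC"
"Bridge all site links    : $(if ($bridgesRequired) { 'DISABLED (bridges required)' } else { 'enabled' })"
"Manual site-link bridges : $bridgeText"
$report | Format-Table -AutoSize

if ($bridgesRequired) {
    $report | Where-Object { $_.DCs -gt 0 -and -not $_.HasDnsReplica } | ForEach-Object {
        Write-Warning ("Site '{0}' has DCs but no ForestDnsZones replica; DNS sites linked only " +
                       "through it need a manual bridge or DNS installed on a DC here.") -f $_.Site
    }
}

# Remediation, matching the FAQ's two options (names are placeholders):
#   New-ADReplicationSiteLinkBridge -Name 'A-via-B-to-C' -SiteLinksIncluded 'A-B','B-C'
#   or install the DNS Server role on a DC in site B; no zones need to be created.
```

Run it on any domain-joined machine with RSAT; the table shows at a glance whether the sites raising the event are separated by a site with no replica, and the bridging line tells you whether the fix is a bridge or a DNS install. Bit 0x2 on the IP transport's options attribute is the same setting the "Bridge all site links" checkbox in Active Directory Sites and Services toggles.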
http://www.winnetmag.com/windowsnt20002003faq/article/articleid/43165/43165.html Featured Thread: Web Site Access to Internal Databases (Three messages in this thread) Gary writes that he has a Web server on a demilitarized zone (DMZ) that accesses an internal SQL database through Active Server Pages (ASP). He wants to know the best way to let some of his customers access certain parts of the database while not allowing public access. He wonders if he should set up local accounts on the Web server and use Windows authentication. Lend a hand or read the responses. http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=123379 ==================== ==== Events Central ==== (A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events ) Going Beyond Blade Server Basics In this free Web seminar, attendees will learn about the scalability of blade servers and how the HP BL series of servers work. And, we'll look at support for remote management, Integrated Lights Out (ILO) management, automated configuration, and server provisioning, as well as specialized server designations within a blade enclosure and more. Register now! http://list.winnetmag.com/cgi-bin3/DM/y/egnS0CJgSH0CBw0BJyv0AX ==================== ==== 5. New and Improved ==== by Jason Bovberg, products@winnetmag.com Antivirus Activity Analysis eIQnetworks announced FirewallAnalyzer Enterprise 3.5, the newest enterprise version of the company's browser-based firewall/VPN analysis, reporting, and monitoring solution. FirewallAnalyzer Enterprise 3.5 correlates antivirus server and firewall/VPN information and reports on it. The product comes with more than 400 reports to help you take preventive actions against network-perimeter attacks and viruses. 
It provides more than 100 reports that identify virus activity across enterprise networks, delivering such information as virus type, source, destination, frequency, file type, file extension, and protocol. Information can be reported hourly, daily, and monthly from each firewall, as well as across all firewalls and antivirus servers. The software runs on Windows 2003/XP/2000/NT and costs $795 per physical firewall. For a free trial, contact eIQnetworks on the Web. http://www.eiqnetworks.com Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com. ==================== ==== Sponsored Links ==== Argent Comparison Paper: The Argent Guardian Easily Beats Out MOM http://list.winnetmag.com/cgi-bin3/DM/y/egnS0CJgSH0CBw0BDWV0AL CrossTec Free Download--New - Launch NetOp Remote Control from a USB Drive http://list.winnetmag.com/cgi-bin3/DM/y/egnS0CJgSH0CBw0BJyw0AY ==================== Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@winnetmag.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. 
==================== ==== Contact Us ==== About the newsletter -- letters@winnetmag.com About technical questions -- http://www.winnetmag.com/forums About product news -- products@winnetmag.com About your subscription -- securityupdate@winnetmag.com About sponsoring Security UPDATE -- emedia_opps@winnetmag.com ==================== ==== Contact Our Sponsors ==== Primary Sponsor: Sunbelt Software -- http://www.sunbelt-software.com -- 1-888-688-8457 Secondary Sponsor: Postini -- http://www.postini.com --1-888-584-3150 Hot Release Sponsor: thawte -- http://www.thawte.com -- 1-650-426-7400 ==================== This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today. http://www.winnetmag.com/sub.cfm?code=wswi201x1z You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you! View the Windows & .NET Magazine privacy policy at http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy Windows & .NET Magazine, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2004, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Jul 22 07:53:21 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jul 22 07:56:39 2004 Subject: [ISN] Hackers and establishment to mingle at DEFCON Message-ID: Forwarded from: Ralf Bendrath > http://www.theinquirer.net/?article=17274 (...) > DEFCON 12, the oldest continuously running hacker convention, Wrong. The German "Chaos Computer Club" (established in 1981) has been holding its annual Chaos Communication Congresses for 20 years now. The next one is from December 27 to 29 in Berlin, and they are getting bigger and more international each year. 
For the last one, see Ralf

From isn at c4i.org Fri Jul 23 10:25:02 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 23 10:40:20 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-30
Message-ID:

========================================================================
The Secunia Weekly Advisory Summary
2004-07-15 - 2004-07-22
This week : 34 advisories
========================================================================

Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

New Features at Secunia.com

Secunia has implemented various statistical features at the websites for both Secunia advisories and Virus Information.

Secunia Advisories Statistics: http://secunia.com/advisory_statistics/

Examples of Specific Product Statistics:
http://secunia.com/product/11/ (Internet Explorer 6)
http://secunia.com/product/761/ (Opera 7.x)
http://secunia.com/product/1480/ (Mozilla 1.3)

Secunia Virus Information Statistics: http://secunia.com/virus_statistics/

Furthermore, Secunia has made it possible for you to include all graphs available at secunia.com on your own website. This is described in detail at: http://secunia.com/secunia_image_inclusion/

========================================================================
2) This Week in Brief:

ADVISORIES:

An unspecified vulnerability in the logging functionality has been reported in "mod_ssl" for Apache. The impact of this vulnerability is currently unknown; however, due to the way this software is used and the potential severity of the vulnerability, Secunia chose to issue the advisory as "Highly Critical", thereby encouraging all administrators to update their systems as soon as possible.

Reference: http://secunia.com/SA12077

VIRUS ALERTS:

During the last week, Secunia issued three MEDIUM RISK virus alerts. Please refer to the grouped virus profiles below for more information:

BAGLE.AH - MEDIUM RISK Virus Alert - 2004-07-19 21:40 GMT+1
http://secunia.com/virus_information/10739/bagle.ah/

Korgo.U - MEDIUM RISK Virus Alert - 2004-07-18 23:37 GMT+1
http://secunia.com/virus_information/10254/korgo.u/

BAGLE.AF - MEDIUM RISK Virus Alert - 2004-07-16 02:16 GMT+1
http://secunia.com/virus_information/10683/bagle.af/

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA12048] Microsoft Internet Explorer Multiple Vulnerabilities
2. [SA11978] Multiple Browsers Frame Injection Vulnerability
3. [SA11793] Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities
4. [SA12076] Mozilla / Firefox Certificate Store Corruption Vulnerability
5. [SA12077] mod_ssl Unspecified "mod_proxy" Hook Functions Format String Vulnerability
6. [SA12027] Mozilla Fails to Restrict Access to "shell:"
7. [SA12028] Opera Browser Address Bar Spoofing Vulnerability
8. [SA12064] PHP "strip_tags()" Function and memory_limit Vulnerabilities
9. [SA11966] Internet Explorer Frame Injection Vulnerability
10. [SA10395] Internet Explorer URL Spoofing Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA12111] WWW File Share Pro HTTP Request Denial of Service Vulnerability
[SA12108] Sysinternals PsTools Fails to Disconnect from Shares
[SA12092] CA eTrust Common Services Denial of Service Vulnerabilities
[SA12101] I-Café client Restriction Bypass

UNIX/Linux:
[SA12116] Slackware update for php
[SA12113] Debian update for php4
[SA12106] Red Hat update for php
[SA12103] PlaySMS SMS Gateway SQL and Command Injection Vulnerabilities
[SA12095] Debian update for netkit-telnet-ssl
[SA12091] Gentoo update for Unreal
[SA12088] OpenPKG update for mod_ssl
[SA12081] Conectiva update for php4
[SA12078] SuSE update for php4
[SA12073] Gentoo update for php
[SA12109] Gentoo update for Opera
[SA12100] SCO OpenServer Multiple Vulnerabilities in MMDF
[SA12098] Fedora update for httpd
[SA12096] Debian update for l2tpd
[SA12084] Outblaze Script Insertion Vulnerability
[SA12094] Debian update for ethereal
[SA12086] HP-UX WU-FTPD Directory Access Restriction Bypass Vulnerability
[SA12082] Postnuke "title" Cross Site Scripting Vulnerability
[SA12075] Conectiva update for kernel
[SA12104] Sun Solaris SVM Local Denial of Service Vulnerability

Other:
[SA12117] Cisco ONS 15000 Multiple Denial of Service Vulnerabilities
[SA12110] Conceptronic CADSLR1 Router Denial of Service Vulnerability
[SA12112] Lexmark T522 HTTP Host Header Denial of Service Vulnerability

Cross Platform:
[SA12099] artmedic kleinanzeigen Inclusion of Arbitrary Files
[SA12089] Medal of Honor Buffer Overflow Vulnerability
[SA12077] mod_ssl Unspecified "mod_proxy" Hook Functions Format String Vulnerability
[SA12097] BLOG:CMS / Nucleus / PunBB Inclusion of Arbitrary Files
[SA12083] PHP-Nuke Multiple Vulnerabilities
[SA12105] Invision Power Board "index.php" Cross Site Scripting Vulnerability
[SA12076] Mozilla / Firefox Certificate Store Corruption Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA12111] WWW File Share Pro HTTP Request Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-07-21

nekd0 has reported a vulnerability in WWW File Share Pro, which can be exploited by malicious people to cause a DoS
(Denial of Service).

Full Advisory: http://secunia.com/advisories/12111/

--

[SA12108] Sysinternals PsTools Fails to Disconnect from Shares
Critical: Less critical
Where: From local network
Impact: System access
Released: 2004-07-21

Alan Ridgeway has reported a security issue in PsTools, potentially allowing malicious users to gain administrative privileges on remote systems.

Full Advisory: http://secunia.com/advisories/12108/

--

[SA12092] CA eTrust Common Services Denial of Service Vulnerabilities
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-07-19

Cengiz Aykanat has reported two vulnerabilities in eTrust Common Services, allowing malicious people to cause a Denial of Service.

Full Advisory: http://secunia.com/advisories/12092/

--

[SA12101] I-Café client Restriction Bypass
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2004-07-20

Lostmon has reported a weakness in I-Café client, allowing malicious users to disable the software.

Full Advisory: http://secunia.com/advisories/12101/

UNIX/Linux:--

[SA12116] Slackware update for php
Critical: Highly critical
Where: From remote
Impact: System access, Security Bypass
Released: 2004-07-21

Slackware has issued an update for php. This fixes two vulnerabilities, which can be exploited by malicious people to bypass certain security functionality or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12116/

--

[SA12113] Debian update for php4
Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2004-07-21

Debian has issued an update for php4. This fixes two vulnerabilities, which can be exploited by malicious people to bypass certain security functionality or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/12113/

--

[SA12106] Red Hat update for php
Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2004-07-19

Red Hat has issued an update for php. This fixes two vulnerabilities, which can be exploited by malicious people to bypass certain security functionality or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12106/

--

[SA12103] PlaySMS SMS Gateway SQL and Command Injection Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2004-07-19

The vendor has reported two vulnerabilities in PlaySMS, allowing malicious people to conduct SQL injection attacks and execute arbitrary system commands.

Full Advisory: http://secunia.com/advisories/12103/

--

[SA12095] Debian update for netkit-telnet-ssl
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-07-19

Debian has issued an update for netkit-telnet-ssl. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12095/

--

[SA12091] Gentoo update for Unreal
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-07-20

Gentoo has issued an update for Unreal. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12091/

--

[SA12088] OpenPKG update for mod_ssl
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-07-19

OpenPKG has issued an update for apache with mod_ssl. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/12088/

--

[SA12081] Conectiva update for php4
Critical: Highly critical
Where: From remote
Impact: System access, Security Bypass
Released: 2004-07-19

Conectiva has issued an update for php4. This fixes two vulnerabilities, which can be exploited by malicious people to bypass certain security functionality or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12081/

--

[SA12078] SuSE update for php4
Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2004-07-19

SuSE has issued an update for php4. This fixes two vulnerabilities, which can be exploited by malicious people to bypass certain security functionality or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12078/

--

[SA12073] Gentoo update for php
Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2004-07-16

Gentoo has issued an update for php. This fixes two vulnerabilities, which can be exploited by malicious people to bypass certain security functionality or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12073/

--

[SA12109] Gentoo update for Opera
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-07-21

Gentoo has issued an update for Opera. This fixes a vulnerability, which can be exploited by malicious people to conduct phishing attacks against a user.

Full Advisory: http://secunia.com/advisories/12109/

--

[SA12100] SCO OpenServer Multiple Vulnerabilities in MMDF
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2004-07-20

Some vulnerabilities have been reported in SCO MMDF; the impact of the vulnerabilities is unknown.

Full Advisory: http://secunia.com/advisories/12100/

--

[SA12098] Fedora update for httpd
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-07-20

Fedora has issued an update for httpd.
This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12098/

--

[SA12096] Debian update for l2tpd
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-07-19

Debian has issued an update for l2tpd. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12096/

--

[SA12084] Outblaze Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-07-20

DarkBicho has reported a vulnerability in Outblaze, allowing malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/12084/

--

[SA12094] Debian update for ethereal
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-07-19

Debian has issued an update for Ethereal. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/12094/

--

[SA12086] HP-UX WU-FTPD Directory Access Restriction Bypass Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-07-19

HP has acknowledged a vulnerability in their version of WU-FTPD. This can be exploited by malicious, authenticated users to circumvent certain restrictions.

Full Advisory: http://secunia.com/advisories/12086/

--

[SA12082] Postnuke "title" Cross Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-07-19

DarkBicho has reported a vulnerability in Postnuke, allowing malicious people to conduct Cross Site Scripting attacks.

Full Advisory: http://secunia.com/advisories/12082/

--

[SA12075] Conectiva update for kernel
Critical: Less critical
Where: Local system
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS
Released: 2004-07-16

Conectiva has issued an update for the kernel. This fixes multiple vulnerabilities, which can be exploited to gain escalated privileges, cause a DoS (Denial of Service), or gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/12075/

--

[SA12104] Sun Solaris SVM Local Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2004-07-19

The vendor has reported a vulnerability in Solaris 9, allowing malicious local users to cause a Denial of Service.

Full Advisory: http://secunia.com/advisories/12104/

Other:--

[SA12117] Cisco ONS 15000 Multiple Denial of Service Vulnerabilities
Critical: Less critical
Where: From local network
Impact: Security Bypass, DoS
Released: 2004-07-21

The vendor has reported several vulnerabilities in Cisco ONS 15000 based products, allowing malicious people to cause a Denial of Service or bypass authentication.

Full Advisory: http://secunia.com/advisories/12117/

--

[SA12110] Conceptronic CADSLR1 Router Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-07-21

Jordi Corrales has reported a vulnerability in CADSLR1, allowing malicious people to cause a Denial of Service.

Full Advisory: http://secunia.com/advisories/12110/

--

[SA12112] Lexmark T522 HTTP Host Header Denial of Service Vulnerability
Critical: Not critical
Where: From local network
Impact: DoS
Released: 2004-07-21

Peter Kruse has reported a vulnerability in Lexmark T522, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/12112/

Cross Platform:--

[SA12099] artmedic kleinanzeigen Inclusion of Arbitrary Files
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-07-21

Francisco Alisson has reported a vulnerability in artmedic kleinanzeigen, allowing malicious people to include arbitrary files.

Full Advisory: http://secunia.com/advisories/12099/

--

[SA12089] Medal of Honor Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-07-19

Luigi Auriemma has reported a vulnerability in Medal of Honor, allowing malicious people to gain system access.

Full Advisory: http://secunia.com/advisories/12089/

--

[SA12077] mod_ssl Unspecified "mod_proxy" Hook Functions Format String Vulnerability
Critical: Highly critical
Where: From remote
Impact: Unknown, System access
Released: 2004-07-16

A vulnerability has been reported in mod_ssl, which currently has an unknown impact but may allow malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/12077/

--

[SA12097] BLOG:CMS / Nucleus / PunBB Inclusion of Arbitrary Files
Critical: Moderately critical
Where: From remote
Impact: Unknown, Exposure of sensitive information
Released: 2004-07-20

Radek Hulan has reported a vulnerability in BLOG:CMS, PunBB and Nucleus, potentially allowing malicious people to gain system access.

Full Advisory: http://secunia.com/advisories/12097/

--

[SA12083] PHP-Nuke Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released: 2004-07-19

Janek Vind has reported some vulnerabilities in PHP-Nuke, allowing malicious people to conduct Cross Site Scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/12083/

--

[SA12105] Invision Power Board "index.php" Cross Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-07-21

Electrobug has reported a vulnerability in Invision Power Board, allowing malicious people to conduct Cross Site Scripting attacks.

Full Advisory: http://secunia.com/advisories/12105/

--

[SA12076] Mozilla / Firefox Certificate Store Corruption Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-07-16

Marcel Boesch has reported a vulnerability in Mozilla and Firefox, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/12076/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Jul 23 10:25:21 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 23 10:40:22 2004
Subject: [ISN] Report Faults Cyber-Security
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A7192-2004Jul22.html

By Jonathan Krim
Washington Post Staff Writer
July 23, 2004

The Department of Homeland Security's efforts to battle computer-network and Internet attacks by hackers and other cyber-criminals suffer from a lack of coordination, poor communication and a failure to set priorities, according to an internal report released yesterday.
The report, by the department's inspector general, said the shortcomings of the National Cyber Security Division leave the country vulnerable to more than mere inconvenience to businesses and consumers.

The division "must address these issues to reduce the risk that the critical infrastructure may fail due to cyber attacks," the report said. "The resulting widespread disruption of essential services after a cyber attack could delay the notification of emergency services, damage our economy and put public safety at risk."

Among the report's recommendations is that the division develop a process for overseeing efforts of federal, state and local governments to better protect their systems.

The report cited progress in some areas since the division was formed in June 2003 as part of the federal reorganization that created the DHS. It praised the creation of a cyber-security coordination center called US-CERT, and an alert system that includes a Web site and automated notification to tech-security professionals of security threats making their way through cyberspace.

But the report comes at a time of heightened frustration among technology company executives and members of Congress that cyber-security is not getting enough attention and is poorly understood by some senior department officials. The issue is not just the possibility of a broad cyber-terrorist attack, those people say, but the daily attacks that are costing U.S. businesses and computer users hundreds of millions of dollars a year and countless hours of lost productivity.

"If we are at war, as Bush and [Homeland Security Secretary Tom] Ridge say we are . . . based on this report, we are clearly not on a war footing on cyber-security, or in DHS," said F. William Conner, chief executive of Entrust Inc., a Texas cyber-security company. "I read about the progress, but they've got the wrong measuring stick. Progress has to be measured against external risk."
Especially irksome to some executives and security experts is that the department has not adopted some of the practices they argue that government agencies, companies and organizations should employ to reduce the risk of cyber-attacks.

"The department as a whole isn't leading by example," said Alan Paller, head of the SANS Institute in Bethesda, a computer security research group. Paller, who praises some of the cyber division's work, said the department should take the lead in using its buying power to demand that software vendors make their products more secure. Paller said the agency is not doing so.

Paul Kurtz, head of the recently formed Computer Security Industry Alliance, a corporate trade group, said DHS was reluctant to participate in a cyber-security exercise sponsored by Dartmouth University, and did so only after pressure from the White House. Kurtz added that follow-through has been poor on the government's highly touted public-private partnership with industry to address security issues. That effort was part of a White House directive on cyberspace that mandated tighter controls for federal agencies but called for a voluntary plan for the private sector. After a meeting late last year, the partnership yielded five major reports and dozens of recommendations, but little in the way of further action.

"Not enough is happening" even to fulfill the Bush directive, said Rep. Zoe Lofgren (D-Calif.), who represents Silicon Valley.

To try to increase attention on cyber-security, several industry groups are supporting a bill co-sponsored by Lofgren and Rep. William M. "Mac" Thornberry (R-Tex.) that would elevate the director of the cyber division, currently Amit Yoran, to assistant secretary with more direct access to top DHS officials.

But Robert P.
Liscouski, assistant secretary for information analysis and infrastructure protection, who oversees the Cyber Security Division, said the notion of separating attention on cyber-threats from overall infrastructure protection would be bad policy.

"Cyber . . . is a very key priority for us," said Liscouski, a former police officer and Coca-Cola Co. security executive. But elevating it to special status "is a step back," he said, arguing that physical and cyber-security are closely connected.

Thornberry said that philosophy is "kind of a dumbing down of our cyber-security efforts. Cyber has some unique features."

Liscouski said he also has to focus on where the greatest threat lies and that overall he thinks the division is making progress.

"The fact that I'm not on the bully pulpit is more a reflection of where our threat is," he said, referring to tech industry's desire that the Homeland Security Department take a lead role in pushing companies to make cyber-security a top priority. "The dominant threat has been a physical threat."

He acknowledged the department's initial reluctance to participate in the Dartmouth exercise because the division was still organizing itself and might not have been able to "engage in a meaningful way." But he said it was highly valuable in the end.

Industry executives say that if, as the administration has said, it wants to rely on their expertise to help formulate cyber-security policy, it should heed their advice now.

Harris N. Miller, head of the Information Technology Association of America, said his group "continues to be concerned that DHS does not have adequate resources devoted to cyber-security and that the cyber-security head does not have adequate visibility within the bureaucracy. Improvements are coming, but slowly. The question is whether the nation can afford to wait."
From isn at c4i.org Fri Jul 23 10:25:46 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 23 10:40:23 2004
Subject: [ISN] Laptops at the FleetCenter at risk of breaches, attack
Message-ID:

http://www.boston.com/business/technology/articles/2004/07/22/laptops_at_the_fleetcenter_at_risk_of_breaches_attack/

By Hiawatha Bray
Globe Staff
July 22, 2004

The Democratic National Convention will attract thousands of visitors armed with laptop computers that feature wireless Internet access. And that could be a formula for disaster, according to a Boston data security firm that recently ran a vulnerability test in the area around the FleetCenter.

Michael Maggio, the president of Newbury Networks Inc., said that unless proper precautions are taken, computer vandals will be able to tap into these laptops by using wireless transmitters located outside of the FleetCenter. The attackers could then use the compromised laptops to gain access to the computer network used to run the convention. The vandals could obtain sensitive information related to the campaign of presidential candidate John Kerry. Or they could unleash an attack that would bring down the network and throw the convention into chaos.

"It's part of the security . . . that people aren't thinking about, not because they're dumb, but because we didn't have this four years ago," Maggio said.

Indeed, hardly anyone had heard of WiFi wireless networking in 2000. Today, half of all new laptops come with WiFi capability built in. A WiFi-equipped computer can share digital data by communicating with a wireless "access point." Standard WiFi equipment has a range of about 150 feet, but that range can be substantially increased with high-powered equipment and a special antenna.

The Democratic convention will use a standard wired network rather than WiFi. But according to Maggio, this won't provide any extra security. That's because many visitors who'll plug into the network will have computers with built-in WiFi capability. The WiFi feature is automatically switched on when the computer is running. In effect, the laptop can connect to a wired and a wireless network at the same time.

Maggio said that an attacker with a high-powered WiFi access point could set up shop outside the FleetCenter, and communicate with WiFi laptops on the inside. If these laptops haven't been protected with the latest security patches, a skilled intruder will be able to gain access to the laptop. He could then leapfrog onto the Democrats' network, allowing him to steal information or vandalize computers.

"By being on both networks at the same time," said Maggio, "that can compromise the entire network security."

Maggio also said Newbury Networks ran a test of WiFi vulnerability around the FleetCenter by driving through the area in a vehicle equipped with a WiFi "honeypot"-- an access point programmed to attract compatible WiFi laptops. According to Maggio, the testers were able to connect to several laptops being operated in or near the FleetCenter. Had these computers been connected to the Democrats' network, the testers might have been able to access confidential information. But Maggio said there was no attempt to read files on the laptop or the network, because that would violate state and federal law.

Newbury Networks stands to profit from its warning. The company specializes in wireless network security products. But other technical specialists agreed the convention offers a ripe target for attackers.

"That's definitely a problem with any machine that has a wireless device that's not secure and that has not been disabled," said Chris Wysopal, vice president for research and development for At Stake Inc., a Cambridge computer security firm.

The presence of thousands of laptop computers increases the chance that at least some of them will lack the latest security upgrades, making those machines open to attack. "The numbers are on the attacker's side," said Wysopal. "Out of a hundred machines you only need to find one machine that has a vulnerability, and you can use that to hop onto the wired network."

Kip Meacham, director of technical marketing for Senforce Technologies Inc. in Draper, Utah, said that most of the damage from such an attack would probably be confined to the individual laptops, because it would be fairly difficult to undermine the Democrats' wired network. But Meacham said that if an attacker got control of a laptop used by one of the Democratic network managers, he could do considerable damage. That's because a network manager's laptop would have access to critical network files, which could be beamed out of the FleetCenter and into a data thief's computer.

"Wireless really makes that kind of scary," said Meacham. "You no longer have to be physically connected with someone."

The solution, said Meacham, is a kind of quarantine system that isolates laptop computers from the rest of the network, until they've passed a series of security tests. For example, if a user plugged a laptop into the network, the machine would be tested for virus infections, and checked to see if its WiFi network chip is switched on. Infected laptops, or machines with active WiFi chips, would be blocked from access to the network.

Lina Garcia, press secretary for the Democratic convention, refused to say whether such a system is in place in the FleetCenter. Indeed, she refused to offer any details about computer security plans, to keep potential intruders in the dark. But Garcia insisted the Democrats have the computer security situation well in hand, with the help of security specialists from Cisco Systems Inc. and Microsoft Corp.

"People can rest assured that we are aware of the need for a strong security system for our technology infrastructure," said Garcia, reading from a prepared statement, "and we are working with our partners, Cisco and Microsoft, to ensure that our systems remain secure."

Hiawatha Bray can be reached at bray@globe.com

From isn at c4i.org Fri Jul 23 10:27:34 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 23 10:40:25 2004
Subject: [ISN] mi2g attacks "so-called" security sites
Message-ID:

Forwarded from: Rob Rosenberger
To: full-disclosure@lists.netsys.com, isn@c4i.org, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Cc: editor@securityfocus.com, fyodor@insecure.org, webmaster@neohapsis.com, mailman-owner@lists.netsys.com, security@der-keiler.de, info@gossamer-threads.com, webmaster@mi2g.net, sales@mi2g.com, dkmatai@mi2g.net, sips@mi2g.net, rjackson@mi2g.net, jokeaday@jokeaday.com
Subject: mi2g attacks "so-called" security sites

mi2g attacked a number of "so-called" security sites in a 20 July press release. mi2g identified by name the following sites: SecurityFocus, Insecure, Neohapsis, NetSys, e2kSecurity, Der Keiler, gossamer-threads, C4I, VulnWatch, and Landfield.

Vmyths will slam mi2g in an upcoming column -- because they don't know the difference between a hoax and a PARODY.

Vmyths has dared to use the word "plagiarism" in the same sentence with "mi2g." We will now dare to use the word "slander." We'll say it in both a column and a press release.

mi2g threatened to sue Vmyths for libel in 2002. (See http://Vmyths.com/rant.cfm?id=497&page=4 for details.) Two years later, we're still waiting for the "so-called" security firm to identify ANY libelous text on our website. "Truth" remains the first word in our website slogan.
Rob Rosenberger, Vmyths editor
Truth about computer virus hysteria
http://Vmyths.com
(319) 646-2800

Weekly newsletter sign-up: http://Vmyths.com/news.cfm

From isn at c4i.org Fri Jul 23 10:34:07 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 23 10:40:26 2004
Subject: [ISN] REVIEW: "Defend I.T.", Ajay Gupta/Scott Laliberte

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKDFNDIT.RVW 20040623

"Defend I.T.", Ajay Gupta/Scott Laliberte, 2004, 0-321-19767-4, U$34.99/C$49.99
%A Ajay Gupta
%A Scott Laliberte
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2004
%G 0-321-19767-4
%I Addison-Wesley Publishing Co.
%O U$34.99/C$49.99 800-822-6339 Fax: 617-944-7273 bkexpress@aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0321197674/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321197674/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0321197674/robsladesin03-20
%P 349 p.
%T "Defend I.T.: Security by Example"

The preface states that this collection of (sixteen) "case studies" is intended to explain the security profession. This seems to be a bit of a challenge since not all security work involves "cases."

Part one is entitled "Basic Hacking." Chapter one describes the process of enumerating a network with nmap and other tools. There is lots of information about blackhat activity in this regard, but nothing on defending IT and nothing on what security professionals do. Chapter two, however, actually does deal with security work in describing forensics and the importance of logs and auditing when dealing with intrusions and attacks over trusted links. Unlike the conceptual discussion in chapter two, chapter three's packet dump listings are not explained in terms of the evidence that would indicate a DDoS (Distributed Denial of Service) attack.

Part two's emphasis seems to be on how "current methods" of security are insufficient for most companies. Chapter four follows the security assessment of a new wireless network, although not quite the system design process promised at the beginning. A virus infection (except that Sadmind is a worm) is used to demonstrate the need for patching and scanning, in chapter five. A worm infection is used, in chapter six, to prove the need for incident response. (There is significant misleading information: the user actions described would not start a worm, and virus scanning of email would not prevent it.) Chapter seven looks at a web defacement indicating the need for clear contracts and understandings in penetration tests.

Part three reviews additional items. Chapter eight deals with the selection of an IDS (Intrusion Detection System), but could be a general model for any security acquisition. While a company's ad hoc recovery from disaster is exciting, chapter nine does not clearly make the case for business continuity planning. Policy is vital to security, but chapter ten does not effectively demonstrate either the centrality or the process. Chapter eleven could have had the requirements of HIPAA (Health Insurance Portability and Accountability Act) point out the need for re-assessment under changing legislation, but didn't.

Part four nominally reviews old stuff. Unfortunately, it returns to the pattern of chapter one, concentrating on the attack aspects and limiting the discussion of defence. Chapter twelve looks at war dialling and says very little about the countermeasures: thirteen is even worse in dealing with social engineering.

Part four covers aspects of computer forensics. Supposedly about industrial espionage, fraud, and a really clumsy attempt at extortion, chapters fourteen to sixteen actually just recycle the usual material on data recovery and chain of custody.

A "conclusion" attempts to fill in the holes that this book leaves in dealing with other areas of security.

The division of the book into parts seems quite arbitrary and artificial. The groups of chapters do seem to have vague themes, but they are tenuous at best.

Overall, the book must be said to have gone some ways towards fulfilling its goal of explaining what the security profession is about. Not the whole way: there are serious gaps in the coverage, and someone getting a picture of a security career from this book alone would receive a fairly skewed image. But the book does present some interesting aspects of the field in a (mostly) readable form. There are any number of books that present a more misleading image.

copyright Robert M. Slade, 2004 BKDFNDIT.RVW 20040623

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
There is something wrong with a profession in which the only way to get anything done is to find a bearded wonder, lock him in a closet, and slip him crackers under the door. - Robert W. Bemer
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Fri Jul 23 10:34:55 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 23 10:40:27 2004
Subject: [ISN] Big companies employing snoopers for staff email

Forwarded from: matthew patton

--- InfoSec News wrote:

> http://management.silicon.com/government/0,39024677,39122384,00.htm
>
> By Jo Best
> July 19 2004
>
> Large companies are now so concerned about the contents of the
> electronic communications leaving their offices that they're
> employing staff to read employees' outgoing emails.
>
> According to research from Forrester Consulting, 44 per cent of
> large corporations in the US now pay someone to monitor and snoop on
> what's in the company's outgoing mail, with 48 per cent actually
> regularly auditing email content.

Yet information can readily leak through floppies, CD-ROMs, ftp, https, or the 'simple' act of outsourcing laptop and desktop support.

If monitoring email were so critical to preventing information disclosure, where and how do we categorize tens-of-billion-dollar international companies in, say, financials or pharmaceuticals that don't protect against connection hopping, use telnet and X11 in the clear, build production and DMZ unix hosts with full development (compilers, you name it) distributions, send their laptops off to the likes of Dell with all corporate product, sales, and other proprietary data still on them, and likewise grant these same 3rd parties significant network access to replicate message stores, add the laptop computer to the corporate Active Directory domain, load cryptographic identities and so forth?

I'm all for balancing business needs against network security, but does this strike anyone else as just a little bit unbalanced?

From isn at c4i.org Mon Jul 26 06:26:58 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 26 06:37:46 2004
Subject: [ISN] Richard Thieme's Islands in the Clickstream. THE BOOK.

http://www.amazon.com/exec/obidos/ASIN/1931836221/c4iorg

This is a cut and paste of Richard Thieme's book announcement for Islands in the Clickstream, THE BOOK. Longtime readers of InfoSec News know I am a big fan of Richard's work, can count him as a good friend, and someone who has the pulse of a number of worlds. After the horrific events of 9/11/01, the only thing that made any sense of the day was Richard's prose.

http://seclists.org/isn/2001/Sep/0050.html

William Knowles
wk@c4i.org

-=-

Please forgive me if you were previously notified of my book through my email list. This is being sent to colleagues in the security, technical, and intelligence worlds and is the last "official announcement."

A book collecting some of my work from the past eight years has just been published. Andrew Briney, editor-in-chief of Information Security, says in the foreword -

"This book is about power and knowledge, insight and inspiration, culture and experience, physics and metaphysics.
Like space and time, there are multiple dimensions to this book. I'll wager you've never read anything quite like it."

He may be right...

My work as a speaker and consultant continues. Speaking is focused on the human dilemmas resulting from technology, terror, and other challenges of our public and private lives. I address the personal, spiritual, and social implications of technology and suggest ways to respond effectively to technology-driven change. I particularly enjoy facilitating retreats, enabling people to have an opportunity to get off-site and to think things through.

As Stephanie Fohn, formerly CEO of Security Focus, said: "In many ways you never left the ministry, at least from the standpoint of providing guidance in matters of spirituality and quality of life - you just changed your flock to the security community."

RT

Multiple essays per chapter are arranged by topics:

Chapter 1: This is the Way the Internet Works
Chapter 2: Computer-Mediated Living: The Digital Filter
Chapter 3: Doing Business Digitally
Chapter 4: Hacking and the Passion for Knowledge
Chapter 5: Digital Spirituality
Chapter 6: Mostly True Predictions
Chapter 7: The Psychology of Digital Life: Identity and Destiny
Chapter 8: Political Implications
Chapter 9: The Dark Side of the Moon and Beyond
Chapter 10: Technology Gets Personal

Here are some of the early accolades for Richard Thieme's Islands in the Clickstream: Reflections on Life in a Virtual World:

Richard Thieme takes us to the edge of cliffs we know are there but rarely visit ... he wonderfully weaves life, mystery, and passion through digital and natural worlds with creativity and imagination. This is delightful and deeply thought provoking reading full of "aha!" insights.
- Clinton C. Brooks, Former Senior Advisor for Homeland Security and Assistant Deputy Director, NSA

These warm but penetrating essays use insights from hacker culture, science fiction movies, religion, military doctrine, psychology, Midwestern family life, literature and history to illuminate unorthodox but deeply profound ways of understanding ourselves and everything around us.
- Jennifer Stisa Granick, Esq., Executive Director, Center for Internet & Society, Cyberlaw Clinic, Stanford Law School

Where Thomas Aquinas and Aristotle left off, Richard Thieme picks up, exploring crucial questions about the nature of existence in the technology age and offering cogent commentary about truth and meaning that is as relevant to hackers as it is to CEOs. Thieme is truly an oracle for the Matrix generation.
- Kim Zetter, Wired News

Thieme's Islands in the Clickstream is deeply reflective, enlightening, and refreshing.
- Peter Neumann, Stanford Research Institute

Richard Thieme speaks to the heart. His words more than inspire, they teach us how to think. The reader is left reeling, dizzy with insight.
- Robin Roberts, former head of Information Security R&D, CIA

Richard Thieme sees deeply into the nature of networks and has the uncanny ability to describe what he sees with extraordinary clarity.
- Howard A. Schmidt, former Cyber Security Advisor to the White House and former CSO, Microsoft Corp.

Thieme's ability to be open minded, conspiratorial, ethical, and subversive all at the same time is very inspiring.
- Jeff Moss, CEO, Black Hat, Inc.

I believe that you are a practitioner of wu wei, the effort to choose the elegant appropriate contribution to each and every issue that you address.
- Hal McConnell (former intelligence analyst, NSA)

At its best, the Internet connects us to kindred souls, those who are destined to transform our lives in truly wondrous ways. My friend, Richard Thieme, first came to me over the Net and his words and actions have inspired me to see myself and the world around me in a different light. This collection of his writings represents a glimpse into the inner workings of a most extraordinary mind.
- Becky Bace, former executive, National Security Agency

Richard Thieme sees deeply into the nature of the human spirit and expresses with great clarity what he observes.
- Joel Garreau, cultural revolution correspondent, The Washington Post

Richard Thieme is an extraordinary person in every sense. Only someone who has lived different lives and could cope with what those had in stock for him, who sees with soft eyes while reflecting everything around him, can express the meta layer of today's world and technology as the one thing it is.
- FX

WOW!!! You eloquently express thoughts and ideas that I feel. You have helped me, not so much tear down barriers to communication, as to leverage these barriers into another structure with elevators and escalators.
- Chip Meadows, CISSP, CCSE, USAA e-Security Team

"Richard Thieme navigates the complex world of people and computers with amazing ease and grace. His clarity of thinking is refreshing, and his insights are profound."
- Bruce Schneier, CEO, Counterpane

Richard Thieme presents us with a rare gift. His words touch our heart while challenging our most cherished constructs. He is both a poet and pragmatist navigating a new world with clarity, curiosity and boundless amazement.
- Kelly Hansen, CEO, Neohapsis

Richard Thieme teaches experts to see with 'beginners' eyes' and hackers to think like philosophers. More than a great thinker, Thieme is an original soul. When you read Richard Thieme, you believe in the Matrix.
- Sol Tzvi, Senior Security and Privacy Architect, Trustworthy Computing, Microsoft Israel

BOOK DETAILS
ISBN: 1-931836-22-1
PRICE: $29.95 U.S.
PAGE COUNT: 256 PP

From isn at c4i.org Mon Jul 26 06:27:22 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 26 06:37:48 2004
Subject: [ISN] Energy halts use of classified discs, drives

http://www.fcw.com/fcw/articles/2004/0719/web-doe-07-23-04.asp

By Sarita Chourey
Published on July 23, 2004

Energy Secretary Spencer Abraham ordered today all Energy Department operations to halt using controlled removable electronic media (CREM) to improve media protection procedures.

Abraham's directive follows an announcement earlier this month that Los Alamos National Laboratory employees had lost two Zip discs containing classified material. Lab workers are searching for the discs amid more than 2,000 safes and vaults. The lab's director has halted all operations at Los Alamos, and Abraham has directed that classified operations will not resume until Energy's deputy secretary, Kyle McSlarrow, and the National Nuclear Security Administration's administrator, Linton Brooks, confirm that newly implemented corrective actions improve CREM management.

"While we have no evidence that the problems currently being investigated are present elsewhere, we have a responsibility to take all necessary action to prevent such problems from occurring at all," Abraham said in a statement.

CREM includes all types of classified hard drives or computer discs. In May, Abraham called for a variety of security reforms, including several that affect the way the agency protects classified data. Among the reforms is an initiative to move toward disk-free computer environments and keyless security possibly involving a biometric identifier.

At the recommendation of McSlarrow and Brooks, Abraham announced a CREM stand down and details of a plan, effective July 26.
"These procedures are designed to guarantee a complete inventory of our classified electronic holdings and make certain that specific individuals can be held responsible and accountable for future problems," Abraham said in a statement.

Some elements of the plan include:

* A 100 percent initial physical inventory of accountable CREM followed by weekly inventories.
* Trained staff will control repositories for all accountable CREM.
* Create a formal checkout process for all accountable CREM.
* An independent validation team will verify the protocols before the operation gets back to normal.

The halt to the use of classified discs and hard drives will continue at Energy facilities until each "conducts appropriate training, reviews security procedures, ensures complete and accountable custodial responsibility, and arranges for a complete inventory," Abraham said.

From isn at c4i.org Mon Jul 26 06:27:36 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 26 06:37:49 2004
Subject: [ISN] Cybersecurity experts wanted

http://www.nwfusion.com/news/2004/0723cyberexper.html

By Emily Kumler
PC World, 07/23/04

New worries about national cybersecurity are prompting government officials to press colleges for rigorous curricula that train future cyberprotectors. More educational programs, and up-to-date classes that adapt quickly to new needs in cybersecurity, were among suggestions at a hearing in the House Science Committee Wednesday.

Sherwood Boehlert (R-New York) chaired the discussion just before release of the 9/11 Commission's report. Charles McQueary, undersecretary of science and technology for the U.S. Department of Homeland Security, has repeatedly lobbied for more money to train cyberexperts.

Current efforts

Threats develop and change at "Internet speed," Chet Hosmer, president of Wetstone Technologies, a cybersecurity research development company, told the hearing. He said it is essential that higher-education curricula be able to adapt quickly to produce security experts who can deal with changing threats. Many Wetstone employees also teach at local New York community colleges and larger universities, including Utica College of Syracuse University, Hosmer added.

He pointed to criminal-justice programs as an example of how rigidity within higher-education curricula creates fragmented cybersecurity training programs.

"Unfortunately, most criminal-justice university programs are offered out of the social science departments at universities, (whereas) computer science is a hard science, out of math or computer science departments," Hosmer said. "Building programs that cross domains is quite difficult for many reasons, and the student typically lacks depth in either area and is ill-prepared for (work in) digital investigation after graduation."

Wetstone offers internships that help students engage in practical application of the theories they learn in school, he added.

The focus on practical skills promoted by most community colleges puts such institutions in a perfect position to tackle cybersecurity education, said Erich Spengler, an associate professor at Morain Valley Community College in Illinois and director of the regional center for systems and information assurance.

Spengler said 44 percent of the country's undergraduate students -- about 10.4 million people -- attend technical or community colleges. Those institutions rely heavily on local business and industry to foster learning within the classroom and to serve as potential employers after graduation, he added.

Military training

Second Lieutenant David Aparicio testified on behalf of the Air Force and as class valedictorian of the Advanced Course of Engineering on Cybersecurity. The program is designed to meet the recommendations of the National Strategy to Secure Cyberspace, an initiative promoting cybersecurity education in government, academia, and industry.

"ACE taught me not only technical competence but mental flexibility to solve any problem placed in front of me - academic or critical," Aparicio said.

The intense ten-week program involved weekly all-day lectures, and then the students had to solve real-world problems. The 14 students were mentored on military and industry projects, creating a holistic awareness of real threats lurking in the cyberworld, according to Aparicio.

"I plan to eventually work for the Central Intelligence Agency or the National Security Agency with my new view of the world," Aparicio said.

Boehlert said the success of ACE and the demand for ACE graduates is visible in the decision to double the enrollment this summer, to 28 students.

Hosmer told the committee that while educational endeavors are crucial, the training doesn't end on graduation day.

"Every week we get requests from (industry workers) who want to get trained by us," Hosmer said. "They are often paying for the training out of their own pocket and are taking vacation time to do it," he said, emphasizing the recognized market demand for cybersecurity training.

Emily Kumler writes for the Medill News Service.

From isn at c4i.org Mon Jul 26 06:27:54 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 26 06:37:50 2004
Subject: [ISN] Global Hackers Test their Skills on Korean Computer Systems

http://english.chosun.com/w21data/html/news/200407/200407250029.html

englishnews@chosun.com
July 25, 2004

"Korean Internet users' awareness of cyber security hasn't yet matched the spread of high speed Internet in Korea. It is quite normal for hackers from all over the world to want to test their skills in the country," said Kwon Seok-chul (34), the president and CEO of computer virus vaccine developer HAURI Inc. He also pointed out, "The damage done by the attacks on administrative organizations such as the National Assembly and Korea Institute for Defense Analyses could have been minimized had the users been more careful."

Currently about 11.6 million people are connected on high speed Internet in Korea, arguably the best in the world ratio-wise. However, the level of web security falls short of standard. For example, last year's ratio of the use of computer virus vaccine programs was only 38 percent, almost half the numbers of Japan (74 percent) or the United States (71 percent).

Kwon warned that situations like the recent hacking incident can happen again, and the damage can be unthinkable. There was a time when only a few experts had the ability to hack through the web, but these days, with a great amount of related information on the web, it doesn't take a computer master to hack a computer system. Moreover, personal computers are also targets for hackers today.

Kwon also said, "More hackers from all over the world hack systems of other countries by way of Korea or test their skills by hacking Korean computer systems." This explains why Korea is the largest cyber-criminal as well as the largest victim. According to a statistical research by Korea Information Security Agency, the number of hacking reports filed by foreign countries on Korea has grown from 468 in 2002 and 2,289 in 2003 to 1,634 in the first half of this year. Likewise, hacking reports by Korea on other countries as well have increased from 14,063 in 2002, 14,063 in 2003 to 10,634 in the first half of 2004.

Kwon worried about the increase of international underground hacker organizations. "Since they work stealthily it is hard to estimate the exact number of such organizations, but a number of skilled hacker organizations based in China and Eastern Europe stand out," said Kwon, adding, "More and more hackers say they can do anything for money. The increase of hackers hired to steal secret information from competing companies is also notable. The abilities of Korean hackers are generally known to be inferior to these hackers."
Surprisingly, Kwon found the reason for the lowering of standards of Korean hackers in investigations in the late 1990's. He claims that the hacker community vanished as the best hackers got arrested. "There had been a suggestion that we should train hackers for positive purposes, but it became difficult to bring them out from underground," says Kwon.

From isn at c4i.org Mon Jul 26 06:28:53 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 26 06:37:52 2004
Subject: [ISN] Linux Advisory Watch - July 23rd 2004

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  July 23, 2004                                Volume 5, Number 29a  |
+---------------------------------------------------------------------+

Editors:     Dave Wreski                Benjamin Thomas
             dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for MMDF, Mozilla, kernel, php4, webmin, samba, ethereal, l2tpd, mailman, httpd, libxml2, wv, php, Unreal, Opera, mod_ssl and freeswan. The distributors include SCO Group, Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, Slackware and Suse.

-----

>> Need to Secure Multiple Domain or Host Names? <<

Securing multiple domain or host names need not burden you with unwanted administrative hassles. Learn more about how the cost-effective Thawte Starter PKI program can streamline management of your digital certificates. Click here to download our Free guide:

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawte07

-----

Creating New Accounts

You should make sure to provide user accounts with only the minimal requirements for the task they need to do. If you provide your secretary, or another general user, with an account, you might want them to only have access to a word processor or drawing program, but be unable to delete data that is not his or hers.

Several good rules of thumb when allowing other people legitimate access to your Linux machine:

- Limit access privileges given to new users.

- Be aware when/where they login from, or should be logging in from.

- Make sure to remove inactive accounts.

- The use of the same user-ID on all computers and networks is advisable to ease account maintenance, as well as permit easier analysis of log data (but I'm sure someone will dispute this). However, it's practically essential if using NFS. There are several other protocols that use UIDs for local and remote access as well.

- The creation of group user-IDs should be absolutely prohibited. User accounts also provide accountability, and this is not possible with group accounts.

- Be sure shadow passwords are enabled. Shadow passwords is a method for storing the actual user's password in a root-owned file that is not readable by normal users, unlike the regular password file. This protects the passwords from being read and cracked using dictionary attacks. Most (if not all) current distributions already use shadow passwords.

- Regularly audit user accounts for invalid or unused accounts, expired accounts, etc.

- Check for repeated login failures. The files in /var/log are an invaluable resource to track potential security problems.

- Be sure to enable quotas on machines with many users, to prevent denial of service attacks involving filling disk partitions, or appending exploits to group-writable files.

- Disable group accounts, and unused system accounts, such as sys or uucp. These accounts should be locked, and given non-functional shells.

- Many local user accounts that are used in security compromises are ones that have not been used in months or years. Since no one is using them they provide the ideal attack vehicle.
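As an added example (not part of the newsletter or any LinuxSecurity.com tip), the POSIX shell script below checks several of the points above against constructed sample files: system accounts that still have a functional shell, shared UIDs, accounts whose password hash is not in the shadow file, and repeated login failures in a syslog-style auth log. The passwd and log contents, the file names and the failure threshold are all made up for the example.

```shell
#!/bin/sh
# Account-hygiene audit (added example). Sample data is constructed inline
# so the script runs offline; point the functions at /etc/passwd and the
# real auth log to use them on a live system.

SAMPLE_DIR="${TMPDIR:-/tmp}/acct-audit.$$"
mkdir -p "$SAMPLE_DIR"

# Constructed passwd file: root, a correctly locked system account (daemon),
# two system accounts left with a usable shell (sys, uucp), an account whose
# hash sits in passwd instead of shadow (backup), and a UID shared by two
# logins (alice and shared), which the tip says should be prohibited.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
backup:oldhash:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
shared:x:1000:1000:Shared team login:/home/shared:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
EOF

# Constructed auth log in the classic syslog/sshd format.
cat > "$SAMPLE_DIR/auth.log" <<'EOF'
Jul 23 10:01:02 host sshd[2001]: Failed password for alice from 192.0.2.10 port 4410 ssh2
Jul 23 10:01:05 host sshd[2001]: Failed password for alice from 192.0.2.10 port 4411 ssh2
Jul 23 10:01:09 host sshd[2001]: Accepted password for alice from 192.0.2.10 port 4412 ssh2
Jul 23 10:02:00 host sshd[2002]: Failed password for bob from 192.0.2.11 port 5000 ssh2
Jul 23 10:02:01 host sshd[2002]: Failed password for bob from 192.0.2.11 port 5001 ssh2
Jul 23 10:02:02 host sshd[2002]: Failed password for bob from 192.0.2.11 port 5002 ssh2
Jul 23 10:02:03 host sshd[2002]: Failed password for bob from 192.0.2.11 port 5003 ssh2
Jul 23 10:02:04 host sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 6000 ssh2
EOF

# System accounts (UID below 1000, not root) whose shell is not a
# non-functional one such as nologin or false. These should be locked.
system_accounts_with_shell() {
    awk -F: '$3 != 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# UIDs assigned to more than one login name: shared identities defeat
# per-user accountability in the logs.
duplicate_uids() {
    awk -F: '{ count[$3]++ } END { for (u in count) if (count[u] > 1) print u }' "$1"
}

# Accounts whose password field holds something other than the shadow
# marker "x" or a lock marker, i.e. a hash readable by every local user.
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" { print $1 }' "$1"
}

# Users with at least $2 failed password attempts in the log $1.
# Handles both "for NAME" and "for invalid user NAME" forms.
repeated_login_failures() {
    awk -v min="$2" '
        /Failed password for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") {
                    user = $(i + 1)
                    if (user == "invalid") user = $(i + 3)
                    fails[user]++
                    break
                }
            }
        }
        END { for (u in fails) if (fails[u] >= min) print u, fails[u] }' "$1"
}

audit_report() {
    printf 'System accounts with a functional shell (lock these):\n'
    system_accounts_with_shell "$1" | sed 's/^/  /'
    printf 'UIDs shared by more than one account:\n'
    duplicate_uids "$1" | sed 's/^/  /'
    printf 'Accounts with a password hash outside the shadow file:\n'
    unshadowed_accounts "$1" | sed 's/^/  /'
    printf 'Users with %s or more failed logins:\n' "$3"
    repeated_login_failures "$2" "$3" | sed 's/^/  /'
}

audit_report "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/auth.log" 3
```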
Security Tip Written by Dave Wreski (dave@guardiandigital.com) Additional tips are available at the following URL: http://www.linuxsecurity.com/tips/ ----- Security Expert Dave Wreski Discusses Open Source Security LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian Digital, Inc. and respected author of various hardened security and Linux publications, to talk about how Guardian Digital is changing the face of IT security today. Guardian Digital is perhaps best known for their hardened Linux solution EnGarde Secure Linux, touted as the premier secure, open-source platform for its comprehensive array of general purpose services, such as web, FTP, email, DNS, IDS, routing, VPN, firewalling, and much more. http://www.linuxsecurity.com/feature_stories/feature_story-170.html --------------------------------------------------------------------- Catching up with Wietse Venema, creator of Postfix and TCP Wrapper Duane Dunston speaks at length with Wietse Venema on his current research projects at the Thomas J. Watson Research Center, including his forensics efforts with The Coroner's Toolkit. Wietse Venema is best known for the software TCP Wrapper, which is still widely used today and is included with almost all unix systems. Wietse is also the author of the Postfix mail system and the co-author of the very cool suite of utilities called The Coroner's Toolkit or "TCT". http://www.linuxsecurity.com/feature_stories/feature_story-169.html ------ --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: SCO Group | ----------------------------// +---------------------------------+ 7/22/2004 - MMDF Multiple vulnerabilities This patch addresses many buffer overflows and cuts down sharply on unnecessary privilege. 
  http://www.linuxsecurity.com/advisories/caldera_advisory-4584.html

7/22/2004 - Mozilla
  Multiple vulnerabilities
  This patch resolves a large number of Mozilla vulnerabilities.
  http://www.linuxsecurity.com/advisories/caldera_advisory-4588.html

+---------------------------------+
| Distribution: Conectiva         | ----------------------------//
+---------------------------------+

7/16/2004 - kernel
  Multiple vulnerabilities
  This patch addresses a large number of kernel vulnerabilities at once.
  http://www.linuxsecurity.com/advisories/conectiva_advisory-4564.html

7/16/2004 - php4
  Multiple vulnerabilities
  This patch resolves two vulnerabilities, each of which can cause the execution of arbitrary code.
  http://www.linuxsecurity.com/advisories/conectiva_advisory-4565.html

7/17/2004 - webmin
  ACL bypass vulnerability
  A vulnerability in webmin that would allow unauthenticated users to obtain read access to a module's configuration.
  http://www.linuxsecurity.com/advisories/conectiva_advisory-4566.html

7/22/2004 - samba
  Buffer overflow vulnerabilities
  This patch addresses several buffer overruns within samba.
  http://www.linuxsecurity.com/advisories/conectiva_advisory-4583.html

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

7/22/2004 - ethereal
  Denial of service vulnerabilities
  Several denial of service vulnerabilities were discovered in ethereal, one of which could be exploited by a remote attacker to crash ethereal with an invalid SNMP packet.
  http://www.linuxsecurity.com/advisories/debian_advisory-4579.html

7/22/2004 - netkit-telnet-ssl
  Format string vulnerability
  Denial of service vulnerabilities
  A vulnerability in netkit-telnet-ssl could potentially allow a remote attacker to cause the execution of arbitrary code with the privileges of the telnet daemon.
  http://www.linuxsecurity.com/advisories/debian_advisory-4580.html

7/22/2004 - l2tpd
  Buffer overflow vulnerability
  By exploiting this, a remote attacker could potentially cause arbitrary code to be executed by transmitting a specially crafted packet.
  http://www.linuxsecurity.com/advisories/debian_advisory-4581.html

7/22/2004 - php4
  Multiple vulnerabilities
  Patch fixes both a vulnerability to XSS (Cross Site Scripting) and execution of arbitrary local code.
  http://www.linuxsecurity.com/advisories/debian_advisory-4582.html

7/22/2004 - mailman
  Password leak vulnerability
  A flaw in Mailman 2.1.* allows a remote attacker to retrieve the mailman password of any subscriber by sending a carefully crafted email request to the mailman server.
  http://www.linuxsecurity.com/advisories/debian_advisory-4587.html

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

7/16/2004 - ethereal
  Denial of service vulnerabilities
  Patches resolve three different ways to crash ethereal.
  http://www.linuxsecurity.com/advisories/fedora_advisory-4563.html

7/22/2004 - httpd
  Multiple vulnerabilities
  This patch fixes a remotely triggerable memory leak and a buffer overflow vulnerability.
  http://www.linuxsecurity.com/advisories/fedora_advisory-4585.html

7/22/2004 - libxml2
  Buffer overflow vulnerability
  Updated libxml2 packages that fix an overflow when parsing remote resources are now available.
  http://www.linuxsecurity.com/advisories/fedora_advisory-4586.html

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

7/16/2004 - wv
  Buffer overflow vulnerability
  A buffer overflow vulnerability exists in the wv library that can allow an attacker to execute arbitrary code with the user's privileges.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4560.html

7/16/2004 - kernel
  Denial of service vulnerability
  By sending a malformed TCP packet, an attacker can hang a machine running IPTables.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4561.html

7/16/2004 - php
  Multiple vulnerabilities
  Multiple security vulnerabilities, potentially allowing remote code execution, were found and fixed in PHP.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4562.html

7/22/2004 - Unreal Tournament
  Buffer overflow vulnerability
  Game servers based on the Unreal engine are vulnerable to remote code execution through malformed 'secure' queries.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4574.html

7/22/2004 - Opera
  Multiple spoofing vulnerabilities
  Opera contains three vulnerabilities, allowing an attacker to impersonate legitimate websites with URI obfuscation or to spoof websites with frame injection.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4575.html

7/22/2004 - kernel
  Multiple vulnerabilities
  This patch addresses multiple DoS and permission vulnerabilities.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4576.html

7/22/2004 - l2tpd
  Buffer overflow vulnerability
  A buffer overflow in l2tpd could lead to remote code execution. It is not known whether this bug is exploitable.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4577.html

7/22/2004 - mod_ssl
  Format string vulnerability
  A bug in mod_ssl may allow a remote attacker to execute arbitrary code when Apache is configured to use mod_ssl and mod_proxy.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4578.html

+---------------------------------+
| Distribution: Mandrake          | ----------------------------//
+---------------------------------+

7/16/2004 - php
  Multiple vulnerabilities
  This patch resolves an improper memory_limit trigger as well as a possible XSS issue.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4557.html

7/16/2004 - ipsec-tools
  Multiple vulnerabilities
  This patch fixes both a Denial of Service attack and an ACL escape.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4558.html

7/16/2004 - freeswan
  Multiple vulnerabilities
  This patch resolves a DN impersonation attack as well as a denial of service.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4559.html

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

7/22/2004 - php
  Multiple vulnerabilities
  Patch resolves a memory_limit bug which allows execution of arbitrary code and a strip_tags bug which allows XSS (Cross Site Scripting).
  http://www.linuxsecurity.com/advisories/redhat_advisory-4572.html

7/22/2004 - samba
  Buffer overflow vulnerabilities
  Updated samba packages that fix buffer overflows, as well as other various bugs, are now available.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4573.html

+---------------------------------+
| Distribution: Slackware         | ----------------------------//
+---------------------------------+

7/22/2004 - php
  Multiple vulnerabilities
  This patch resolves two bugs that could potentially allow XSS (Cross-Site Scripting) and the execution of arbitrary code.
  http://www.linuxsecurity.com/advisories/slackware_advisory-4571.html

+---------------------------------+
| Distribution: Suse              | ----------------------------//
+---------------------------------+

7/16/2004 - php4/mod_php4
  Multiple vulnerabilities
  Fixes two vulnerabilities, one that leads to direct code execution, and the other a possible XSS.
  http://www.linuxsecurity.com/advisories/suse_advisory-4556.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


From isn at c4i.org Mon Jul 26 06:31:10 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 26 06:37:53 2004
Subject: [ISN] "Fud, lies and libel" against (type any name here, I'll use mi2g)
Message-ID:

Forwarded from: Robert Wayne
To: full-disclosure@lists.netsys.com
Cc: isn@attrition.org, isn@c4i.org

Hi there,

I am a regular reader of all the major security lists and I laughed (in a way) at the posting about "Wendy's order system"... I laughed because at first glance I thought it was funny, but then I realised that what I was reading was a "vulnerability" on a security list, so it wasn't clear to me what that stupid joke was doing there.

Ok, it's true... full-disclosure is not moderated, everybody can post, yeah yeah, blah blah blah, but still: it is (meant to be) a security list. Am I wrong?

Please note that this is not just about another silly off-topic post: someone deliberately posted a vulnerability, perfect in its structure, with all the right fields in the right place, on more than one security list. There is more than off-topic here. Ok, the content was clearly a hoax, but it denotes a problem that could be much more dangerous...

Let me point out that, as the anonymous guy who posted the (two?) articles claims, I'm not affiliated with mi2g. I thought about not replying and wasting my time, but given the fact that your stupid postings are going on, and some other people even give you credit for that, I would like to say something as well. Hope you don't mind. Hope the list doesn't mind. It is not something off-topic in my opinion, because it is strictly related to the way security information is diffused, so it is inherently about security.
Before I proceed with the security issues related to the original post about "Wendy", I would like to explore some of the points you have made:

---------------------

> Instead of laughing along with the obvious hoax, mi2g responded in typical
> fashion by releasing a "News Alert" in which they spread FUD, lie about...

I don't understand your point. I can laugh, you can laugh... but they are defamed! Can you explain why they should laugh? I don't get it...

> Ransom demands? Negative publicity? Reputation damage accelerates?
> mi2g is saying that "trusted web sites and security portals" posting
> the original hoax have contacted mi2g, offering to not post it in return
> for up to one MILLION dollars. Who are these black hearted criminals?

First: my impression is that they are not referring to the sites you are talking about. I don't see anywhere in their message: "trusted web sites and security portals posting the original hoax have contacted mi2g". Are you making it up (lying)?

Second: are you working for all the sites mi2g is referring to, that you are so confident in excluding this possibility? Who gives you the right to judge something you don't know anything about? It appears to me that you've spent many (valuable?) hours of yours discrediting that company, as well as bothering us (at least me) with your statements. Either you know something we don't, or you'd better be silent. I can't tell if what mi2g says is true or not, I don't work there... do you? If I don't know something I tend not to speak publicly about it... at the very least I don't try to sell it as THE TRUTH!

> Because of this obvious advisory parody, the poor masses are going to
> have a hard time figuring out which advisories are legitimate? I think
> mi2g assumes every security professional and administrator is as big
> a retard as themselves.

Again, I do not agree with you. The whole point of their statement is not about "Wendy"!
Here it seems that YOU have some problems in comprehending the bottom line message (please note that I am not saying you are a retard):

--------------------
"If you can so easily post a clear hoax and nobody - or very few of them - bothers to check, who can stop you from publishing a "real" (note the quotes!) vulnerability disclosure, more realistic than "Wendy's", attacking your competitor A or a product B? What if you start publishing ten of them, and then hundreds? How will this massive pollution of security lists and sites change the user perception of a company A or product B? Will you buy a product from a company that has hundreds of so-called vulnerabilities? I bet you wouldn't, at least you'd think about it twice... It doesn't really matter if they are real or not, they are listed everywhere, so the perception of them makes them real. If you have the power to disseminate a big number of lists (as well as very important web sites like securityfocus.com, that mirror any list without questioning the authenticity of the postings) with false vulnerabilities, you can discredit and damage any company. Full stop."
--------------------

You got it? This is the message I understood from mi2g's reply and it makes perfect sense to me. Between you and me, it looks like you have already started this process against mi2g... Lies, false allegations, unreal vulnerabilities, all posted to public lists... You are working very hard... Is there at least someone paying you for this job?

> One out of three correct, good job mi2g!

Again, check the archives. I also found a posting on ISN that mi2g seems to have missed... Should I let them know?!? Hint: Don't look at the sites, you won't see it. Look in Google's cache...

> a defamatory statement meant to gain sympathy from your eight customers.

Eight? Is it just a guess or do you know more than anybody else?

> The post hit the Full-Disclosure list because it is the only list of
> the three that is UNMODERATED.
Yes, full-disclosure is unmoderated, but I am sure you are aware that it is mirrored like any other security list on all sorts of sites, so if you search on securityfocus.com (sorry guys if I named your site twice, but it is just an example) you will find these UNMODERATED postings. Now, if you read securityfocus.com and you trust them, you may end up "trusting" also what they publish (makes sense?). If you post to FD then you are quite sure that your defamation (sorry, vulnerability disclosure) will end up on many reputable web sites... good job!

I would suggest securityfocus.com (last time I name them, I promise) as well as other respectable security sites not to publish anything that is not moderated! By publishing them, they link their valuable name (the domain name) to the useless postings. I cannot imagine The New York Times or the Financial Times publishing, without any form of control, the postings of an unmoderated list!

> The material in the archives is clearly marked as coming from the original
> person, and they make no claims as to the accuracy of such information
> posted to the lists.

The original person?!?!? You mean your account not-mi2g@hushmail.com or, as I believe, also your account mi2g-research@hushmail.com? You are an anonymous poster, who cowardly posts articles against a company and its Executive Chairman, without publishing your name! You are the LAST person who can talk about the "original person"!

If you have a problem with mi2g, may I suggest you solve it directly with them instead of publishing your rubbish on security lists? You are abusing these lists for your own agenda and I think this is not fair to me nor to the other readers of the lists. Can you please stop posting your rants against mi2g? Can you try to add some value to your postings (as well as your name, of course)? Can you detach your mind from mi2g for a second and use a normal email address? (An email address that hasn't got mi2g in it, I mean.)

> Put up or shut up DK Matai.
> None of these sites are attempting to extort
> money from mi2g in return for "being silent" and withholding an obscure
> hoax advisory buried in the thousands of trash posts to the Full-Disclosure
> mail list. This is a blatant lie from Matai and mi2g, nothing more.

Please, do something more interesting than spending your time blaming and accusing other people. Get a life!

Robert Wayne


From isn at c4i.org Mon Jul 26 06:34:22 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 26 06:37:54 2004
Subject: [ISN] Big companies employing snoopers for staff email
Message-ID:

Forwarded from: Jason Coombs PivX Solutions
To: isn@c4i.org, isn@attrition.org
Cc: pattonme@yahoo.com

> I'm all for balancing business needs against network security but
> does this strike anyone else as just a little bit unbalanced?

Not at all. E-mail is business communication that may result in legal liability, binding contracts, and other significant business and legal risks - while data and information assets stored on hard drives are only at risk of theft.

Remember that the U.S. "Millennium Digital Commerce Act" (ESIGN) does not define a digital signature in terms of cryptography or anything even close to proof that a digital signature is authentic, yet establishes the full force and effect of any handwritten signature for things like a keypress on a phone - or an e-mail. See:

http://counsel.cua.edu/FEDLAW/ESIGN.htm

Compare this to the more technical cryptography-based Digital Signatures Act passed in Estonia:

http://www.legaltext.ee/text/en/X30081K3.htm

In the U.S. we tend to oppose all forms of key escrow, even for signature purposes where only a certificate would perhaps be escrowed, and we don't like the idea of creating a special legal status for a digital signature private key. Instead we create laws that encourage litigation. This may in fact be a superior system, from an infosec viewpoint, since it avoids the risks that would otherwise be present if control over private keys is lost.
Once a private key is used on anything other than a specialized digital signature device (that does not yet exist), rather than being used on a vulnerable software-based programmable personal computer, exclusive control over that key becomes an unknown.

Losing control of data *may* create legal liability in the U.S., whereas signing a contract through an e-mail message *does* create liability. Anyone can forge a CEO's digital signature to bind a company under contract, including the other party to the contract, and the only defense the company has in court is proof that there was no business communication or relationship between the parties to the contract - how do you show this to a judge unless you are logging everything and can show what it was that the CEO was actually doing when supposedly sending the forged e-mails? How do you prove that a mail server did *not* relay an e-mail as alleged by forged mail headers unless you have a forensic log with a tamper-proof audit record?

We must therefore monitor, log, and audit *everything* now that the protections we used to rely on (paper trail for important business documents, difficulty of intercepting a sample of the CEO's handwritten signature for forgeries, etc.) are irrelevant.

Sincerely,

Jason Coombs
Director of Forensic Services
PivX Solutions, Inc.
http://www.PivX.com/forensics/

-----Original Message-----
From: InfoSec News
Date: Fri, 23 Jul 2004 09:34:55
To: isn@attrition.org
Subject: Re: [ISN] Big companies employing snoopers for staff email

Forwarded from: matthew patton

--- InfoSec News wrote:

> http://management.silicon.com/government/0,39024677,39122384,00.htm
>
> By Jo Best
> July 19 2004
>
> Large companies are now so concerned about the contents of the
> electronic communications leaving their offices that they're
> employing staff to read employees' outgoing emails.
>
> According to research from Forrester Consulting, 44 per cent of
> large corporations in the US now pay someone to monitor and snoop on
> what's in the company's outgoing mail, with 48 per cent actually
> regularly auditing email content.

Yet information can readily leak through floppies, CD-ROMs, ftp, https, or the 'simple' act of outsourcing laptop and desktop support. If monitoring email were so critical to preventing information disclosure, where and how do we categorize tens-of-billion-dollar international companies in, say, financials or pharmaceuticals that don't protect against connection hopping, use telnet and X11 in the clear, build production and DMZ unix hosts with full development (compilers, you name it) distributions, send their laptops off to the likes of Dell with all corporate product, sales, and other proprietary data still on them and likewise grant these same 3rd parties significant network access to replicate message stores, add the laptop computer to the corporate Active Directory domain, load cryptographic identities and so forth?

I'm all for balancing business needs against network security but does this strike anyone else as just a little bit unbalanced?


From isn at c4i.org Wed Jul 28 03:48:34 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 28 03:57:51 2004
Subject: [ISN] Are P2P networks leaking military secrets?
Message-ID:

http://news.com.com/Are+P2P+networks+leaking+military+secrets%3F/2100-1038_3-5285918.html

By John Borland
Staff Writer, CNET News.com
July 27, 2004

A new Web log is posting what it purports are pictures, documents and letters from U.S. soldiers and military bases in Iraq and elsewhere--all of which the site's operator claims to have downloaded from peer-to-peer networks such as Gnutella.
The "See What You Share" site has been online for a week and has published photos ranging from a crashed military jet to a screenshot of a spreadsheet file that appears to include names, addresses and telephone numbers of marines.

The site's operator, a 30-year-old named Rick Wallace, wrote in a blog posting that he is trying to help the military understand how serious a security risk unmonitored peer-to-peer file sharing can be. CNET News.com could not independently verify the authenticity of the documents posted on the site.

"I want everyone to know that we can be our own worst enemies when we don't understand the full power of our technology," Wallace wrote in a posting explaining the site. "I want every military and government agency to see firsthand what is being shared with anyone who has a computer. Since a picture is worth a thousand words, I can save myself some talking."

Among the items appearing on the site were documents from a transportation unit at Fort Eustis in Virginia. A Fort Eustis spokesperson contacted could not immediately comment.

The issue of unmonitored file sharing has been a problem since the release of Gnutella, which allowed people to share the entire contents of their hard drives, rather than just MP3 files, as had been the case with Napster. Network watchers quickly noted that some people appeared to be sharing much more than they realized, including personal information and Web "cookie" files that sometimes included passwords for credit cards and e-commerce accounts.

Critics of file-sharing companies, including the Recording Industry Association of America, have often pointed to this accidental sharing of personal information as a rationale for tighter regulation of the networks.

Wallace told CNET News.com that he first downloaded a zipped file of classified documents a few months ago on Gnutella, with stamped security clearances ranging from "For Official Use Only" to "Secret/NO FORN."
(NOFORN typically stands for "not for release to foreign nationals" in military parlance.) The documents contained real-time information about operations in Iraq, "stuff that could kill people," he said.

In an interview from Germany, where he lives with his wife, a U.S. Army officer, Wallace said he had contacted local military intelligence about the issue. They forwarded the information to a higher level, but there was little further response until he contacted the office of Sen. Conrad Burns, who represents Wallace's home state of Montana, Wallace said.

Burns' office confirmed that the conversation had taken place. "We did send a letter to the secretary of the Army," Burns spokesman J.P. Donovan said. "We are monitoring this as it goes along."

Shortly after Wallace got in contact with Burns' office, the file of classified documents disappeared from Gnutella. But many other potentially sensitive files remain on the sharing network, ranging from confidential military documents to internal information on public safety authorities' procedures, Wallace said.

"If you're a terrorist, imagine the damage you could do with that," Wallace said. "I don't really care if people share their love letters online. The only things I care about are when people share information that could hurt people."

Wallace said he now calls agencies once before posting information on his blog but sees the site as a way to spotlight a problem that could cost lives in the future. He said he blacks out information that could be classified before posting a file.


From isn at c4i.org Wed Jul 28 03:48:48 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 28 03:57:53 2004
Subject: [ISN] DoubleClick downed by denial-of-service attack
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,94837,00.html

By Paul Roberts
JULY 27, 2004
IDG NEWS SERVICE

Internet advertising company DoubleClick Inc.
was shut down today by a denial-of-service attack launched from computers on the Internet, a company spokeswoman confirmed.

The massive DoS attack began at about 10:30 a.m. EDT in the U.S. and crippled the company's Web site and its advertising servers, which distribute Web advertisements to other Web sites on the Internet. Ripple effects from the attacks were felt across the Internet, as Web pages that display DoubleClick ads struggled to retrieve them from the company's servers, causing "severe disruption" for DoubleClick customers, according to a company statement.

Leading Web sites all experienced significant slowdowns during the period covered by the attack, including Web pages for the Washington Post Co., New York Times Co., Cnet Networks Inc., Nortel Networks Corp. and InfoWorld magazine, according to Keynote Systems Inc., a Web performance measurement company in San Mateo, Calif.

Keynote measurements for the period covered by the attacks show that the "base page" -- or basic HTML documents -- served by those Web sites loaded quickly, but that the "full page," which includes any content the Web page points to, suddenly began to load very slowly, said Lloyd Taylor, vice president of operations at Keynote.

DoubleClick's DNS servers were the target of the attack, which came from unidentified "outside sources" and lasted for approximately four hours, said Jennifer Blum, vice president of corporate communications at DoubleClick. DNS is the system of servers that matches up reader-friendly names such as DoubleClick.net with the numeric Internet Protocol addresses used by machines on the Internet to route traffic.

Keynote recorded a threefold slowdown in response time for Web pages beginning at about 7 a.m. EDT and ending at 1:30 p.m. EDT. The company doesn't know what caused the slowdowns, but the behavior of the pages is consistent with a DoS attack, Taylor said. The performance of DoubleClick's servers had returned to normal by late this afternoon, Taylor said.
Staff members are taking steps to "resolve the situation permanently," Blum said.


From isn at c4i.org Wed Jul 28 03:49:21 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 28 03:57:55 2004
Subject: [ISN] Linux Security Week - July 26th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  July 26, 2004                                Volume 5, Number 30n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "A consideration of what it means to be secure", "Network security at risk from user negligence, report says", "An eye opener on open source Internet security" and "E-commerce attack is imminent, warn security experts".

----

>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04

----

LINUX ADVISORY WATCH:

This week, advisories were released for MMDF, Mozilla, kernel, php4, webmin, samba, ethereal, l2tpd, mailman, httpd, libxml2, wv, php, Unreal, Opera, mod_ssl and freeswan. The distributors include SCO Group, Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, Slackware and Suse.

http://www.linuxsecurity.com/articles/forums_article-9542.html

----

Security Expert Dave Wreski Discusses Open Source Security

LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian Digital, Inc.
and respected author of various hardened security and Linux publications, to talk about how Guardian Digital is changing the face of IT security today. Guardian Digital is perhaps best known for their hardened Linux solution EnGarde Secure Linux, touted as the premier secure, open-source platform for its comprehensive array of general purpose services, such as web, FTP, email, DNS, IDS, routing, VPN, firewalling, and much more.

http://www.linuxsecurity.com/feature_stories/feature_story-170.html

---------------------------------------------------------------------

Catching up with Wietse Venema, creator of Postfix and TCP Wrapper

Duane Dunston speaks at length with Wietse Venema on his current research projects at the Thomas J. Watson Research Center, including his forensics efforts with The Coroner's Toolkit. Wietse Venema is best known for the software TCP Wrapper, which is still widely used today and is included with almost all unix systems. Wietse is also the author of the Postfix mail system and the co-author of the very cool suite of utilities called The Coroner's Toolkit or "TCT".

http://www.linuxsecurity.com/feature_stories/feature_story-169.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

-----------------------
Top Articles This Week:
-----------------------

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* A consideration of what it means to be secure
  July 23rd, 2004

  Only the paranoid survive, and that is no less true when securing Linux® systems as any other. Fortunately, a host of security features are built into the kernel, are packaged with one of the many Linux distributions, or are available separately as open source applications.
  http://www.linuxsecurity.com/articles/host_security_article-9540.html

* Network security at risk from user negligence, report says
  July 21st, 2004

  Evans Data Corporation's just-published Security Development Survey found that one in four developers believes that the biggest hurdle to computing security is end users who refuse to adhere to, or circumvent, policies. In the study, Evans found that "a quarter of developers found social engineering and lack of adherence to policies to be the biggest problem, while another 15 percent cite lack of qualified personnel."

  http://www.linuxsecurity.com/articles/host_security_article-9535.html

* Developers Blame Users For Security Problems
  July 21st, 2004

  Users are the weak link in security and Linux is inherently more secure than Windows, said developers polled by Evans Data in a survey released Tuesday. One in four developers think that the biggest hurdle to security is end users refusing to adhere to policies, a nice way to pass the buck for potentially-flawed code.

  http://www.linuxsecurity.com/articles/host_security_article-9533.html

* Cryptography and the Open Source Security Debate
  July 20th, 2004

  I've been reading Bruce Schneier's book on cryptography for the last couple of days, and one of the main concepts in the text struck me as interesting. One of the points of discussion when looking at the security of a given algorithm is its exposure to scrutiny.

  http://www.linuxsecurity.com/articles/cryptography_article-9531.html

+------------------------+
| Network Security News: |
+------------------------+

* An eye opener on open source Internet security
  July 26th, 2004

  Opening the eyes of the private and public sectors to the pros and cons of using open source software for Internet security is the SECRETS project, which evaluated two protocols in a series of trials covering e-commerce, mobile communications, network monitoring and intelligent networks.
http://www.linuxsecurity.com/articles/network_security_article-9546.html

* Best Practices For Securing Your WLAN
July 23rd, 2004

The steady growth of Wi-Fi in the enterprise demands that corporate IT teams learn and adopt new security methodologies tailored to the unique requirements and weaknesses of wireless networks. Network and security staff must first evaluate a potentially confusing set of authentication and encryption mechanisms to be used in the network.
http://www.linuxsecurity.com/articles/network_security_article-9541.html

* PHP Zaps Security Leaks
July 19th, 2004

The open-source PHP Group has released a fix for a pair of security holes that could be exploited to execute arbitrary code on remote PHP servers. The flaws affect PHP versions 4.3.7 and prior and version 5.0.0RC3 and prior. The final version of PHP 5.0, which was released earlier this week, is not affected.
http://www.linuxsecurity.com/articles/projects_article-9522.html

+------------------------+
| General Security News: |
+------------------------+

* E-commerce attack is imminent, warn security experts
July 26th, 2004

A surge in internet scanning activity in the past week could indicate a fresh wave of attacks on e-commerce servers, UK-based web services company Netcraft warned. The firm has detected a surge in scans of port 443, used by Secure Sockets Layer (SSL), a technology designed for securely transmitting financial data such as e-commerce transactions.
http://www.linuxsecurity.com/articles/general_article-9545.html

* Supporting development on demand: Open, cross-platform standards
July 22nd, 2004

In the coming days, we may reveal additional aspects of these claims that don't reflect the facts.
In any case, perhaps instead of creating yet more FUD (fear, uncertainty, and decepti-- er, doubt) with such comments, Microsoft would better serve the industry (and maybe even its own bottom line) by redirecting its energies on minimizing the fearsome -- and real -- vulnerabilities in its own products.
http://www.linuxsecurity.com/articles/vendors_products_article-9538.html

* E-mail security problems reported at Los Alamos National Lab
July 22nd, 2004

Security troubles continue at the Los Alamos National Laboratory, where officials have confirmed that workers recently sent out an undisclosed number of classified e-mails over a nonsecure e-mail system. The new disclosure comes less than two weeks after the New Mexico-based lab announced that two removable computer disks containing classified nuclear weapons data were missing.
http://www.linuxsecurity.com/articles/government_article-9537.html

* Guest Editorial: Thoughts on secure operating systems
July 21st, 2004

Remarks attributed to Gene Spafford and Cynthia Irvine by the EE Times and a marketing offensive by Green Hills against Linux don't provide an accurate picture of software security issues for operating systems and, in fact, add to the confusion.
http://www.linuxsecurity.com/articles/server_security_article-9534.html

* IRS admits security flaw
July 20th, 2004

Private contractors revamping IRS computers committed security violations that significantly increased the possibility that private taxpayer information might be disclosed, Treasury Department inspectors say.
http://www.linuxsecurity.com/articles/government_article-9528.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Wed Jul 28 03:50:16 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 28 03:57:56 2004
Subject: [ISN] Hackers and establishment to mingle at DEFCON
Message-ID:

Forwarded from: The Dark Tangent

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

And even here in the States Summer Con has been running longer (In name, but not in organization) than DEFCON.

At 04:53 AM 7/22/2004, you wrote:
>Forwarded from: Ralf Bendrath
>
> > http://www.theinquirer.net/?article=17274
>(...)
> > DEFCON 12, the oldest continuously running hacker convention,
>
>Wrong.
>
>The German "Chaos Computer Club" (established in 1981) has been
>holding its annual Chaos Communication Congresses for 20 years now.
>The next one is from December 27 to 29 in Berlin, and they are getting
>bigger and more international each year. For the last one, see
>
>
>Ralf
>
>
>
>_________________________________________
>Help InfoSec News with a donation: http://www.c4i.org/donation.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
-----END PGP SIGNATURE-----

From isn at c4i.org Wed Jul 28 03:52:03 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 28 03:57:57 2004
Subject: [ISN] Report: Private Sector Too Wary Of Sharing Security Information
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=QTGMSBKW1BCIYQSNDBGCKHQ?articleID=26100227

By Thomas Claburn
July 27, 2004

The Department of Homeland Security and private industry aren't doing enough to exchange information related to threats to critical infrastructure
such as IT and telecom networks, the banking system, or the food supply, a report issued Tuesday finds.

A Government Accountability Office report offers recommendations to the Department of Homeland Security to improve the protection of national critical infrastructures in 13 sectors. GAO, the research arm of Congress formerly known as the General Accounting Office, suggests developing a plan for information sharing that more clearly describes the responsibilities of DHS and of private-sector information-sharing centers, which were created to pool data on the threats and vulnerabilities most relevant to each critical industry. The report also calls for establishing policies and procedures for agency interaction and the coordination of information sharing.

"Sharing information between the federal government and the private sector on incidents, threats, and vulnerabilities continues to be a challenge," the report says.

The report notes that the private sector's approach of collecting data through information-sharing and analysis centers, or ISACs, isn't working because companies fear the data will become public. "Much of the reluctance by ISACs to share information has focused on concerns over potential government release of that information under the Freedom of Information Act, antitrust issues resulting from information sharing within an industry, and liability for the entity that discloses the information," the report says.

To address such problems, DHS is developing a road map tracing information-sharing relationships among the agencies involved, a set of goals for improving those relationships, and metrics for measuring improvements. No timetable has been announced, but the plan is expected later this summer.

The report comes at the request of Congress, which sought these recommendations following an April 21 GAO report, and GAO testimony on the status of private-sector ISACs and their efforts to help protect the nation's critical infrastructures.
Such problems aren't new. John Pescatore, VP and research fellow at Gartner Research, notes that shortly after DHS was formed in November 2002, he recommended that the agency take steps to improve information sharing, such as having secure E-mail for intraagency communication. Almost two years later, he says, it still doesn't have that.

Pescatore says that while the report gives DHS some good marks, it has mostly dealt with the easiest problems. "They've attacked some low-hanging fruit," he says. "We really have not seen them develop from separate organizations into a coordinated agency."

From isn at c4i.org Thu Jul 29 02:51:23 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 29 02:56:35 2004
Subject: [ISN] Secret of Cyber Defence Exercise 2004
Message-ID:

http://www.theinquirer.net/?article=17505

By Doug Mohney
28 July 2004

A WEEK before the 2004 Cyber Defense Exercise (CDX) kicked off in April, the National Security Agency abruptly asked the participating military service academies to close off the event to the public and the media for "operational concerns."

What did "operational concerns" mean? NSA's public affairs office failed to respond via e-mail. Of course, NSA had problems sending e-mail to my primary e-mail account in the first place, so I'm not sure if the response went into a top-secret black hole or I was just ignored.

Each academy ultimately made its own call, with Army's West Point and little-heralded United States Merchant Marine Academy (USMMA) choosing to keep their doors open. Perhaps unsurprisingly, USMMA and West Point placed one and two in the CDX contest.

The NSA's request was an about-face for an event that had been open and widely promoted by West Point over the last two years. Since the exercise was designed to be unclassified from the ground up, "Red Team" attackers from the NSA and the Air Force's 92nd Aggressor Squadron were only permitted to use publicly known security exploits and not any classified "Zero-Day" techniques.
CDX is designed to be a defense exercise, the most realistic scenario a military IT officer is going to face in the real world. Each participating team is tasked with setting up and operating a core set of services, keeping them operational in the face of Red Team attacks.

The underdog winners at USMMA set up and operated a combination of Windows 2000, XP, and Linux Mandrake machines to resist the best unclassified attacks the U.S. cyberwarfare establishment could dish out. After all, the Red Team - or people just like them - were the folks that wrought havoc on Saddam Hussein's networks, monitoring communications and pulling such tricks as sending e-mail to senior Iraq military commanders asking them to surrender. Maybe sanctions had kept Saddam's people from getting the latest Microsoft security patches, but nobody's saying.

USMMA's team used Windows 2000 Advanced Server with service pack 4 to run Active Directory, primary domain controller, e-mail (Exchange Server 2000 w/ SP3), mail relay, LRA (Local Registration Authority used to issue DoD public key encryption certificates), and web services with IIS 5.0. Workstations ran Windows 2000 Professional with SP1. A video conferencing station used Windows XP because the web camera being used was more stable under that OS. Finally, the heavy network lifting was done with Linux Mandrake 10.0, including the primary firewall and router, backup firewall, external DNS, and IDS. Needless to say, all the latest security patches were loaded and applied.

However, USMMA Midshipman Allen Hsiao admits they tweaked things a little within the rules of the guidelines. Workstations were locked down to the point where end-users could only run Outlook, Internet Explorer, and NotePad, with options further tightened down in each of the programs. End users could not save files to any storage medium except for a floppy disk or a USB drive.
"In a normal, real world network, end users normally require much more functionality from their workstation," said Hsiao.

From isn at c4i.org Thu Jul 29 02:51:37 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 29 02:56:36 2004
Subject: [ISN] It's official: mi2g has no sense of humor
Message-ID:

http://vmyths.com/rant.cfm?id=661&page=4

[Another must read article from Rob Rosenberger! - WK]

by Rob Rosenberger
07/25/04

CAN YOU TELL the difference between a parody and a hoax? One computer security firm can't.

Our longtime readers know about a firm called "mi2g" (correct spelling). Vmyths has exposed their many shenanigans dating back to 1999. Our website tops the list if you Google for "mi2g criticism" and we're #3 if you Google for "mi2g humor." mi2g has threatened to sue Vmyths for libel but has not yet made good on its threat.

An unknown person parodied an mi2g alert with the headline "Wendy's drive-up order system information disclosure." I'll call it "the mi2g parody" for short. It's a straightforward parody -- yet the folks at mi2g went ballistic over it. CEO & founder D.K. Matai (incorrect spelling) labeled it an outright hoax in a bizarre press release dated 20 July.

It's not a hoax. It's a parody. PAIR-OH-DEE. Merriam-Webster's online dictionary explains the difference:

parody: a literary or musical work in which the style of an author or work is closely imitated for comic effect or in ridicule

hoax: 1: an act intended to trick or dupe

The key to a hoax lies in the word "dupe." The hoaxster wants to trick you into believing the story he weaves. The key to a parody lies in the word "comic." The comedian wants you to laugh at an absurdity.

Just for the fun of it, I want you to read a story with the headline "Exxon perfects new method for turning seawater into fuel." Hoax or parody? Now read "Giant flashbulb to help Hubble telescope see even farther." Hoax or parody? Finally, read "Rumsfeld, Bush Sr. arrested for past ties to Saddam." Hoax or parody?
When I saw the mi2g parody, I immediately recognized it as such. Vmyths cohorts Lew Koch and George C. Smith recognized it as a parody, too. InfoSec News moderator William Knowles tagged it as a parody when he forwarded it to his mailing list. "Real mi2g, fake mi2g, whatever, it had me in stitches!" Pete Simpson (ClearSwift) exclaimed "that is the best belly laugh I've had in the last decade." Everybody got the humor -- except for the folks at mi2g.

"It is clear that there is no purpose to it other than to smear reputation and cause damage," they huffed in a supposed "news alert." mi2g went on to slam a number of security sites by name, claiming "they did not control the content which they published, even when it was blatantly evident that the posting they were purveying was an obvious obnoxious hoax."

A hoax? A hoax?!? Yeah, yeah, tell it to Exxon. Or tell it to Enron. Or tell it to ValuJet. Or heck, tell it to anyone I've parodied over the years.

[...]

From isn at c4i.org Thu Jul 29 02:51:50 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 29 02:56:38 2004
Subject: [ISN] Survey Says Linux Hacks Are Rare
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=IEMOBN5ZFAONYQSNDBCSKHQ?articleID=26100460

By TechWeb News
InformationWeek
July 28, 2004

Adding more fuel to the Linux vs. Windows fire, a research firm released a survey Wednesday that noted only 8% of Linux developers had ever seen a virus infect their systems.

Evans Data, a research firm that regularly polls developers, surveyed 500 Linux developers. An overwhelming majority--92%--claimed that their machines had never been infected by malicious code, and fewer than 7% said that they'd been the victims of three or more hacker intrusions. Only 22% of Linux developers said that their systems had ever been hacked.
A similar survey by Evans last spring found that nearly 60% of non-Linux developers admitted they'd been victimized by security breaches, and 32% had been hit three or more times.

Does that mean Linux is a more secure operating system? Nicholas Petreley, Evans Data's Linux analyst, certainly thinks so. "It's not surprising that Linux systems aren't hacked to the degree that Windows-based machines can be exploited," he said in a statement. "The reasons for the greater inherent security of the Linux OS are simple: More eyes on the code means that less slips by and the OS is naturally going to be better secured."

Another factoid from the July survey found that 76% of developers now believe that the SCO Group's ongoing lawsuits will "probably not" or "absolutely not" affect their company's adoption of the open-source operating system. That number is up 8% from when the question was last asked six months ago--a confirmation that SCO's sometimes-struggling legal battle isn't making much of an impression in the trenches.

From isn at c4i.org Thu Jul 29 02:52:03 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 29 02:56:39 2004
Subject: [ISN] GAO finds information security compliance is sporadic
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=29099&dcn=todaysnews

By David McGlinchey
dmcglinchey@govexec.com
July 28, 2004

Agency compliance with federal information security standards is irregular and the process that measures compliance is unreliable, the Government Accountability Office said in a report released Wednesday.

A GAO survey of 24 federal agencies found that 63 percent of information systems met security guidelines issued by the National Institute of Standards and Technology, including the minimum security controls mandated by the 2002 Federal Information Security Management Act. The GAO report determined, however, that compliance and accreditation varied greatly.
Seven of the 24 agencies said more than 90 percent of their systems were certified and accredited as secure, while six reported less than half of their systems were accredited as secure.

The survey was completed for House Government Reform Committee Chairman Tom Davis, R-Va., who has been critical of the government's information security. In March, Davis warned of a "cyber Pearl Harbor" if IT security measures were not improved.

The Housing and Urban Development and Agriculture departments reported that none of their systems are certified or accredited to meet the NIST guidelines. Officials at both agencies said concerns over the certification process caused them to report that their systems were not in compliance.

The top compliance levels were at the Social Security Administration and the Nuclear Regulatory Commission, which both registered 100 percent accreditation and certification. NASA reported 98 percent compliance and the National Science Foundation told GAO that 95 percent of its information systems met the guidelines. At the Defense Department, 77 percent of systems meet the guidelines, according to GAO.

The study was conducted between September 2003 and June 2004. The NIST compliance guidelines are an update to its previous security guidance. They are tailored to "reflect today's more distributed computing environment in which systems are constantly evolving and require real-time, ongoing monitoring," according to the report [GAO-04-376]. The guidelines do not apply to information systems that deal with intelligence issues, the management of military forces and other national security subjects.

Every agency surveyed reported that its process for certification and accreditation met the federal guidelines, but a closer GAO investigation of four agencies showed that the standards were not always satisfied.
From isn at c4i.org Thu Jul 29 02:52:17 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 29 02:56:40 2004
Subject: [ISN] The best-laid plans for protecting your data in a power failure
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,,94661,00.html

Advice by Douglas Schweitzer
JULY 22, 2004
COMPUTERWORLD

The old saw "hope for the best, but expect the worst" is easily applied to disaster planning. Case in point, on Aug. 14, 2003, at about 4:20 p.m. EST, the power went out across much of the Northeastern U.S., affecting an estimated 50 million people. Since the outage occurred on a weekday afternoon, businesses were in the midst of conducting their routine activities and transactions, with most using computers. For those of us using an uninterruptible power supply (UPS), an orderly shutdown of our computers was immediately set in motion, minimizing the chance of data loss or hardware failure resulting from the sudden loss of power.

The right UPS can save you money when the power goes out or when voltage spikes and dips occur. Even though the Northeast's hurricane season's official start was June 1, it's not too late to ensure that workstations and servers are protected from both power and subsequent data losses.

Use a UPS

We're all aware of the dangers posed to our computer systems by worms, Trojan horses and viruses. That's why most of us rely on some sort of firewall and/or antivirus software to protect our servers and workstations. Are we as knowledgeable about the menaces that can be inflicted by power disturbances? Those in the know can protect their workstations from electrical disturbances by installing a UPS. An efficient UPS will keep your computer up and running long enough after a power outage so that you can save data and shut down your computer properly. Most UPSs even feature sophisticated software that enables automated data backups and system shutdowns during power failures that happen when you're not present.
In addition to preventing data loss, a UPS prevents power anomalies (voltage spikes, power sags or surges, and electrical line noise) from reaching your system. In fact, a UPS will do the same for most any hardware device. The indispensability of a UPS is underscored when we take note that power disturbances are a leading cause of hardware damage, data corruption and loss, and system freezes.

You must determine your backup needs before choosing a UPS. When a sudden power outage and subsequent data loss would be more of an inconvenience than a major problem, then either standby or line-interactive UPSs are adequate. If your power supply suffers frequent fluctuations, then a line-interactive UPS (which runs constantly) is best suited to the task. The higher cost of these units is acceptable because they offer the highest degree of protection when any shutdown time is detrimental. Finally, remember that unlike its other lifetime components, the least reliable aspect of a UPS is the battery. Batteries will need to be replaced anywhere from every two to every five years. A major cause for the disparity in UPS prices arises from the size of their battery component. Clearly, the bigger the battery, the longer backup operating time the UPS will provide.

Safeguarding your data

While a well-designed UPS can safeguard workstations, servers and other hardware from power anomalies, the data stored on those machines represents the true value of your information assets. To protect your data, the U.S. Department of Agriculture offers the following guidelines for users to safeguard and protect data:

- Maintain physical possession of the equipment (laptops, cell phones and handheld devices), which will stop the wrong people from gaining access to the data.
- Have a password on the equipment to keep unauthorized personnel out.
- Have a backup of the data in case of accidental deletion.
- Have a password on screen savers.
- Also institute a time-out so that after a minimum of 15 minutes of inactivity, the screen saver will come on and lock the workstation with a password. Alternatively, lock the workstation by simultaneously pressing Ctrl-Alt-Delete and selecting "lock workstation" to secure the unattended workstation.
- Label diskettes and CD-ROMs with adequate information to identify them for later use.
- When the user has finished with the information, delete it from the diskette, CD-ROM or hard drive.
- When sensitive information is no longer needed, ensure that the diskette, tape or CD-ROM is destroyed.
- Protect keyboards and screens from view by the general public and others to safeguard password entries and data.
- Encrypt sensitive data on desktops, laptops and servers. One or more files can be stored in a WinZip file; thereafter, add a password to encrypt the .zip file.

From isn at c4i.org Thu Jul 29 02:53:03 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 29 02:56:42 2004
Subject: [ISN] Security UPDATE--Security Blog and Googling for Vulnerabilities--July 28, 2004
Message-ID:

====================

==== This Issue Sponsored By ====

Featured Download: Patch Management Software
http://list.winnetmag.com/cgi-bin3/DM/y/egrm0CJgSH0CBw0BJ8z0A1

Security Administrator
http://list.winnetmag.com/cgi-bin3/DM/y/egrm0CJgSH0CBw0BFMs0AC

====================

1. In Focus: Security Blog and Googling for Vulnerabilities

2. Security News and Features
- Recent Security Vulnerabilities
- Book Review: PDA Security: Incorporating Handhelds into the Enterprise

3. Security Matters Blog
- It Had to Happen Sooner or Later
- Stopping Malware That Travels Through SSL Connections
- XML-Based Security Information Feeds

4. Instant Poll

5. Security Toolkit
- FAQ

6. New and Improved
- Know Your Enemy

====================

==== Sponsor: Featured Download: Patch Management Software ====

As a busy IT professional, do you really have time to inventory, research, test, validate and report on each patch?
Let UpdateEXPERT Patch Management work for you. All the steps are automated and our scalable architecture works on large and small enterprises alike. Find out why UpdateEXPERT was named a TechTarget 2004 Product of the Year. Download a Free 15-day Live Trial Today!
http://list.winnetmag.com/cgi-bin3/DM/y/egrm0CJgSH0CBw0BJ8z0A1

====================

==== 1. In Focus: Security Blog and Googling for Vulnerabilities ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

First, I want to let you know that we've added a new section to our Web site and this newsletter. If you visit the Web site regularly and subscribe to our security-related Really Simple Syndication (RSS) feed, then you know we recently launched a new blog: Security Matters. Each week in this newsletter, you'll find a summary of the most recent blog postings. You can visit the Security Matters blog to add your comments to a given posting. If you have a tip, tidbit of information, resource, commentary, or other content that you think might be of interest to others, then certainly send me an email (mark at ntsecurity / net) with that content and I'll consider posting it to the blog.

Last week, I mentioned the Information Security Writers Web site, which publishes security papers written by many authors. In the past week, the site has published a few new papers, one of which is "Demystifying Google Hacks," by Debasis Mohanty.
http://www.infosecwriters.com/texts.php?op=display&id=191

The paper outlines several ways in which someone can use a particular search syntax in Google to query for sites that might have known vulnerabilities. For example, Google supports query syntax that includes the commands intitle:, inurl:, allinurl:, filetype:, intext:, and more. Google isn't the only search engine that provides the use of this sort of query syntax. MSN Search, AlltheWeb, Yahoo!, and others support a similar syntax to varying degrees.
If intruders are using search engines, you should try the same techniques to check your own Web sites for vulnerabilities. Repeating the searches when new Web-related vulnerabilities are published might also be wise. Think of it as another method for scanning your systems. You can also build false URLs into a honeypot that supports Web services, then add the honeypot URLs to various search engines.

A drawback of using search engines to search for vulnerabilities on your Web sites is that typing or pasting in query after query can become tedious work. One obvious solution is to use scripts to store queries and automate the actual querying and result gathering process. Foundstone released a free tool in May that automates the process of using Google to scan for vulnerabilities in a given site. I've used SiteDigger a few times, and it works really well.
http://www.foundstone.com/resources/proddesc/sitedigger.htm

SiteDigger has a list of more than 100 predefined queries (vulnerability signatures) in which you simply enter a Web site address and click a button to start the Google query process. After the query is complete, you can easily export a report to HTML format. The signatures are stored in XML format, so you can add more or customize the current rules if you need to. If you do, be aware that the tool also has an update feature that lets you download new queries from the Foundstone Web site when they're available. I'm not sure whether the update process totally overwrites the signature file or not; you might want to save a copy of your custom signatures in case it does.

Our Instant Poll this week asks, "Do you use search engines to look for vulnerabilities in the Web sites you manage?" Visit http://www.winnetmag.com/windowssecurity and give us your answer.

====================

==== Sponsor: Security Administrator ====

Try a Sample Issue of Security Administrator!
Security Administrator is the monthly newsletter from Windows & .NET Magazine that shows you how to protect your network from external intruders and control access for internal users. Sign up now to get a 1-month trial issue--you'll feel more secure just knowing you did. Click here!
http://list.winnetmag.com/cgi-bin3/DM/y/egrm0CJgSH0CBw0BFMs0AC

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.winnetmag.com/departments/departmentid/752/752.html

Book Review: PDA Security: Incorporating Handhelds into the Enterprise
According to information published on the companion Web site to the book "PDA Security: Incorporating Handhelds into the Enterprise," "PDAs have moved into the workplace. More than 25 million of them will soon be accessing company networks." Such a proliferation of PDAs represents another challenge for systems administrators who are already struggling to ensure that their company's information isn't violated in any way or by any means. Reviewer Tony Stevenson says the book will be useful to administrators tasked with developing a practical "handheld computing" strategy for their company or organization. Most important, the book provides the framework for assessing, and then addressing, the risks that PDAs present. Read the entire book review on our Web site.
http://www.windowsitlibrary.com/bookreviews/bookreview.cfm?bookreviewid=80

====================

==== Announcements ====
(from Windows & .NET Magazine and its partners)

Get Your Free Small Business Servers Toolkit--Includes an eBook Plus 3 Web Seminars!
Don't miss your opportunity to evaluate your server options and discover which Windows version is right for your needs to lower licensing and operating costs.
You'll learn how to create a centralized server environment and develop an IT infrastructure plan to get the most out of your systems while minimizing the costs involved. Get your Small Business Servers Toolkit now!
http://list.winnetmag.com/cgi-bin3/DM/y/egrm0CJgSH0CBw0BJ6s0Ar

Do You Find Monitoring Windows Servers a Daunting Task?

In this free eBook, we'll examine four main types of monitoring crucial to any network: performance, capacity, availability, and security. For each area, you'll find out the most important events and conditions to monitor to maximize performance, manage capacity, ensure availability, and stay on top of security. Download this free eBook today!
http://list.winnetmag.com/cgi-bin3/DM/y/egrm0CJgSH0CBw0BJ6t0As

====================

==== Hot Release ====

SSL123 - New from thawte

The full 128-bit capable digital certificate issued within minutes for US$159.00. Free reissues and experienced 24/5 multi-lingual support included for the life of the certificate. Click here to read more:
http://list.winnetmag.com/cgi-bin3/DM/y/egrm0CJgSH0CBw0BJ810An

====================

==== 3. Security Matters Blog ====
by Mark Joseph Edwards, http://www.winnetmag.com/securitymatters

Check out these recent entries in the Security Matters blog:

It Had to Happen Sooner or Later
- It was inevitable that somebody somewhere would produce a virus that affects Windows CE devices, and it happened this week.

Stopping Malware That Travels Through SSL Connections
- Inspecting Secure Sockets Layer (SSL) traffic isn't possible through standard methods. However, it is possible with a third-party solution.

XML-Based Security Information Feeds
- Really Simple Syndication (RSS) feeds are a great way to quickly gather security-related information, including information about all the latest vulnerabilities.

==== 4. Instant Poll ====

Results of Previous Poll

The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "Do you now use or do you plan to use 802.11i on your wireless LANs?" Here are the results from the 47 votes.
- 13% Yes, we use 802.11i now
- 4% Yes, we plan to use 802.11i in the next 3 months
- 9% Yes, we plan to use 802.11i in the next 6 months
- 17% Yes, we plan to use 802.11i in the next year
- 57% No, we don't plan to use 802.11i

New Instant Poll

The next Instant Poll question is, "Do you use search engines to look for vulnerabilities in the Web sites you manage?" Go to the Security Web page and submit your vote for
- Yes, I do so regularly
- Yes, but only when I become aware of new Web vulnerabilities
- No, but I plan to start
- No, and I don't plan to start
http://www.winnetmag.com/windowssecurity

==== 5. Security Toolkit ====

FAQ: Q. What Are the Relative Identifiers (RIDs) of a Domain's Built-in Accounts?
by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. Every object in a domain has a SID, which consists of the domain's SID and a RID. For built-in objects, such as built-in accounts, RIDs are hard-coded. A table at the URL below lists the built-in objects, their RID, and their object type. The fact that RIDs are hard-coded explains why merely renaming, say, the Domain Administrator object doesn't often thwart an intruder, who can simply locate the account by using the RID 500. However, you can create a honeypot by renaming the real Domain Administrator account and creating a new account called Domain Administrator that has no permissions. You can use the bogus Domain Administrator account to fool hackers into attacking it, then log the attacks and delay any real damage to the bona fide Domain Administrator account.
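As an added illustration of the FAQ's two points (the RID is the last sub-authority of a SID, and RID 500 identifies the built-in administrator no matter what it is called), here is a small Python audit that parses textual SIDs and checks whether the renamed-admin-plus-decoy arrangement the FAQ describes is actually in place. This is example code written for this page, not John Savill's or Microsoft's; the account list is constructed, and the well-known RIDs other than 500 (501 Guest, 502 krbtgt, 512/513/519 domain groups) are standard Windows values added for context. The FAQ's own table of built-in RIDs is linked below.

```python
import re
from dataclasses import dataclass

# Well-known RIDs of domain built-in objects. 500 is the value the FAQ
# cites; the remaining entries are standard Windows values added here so the
# audit is useful beyond the single Administrator case.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# Textual SID: "S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]"
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


@dataclass(frozen=True)
class ParsedSid:
    domain_sid: str   # everything up to, but not including, the last sub-authority
    rid: int          # the last sub-authority, the relative identifier


def parse_sid(sid: str) -> ParsedSid:
    """Split a SID such as S-1-5-21-a-b-c-500 into (domain SID, RID)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a valid textual SID: {sid!r}")
    head, _, rid = sid.rpartition("-")
    return ParsedSid(domain_sid=head, rid=int(rid))


def well_known_accounts(accounts):
    """Map each well-known RID found in (name, sid) pairs to the account name
    that currently holds it. Renaming does not change the RID, so this is the
    reliable way to find the real built-in accounts."""
    return {
        parse_sid(sid).rid: name
        for name, sid in accounts
        if parse_sid(sid).rid in WELL_KNOWN_RIDS
    }


def find_real_admin(accounts):
    """Return the name of the account holding RID 500, or None if absent."""
    return well_known_accounts(accounts).get(500)


def honeypot_in_place(accounts):
    """True when the FAQ's arrangement holds: the RID-500 account no longer
    carries the default name, and a decoy named "Administrator" exists with
    some other RID. The decoy's lack of permissions must be checked separately
    (this example only sees names and SIDs)."""
    real_admin = find_real_admin(accounts)
    if real_admin is None or real_admin.lower() == "administrator":
        return False
    return any(
        name.lower() == "administrator" and parse_sid(sid).rid != 500
        for name, sid in accounts
    )


# Constructed sample export (name, SID) for a fictional domain; the domain
# SID and account names are made up for this example.
SAMPLE_ACCOUNTS = [
    ("Administrator",  "S-1-5-21-1004336348-1177238915-682003330-1105"),  # decoy, ordinary RID
    ("svc-backup-ops", "S-1-5-21-1004336348-1177238915-682003330-500"),   # real admin, renamed
    ("Guest",          "S-1-5-21-1004336348-1177238915-682003330-501"),
    ("krbtgt",         "S-1-5-21-1004336348-1177238915-682003330-502"),
    ("jdoe",           "S-1-5-21-1004336348-1177238915-682003330-1106"),
]

if __name__ == "__main__":
    for rid, name in sorted(well_known_accounts(SAMPLE_ACCOUNTS).items()):
        print(f"RID {rid:>4} ({WELL_KNOWN_RIDS[rid]}) is held by {name!r}")
    print("honeypot arrangement in place:", honeypot_in_place(SAMPLE_ACCOUNTS))
```

In practice the (name, SID) pairs would come from a directory export (for example, the Name and SID columns of a Get-ADUser listing); feeding that export through find_real_admin is a quick way to confirm that the account an intruder would locate by RID is the one you intended, and honeypot_in_place fails loudly if someone later renames the real account back to "Administrator".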
http://www.winnetmag.com/articles/misc/table071904.htm

====================

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

We're Bringing the Experts Directly to You with 2 New IT Pro Workshop Series on Security and Exchange

Don't miss 2 intense workshops designed to give you simple and free tools to better secure your networks and Exchange servers. Discover how to prevent intruders from attacking your network and how to perform a security checkup on your Exchange deployment. Get a free 12-month subscription to Windows & .NET Magazine and enter to win an Xbox! Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/egrm0CJgSH0CBw0BJ6u0At

====================

==== 6. New and Improved ====
by Jason Bovberg, products@winnetmag.com

Know Your Enemy

O'Reilly Media released "Security Warrior" by Cyrus Peikari and Anton Chuvakin. Based on the principle that the best way to defend your systems is to understand your attacker in depth, "Security Warrior" covers everything from reverse engineering to SQL attacks and includes such topics as social engineering, antiforensics, and advanced attacks against UNIX and Windows systems. The book discusses a combination of formal science and real-life information-security experiences, multiple platforms, and attacks and defenses. The book costs $44.95. For more information, contact O'Reilly at 707-827-7000 or 800-998-9938 or on the Web.
http://www.oreilly.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com.
====================

==== Sponsored Links ====

Argent
Comparison Paper: The Argent Guardian Easily Beats Out MOM
http://list.winnetmag.com/cgi-bin3/DM/y/egrm0CJgSH0CBw0BDWV0Ap

CrossTec
Free Download--New - Launch NetOp Remote Control from a USB Drive
http://list.winnetmag.com/cgi-bin3/DM/y/egrm0CJgSH0CBw0BJyw0A3

====================

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@winnetmag.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Contact Us ====

About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

====================

==== Contact Our Sponsors ====

Primary Sponsor: St. Bernard Software -- http://www.stbernard.com
Hot Release Sponsor: thawte -- http://www.thawte.com -- 1-650-426-7400

====================

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you!

View the Windows & .NET Magazine privacy policy at
http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All rights reserved.