From isn at c4i.org Tue Jun 1 04:28:23 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 1 07:01:25 2004
Subject: [ISN] Missing: A Laptop of DEA Informants
Message-ID:

http://www.msnbc.msn.com/id/5092991/site/newsweek/

[Lost or stolen, I can never figure out how this happens so often, I'm so protective of my laptop, and while it's a $600 refurbished Thinkpad, the information on board is worth 100's of times more. You'd have to turn me into a bloody pulp before I'd give mine up. - WK]

Michael Isikoff
Newsweek
June 7 2004 issue

Federal investigators are frantically trying to determine what happened to a missing laptop computer that contains sensitive data on as many as 100 Drug Enforcement Administration investigations around the country, including a wealth of information about many of the agency's confidential informants, NEWSWEEK has learned.

The computer was first reported stolen three weeks ago by an auditor for the Justice Department's Office of Inspector General, which was conducting a routine review of DEA payments to informants. The auditor told police the laptop had been stolen from the trunk of his car while he was at a bookstore coffee shop in suburban Washington.

But when investigators confronted the auditor last week and questioned his account, the auditor changed his story, saying he had accidentally damaged the computer - then destroyed it and threw it away in a Dumpster to avoid embarrassment. Investigators are seeking to verify his new account.

Either way, DEA agents are "livid," said one senior law-enforcement official who noted that, although the computer didn't contain informants' names, it included more than 4,000 pages of case-file data, including enough details about the informants' work that it could allow drug traffickers to figure out who they are. "This is a sin in our business," the official said.
The incident is a particular embarrassment for Inspector General Glenn Fine's office, which has taken on an expanded watchdog role under Attorney General John Ashcroft. Only two years ago, the IG issued a blistering report criticizing Justice agencies, including the DEA and the FBI, for failure to maintain adequate controls on sensitive items - including their laptop computers.

From isn at c4i.org Tue Jun 1 04:28:47 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 1 07:01:26 2004
Subject: [ISN] Linux Security Week - May 31st 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  May 31st, 2004                               Volume 5, Number 22n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Minimizing Privileges," "Security in an ERP World," "Key Considerations for Outsourcing Security," and "CIOs Gear Up for Changing Security Climate."

----
>> Secure Online Data Transfer with SSL <<

Get Thawte's new introductory guide to SSL security which covers the basics of how it operates. A discussion of the various applications of SSL certificates and their appropriate deployment is also included along with details of how to test SSL on your web server.

Download a guide to learn more:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten06
----

LINUX ADVISORY WATCH:

This week, advisories were released for libneon, mailman, kde, xpcd, kdepim, httpd, SquirrelMail, cvs, neon, subversion, cadaver, metamail, firebird, opera, mysql, mc, apache, heimdal, kernel, utempter, and LHA.
The distributors include Conectiva, Debian, Fedora, FreeBSD, Gentoo, Mandrake, OpenBSD, Red Hat, Slackware, SuSE, and TurboLinux.

http://www.linuxsecurity.com/articles/forums_article-9355.html

----

Linux and National Security

As the open source industry grows and becomes more widely accepted, the use of Linux as a secure operating system is becoming a prominent choice among corporations, educational institutions and government sectors. With national security concerns at an all time high, the question remains: Is Linux secure enough to successfully operate the government and military's most critical IT applications?

http://www.linuxsecurity.com/feature_stories/feature_story-165.html

----
>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04
--------------------------------------------------------------------

Guardian Digital Security Solutions Win Out At Real World Linux

Enterprise Email and Small Business Solutions Impress at Linux Exposition. Internet and network security was a consistent theme and Guardian Digital was on hand with innovative solutions to the most common security issues. Attending to the growing concern for cost-effective security, Guardian Digital's enterprise and small business applications were stand-out successes.

http://www.linuxsecurity.com/feature_stories/feature_story-164.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Secure programmer: Minimizing privileges
May 26th, 2004

Secure programs must minimize privileges so that any bugs are less likely to become security vulnerabilities. This article discusses how to minimize privileges by minimizing the privileged modules, the privileges granted, and the time the privileges are active.

http://www.linuxsecurity.com/articles/documentation_article-9348.html

* Secure coding attracts interest, investment
May 26th, 2004

A new product from computer security firm @stake will help developers search computer code for errors, security holes and other flaws that malicious hackers can use to break applications -- and break into computers.

http://www.linuxsecurity.com/articles/host_security_article-9345.html

* Security in an ERP World
May 25th, 2004

Every good hacker story ends with the line: "and then he's got root access to your network and can do whatever he wants." But the story really doesn't end there. This is just the beginning of the real damage that the hacker can inflict.

http://www.linuxsecurity.com/articles/network_security_article-9341.html

+------------------------+
| Network Security News: |
+------------------------+

* Snort up for revamp, says creator
May 24th, 2004

The creator of Snort, the open-source network-based Intrusion Detection System (IDS), says the software is up for an overhaul. IDS has failed to impress the market, Martin Roesch told delegates at the AusCERT computer security conference in Queensland.
http://www.linuxsecurity.com/articles/intrusion_detection_article-9336.html

+------------------------+
| General Security News: |
+------------------------+

* Key Considerations for Outsourcing Security
May 27th, 2004

As last summer's virus attacks vividly demonstrated, companies of every size are finding themselves hard pressed to maintain around-the-clock network security.

http://www.linuxsecurity.com/articles/vendors_products_article-9351.html

* CIOs Gear Up for Changing Security Climate
May 27th, 2004

"Security and business continuity have been pushed to the top of my list post-9/11," says Lockheed Martin CIO Joseph R. Cleveland. "We've always been focused on information security, but now we've had to think differently about the combination of information and physical security."

http://www.linuxsecurity.com/articles/general_article-9350.html

* Auditors warn of foreign risks to weapons software
May 27th, 2004

The Defense Department's control of the source of weapons software came under fire today in a report issued by the General Accounting Office, which said overseas production of software creates an unacceptable security environment.

http://www.linuxsecurity.com/articles/government_article-9352.html

* EU seeks quantum cryptography response to Echelon
May 26th, 2004

The European Union plans to invest $13 million during the next four years to develop a secure communication system based on quantum cryptography, using physical laws governing the universe on the smallest scale to create and distribute unbreakable encryption keys, project coordinators said today.

http://www.linuxsecurity.com/articles/cryptography_article-9346.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Jun 1 04:29:20 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 1 07:01:27 2004
Subject: [ISN] Department of Defense Releases FY04 Report to Congress on PRC Military Power
Message-ID:

Some interesting notes on Chinese information operations, and computer network attack.

---------- Forwarded message ----------
Date: Sat, 29 May 2004 22:43:12 -0400
From: DoD Advisories
Reply-To: dodadvisories-l-request@DTIC.MIL
To: DODADVISORIES-L@DTIC.MIL
Subject: Department of Defense Releases FY04 Report to Congress on PRC Military Power

PRESS ADVISORY from the United States Department of Defense

No. 029-04 PRESS ADVISORY
May 29, 2004

Saturday, May 29, 2004

The Department of Defense has released its annual report to congress on military power in the People's Republic of China. The report addresses the current and probable future course of military-technological developments of the People's Liberation Army, the tenets and probable development of Chinese grand strategy, security strategy, and military strategy.

Electronic copies of the report are available in .PDF format at:
http://www.defenselink.mil/pubs/d20040528PRC.pdf

[Web Version: http://www.defenselink.mil/advisories/2004/pa20040529-0422.html]

-- Press Advisories: http://www.defenselink.mil/advisories/
-- DoD News: http://www.defenselink.mil/news/dodnews.html
-- Subscribe/Unsubscribe: http://www.defenselink.mil/news/dodnews.html#e-mail
-- Today in DoD: http://www.defenselink.mil/today/

From isn at c4i.org Tue Jun 1 04:29:56 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 1 07:01:28 2004
Subject: [ISN] North Korea operating computer-hacking unit
Message-ID:

Forwarded from: Rob Rosenberger

Ah, yes. North Korea's elite cyber-terror squad. As a matter of fact, you can download a satellite photo of the facility where North Korea does almost all of its military hacking...
http://Vmyths.com/mm/ads/vmyths/korea.jpg

Rob

From isn at c4i.org Tue Jun 1 04:35:47 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 1 07:01:29 2004
Subject: On the Other hand: Re: [ISN] Auditors warn of foreign risks to weapons software
Message-ID:

Forwarded from: matthew patton

Hmm, so what did the NSA do all that time they were evaluating Linux? They obviously didn't catch a bunch of buffer overflows etc. Do they catch much of anything in the rest of the operating systems they look at?

Thing is commercial software that is also used in DoD is developed by overseas coders too. Heck, we have foreign nationals writing code while living here in the US of A. So where does it stop? Is DoD software only to be written by uniformed personnel who have undergone an exhaustive background check, have no foreign contacts and so forth? I'd hate to see the quality (or even quantity) of software that was put into such constraints.

From isn at c4i.org Tue Jun 1 06:46:57 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 1 07:01:30 2004
Subject: [ISN] Six ways to justify security training
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,,93419,00.html

Advice by Peter H. Gregory
MAY 27, 2004
COMPUTERWORLD

A few days ago, a reader asked if I could help him justify the cost of security training that he and his fellow Unix system administrators felt they needed. I gave the reader a variety of ideas, one of which is sure to resonate with his manager. When making your pitch, you might want to try these reasons:

1. Avoidance of a costly security incident. The knowledge and skills gained in security training will help system administrators do a better job of securing systems. For instance, host hardening may help to prevent a break-in. Improving password quality may fend off a dictionary attack. Security incidents are expensive, disruptive and could cause long-term pain for people's careers.
Incidents interrupt and take the momentum out of projects and turn department priorities upside down.

2. Avoidance of disruptive downtime. Often, when the knowledge gained in security training is applied to host hardening, those systems have added resiliency. This will make them more resistant to attacks, improving availability. No one likes downtime, especially unscheduled downtime for security reasons. Unscheduled downtime hurts those end-of-month metrics and other performance indicators.

3. Improved availability. Learning security skills sharpens a system administrator's overall skills: To secure a system, one must be intimately familiar with a system. Administrators trained in security will be more familiar with all of the systems' switches and knobs and will be less likely to make mistakes. Mistakes decrease availability and reliability.

4. Improved consistency. Meticulous system administrators will want to secure not just one system, but all of the systems in their sphere of influence. This will tend to make the configuration of many systems more consistent. Consistency is a good thing in busy environments where several people are managing a large population of systems. The more consistent the systems are, the less likely things are going to go wrong.

5. Improved failure analysis. Administrators who have received security training will know more about how their systems work. Consequently they'll do a better job of root-cause analysis the next time something goes wrong.

6. Improved audit results. Many companies' IT shops are under more scrutiny than ever. Increased regulation, stricter requirements from customers or suppliers, or the need to reduce the probability of security incidents are driving home the need to improve the security of systems, processes and people. More companies than ever are facing audits.
In many cases, the high-level results of those audits are publicly available (in particular, audits performed on government systems and publicly held companies). Many companies are having security companies perform security assessments on their systems, networks and operations, in order to discover opportunities for improvement. In the face of this, management often opens the training spigot a little to help improve the results of upcoming assessments.

Increased marketability

The more training you can put on your resume, the more marketable you will become. As a longtime IT manager, I have always encouraged my staff members to improve their skills through training and certifications. I have long held to what was first a counterintuitive fact: The more marketable your staff members are, the more likely they are to stay. There are two reasons for this. First, technologists love to learn new skills and technologies. If I provide both, they're more likely to stay put and ride the learning train for as long as possible. Second, if I'm providing my staff with learning and training opportunities, they'll feel more secure in their jobs and be less likely to develop anxiety that can lead to a job change.

From isn at c4i.org Tue Jun 1 06:47:08 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 1 07:01:31 2004
Subject: [ISN] FDIC info security lacking, GAO finds
Message-ID:

http://www.fcw.com/fcw/articles/2004/0524/web-fdic-05-28-04.asp

By Sarita Chourey
May 28, 2004

Weaknesses in the Federal Deposit Insurance Corp.'s information systems place sensitive information at risk of unauthorized disclosure, disruption of operations or loss of assets, according to the General Accounting Office.

Congressional auditors found that the corporation had resolved almost all the computer security weaknesses from 2001 and 2002. But the 2003 audit found new vulnerabilities in its information systems.
FDIC must establish controls and ensure information security receives enough attention, auditors said.

GAO recommended that the agency's chief information officer correct a number of information security weaknesses and improve the ability of its computer security management program to test and evaluate security measures.

Officials from FDIC agreed with the recommendations and plan to follow them, according to the GAO report.

From isn at c4i.org Tue Jun 1 06:50:39 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 1 07:01:32 2004
Subject: [ISN] North Korea operating computer-hacking unit
Message-ID:

Forwarded from: Robert G. Ferrell

At 07:48 AM 5/28/2004 -0500, InfoSec News wrote:

> Their tasks are to get into the computer networks run by South
> Korean government agencies and research institutes, and retrieve
> classified information from them.

Big deal. It's not as though every script kiddie on the planet hasn't been doing this for years. South Korean systems have traditionally been about as well protected as British grain fields. ;-)

RGF

Robert G. Ferrell
rgferrell@direcway.com
Pluralitas non est ponenda sine necessitate

From eric at swordsoft.com Tue Jun 1 15:43:53 2004
From: eric at swordsoft.com (Eric Knight)
Date: Wed Jun 2 05:23:16 2004
Subject: [ISN] Visual Enterprise Security/Fatum Agent 2.0.10 Beta Test Announcement
Message-ID: <003601c44810$c61b6fe0$6600a8c0@datendrao2d5z7>

Greetings,

This is an open call for beta testers and interested parties to take a look at the Visual Enterprise Security Server and Fatum Agent technology that I (SwordSoft, me.) have been developing. It's a Microsoft Windows based Agent/Server security and management architecture that is meant to be an experimental design for integration of security tools based on the design strategies presented in the "Treatise on Informational Warfare" (As it stands, 75% of the framework has been implemented.)
The information about the product(s) can be found at:

http://www.swordsoft.com/modules.php?name=VES (Visual Enterprise Security)
http://www.swordsoft.com/modules.php?name=Fatum (Fatum Agent)

You can download it now without a bunch of registration forms and whatnot immediately from:

http://www.swordsoft.com/modules.php?name=Downloads

To stem off "I'm doing this for the advertising" complaints, the product may be planned for commercial use, and there are people working gratis to help build SwordSoft, but the VES/Fatum products are going to be free for up to 10 computers even after it goes final. I do want this product to be used by the majority, it's aimed at the small environments and tries to move as far away from the "expensive band-aid" as possible. Aside from that, VES currently isn't "for sale" by SwordSoft and in fact, nothing on the web site is.

The program was written in a very small computing environment, so it's a big mystery to us if it can even scale past 10 computers - we're predicting 20, although in theory a PC with a gig of RAM could handle 250.. Anyway, the point being it's concept technology brought to a level where it needs to get out of the lab.

I've written almost 400,000 lines of code into this, made over 1,000 icons, the distribution size is about 20 megabytes for the server, 10 megabytes for the Agent. With some help from some supporters providing distribution bandwidth, we're giving "grassroots" a try to at least figure out what the people in the industry think of this "concept-ware".

I did my best to keep the project as professional as possible given its scale, lack of resources, and such. I was following my dream for an "all encompassing" type of integrated security environment that at least makes a genuine attempt to be friendly and easy to use.

The reality behind a program like this is that it's a series of growth steps, building framework, building tools to test it, building components, platform tests, etc.
My choices for tools at this time were based on framework integration, not industry need, but you'll get the idea what the whole system is capable of if you play around. I've been focusing more on industry demands lately.

Anyway, enjoy. I hope you'll find it useful. I'll continue to support the development of the products; I've got no end to the number of improvements I want to make.

The Beta keys don't have time expiration. They'll be fully functional for when the product is in "final" release.

And otherwise, I look forward to hearing about what people think of this effort.

Thank you,

Eric Knight
Security Researcher, Overworked, Dazed.
eric@swordsoft.com

From isn at c4i.org Wed Jun 2 04:43:46 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 2 05:23:17 2004
Subject: [ISN] OSVDB Post Go-Live Update, 3000 Stable Entries
Message-ID:

Forwarded from: jkouns@opensecurityfoundation.org

06/01/2004

Post Go-Live Update
3000 Stable Entries

We have had an overwhelmingly positive response since the go-live of the Open Source Vulnerability Database project, and would like to thank everyone that has supported OSVDB. In the two months, we've gotten many new volunteers and have over fifty active data manglers. Thanks to their dedication and hard work, we have made great progress updating the database content, and have 3000 vulnerabilities in the "stable" status.

As well as the database content, we have achieved a project milestone to help support the growth and adoption of OSVDB. In addition to the RSS feed (http://www.osvdb.org/backend/rss.php) of daily "stable" vulnerabilities, the entire database is now available in XML format. Custom scripts are available to load the data into PostgreSQL, MySQL and Microsoft Access databases. Any feedback on the XML format or scripts is greatly appreciated.

Also on the new feature list is the OSVDB XML-RPC server. This had been requested by numerous security tools to help the active integration with and usage of OSVDB.
We have developed our own library of procedure calls to be used as a means of retrieving data via XML-RPC. This library may be utilized to search and display data contained in the OSVDB database. More information can be found at: http://www.osvdb.org/xmlrpc-server-client-documentation.php.

We want to send special thanks to Brandon for all of his hard work and making this big step for OSVDB possible!

Since the OSVDB go-live, the development team has been inundated with requests for bug fixes, enhancements and major functionality changes. They previously posted a request for new developers, and are still seeking additional help. If interested, please email Forrest (fbr at 14x.net).

We have had many people contact us and offer support for the project. We are currently determining our long-term hosting strategy, and appreciate the many offers of mirror space. When we have a clear strategy defined, we will be reviewing and evaluating all of the offers.

Most notable of the support offers, we'd like to thank Churchill & Harriman (http://www.chus.com/), who became our first financial sponsor. We appreciate their support to help ensure the long-term success of OSVDB, and hope others will follow their lead.

OSVDB continues to aggressively update the content of the database, as well as strive to complete the objectives we have previously outlined. We will also continue to update the community as major accomplishments are achieved. As always, please feel free to contact us with ideas, questions or feedback.

From isn at c4i.org Wed Jun 2 04:44:05 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 2 05:23:18 2004
Subject: On the Other hand: Re: [ISN] Auditors warn of foreign risks to weapons software
Message-ID:

Forwarded from: security curmudgeon
Cc: Hope This Works , Or This One , Maybe This One

: Dan O'Dowd Reminds World of UNIX Creator Ken Thompson's Security Stunt
: "We must not entrust national security to Linux," he declares.
: April 11, 2004, http://linuxworld.com/story/44468.htm
:
: In a speech intended to serve us a wake-up call to anyone relying on the
: "many eyes" that look at the Linux source code to quickly find any
: subversions, the CEO of Green Hills Software last week reminded his
: audience how UNIX's creator Ken Thompson installed a back door in the
: binary code of UNIX that automatically added his user name and password
: to every UNIX system - a secret he revealed only 14 years later.
:
: "The very nature of the open source process should rule Linux out of
: defense applications," O'Dowd said.

How is this any different than Windows or Solaris (or a dozen others) then? Both should be ruled out just as fast since each has shared its source code with the world. Solaris source has been available for years (and was available for years before they willingly made it public). Microsoft has shared huge portions of Windows source code with the Chinese government, and I'm sure we can trust them to report vulnerabilities they find .. right?

: "The open source process violates every principle of security. It
: welcomes everyone to contribute to Linux. Now that foreign intelligence
: agencies and terrorists know that Linux is going to control our most
: advanced defense systems, they can use fake identities to contribute
: subversive software that will soon be incorporated into our most
: advanced defense systems," he continued.

They can also use those fake identities to get a job at Microsoft (or Green Hills) where the code is reviewed by significantly fewer people, then pushed out to millions of customers world wide. Is this any different than O'Dowd's scenario?

: "If Linux is compromised, our defenses could be disabled, spied on, or
: commandeered. Every day new code is added to Linux in Russia, China and
: elsewhere throughout the world. Every day that code is incorporated into
: our command, control, communications and weapons systems. This must
: stop," he added, before continuing:

And if these systems are running Windows or Solaris, it's magically better? Because those two operating systems don't have vulnerabilities or something? Microsoft has proven it doesn't need foreign agents to code gaping holes in its products. Or is this some obscure argument that the world needs to move to proprietary RTOSs and self-serving advertising?

: "Linux in the defense environment is the classic Trojan horse scenario -
: a gift of 'free' software is being brought inside our critical defenses.
: If we proceed with plans to allow Linux to run these defense systems
: without demanding proof that it contains no subversive or dangerous code
: waiting to emerge after we bring it inside, then we invite the fate of
: Troy."

You demand proof? You have the source, audit it. Find all the malicious backdoors and trojans in it. Quit grandstanding and spouting this crap and *prove* it beyond doubt. That would seal your argument.

: One of O'Dowd's most telling points came when he debunked the claim by
: Linux advocates that its security can be assured by the openness of its
: source code, arguing that "many eyes" looking at the Linux source code
: will quickly find any subversions.
:
: Ken Thompson, the original developer of the Unix operating system (which
: heavily influenced Linux) proved that this just isn't true, O'Dowd
: argued. Thompson installed a back door in the binary code of UNIX that
: automatically added his user name and password to every UNIX system.
:
: O'Dowd told his audience that, when Thompson revealed the secret 14
: years later, he declared:
:
: "The moral is obvious. You can't trust code that you did not create
: yourself. No amount of source-level verification or scrutiny will
: protect you from using untrusted code."
:
: "Before most Linux developers were born, Ken Thompson had already
: proven that 'many eyes' looking at the source code can't prevent
: subversion," said O'Dowd. "Linux is being used in defense applications
: even though there are operating systems available today that are
: designed to meet the most stringent level of security evaluation in
: use by the National Security Agency, Common Criteria Evaluation
: Assurance Level 7 (EAL 7)."

This is worthy of a used car salesman. Two major points here, and I get to paraphrase since others have seen through this..

http://www.a42.com/node/view/149

Huh? Since when was Unix Open Source? Notice the technique here: first, make an association between Linux and Unix. Then, tell an anecdote about how Unix, a Closed Source project, was infected with a security leak. Then...voilà! Linux joins the Axis of Evil. This is a classic non sequitur. It's another example of the deconstruction of both the English language and the logical thought processes of the general population.

http://www.networkmagazine.com/article/NMG20020826S0005

Backdoors also have a long history in Unix software. Ken Thompson, a designer of the Unix OS, explained his magic password, a password that once allowed him to log in as any user on any Unix system, during his award acceptance speech at the Association for Computing Machinery (ACM) meeting in 1984. Thompson had included a backdoor in the password checking function that gets included in the login program. The backdoor would get installed in new versions of the Unix system because the compiler had Trojan Horse code that propagated the backdoor code to new versions of the compiler. Thompson's magic password is the best known, and most complex in distribution, backdoor code.

So first, O'Dowd is trying to say that old UNIX is magically Linux and was open source, when it most certainly was not. Second, he says that Thompson revealed this fact 14 years later, yet the talk that disclosed it was presented in 1984, long before Linux was even a notion in Torvalds' mind (http://www.li.org/linuxhistory.php).
You can read details of Thompson's tomfoolery in his presentation (http://vx.netlux.org/lib/mkt00.html). Third, the backdoor wasn't in the UNIX operating system, but the closed source compiler being used at the time (which was also used by Microsoft very early on.. trust issues and tin foil hats!), not the GNU C compiler. Further, his backdoor *was* discovered by people working on UNIX and by one professional's guess (no, not mine), it was around for six years before being discovered, in a closed source system, much like some of the nasty Windows bugs we see these days. O'Dowd's entire argument is a practical joke that some reporters fell for.

All of that said, if it's really that bad, why does O'Dowd's company boast about its impressive sales and mentions that they sell embedded Linux?

http://www.ghs.com/news/220304v.html

In its latest study, entitled "Embedded Software Strategic Market Intelligence Program: Volume IV," published February, 2002, VDC reports on the worldwide market for all embedded operating systems for the year 2001. According to the VDC report, the embedded operating system market is estimated to top $663.8 million in 2001 shipments. This includes shipments of embedded operating systems from Microsoft (Windows XP Embedded, Windows CE), Palm (PalmOS), VenturCom (Windows), Symbian (SymbianOS), Sun (Solaris) and several vendors of embedded Linux.
Despite this, Green Hills is on a recent anti-Linux crusade:

http://www.ghs.com/news/index.html

17-May-2004: Green Hills Software Issues White Paper: Linux in Defense: An Urgent Threat to National Security
10-May-2004: Green Hills Software Issues White Paper: Linux in Defense: Free Software Is Just Too Expensive
3-May-2004: Green Hills Software Issues White Paper: Linux Security: Unfit for Retrofit
26-Apr-2004: Green Hills Software Issues Linux Security White Paper: Many Eyes No Assurance Against Many Spies
19-Apr-2004: Green Hills Software CEO Responds to Linux Security Controversy
8-Apr-2004: Using Linux Software in Defense Systems Violates Every Principle of Security Says Green Hills Software's CEO and Founder

I'm not defending Linux as some magic solution to insecure operating systems, I'm not touting it as a secure alternative to any other operating system. However, I am tired of a few clowns conveniently bashing Linux and Open-Source for their own gain, especially when they use paid-for research (ADTI) or arguments that are easily shot down by third graders (GHS).

So O'Dowd .. what's your real motivation here? Have anything remotely substantial to back these claims? Or is this a convenient media frenzy designed to get attention for your company? Just a way to scuttle your competition (MontaVista Software)?

Jericho
Security Curmudgeon

Another Rebuttal: http://www.madpenguin.org/Article1182.html

From isn at c4i.org Wed Jun 2 04:44:17 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 2 05:23:19 2004
Subject: [ISN] Cyber-Cops Outgunned
Message-ID:

http://www.eweek.com/article2/0,1759,1604316,00.asp

By Dennis Fisher
May 31, 2004

Bob Breeden isn't complaining, don't get him wrong. Special Agent Breeden, who heads the Computer Crime Division of the Florida Department of Law Enforcement, in Tallahassee, feels fortunate to work in one of the few state police departments running a full-time cyber-crime division.
With four other officers under his command and another 10 FDLE employees at his disposal, Breeden oversees a division with an embarrassment of riches compared with its counter parts in most other states. Still, "there are days I feel like I need 10 more agents and more money," Breeden said. Considering Florida has the second-highest number of Internet-fraud incidents in the country each year and that Breeden's team handles between 400 and 500 cyber-crime cases annually, it's easy to see how resources can be stretched to the limit. Breeden knows that most jurisdictions have it far worse. "The vast majority of local law enforcement hasn't embraced technical investigations," he said. Since the 1980s, when computer crimes first became a concern for law enforcement, agencies have wrestled with how to deal with the often-confusing, highly technical realm of the cyber-criminal. Early efforts to centralize enforcement within federal agencies were seen as convenient and mostly logical but ultimately have led to jurisdictional squabbles and turf wars. "It is, in a word, chaotic," said Mark Rasch, a former U.S. Attorney who specialized in prosecuting computer crimes and is now the chief security counsel at Solutionary Inc., in Omaha, Neb. "There's supposedly a memorandum of understanding between the Secret Service and the FBI about who takes what, but it's usually whoever gets the first referral. [Today] you can have agents from the FBI, the Secret Service, and state and local police all working on the same case." Meanwhile, as cyber-crime skyrockets, law enforcement at all levels is at once struggling to get a handle on the threat and trying to impress those holding the purse strings in government that it is an area in need of attention and funding. 
In fact, the federal monopoly on cyber-crime cases for nearly two decades had the effect of leaving state and local law enforcement departments with no resources to investigate such crimes on their own and gave state legislatures little incentive to approve funding for specialized training or task forces to tackle the problem. As a result, during the Internet boom of the mid-to-late 1990s, most police departments were woefully unprepared for the resulting spike in online crime, experts say. Investigators accustomed to traditional cases with witnesses, clear evidence trails and time-tested techniques for tracking down suspects suddenly found themselves thrown into cyberspace, where chaos and anonymity reign.

Compounding the problem: Most had little experience with computers and the Internet. "I didn't have any real technical knowledge when I started doing this," said Breeden, who has been investigating computer crimes for nearly six years. "You learn as you go."

[...]

From isn at c4i.org Wed Jun 2 04:44:28 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 2 05:23:20 2004
Subject: [ISN] Linksys routers may be open to remote sniffing
Message-ID:

http://www.theinquirer.net/?article=16298

By Fernando Cassia
02 June 2004

FOLKS AT security portal SecuriTeam published on May 17 an exploit that could allow hackers and other nasty people to remotely sniff traffic passing through the router, and also crash the device. The article says it all comes down to a "memory leak", causing a flaw in the way the Linksys routers' DHCP server returns BOOTP protocol packets. This exploit is currently listed at position #3 in the SecuriTeam.com front page, so expect lots of script kiddies to be playing with it as we write (and you read) this. The site says: "Instead of returning legitimate BOOTP responses, (the linksys units) return BOOTP responses with the BOOTP fields filled in with portions of memory. This allows you to do cool things like the equivalent of sniffing all the traffic to/from the device". It continues: "I have successfully used this technique to steal the admin username and password from an innocent third party who recently configured the device, and I watched someone's traffic as they browsed ebay for a new Ti-Book". The exploit code indicates the vulnerability has been tested "on a fully updated Linksys BEFSR41 and BEFW11S4" but the author of this exploit, who signs his code under the name Jon Hart, hints that all other Linksys routers which have a dhcp server could be vulnerable "Currently, this looks to include at least the BEFN2PS4, BEFSR41, BEFSR81, BEFSX41, RV082, BEFCMU10, BEFSR11, BEFSR41W, BEFSRU31, BEFVP41, WRT55AG, WRV54G, WRT51AB", he writes.
As the owner and active user of one Linksys BEFSR-41 since mid-2000, which is my first line of defense between my home LAN and the Interweb, I first checked my unit's current firmware level (1.45.7 dated June 2003) and then rushed to the Linksys site, expecting to see an updated firmware, given the publication of this exploit over two weeks ago. I was shocked when I found that Linksys hasn't even touched the BEFSRxx firmware in about a year. At the time of writing this, the last firmware on the Linksys web page for the very popular BEFSR41 routers is 1.45.7, dated June 2003. I remember that Linksys used to update its firmware on a monthly basis, sometimes faster, back in the days it was a small company trying to beat the big guys.

From isn at c4i.org Wed Jun 2 04:44:38 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 2 05:23:21 2004
Subject: [ISN] Insecure at Softbank
Message-ID:

http://news.ft.com/servlet/ContentServer?pagename=FT.com/StoryFT/FullStory&c=StoryFT&cid=1085944451298

June 2 2004

Softbank president Masayoshi Son would probably be feeling more pleased with himself about his latest deal to take over Japan Telecom, were it not for a public embarrassment within his own, supposedly techno-savvy organisation. Two men arrested and charged with trying to blackmail Softbank with data they held on the group's customers were, it turns out, both contributors to PC Japan, a Softbank publication full of tips on network security. Yutaka Tomiyasu allegedly obtained information on users of Yahoo BB, Softbank's broadband internet service provider, from its database and tried to extort payment in exchange for returning the information. In 3½ years he had more than 30 articles appear in PC Japan, a publication for advanced PC users that specialises in network security matters. The latest is in the June edition. His unnamed partner, who was a temporary employee at Softbank, wrote a feature article last year about how to protect against hacking and viruses.
How are they alleged to have got to the database? While working for Softbank, Tomiyasu's partner had been given a user name and password needed to access it from a remote terminal. Softbank - wait for it - didn't bother to change these after he left, since they were being used by other employees who needed access to the data. Oh dear.

From isn at c4i.org Wed Jun 2 05:12:38 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 2 05:23:22 2004
Subject: [ISN] Book review: "Computer Security for the Home and Small Office" by Thomas C. Greene
Message-ID:

http://www.powells.com/cgi-bin/partner?partner_id=28327&cgi=product&isbn=1-59059-316-2

Computer Security for the Home and Small Office
Thomas C. Greene
Paperback - 405 pages (2004)
$39.99 - Apress
ISBN: 1-59059-316-2

[Full Disclosure: I have been quoted by Greene for past articles in a friendly/professional capacity. He has also written articles that were accusatory to me and attrition.org in the past. Translated: I owe him nothing.]

The first and most obvious question that will come to some people is where an alleged hack from The Register [1] gets off writing a book on computer security. After reading the entire book, you'll understand that his last five years covering computer security and playing Windows solitaire has paid off. Just as he writes his news material in an "irreverent editorial style", so shall I in this quippy review.

Computer security isn't just for hackers or professionals, it's something every computer owner and operator should be aware of. When we read about the worm-of-the-week, it is infecting and compromising tens of thousands of machines, often owned by you, the end user. How are the average computer users expected to protect their home systems when security is a discipline and career? In the past, they were expected to read web sites, trust Microsoft and possibly struggle through an overly technical book detailing the ins and outs of firewalls or other security technology.
Some books came out to address this issue but ended up being dull, covering the absolute basics while ignoring serious issues, or contained more errors than facts. After all this time, one book seems to be ideal for the everyday user, and ready to educate them on more than configuring a Windows machine or personal router. Overall, the book favors the end Windows user in time spent explaining the gritty details of basic security. However, neophyte Linux users will be able to learn some of the basics as it applies to them, as Greene considers both platforms when dealing out information. Using plain wording unencumbered by superfluous jargon, the lessons you need are easy to understand, well organized and well written. Fortunately for you, the book was technically reviewed by Robert Slade [2] before hitting the shelves, and it shows. It's a pleasant change of pace reading a book without sighing in disgust every few pages when the author typically proves they are better off working at McDonalds. The Greene/Slade combination is definitely worthy of Subway.

The last third of the book moves beyond configuring your computer and delves into the single most important aspect of computer security: Common Sense and Awareness. Rather than continue on with tech tips, Greene opts to educate the end user about the security industry, which is a blessing in disguise. Later chapters warn you on FUD (Fear, Uncertainty and Doubt), how to avoid industry charlatans, and how to apply common sense toward keeping unwanted people out of your system. Greene also delves into some of the great debates of our time, like open vs closed operating systems (Windows vs Linux). His journalistic experience shines through here and Greene delivers perhaps the single best summary of why Linux may be a better option for you than Windows. He dispels the myth that it is too complex, that it doesn't run the programs you want, and the shortcomings of Windows.
The last section covers a wide variety of topics that move beyond the personal computer and into daily life, as computers may affect you. This is a nice touch as a large part of the population doesn't follow technology news despite the drastic effects it can have on your life. By understanding what is looming around the corner, you can better prepare for changes that affect the Internet, your computer, and your security. No review is complete without a little criticism! The biggest complaint I can direct at this book is the practice of lengthy and largely worthless Appendix. Starting on page 297 (Appendix B) and ending on page 392 (Appendix C), about half of the material would have been better left on Greene's new website [3]. Giving us long lists of trojan port numbers for example, isn't the most helpful thing you could have filled those pages with. All in all, if you are an average Joe when it comes to computers and security, grab a copy of this book. It *will* help you learn what you need to know, and it will make you realize that security is more than tweaking options on a computer configuration screen. That lesson is still hard to teach to some so-called security professionals, but one you will learn rapidly with this book. 
[1] http://www.theregister.com/
[2] http://victoria.tc.ca/int-grps/books/techrev/mnbk.htm
[3] http://www.basicsec.org/

From brennan at ideahamster.org Thu Jun 3 01:37:33 2004
From: brennan at ideahamster.org (brennan stewart)
Date: Thu Jun 3 04:11:26 2004
Subject: On the Other hand: Re: [ISN] Auditors warn of foreign risks to weapons software
In-Reply-To:
References:
Message-ID: <1086240499.3428.1033.camel@localhost.localdomain>

Some milestones relating to Linux in the US Government

Linux COE certification
http://disa.dtic.mil/coe/index.html

Linux distros with Common Criteria certification
http://niap.nist.gov/cc-scheme/vpl/vpl_type.html#operatingsystem

Products on Linux with FIPS certification
http://csrc.nist.gov/cryptval/140-1/1401val2004.htm

Common Access Card compatibility with Linux
http://www.it-umbrella.navy.mil/contract/middleware-esa/Schlumberger/Linux_Report_Card.pdf
http://www.slb.com/cactus/product.htm

DISA's Linux STIG (horribly outdated and inadequate by the way)
http://csrc.nist.gov/pcig/STIGs/unix-stig-v4r4-091503.zip
http://csrc.nist.gov/pcig/CHECKLISTS/unix-checklist-031504.zip

So it does appear that Linux holds all the certifications needed. The agencies I have worked for will insist on performing a code audit regardless of the software source (vendor/OSS/etc) if it is a national security system. They aren't going to just plug something into a SCIF. I could make the argument that Linux adoption will help improve the security of the US government too, to prevent a monoculture (defense in diversity). Take for example the way the IRS was victimized by Sasser... (and how many other agencies?) I think many proprietary software companies fail to understand what is happening with the software industry, the "creative destruction" as the open source paradigm spreads. DoD technologists can see the writing on the wall too.
-b

On Wed, 2004-06-02 at 04:44, InfoSec News wrote:
> Forwarded from: security curmudgeon
> Cc: Hope This Works , Or This One , Maybe This One
>
> : Dan O'Dowd Reminds World of UNIX Creator Ken Thompson's Security Stunt
> : "We must not entrust national security to Linux," he declares.
> : April 11, 2004, http://linuxworld.com/story/44468.htm
>
> : In a speech intended to serve us a wake-up call to anyone relying on the
> : "many eyes" that look at the Linux source code to quickly find any
> : subversions, the CEO of Green Hills Software last week reminded his
> : audience how UNIX's creator Ken Thompson installed a back door in the
> : binary code of UNIX that automatically added his user name and password
> : to every UNIX system - a secret he revealed only 14 years later.
>
> : "The very nature of the open source process should rule Linux out of
> : defense applications," O'Dowd said.
>
> How is this any different than Windows or Solaris (or a dozen others)
> then? Both should be ruled out just as fast since each has shared its
> source code with the world. Solaris source has been available for
> years (and was available for years before they willingly made it
> public). Microsoft has shared huge portions of Windows source code
> with the Chinese government, and I'm sure we can trust them to report
> vulnerabilities they find .. right?
>
> : "The open source process violates every principle of security. It
> : welcomes everyone to contribute to Linux. Now that foreign intelligence
> : agencies and terrorists know that Linux is going to control our most
> : advanced defense systems, they can use fake identities to contribute
> : subversive software that will soon be incorporated into our most
> : advanced defense systems," he continued.
>
> They can also use those fake identities to get a job at Microsoft (or
> Green Hills) where the code is reviewed by significantly less people,
> then pushed out to millions of customers world wide.
Is this any > different than O'Dowd's scenario? > > : "If Linux is compromised, our defenses could be disabled, spied on, or > : commandeered. Every day new code is added to Linux in Russia, China and > : elsewhere throughout the world. Every day that code is incorporated into > : our command, control, communications and weapons systems. This must > : stop," he added, before continuing: > > And if these systems are running Windows or Solaris, it's magically > better? Because those two operating systems don't have vulnerabilities > or something? Microsoft has proven it doesn't need foreign agents to > code gaping holes in its products. Or is this some obscure argument > that the world needs to move to proprietary RTOSs and self-serving > advertising? > > : "Linux in the defense environment is the classic Trojan horse scenario - > : a gift of 'free' software is being brought inside our critical defenses. > : If we proceed with plans to allow Linux to run these defense systems > : without demanding proof that it contains no subversive or dangerous code > : waiting to emerge after we bring it inside, then we invite the fate of > : Troy." > > You demand proof? You have the source, audit it. Find all the > malicious backdoors and trojans in it. Quit grandstanding and spouting > this crap and *prove* it beyond doubt. That would seal your argument. > > : One of O'Dowd's most telling points came when he debunked the claim by > : Linux advocates that its security can be assured by the openness of its > : source code, arguing that "many eyes" looking at the Linux source code > : will quickly find any subversions. > : > : Ken Thompson, the original developer of the Unix operating system (which > : heavily influenced Linux) proved that this just isn't true, O'Dowd > : argued. Thompson installed a back door in the binary code of UNIX that > : automatically added his user name and password to every UNIX system. 
> :
> : O'Dowd told his audience that, when Thompson revealed the secret 14
> : years later, he declared:
> :
> : "The moral is obvious. You can't trust code that you did not create
> : yourself. No amount of source-level verification or scrutiny will
> : protect you from using untrusted code."
> :
> : "Before most Linux developers were born, Ken Thompson had already
> : proven that 'many eyes' looking at the source code can't prevent
> : subversion," said O'Dowd. "Linux is being used in defense applications
> : even though there are operating systems available today that are
> : designed to meet the most stringent level of security evaluation in
> : use by the National Security Agency, Common Criteria Evaluation
> : Assurance Level 7 (EAL 7)."

h the recent sasser

ped by Microsoft (as I am sure their 'royalty-free' velOSity kernel is) - a closed door/closed-mouth association of developers from Washington. The very nature of this operation violates every principle of security and we have actual evidence. I'm talking about security risks and damage on a global scale, not only in the USA. Microsoft's software has done some serious damage to the computer systems of the world, as well as the pocketbooks of the companies running it. Think about it... employee salaries, overtime, professional support, software upgrades, patches, etc... all factor into the damages caused by the malware encouraged by the flaws in Microsoft's software products. You can bet that Green Hills is no different. How do their customers know they are safe? They don't. They have to rely on what they are told by the company... the same company who is interested in the big sale. Linux does not come with an agenda. What you see is what you get. No hidden surprises that keep you in your data center all night squashing bugs that have completely devastated your servers. Furthermore, you know what you have in your Linux systems because you can actually see for yourself.
> > This is worthy of a used car salesman. Two major points here, and I > get to paraphrase since others have seen through this.. > > http://www.a42.com/node/view/149 > > Huh? Since when was Unix Open Source? Notice the technique here: first, > make an association between Linux and Unix. Then, tell an anecdote about > how Unix, a Closed Source project, was infected with a security leak. > Then...voil! Linux joins the Axis of Evil. This is a classic non > sequitur. It's another example of the deconstruction of both the English > language and the logical thought processes of the general population. > > http://www.networkmagazine.com/article/NMG20020826S0005 > > Backdoors also have a long history in Unix software. Ken Thompson, a > designer of the Unix OS, explained his magic password, a password that > once allowed him to log in as any user on any Unix system, during his > award acceptance speech at the Association for Computing Machinery (ACM) > meeting in 1984. Thompson had included a backdoor in the password > checking function that gets included in the login program. The backdoor > would get installed in new versions of the Unix system because the > compiler had Trojan Horse code that propagated the backdoor code to new > versions of the compiler. Thompson's magic password is the best known, > and most complex in distribution, backdoor code. > > So first, O'Dowd is trying to say that old UNIX is magically Linux and was > open source, when it most certainly was not. Second, he says that Thompson > revealed this fact 14 years later, yet the talk that disclosed it was > presented in 1984, long before Linux was even a notion in Torvalds' mind > (http://www.li.org/linuxhistory.php). You can read details of Thompson's > tomfoolery in his presentation (http://vx.netlux.org/lib/mkt00.html). > > Third, the backdoor wasn't in the UNIX operating system, but the > closed source compiler being used at the time (which was also used by > Microsoft very early on.. 
trust issues and tin foil hats!), not the > GNU C compiler. Further, his backdoor *was* discovered by people > working on UNIX and by one professional's guess (no, not mine), it was > around for six years before being discovered, in a closed source > system, much like some of the nasty Windows bugs we see these days. > > O'Dowd's entire argument is a practical joke that some reporters fell for. > > > All of that said, if it's really that bad, why does O'Dowd's company boast > about its impressive sales and mentions that they sell embedded Linux? > > http://www.ghs.com/news/220304v.html > > In its latest study, entitled "Embedded Software Strategic Market > Intelligence Program: Volume IV," published February, 2002, VDC reports > on the worldwide market for all embedded operating systems for the year > 2001. According to the VDC report, the embedded operating system market > is estimated to top $663.8 million in 2001 shipments. This includes > shipments of embedded operating systems from Microsoft (Windows XP > Embedded, Windows CE), Palm (PalmOS), VenturCom (Windows), Symbian > (SymbianOS), Sun (Solaris) and several vendors of embedded Linux. 
>
> Despite this, Green Hills is on a recent anti-Linux crusade:
>
> http://www.ghs.com/news/index.html
>
> 17-May-2004: Green Hills Software Issues White Paper: Linux in
> Defense: An Urgent Threat to National Security
>
> 10-May-2004: Green Hills Software Issues White Paper: Linux in
> Defense: Free Software Is Just Too Expensive
>
> 3-May-2004: Green Hills Software Issues White Paper: Linux Security:
> Unfit for Retrofit
>
> 26-Apr-2004: Green Hills Software Issues Linux Security White Paper:
> Many Eyes No Assurance Against Many Spies
>
> 19-Apr-2004: Green Hills Software CEO Responds to Linux Security
> Controversy
>
> 8-Apr-2004: Using Linux Software in Defense Systems Violates Every
> Principle of Security Says Green Hills Software's CEO and Founder
>
>
> I'm not defending Linux as some magic solution to insecure operating
> systems, I'm not touting it as a secure alternative to any other
> operating system. However, I am tired of a few clowns conveniently
> bashing Linux and Open-Source for their own gain, especially when they
> use paid-for research (ADTI) or arguments that are easily shot down by
> third graders (GHS).
>
> So O'Dowd .. what's your real motivation here? Have anything remotely
> substantial to back these claims? Or is this a convenient media frenzy
> designed to get attention for your company? Just a way to scuttle your
> competition (MontaVista Software)?
>
>
> Jericho
> Security Curmudgeon
>
>
> Another Rebuttal: http://www.madpenguin.org/Article1182.html
>
>
>
> _________________________________________
> ISN mailing list
> Sponsored by: OSVDB.org

From isn at c4i.org Thu Jun 3 03:30:18 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 3 04:11:28 2004
Subject: [ISN] E-mail Confidential
Message-ID:

http://slate.msn.com/id/2101561/

By Jack Shafer
June 1, 2004

The other day, a Time Inc. journalist of my acquaintance sent me an e-mail from his corporate e-mail account. I read it quickly and was about to hit the delete icon when I spotted this extraordinary 114-word "disclaimer" sloshing around at the bottom. It read:

This message is the property of Time Inc. or its affiliates. It may be legally privileged and/or confidential and is intended only for the use of the addressee(s). No addressee should forward, print, copy, or otherwise reproduce this message in any manner that would allow it to be viewed by any individual not originally listed as a recipient. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is strictly prohibited. If you have received this communication in error, please immediately notify the sender and delete this message. Thank you.

Ignoring the e-mail's threats, I forwarded it to my 175-pound Samoan attorney for his opinion, and he convinced me that Time Inc. has much more to fear from me than I have to fear from Time Inc. In fine Socratic fashion, my counsel walked me through the disclaimer, sentence by sentence, encouraging me to add my own thinking to our exercise. Here are my notes.

This message is the property of Time Inc. or its affiliates.

My attorney noted that it's probably true in the technical sense that an e-mail message from one of its employees sent via Time Inc.'s e-mail system is Time Inc.'s property.
For that reason, Time Inc. employees should probably use their personal e-mail accounts for personal notes. But sending me an e-mail - like sending a letter - creates an implied license for certain uses. What sort of uses? Surely I have the right to delete it or to print it for my records. I know of nothing in U.S. law that would bar me from sharing it with my friends or even quoting the message in print. Of course, there are limits to what one can do with e-mail or other correspondence. U.S. copyright law gives every letter and laundry list automatic copyright protection, so if you published a slew of e-mail from a correspondent and he sued you alleging copyright infringement, a court might find that you deprived him of the financial rewards of his literary labors and render a decision against you. But I doubt very much if that's going to apply to one in a billion e-mails. The first sentence of the Time Inc. disclaimer also got me to thinking: If the message is Time Inc.'s corporate "property," what is it doing in my in-box without an invitation? Trespassing?

It may be legally privileged and/or confidential and is intended only for the use of the addressee(s).

Or it may not be, as my attorney noted. Correspondence between an attorney and his client is usually considered "legally privileged," but an e-mail from a Time Inc. wage slave to me? Not automatically. If the message is privileged or confidential, shouldn't Time Inc. let me know and not leave me dangling with the vague "may be" language? And when the disclaimer declares the message is "intended only for the use of the addressee(s)," to what "use" is it referring? Reading and burning it?

No addressee should forward, print, copy, or otherwise reproduce this message in any manner that would allow it to be viewed by any individual not originally listed as a recipient.

Note the operative word, "should." My attorney says this is nothing more than a request - only a fool would consider it a binding contract.
If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is strictly prohibited.

My Samoan attorney says Time Inc. might have a case if the message contained a trade secret intended for a recipient other than me and I distributed it. But sending a confidential or valuable message via insecure e-mail is a funny way to preserve a secret. If Time Inc. wants to keep its communications safe, it should invest in some sort of encryption software that allows privileged readers to open the mail but prevents them from forwarding, printing, or otherwise duplicating it. Microsoft, which publishes Slate, even makes a product for such occasions.

If you have received this communication in error, please immediately notify the sender and delete this message.

This, too, is only a request. (See above.)

The oddest thing about the Time Inc. disclaimer isn't its dubious legal language, but its placement at the bottom of the e-mail message. It's one thing to ask a correspondent to agree to terms of confidentiality before they read the message, but to dictate the terms afterwards? Ridiculous! If you really want to get the goat of a Time Inc. journalist, send him some extraordinary dish about your company via e-mail but then type the Time Inc. disclaimer into the end, substituting your company's name for that of Time Inc.

As stupid as the Time Inc. disclaimer may be, they come a lot stupider. In 2001, the Register, a U.K. information technology Web site, enlisted its readers to gather the longest, most PC, and most incomprehensible disclaimers on the Internet.

-=-

After reading, please burn this Web posting and then send your most hilarious disclaimer to pressbox@hotmail.com. (E-mail may be quoted by name unless the writer stipulates otherwise.)

Jack Shafer is Slate's editor at large.
From isn at c4i.org Thu Jun 3 03:30:35 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 3 04:11:28 2004
Subject: [ISN] Catching a Virus Writer
Message-ID:

http://www.securityfocus.com/columnists/246

By Kelly Martin
Jun 02 2004

Like a sneeze in a crowded subway, it's hard to find the human source of the latest viral infection. On the Internet it's not much different. The people who write these nasty little programs and release them into the wild almost never get caught. Why? The answer is easy, but it's also a sort of technical nemesis: there's simply no way to track these people down.

The current approach to catching virus writers isn't working. Code analysis and disassembly provides clues about the author, but it's not enough. Virus writers boast of their accomplishments in private bulletin boards, yet only the most vocal and arrogant few will get caught. Even with logs, IP addresses and private access, it's still near impossible to track them down. Law enforcement agencies in every country are clearly ill-equipped to deal with the myriad of technical hurdles required to track virus authors down, and so they turn to a few elite security consultants, some working as threat analysts at the major A/V vendors for help. They can usually narrow down the source of a virus to having been released in a geographic part of the world, but the rest is a mere packet in the bitstream. Add Microsoft's new $250,000 bounty into the mix and at first glance, you'd think we're right on track. Not a chance!

There are simply too many ways to be anonymous on the Internet, and more so today than ever before. You don't even need to spoof IP addresses these days; there are too many ways to have perfect stealth, starting with an untraceable MAC address on a borrowed IP address, linked into a wireless router down the street which has access logging disabled - and you tunnel through countless proxies and compromised zombies until you reach the desired launch point.
Someone who does not wish to be caught (and knows what they're doing), cannot be caught. With wireless, it becomes a physical battle between a million victims and one guy walking down the street.

Why WiFi?

WiFi has exploded. Welcome to the truly anonymous Internet. There is no easier way to slip on and off the Internet now without being noticed than on an unsecured 802.11x wireless network in a coffee shop, under a tree in Central Park, at a library or even just leaked through the walls of the apartment next door. North America, and indeed the rest of the world, already has an incredible number of wireless devices that are effectively free, unsecured, and readily available to anyone - to such an extent that it's more difficult to avoid these sprawling networks than it is to connect to them. My Mac with embedded g-band happily connects to just about any network it can find, and it appears there are literally a hundred wireless Access Points within a short walking distance downtown. There are a mind-boggling number of wireless access points now, and only the ubiquity of these devices is new: while four or five years ago I may have been the first on my block with WiFi, now there are so many devices I have to worry about interference. More than that, there are a mind-boggling number of wireless access points that are not Secure by Default, out of the box - just like the machine owned by your average Microsoft Windows user. But even if they were, it wouldn't matter. I live in a sparsely-populated area, at least for a major metropolitan city. Yet without even leaving the couch of my living room, I can "borrow" someone else's Internet connection, mask my MAC address and have complete stealth on the Internet. It would be difficult, if not impossible, to prove it was me. If I wanted to be a bit smarter about things, however, I'd walk to the park and get my access from there... less likely that the police come knocking on my door.
Or I'd drive down to the coffee shop, and set up a launch from there. Or better still: point my homemade antenna (made out of a soup can and used according to the exacting laws of wavelengths and physics) and bounce it off a digital satellite dish, extending my network's range by up to 2km. In other words, I could literally get my Internet access by simply pointing my directional antenna towards metropolitan downtown. I have no malicious intent, however. I'm generally not searching for these insecure networks, they just appear all on their own.

When I'm not publishing articles on SecurityFocus, I go for coffee at a shop at the bottom of our building. There is free wireless Internet access available, sure -- though I'm not sure if it's actually provided by the coffee shop, or if it's coming from an office next door, or below me, or above me -- the service has never been advertised. Instead, one day I just opened up my Mac with OS X, and it was there (broadcasting itself, with no security). Most Windows machines, by default, similarly connect to the strongest local signal without discretion, and voila. I check the connection, and can instantly surf the web. SSH works fine, and thus secure (and dynamic) SSH tunnels are possible. And secure email, through port 993, is possible as well. Web access, like usual, is in the clear (except when using SSL and then it too, is secure). No security whatsoever. It's wide open. I drink my coffee and imagine opening up a can of worms... or rather, imagine someone logging onto his bot network through IRC, sitting anonymously in some coffee shop, drinking espresso and launching DDoS (distributed denial-of-service) attacks. If I fudge my MAC address and make up a fake one, it will be impossible for anyone to know it's me. I'll change the apparent MAC address again tomorrow and maybe I'll sit in a different coffee shop, too.
Free but insecure networks

What I'm trying to get at is this "promiscuity" of wireless networks has already made security on the Internet redundant - a virus writer using this technology could never be tracked down. There are hundreds of access points within my five kilometer radius, and the number is growing every day. Having had 802.11x access myself for a long time, the technology and its weaknesses are hardly new - what's new is the proliferation of access points, the vast majority of which are freely available for personal use. Even a robustly secured wireless access point can be cracked in a matter of hours. The extreme, industrial-strength security using LDAP and/or RADIUS and rotating keys is possible, but not for the faint of heart. In other words, for tens of thousands of access points across the country and around the globe, their security is already irrelevant. For someone searching for a novel launch point for their virus, you might still be the next in line.

Salon published an interesting (and entertaining) article by Micah Joel (requires free day pass) about opening up access points and its legal implications: no security, broadcast the SSID, and turn logging off. Encourage people, in fact, to use the free connection. With no way to know who has used your Internet connection, there's no way that you could be held liable for inappropriate (or illegal) use. You'd be just like everyone else who took it out of the box, and plugged it in. While this theory has yet to be held up in court, at least here in Canada, a precedent is waiting to be set. It's already everywhere. Don't believe me? CNN published an article recently only confirming what many of us already knew: the insecurity of wireless networks has become extreme. Of course, it would be just as easy to launch a virus from an Internet café in many other parts of the world, like Asia and India where anonymous access is given for a dollar an hour.
And then there are the libraries, colleges, user groups and other institutions everywhere else that, once again, provide a bastion of easy, cheap anonymity. Let me now be clear about my motivations: while I do not have the skills to write a virus myself, there are many, many people out there who do. Writing it and sharing code is one thing; launching it into the wild is another thing altogether. Similarly, technical stealth is now very easy, so we're left to rely on the social component of a coder leaving his mark, showing some arrogance, and perhaps doing some public code sharing, that will ultimately do the virus writer in. The only way they might be caught is if one of their inner-circle friends squeals on them - and then traditional law enforcement steps in, grabs all the electronic equipment, and the forensics start. Then once the informant is linked to the virus world as well, the blue cloud of Microsoft's $250,000 bounty again fades into the mist. Virus writers can launch their dubious malcode from just about anywhere in the world, a form of cyber-terrorism that cannot be stopped. The promiscuity of the Internet is here.

Kelly Martin is the content editor for SecurityFocus.

From isn at c4i.org Thu Jun 3 03:30:50 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jun 3 04:11:29 2004 Subject: [ISN] Simple passwords no longer suffice Message-ID:
http://www.cnn.com/2004/TECH/ptech/06/01/beyond.passwords.ap/index.html
June 1, 2004

(AP) -- To access her bank account online, Marie Jubran opens a Web browser and types in her Swedish national ID number along with a four-digit password. For additional security, she then pulls out a card that has 50 scratch-off codes. Jubran uses the codes, one by one, each time she logs on or performs a transaction. Her bank, Nordea PLC, automatically sends a new card when she's about to run out. As more Web sites demand passwords, scammers are getting more clever about stealing them. Hence the need for such "passwords-plus" systems.
Scandinavian countries are among the leaders as many online businesses abandon static passwords in favor of so-called two-factor authentication. "A password is a construct of the past that has run out of steam," said Joseph Atick, chief executive of Identix Inc., a Minnesota designer of fingerprint-based authentication. "The human mind-set is not used to dealing with so many different passwords and so many different PINs." When a static password alone is required, security experts recommend that users combine letters and numbers and avoid easy-to-guess passwords like "1234" or a nickname. Stevan Hoffacker follows those rules but commits a different faux pas: He uses the same password everywhere, including access to multiple e-mail accounts, Amazon.com, The New York Times' Web site and E-ZPass electronic toll statements. In such cases, should hackers or scammers compromise one account, they potentially have one's entire online life. "This is one of these things that if I stop and think about it, it is not good, but I do my best not to stop and think about it," said Hoffacker, an information technology manager in New York. Password harvesting But it's difficult to remember dozens of strong passwords -- so many sites now require them. Alternatives include writing them down on a sticky note attached to a monitor or in an electronic spreadsheet -- practices security experts also deem unsafe. Software such as Symantec Corp.'s Norton Password Manager and Apple Computer Inc.'s Keychain help store passwords in secure, encrypted form. But if you compromise the master password, you're out of luck. Your entire collection is gone. Many sites, meanwhile, will e-mail passwords insecurely -- without encryption -- if you forget. A site called BugMeNot.com even encourages users to share passwords for nonfinancial sites like newspapers. 
The tools of password harvesting are many: Keystroke recorders secretly installed at public Internet terminals can capture passwords, as can "phishing" e-mails designed to trick users into submitting sensitive data to fraudulent sites that look authentic. There are computer viruses programmed to harvest passwords as well as software that guesses passwords by running through words in dictionaries. Though analysts have no hard figures on password-specific fraud, they blame insecure passwords for unauthorized financial transfers, privacy breaches and even the hacking of corporate networks. With two-factor authentication, having a password alone is useless. "We will never play the fear factor here, but still it stays a fact that with our products, phishing is no longer an issue," said Jochem Binst of Vasco Data Security International Inc. The Belgian company issues devices the size of pocket calculators or keychains. You type your regular password into the device for a second code that is based on the time and the unit's unique characteristics. That's the code you type into the Web site. Someone who steals your device won't have your password; someone who steals your password won't have your device. Two-factor authentication MasterCard International Inc. has been testing similar systems in Britain, Germany and Brazil. Swipe a credit card with a smart chip into a special reader, enter your PIN and obtain a password good only once at Office Max, British Airways and a dozen other merchants. In Singapore, bank customers wishing to designate new accounts for fund transfers must likewise obtain a second password -- through a phone call, e-mail or mobile text messaging. Biometric systems are similar, except a fingerprint or iris scan replaces one or both passwords. In the United States, use of two-factor authentication remains limited. RSA Security Inc. 
has several products, including RSA SecurID, but they are primarily issued to employees for remote network access and to customers with high-value portfolios. "There's a delicate balance between maintaining security but also providing customers with ease of use," said Doug Johnson, senior policy analyst at the American Bankers Association. Gartner analyst Avivah Litan said banks are "all afraid of making the first step. They don't want consumers going to other banks because it's too hard." U.S. banks and e-commerce companies have focused, for now, on making sure passwords are strong. EBay, for instance, now rejects attempts to create passwords such as "ebay" or "password." Before two-factor authentication becomes commonplace, laptops must come standard with biometric readers, or manufacturers must bring down costs for password-generating devices. Outfitting 1 million customers with such devices could cost $20 million, while Internet fraud for those customers amounts to "tens of thousands at most," said Tony Chew, director of technology risk supervision at the Monetary Authority of Singapore. Singapore banks thus limit dynamic passwords to fund transfers, he said. Setting standards Companies also need to set standards. Though Jubran enjoys her bank's scratch-off passwords, she wouldn't want the Amazon.coms of the world all adopting them as well. "It would be too complicated to have 10 different cards you scrape off," the 24-year-old medical student said. Jason Lewis, vice president of product management at RSA Security, figures companies will have to create services so a single device can work on multiple sites. Nordea and other Scandinavian banks already have partnered with government agencies and utilities, and an identity-management coalition called the Liberty Alliance Project has begun to explore standards. People will pay more attention to security as they keep more of their lives online, said Robert Chesnut, eBay's vice president for rules, trust and safety. 
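The pocket-token scheme the article describes (the user keys a password into a device, which shows a second code derived from the time and the unit's own secret), as an added example; this is not Vasco's, RSA's or the AP article's own code. It assumes HMAC-SHA1 over 30-second time steps, a 6-digit code and a constructed per-device secret, in the style of the HOTP/TOTP algorithms; the one-step clock-drift window and the replay guard on the server side are assumptions too.

```python
"""Time-based second factor, modelled on the pocket token described in the
article.  Added example, not Vasco's or RSA's algorithm.  Assumes a per-device
secret shared with the server (constructed below), HMAC-SHA1, 30-second time
steps and 6-digit codes, in the style of the HOTP/TOTP algorithms."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30        # assumed length of one time step
CODE_DIGITS = 6          # assumed displayed code length
DRIFT_STEPS = 1          # server tolerates one step of clock drift either way

# Constructed device secret; a real token keeps this in tamper-resistant storage.
DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def time_step(unix_time):
    """Counter used as the HMAC message: the current 30-second step number."""
    return int(unix_time) // STEP_SECONDS


def token_code(secret, pin, counter):
    """The code the device shows after the user keys in the PIN.

    The PIN is mixed into the HMAC key, so the device secret alone (a stolen
    token) and the PIN alone (a phished password) each fail to produce codes.
    """
    key = hashlib.sha256(secret + pin.encode("utf-8")).digest()
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # HOTP-style truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def verify(secret, pin, submitted, unix_time, last_used_counter=-1):
    """Server-side check.  Returns the accepted counter, or None.

    Accepts the current step or one step either side, and refuses any counter
    at or below the last one accepted, so a code captured by a keystroke
    recorder or a phishing page is useless once the user has logged in with it
    (and expires within about a minute regardless).
    """
    current = time_step(unix_time)
    for counter in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(token_code(secret, pin, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = 1086220800                   # constructed timestamp (June 2004)
    pin = "4821"                       # constructed user PIN
    code = token_code(DEVICE_SECRET, pin, time_step(now))
    accepted = verify(DEVICE_SECRET, pin, code, now)
    print("code", code, "accepted at counter", accepted)
    # Replaying the same code is refused once its counter has been consumed.
    print("replay accepted:", verify(DEVICE_SECRET, pin, code, now + 5, accepted))
```

The server stores the last accepted counter per user; without that, a code phished seconds ago would still verify until the drift window closes. The article's point holds in the code: a stolen device without the PIN, or a stolen PIN without the device secret, yields nothing a server will accept.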
He offered this analogy: "The more stuff you have in your house, the better the deadbolt lock you have." From isn at c4i.org Thu Jun 3 03:32:26 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jun 3 04:11:30 2004 Subject: [ISN] Security UPDATE--Email Filtering--June 2, 2004 Message-ID: ==================== Make sure your copy of Security UPDATE doesn't get mistakenly blocked by antispam software! Be sure to add Security-UPDATE@list.winnetmag.com to your list of allowed senders and contacts. ==== This Issue Sponsored By ==== OpenNetwork http://list.winnetmag.com/cgi-bin3/DM/y/egA50CJgSH0CBw0BIp70A4 Windows & .NET Magazine http://list.winnetmag.com/cgi-bin3/DM/y/egA50CJgSH0CBw0BEuX0Ad ==================== 1. In Focus: Want A Junk-Free Inbox? Then Filter It 2. Security News and Features - Recent Security Vulnerabilities - Feature: Coping with Today's Killer App - News: Report from the Phishing Spot - Feature: A First Look at the New MBSA - News: Microsoft Partnering to Sell ISA Server Appliances 3. Instant Poll 4. Security Toolkit - FAQ - Featured Thread 5. New and Improved - Monitor Your Server from Anywhere in the World ==================== ==== Sponsor: OpenNetwork ==== Wondering where to start your Identity Management implementation? Find out more by reading the free whitepaper: Understanding the Identity Management Roadmap. Get your copy today at http://list.winnetmag.com/cgi-bin3/DM/y/egA50CJgSH0CBw0BIp70A4 ==================== ==== 1. In Focus: Want A Junk-Free Inbox? Then Filter It ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net Last week, I wrote about DomainKeys, Sender Policy Framework (SPF), and CallerID for E-Mail. All three technologies have been submitted to the Internet Engineering Task Force (IETF) as draft proposals. Since then, the developers of SPF and Microsoft (the developer of CallerID) have agreed to merge the two technologies into one. 
A new draft proposal will be created and submitted to the IETF; however, the name for the new technology has yet to be formalized. If you're interested in some of the ideas regarding how the two technologies will operate after they're merged, be sure to read Meng Weng Wong's outline of how things might pan out. Wong is one of the SPF developers, and you can find his outline in the SPF mailing list archives. http://archives.listbox.com/spf-discuss@v2.listbox.com/200405/0199.html Last week, I pointed out that people who intend to use any or all of the three new technologies to help filter unwanted email will also need to use other technologies in combination with them because none of the three new technologies, not even all of them together, will completely stop unwanted email. A reader of this newsletter who also participates in the SPF mailing list asked SPF mailing list members whether my statement was true. The short answer is "yes," and another list member explains why. http://archives.listbox.com/spf-discuss@v2.listbox.com/200405/0373.html Another reader of this newsletter wrote to tell me that his Hotmail account is spam free. That may be true; however, I doubt that all other Hotmail accounts are in the same situation. Regardless, the way Hotmail (or any technology, for that matter) eliminates junk mail is to filter it by any of the available various methods, because that's the only way to do it without resorting to short-term disposable email addresses. Of course, such filtering relies on a variety of parameters, including known junk-mail-message content, known domains and networks that service spammers, open mail relays, keywords, key phrases, content types, block lists, allow lists, and so on. In the near future, DomainKeys and the combined SPF/CallerID will be a couple of additional mechanisms that will definitely be used for mail filtering. 
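One way to see why the author says SPF (and the merged SPF/CallerID) is only one input to mail filtering, as an added example that is not the SPF project's code or this newsletter's own: a minimal SPF evaluator run over constructed records that stand in for the DNS TXT lookup. The domain names, addresses and block list are invented; only the ip4, ip6, include and all mechanisms with the +/-/~/? qualifiers are implemented, and the record for "bulk-offers.example" models a spammer who publishes a correct record for a domain he controls.

```python
"""Minimal SPF (Sender Policy Framework) evaluator over records supplied
inline.  Added example, not code from the SPF project or from this
newsletter's author.  Implements the ip4, ip6, include and all mechanisms
with the +/-/~/? qualifiers of the 2004 SPF drafts; a constructed dictionary
replaces the DNS TXT lookup so that it runs offline."""
import ipaddress

# Constructed records standing in for DNS TXT data.  Domains and addresses are
# invented (documentation address ranges).
RECORDS = {
    "bank.example":        "v=spf1 ip4:192.0.2.0/24 -all",
    "shop.example":        "v=spf1 include:mailer.example ~all",
    "mailer.example":      "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all",
    "bulk-offers.example": "v=spf1 ip4:203.0.113.0/24 -all",  # spammer-owned
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10       # guards against include loops between records


def check_spf(sender_ip, domain, records=RECORDS, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Returns one of pass/fail/softfail/neutral/none/permerror, following the
    draft's rule that the first matching mechanism decides the result.
    """
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # `in` is False when the address and network are different versions
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            # include matches only when the referenced domain yields "pass"
            matched = check_spf(sender_ip, argument, records, depth + 1) == "pass"
        else:
            return "permerror"   # a, mx, ptr, exists need live DNS; out of scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"             # nothing matched and no "all" term present


def filter_decision(sender_ip, domain, blocklist, records=RECORDS):
    """Combine the SPF result with a domain block list, as the column advises.

    SPF only says whether the sending host is authorised for the claimed
    domain.  A spammer who publishes a correct record for a domain he owns
    gets "pass", so a pass must not by itself mean "deliver".
    """
    result = check_spf(sender_ip, domain, records)
    if result == "fail" or domain in blocklist:
        return "reject"
    if result == "softfail":
        return "quarantine"
    return "accept"


if __name__ == "__main__":
    print("forged bank mail:", check_spf("203.0.113.5", "bank.example"))
    print("spammer's own domain:", check_spf("203.0.113.5", "bulk-offers.example"))
    print("with block list:", filter_decision("203.0.113.5", "bulk-offers.example",
                                              {"bulk-offers.example"}))
```

The forged message claiming to be from bank.example fails; the same host sending as bulk-offers.example passes, because the record is the spammer's own. Only the block list (or content filtering, or a reputation feed) catches the second case, which is the author's point about combining SPF with other methods.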
As you may know, the current rendition of SPF is already part of several mail-filtering packages; undoubtedly, such integration will continue. If you intend to curb unwanted email, you'll need to adapt to a method of filtering and tune that method as necessary. ==================== ==== Sponsor: Windows & .NET Magazine ==== Get 2 Sample Issues of Windows & .NET Magazine! Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Exchange, scripting, and much more. Our expert authors deliver how-to articles and product evaluations that will help you do your job better. Try two, no-risk sample issues today, and find out why 100,000 IT professionals rely on Windows & .NET Magazine each month! http://list.winnetmag.com/cgi-bin3/DM/y/egA50CJgSH0CBw0BEuX0Ad ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.winnetmag.com/departments/departmentid/752/752.html Feature: Coping with Today's Killer App Some people are still waiting for the next killer app to emerge. But in my view, email is the killer app and has been for the past several years. Email has opened up easy communication for people both inside and outside an organization. It's a fast and convenient transport and distribution mechanism for vital information and enables an organization to operate smoothly. For many companies, email is a mission-critical component: If email is down, the business suffers--sometimes dramatically. In this article, Michael Otey discusses the need to treat email as the vital company resource it is and protect it. 
http://www.winnetmag.com/article/articleid/42593/42593.html News: Report from the Phishing Spot According to the Anti-Phishing Working Group, in April, 1125 unique scams tried to obtain sensitive information from customers of 12 well-known companies, including Citibank, U.S. Bank, eBay, PayPal, and Federal Deposit Insurance Corporation (FDIC). In March, the group tracked 402 scams against 18 companies. As of the last week in May, half as many companies had been targeted as in April, but the total number of scams for the month was unreported. http://www.winnetmag.com/article/articleid/42785/42785.html Feature: A First Look at the New MBSA Microsoft recently released a new version of Microsoft Baseline Security Analyzer (MBSA), a free security auditing and reporting tool. MBSA 1.2 has many enhancements that improve its functionality for system and security administrators. In addition to the ability to scan 10,000 machines in one run, MBSA now audits against a Microsoft Software Update Services (SUS) server and, when run locally, reports on macro settings in Microsoft Office products, the state of the Automatic Updates client, and the state of the Internet Connection Firewall (ICF). Paula Sharick gives an overview of the more notable new features in MBSA 1.2 in this article on our Web site. http://www.winnetmag.com/article/articleid/42757/42757.html News: Microsoft Partnering to Sell ISA Server Appliances Microsoft announced at the Tech Ed 2004 conference in San Diego last week that it will team with hardware vendors to begin selling security appliances. The company aims to provide customers with a dedicated hardware solution that runs Internet Security and Acceleration Server (ISA) 2004, which is currently in beta testing. The solution will become available in the third quarter of this year from HP, Network Engines, Celestix Networks, and Avantis. The starting price will be $1499 per CPU, per server. 
http://www.microsoft.com/isaserver/beta/hardwaresolutions.asp ==================== ==== Announcements ==== (from Windows & .NET Magazine and its partners) New Chapter Available--"The Expert's Guide for Exchange 2003: Preparing for, Moving to, and Supporting Exchange Server 2003" Chapter 4 is now available, "Database Strategies and Server Sizing." This free eBook will educate Exchange administrators and systems managers about how to best approach the migration and overall management of an Exchange 2003 environment. You'll learn about core issues such as configuration management, accounting, monitoring performance, and more. Get the latest chapter now! http://list.winnetmag.com/cgi-bin3/DM/y/egA50CJgSH0CBw0BIoQ0AU Chapter 2 Available Now--"Preemptive Email Security and Management" This free eBook will offer a preventive approach to eliminating spam and viruses, stopping directory harvest attacks, guarding content, and improving email performance. In this new chapter, learn evolving techniques for eliminating spam, email virus, and worm threats. Download this eBook today! http://list.winnetmag.com/cgi-bin3/DM/y/egA50CJgSH0CBw0BIoR0AV Windows & .NET Magazine Announces Best of Tech Ed Winners! Windows & .NET Magazine and SQL Server Magazine announced the winners of the Best of Tech Ed 2004 Awards. The field included more than 260 entries in 10 categories. Winners were announced at a private awards ceremony on Wednesday, May 26 at Tech Ed. Click here to find out the winners: http://list.winnetmag.com/cgi-bin3/DM/y/egA50CJgSH0CBw0BIoS0AW ==================== ==== 3. Instant Poll ==== Results of Previous Poll The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "Which wireless intrusion prevention system do you use?" Here are the results from the 9 votes. 
- 11% AirDefense products - 0% AirMagnet products - 0% Red-M products - 11% Aruba Wireless Networks products - 78% Other products New Instant Poll The next Instant Poll question is, "Does your company intend to implement Windows XP Service Pack 2 (SP2)?" Go to the Security Web page and submit your vote for - Yes, as soon as it's available - Yes, within 3 months of its release - Yes, within 6 months of its release - Yes, but we're not sure when - No http://www.winnetmag.com/windowssecurity ==== 4. Security Toolkit ==== FAQ: How can I enable forms-based authentication for an Exchange Server 2003 system that hosts Microsoft Outlook Web Access (OWA)? by John Savill, http://www.winnetmag.com/windowsnt20002003faq A. After you enable Secure Sockets Layer (SSL) on a Microsoft Internet Information Services 5.0 (IIS) server (as I describe in the FAQ "How can I obtain a certificate so that I can enable Secure Sockets Layer (SSL) on my Microsoft Internet Information Services 5.0 (IIS) server?"), you can enable forms-based authentication on the server by performing these steps: 1. Start the Exchange System Manager (ESM) utility (click Start, Programs, Microsoft Exchange, System Manager). 2. Navigate to the OWA server (Administrator Groups, <Administrative group name>, Servers, <Server name>). 3. Expand Protocols and expand HTTP. 4. Right-click the HTTP virtual server and click Properties. 5. Click the Settings tab of the displayed dialog box. 6. Select the "Enable Forms Based Authentication" check box and click OK. If you want to stop non-SSL connections to your Exchange server, you can modify the Exchange virtual directory through the Microsoft Management Console (MMC) IIS snap-in as follows: 1. Access the Exchange virtual directory's Properties page. 2. Click the Directory Security tab. 3. Click Edit, and in the Secure Communication section, select the "Require secure channel (SSL)" check box. 
Featured Thread: Port Scanning a Windows Server 2003 System (Seven messages in this thread) A reader writes that he recently downloaded a simple port scanner program and scanned his Windows Server 2003 test server. He found that the server is running the following services: Domain Controller for his test Active Directory (AD), DHCP, DNS, FTP, File/Print Server, and RRAS with 2 NICs--one connected to a cable modem and the other to the LAN. After the port scanner has scanned all the ports of the WAN IP, its report shows that numerous other ports are open. The reader wants to know how to find out which programs are listening on each of the ports and how worms work (because he suspects that a worm might be able to infiltrate his system on one of the listening ports). Lend a hand or read the responses: http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=121555 ==================== ==== Events Central ==== (A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events ) New Web Seminar--Shrinking the Server Footprint: Blade Servers In this free Web seminar, you'll learn how blade servers provide native hot-swappable support, simplified maintenance, modular construction, and support for scalability. And we'll talk about why you should be considering a blade server as the backbone of your next hardware upgrade. Register now! http://list.winnetmag.com/cgi-bin3/DM/y/egA50CJgSH0CBw0BIoT0AX ==================== ==== 5. New and Improved ==== by Jason Bovberg, products@winnetmag.com Monitor Your Server from Anywhere in the World GFI Software announced GFI Network Server Monitor 5.5, the most recent version of its automatic network and server monitoring tool. The upgraded version includes a remote Web monitor, which lets you check network and server status from anywhere in the world from a Web browser, a mobile phone, or any handheld device. 
GFI Network Server Monitor 5.5 costs $699 for unlimited monitoring of all workstations and servers or $375 for a five-server monitoring license. For more information about GFI Network Server Monitor 5.5 and to obtain an evaluation version, contact GFI on the Web. http://www.gfi.com/nsm Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com. ==================== ==== Sponsored Links ==== Argent Comparison Paper: The Argent Guardian Easily Beats Out MOM http://list.winnetmag.com/cgi-bin3/DM/y/egA50CJgSH0CBw0BDWV0A5 ==================== ==== Contact Us ==== About the newsletter -- letters@winnetmag.com About technical questions -- http://www.winnetmag.com/forums About product news -- products@winnetmag.com About your subscription -- securityupdate@winnetmag.com About sponsoring Security UPDATE -- emedia_opps@winnetmag.com ==================== ==== Contact Our Sponsors ==== Primary Sponsor: OpenNetwork -- http://www.opennetwork.com ==================== This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today. http://www.winnetmag.com/sub.cfm?code=wswi201x1z You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you! View the Windows & .NET Magazine privacy policy at http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy Windows & .NET Magazine, a division of Penton Media, Inc. 
221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2004, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Jun 3 03:33:29 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jun 3 04:11:31 2004 Subject: [ISN] [Vmyths.com ALERT] mi2g predicts ''catastrophic'' attack in 2004 Message-ID: Vmyths.com Virus Hysteria Alert Truth About Computer Security Hysteria {2 June 2004, 17:50 CT} CATEGORY: Hysteria related to a publicity stunt British firm "mi2g" issued a "news release" today to predict a heinous Internet attack will occur this year. They declared "the probability of a catastrophic malware attack, defined as global damages in excess of $100bn from a chain of combined events, has risen from 1 in 40 (2.5%) for 2003 to about 3 in 10 (30%) for 2004." Vmyths dismisses the prediction as a blatant publicity stunt. mi2g is famous in the security world for using a digital crystal ball -- and this latest "news release" fails to buttress a supposed twelve-fold increase in the accuracy of their beliefs. Vmyths has documented a string of bad mi2g predictions dating back to 1999. Two recent examples include (1) a terrorist cyber-strike on the first anniversary of the "9/11" attacks and (2) a crippling cyber-war during the 2003 invasion of Iraq. mi2g did not pinpoint who might launch their newest predicted catastrophe. They talked only in vague terms about "hacking groups," "criminal syndicates," and "politically and ideologically motivated" organizations. mi2g speculated the masterminds will use diabolical "automated malware agents distributed through email spam, viruses and worms" to "convert millions of computers to zombies for nefarious purposes." mi2g left "nefarious purposes" to the reader's imagination. mi2g defined a "catastrophic malware attack" as "global damages in excess of $100bn." This is convenient, because mi2g is the media's ONLY source for absurdly precise virus damage costs. 
Vmyths believes media outlets will embrace the new publicity stunt for exactly this reason. Gullible reporters routinely fall for mi2g's fearmongering predictions, wild damage guesstimates, irrelevant granfalloons, and creative phrases like "global digital eco-system" and "digital risk fallout." Vmyths has repeatedly slammed mi2g over the years for its blatant PR stunts. This latest "news alert" is actually a thinly veiled plug for their "D2-Banking" service. We've highlighted mi2g in multiple Hysteria Alerts and we maintain a "Hysteria roll call" resource on them: mi2g "Hysteria roll call" resource: http://Vmyths.com/resource.cfm?id=64&page=1 Hysteria Alerts archive: http://Vmyths.com/resource.cfm?id=34&page=1 Vmyths insists you should never take mi2g's claims at face value. For example, they trumpet themselves as a computer security firm "since 1995" when in fact they wormed their way into the security world in 1999. mi2g has threatened in the past to sue Vmyths for libel (see http://Vmyths.com/rant.cfm?id=497&page=4 for details). For the record: we stand by our criticisms. However, Vmyths prides itself for an industry-leading "corrections and clarifications" page. Anyone may write to VeaCulpa@Vmyths.com to contest our claims & accusations. Anyone may visit http://Vmyths.com/rant.cfm?id=470&page=4 to rebut our opinions & criticisms. Don't take mi2g's "news alerts" at face value. Stay calm. Stay reasoned. And stay tuned to Vmyths. 
Rob Rosenberger, editor
http://Vmyths.com
Rob@Vmyths.com
(319) 646-2800

Acknowledgements: confidential source

CATEGORY: Hysteria related to a publicity stunt

--------------- Useful links ------------------

Remember this when virus hysteria strikes
http://Vmyths.com/resource.cfm?id=31&page=1

Common clichés in the antivirus world
http://Vmyths.com/resource.cfm?id=22&page=1

False Authority Syndrome
http://Vmyths.com/fas/fas1.cfm

From isn at c4i.org Thu Jun 3 03:34:25 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 3 04:11:32 2004
Subject: [ISN] Sun to open source Solaris
Message-ID:

http://www.nwfusion.com/news/2004/0602suntoop.html

By Robert McMillan
IDG News Service
06/02/04

After months of hinting about its intentions, Sun on Wednesday confirmed that it intends to release source code from its Solaris operating system under an open source licence.

Sun spokesman Russ Castronovo confirmed that an open source Solaris is in the works, but he declined to reveal any significant details about the project including what software license Sun would be using, whether all of the components of the operating system would be open-sourced and when, exactly, Sun intended to release an open source Solaris.

"At this time it's in the development phase," said Castronovo. "We're in the thinking about it stage, and looking at details," he said. "There are a million details to work out."

The debate over whether or not to open source Solaris has been a contentious one, according to sources within Sun. As recently as Tuesday, Sun CEO Scott McNealy was claiming that it would make little sense for Sun to freely release such a valuable asset.

But Sun has, in fact, released a number of open source software products to date, including the OpenOffice productivity suite, components of the Gnome desktop, and the Tomcat servlet container. However, the company has, until now, declined to release its most important software assets -- Solaris and the Java platform -- under an open source license.
While the central kernel of the Solaris operating system includes some interesting technology, an open source Solaris will need to materialize within the next few months if it is to be of any interest to developers, said Eric Raymond, founder of the Open Source Initiative, a nonprofit corporation created to help companies develop open source software licenses.

"If they don't get this done within six months, it's not going to matter at all because Linux is advancing too fast," he said.

Sun has lost a significant portion of its business to Linux servers running on inexpensive Intel-based systems. Linux server shipments grew by 57% year-over-year in the first quarter of 2004, while sales of Unix servers declined by 3% during that time, according to industry research firm IDC.

The fact that Sun is now planning to open source Solaris is somewhat ironic, Raymond said. "It is a matter of record that Linux was written because Solaris was too expensive and was closed source," he said. "If they had open-sourced it in 1990 or sooner, Linux would never have happened."

From wk at c4i.org Fri Jun 4 02:15:02 2004
From: wk at c4i.org (William Knowles)
Date: Fri Jun 4 03:05:27 2004
Subject: [ISN] Expert calls for better security
Message-ID:

http://www.fcw.com/fcw/articles/2004/0531/web-secure-06-03-04.asp

By Dibya Sarkar
June 3, 2004

A leading expert who helped develop the federal cybersecurity strategy during the Clinton administration said the plan is not working and needs to be overhauled.

"We are grossly unprepared to address the issue of cyberterrorism," said Jeffrey Hunker, a professor of technology policy at Carnegie Mellon University.
Hunker, who spoke today at a Washington, D.C., homeland security conference sponsored by McGraw-Hill Companies, said people need to better understand the threats, build national structures for network security, understand the interdependencies with critical infrastructure, build incentives for educational awareness and recognize new technologies and standards.

He listed six suggestions to improve cybersecurity:

* Invest more in collecting statistics related to cybercrime.

* Keep what works, such as federal research, developing funding, private and public partnerships and a federal program that provides scholarships to undergraduate and graduate students studying computer security.

* Develop national standards that have teeth, meaning officials would enforce them.

* Expand and clearly define organizational and personal liability.

* Have the Securities and Exchange Commission require companies to disclose cybersecurity investments to their investors.

* Adjust federal research and development practices that also focus on developing management programs.

Hunker, a former senior director of critical infrastructure with the National Security Council, said the United States has also failed to take leadership to shape global policy, leaving that to the European Union, United Nations and others.

The United States, he added, hasn't seen anything that can even be characterized as cyberterrorism. Most events should be described as either cybercrime or vandalism. "These are...inconvenient but don't rise to the level of national security," he said.

However, he said there have been cyber skirmishes between countries such as China and Taiwan and between Israelis and Palestinians. He said after the Chinese embassy was bombed in Belgrade, Yugoslavia, in 1999 by NATO forces, Chinese hackers launched a number of attacks against U.S. federal institutions.
However, Hunker, who is writing a book about the subject due out soon, said he expects to see some type of cyberterrorist attack in the next five years.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*

From isn at c4i.org Fri Jun 4 02:28:12 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 4 03:05:28 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-23
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-05-27 - 2004-06-03

This week : 30 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

ADVISORIES:

Vulnerabilities have been reported in Kerberos V5, which could be exploited to compromise a vulnerable system.

Patches are available that address these vulnerabilities.

Reference:
http://secunia.com/SA11753

--

Apple has issued a new security update for Mac OS X, which addresses no less than 8 unspecified vulnerabilities.

Currently, no further details have been disclosed by Apple. Users are therefore advised to apply this update as soon as possible.

See Secunia advisory below for further details about how to obtain the update.

Reference:
http://secunia.com/SA11724

VIRUS ALERTS:

During the last week, Secunia issued one MEDIUM RISK virus alert. Please refer to the grouped virus profile below for more information:

Korgo.F - MEDIUM RISK Virus Alert - 2004-06-02 19:58 GMT+1
http://secunia.com/virus_information/9767/korgo.f/

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1.  [SA11689] Mac OS X Volume URI Handler Registration Code Execution Vulnerability
2.  [SA11622] Mac OS X URI Handler Arbitrary Code Execution
3.  [SA11724] Mac OS X Multiple Unspecified Vulnerabilities
4.  [SA11534] Apache mod_ssl "ssl_util_uuencode_binary()" Buffer Overflow Vulnerability
5.  [SA11746] Windows 2000 Expired Password Domain Authentication Security Issue
6.  [SA10395] Internet Explorer URL Spoofing Vulnerability
7.  [SA11754] Linksys Routers Administrative Web Interface Access Security Issue
8.  [SA11728] Novell iManager and eDirectory OpenSSL Vulnerabilities
9.  [SA11730] Sun Java System Application Server Path Disclosure Weakness
10. [SA11641] CVS Entry Line Heap Overflow Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA11727] WildTangent Web Driver Filename Buffer Overflow Vulnerability
[SA11731] TinyWEB cgi-bin Content Disclosure Vulnerability
[SA11748] Sambar Server Administrative Area Cross Site Scripting Vulnerabilities
[SA11746] Windows 2000 Expired Password Domain Authentication Security Issue
[SA11730] Sun Java System Application Server Path Disclosure Weakness

UNIX/Linux:
[SA11747] spamGuard Multiple Buffer Overflow Vulnerabilities
[SA11741] Isoqlog Multiple Buffer Overflow Vulnerabilities
[SA11733] Debian update for jftpgw
[SA11732] jftpgw Logging Format String Vulnerability
[SA11757] Trustix update for apache
[SA11753] Kerberos V5 "krb5_aname_to_localname()" Buffer Overflow Vulnerabilities
[SA11751] Mandrake update for apache2
[SA11749] Mandrake update for mod_ssl
[SA11744] Debian update for ethereal
[SA11743] tla libneon Client Code Format String Vulnerabilities
[SA11736] Fedora update for vsftpd
[SA11735] Gentoo update for mplayer/xine-lib
[SA11734] SquirrelMail "Content-Type:" Header Script Injection Vulnerability
[SA11726] OpenPKG update for apache
[SA11729] Gentoo update for heimdal
[SA11742] OpenBSD update for kerberos
[SA11750] Mandrake update for xpcd
[SA11738] Debian GATOS xatitv Potential Privilege Escalation Vulnerability

Other:
[SA11754] Linksys Routers Administrative Web Interface Access Security Issue

Cross Platform:
[SA11740] e107 Multiple Vulnerabilities
[SA11755] PHPoto Unspecified Vulnerabilities
[SA11752] Gallery User Authentication Bypass Vulnerability
[SA11739] Land Down Under BBcode Script Insertion Vulnerability
[SA11737] jPORTAL "print.inc.php" SQL Injection Vulnerability
[SA11728] Novell iManager and eDirectory OpenSSL Vulnerabilities
========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA11727] WildTangent Web Driver Filename Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-05-28

NGSSoftware has reported a vulnerability in WildTangent Web Driver, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/11727/

--

[SA11731] TinyWEB cgi-bin Content Disclosure Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2004-06-01

Ziv Kamir has discovered a vulnerability in TinyWEB, which can be exploited by malicious people to download or disclose the content of files in the "cgi-bin/" directory.

Full Advisory: http://secunia.com/advisories/11731/

--

[SA11748] Sambar Server Administrative Area Cross Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-06-02

Oliver Karow has reported some vulnerabilities in Sambar Server, which can be exploited to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/11748/

--

[SA11746] Windows 2000 Expired Password Domain Authentication Security Issue

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2004-06-01

A security issue has been discovered in Windows 2000, which may allow bypassing certain security restrictions.

Full Advisory: http://secunia.com/advisories/11746/

--

[SA11730] Sun Java System Application Server Path Disclosure Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2004-05-28

Marc Schoenefeld has reported a weakness in Sun Java System Application Server, which can be exploited by malicious people to gain knowledge of path information.
Full Advisory: http://secunia.com/advisories/11730/

UNIX/Linux:--

[SA11747] spamGuard Multiple Buffer Overflow Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-06-01

Multiple vulnerabilities have been discovered in spamGuard, where some potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/11747/

--

[SA11741] Isoqlog Multiple Buffer Overflow Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-06-01

Multiple vulnerabilities have been discovered in isoqlog, where some potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/11741/

--

[SA11733] Debian update for jftpgw

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-05-30

Debian has issued an update for jftpgw. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/11733/

--

[SA11732] jftpgw Logging Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-05-30

Jaguar has reported a vulnerability in jftpgw, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/11732/

--

[SA11757] Trustix update for apache

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-06-02

Trustix has issued an update for apache. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11757/

--

[SA11753] Kerberos V5 "krb5_aname_to_localname()" Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-06-02

Vulnerabilities have been discovered in Kerberos V5, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/11753/

--

[SA11751] Mandrake update for apache2

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-06-02

MandrakeSoft has issued an update for apache2. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/11751/

--

[SA11749] Mandrake update for mod_ssl

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-06-02

MandrakeSoft has issued an update for mod_ssl. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/11749/

--

[SA11744] Debian update for ethereal

Critical:    Moderately critical
Where:       From remote
Impact:      System access, DoS
Released:    2004-05-31

Debian has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial-of-Service).

Full Advisory: http://secunia.com/advisories/11744/

--

[SA11743] tla libneon Client Code Format String Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-05-31

tla is affected by some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11743/

--

[SA11736] Fedora update for vsftpd

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-05-31

Fedora has issued an update for vsftpd. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/11736/

--

[SA11735] Gentoo update for mplayer/xine-lib

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-05-31

Gentoo has issued updates for mplayer and xine-lib. These fix some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/11735/

--

[SA11734] SquirrelMail "Content-Type:" Header Script Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-06-01

Román Medina-Heigl Hernández has reported a vulnerability in SquirrelMail, which can be exploited by malicious people to conduct script injection attacks.

Full Advisory: http://secunia.com/advisories/11734/

--

[SA11726] OpenPKG update for apache

Critical:    Moderately critical
Where:       From remote
Impact:      System access, DoS
Released:    2004-05-28

OpenPKG has issued an update for apache. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/11726/

--

[SA11729] Gentoo update for heimdal

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2004-05-28

Gentoo has issued an update for heimdal. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11729/

--

[SA11742] OpenBSD update for kerberos

Critical:    Less critical
Where:       From local network
Impact:      Spoofing
Released:    2004-05-31

OpenBSD has issued an update for kerberos. This fixes a vulnerability, which may allow certain people to impersonate others.

Full Advisory: http://secunia.com/advisories/11742/

--

[SA11750] Mandrake update for xpcd

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-06-02

MandrakeSoft has issued an update for xpcd. This fixes some vulnerabilities, which potentially can be exploited by malicious people to execute arbitrary code on a user's system.

Full Advisory: http://secunia.com/advisories/11750/

--

[SA11738] Debian GATOS xatitv Potential Privilege Escalation Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-05-31

Debian has issued an update for gatos. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/11738/

Other:--

[SA11754] Linksys Routers Administrative Web Interface Access Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-06-02

A security issue has been reported in some Linksys routers, which potentially may grant malicious people administrative access to a vulnerable device.

Full Advisory: http://secunia.com/advisories/11754/

Cross Platform:--

[SA11740] e107 Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Released:    2004-06-01

Janek Vind "waraxe" has reported some vulnerabilities in e107, which can be exploited by malicious people to disclose path information, conduct cross-site scripting and SQL injection attacks, and include arbitrary files.
Full Advisory: http://secunia.com/advisories/11740/

--

[SA11755] PHPoto Unspecified Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2004-06-02

Some unspecified vulnerabilities with unknown impact have been discovered in PHPoto.

Full Advisory: http://secunia.com/advisories/11755/

--

[SA11752] Gallery User Authentication Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-06-02

A vulnerability has been discovered in Gallery, which can be exploited by malicious people to bypass the user authentication.

Full Advisory: http://secunia.com/advisories/11752/

--

[SA11739] Land Down Under BBcode Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-05-31

crypt0 has reported a vulnerability in Land Down Under, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/11739/

--

[SA11737] jPORTAL "print.inc.php" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information, Exposure of sensitive information
Released:    2004-05-31

Maciek Wierciski has reported a vulnerability in jPORTAL, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/11737/

--

[SA11728] Novell iManager and eDirectory OpenSSL Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-05-28

Novell has acknowledged multiple OpenSSL vulnerabilities in eDirectory and iManager, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/11728/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Jun 4 02:28:39 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 4 03:05:29 2004
Subject: [ISN] [Vmyths.com ALERT] mi2g predicts ''catastrophic'' attack in 2004
Message-ID:

Forwarded from: Kurt Seifried

Hahaha, joke's on mi2g. I'm betting a global cyber catastrophe will only result in 99.7 billion dollars and 54 cents (which country's dollars I do not know, and do they mean a European billion, which is a North American trillion?). Boy will mi2g look bad when the world melts down and they were caught 299,999,999.46 over on their estimate (or if they meant a European billion then they'll be off by a few orders of magnitude, but at that point I think the world economy would be drooling and twitching on the floor). Somehow $99,699,999,999.54 is silly, but 100 billion is ok.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

From isn at c4i.org Fri Jun 4 02:29:59 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 4 03:05:30 2004
Subject: [ISN] Simple passwords no longer suffice
Message-ID:

Forwarded from: myemailaccount@fastmail.fm

I consider password security to be most important. I understand regular users cannot think of thousands of passwords and not write them down. Because my memory is also not perfect I have developed the following password scheme:

I memorized 8 different sequences of alphanumerical characters, let's call them SACs (just inventing a new abbreviation here).
Each different in size and using some uppercase letters. I give them all a number (so SAC1, SAC2, SAC3 etc.)

For every account I select three of these sequences of alphanumerical characters, and put them in a certain order. That is my password. I then write down the order in a password protected database (with a simpler password, don't care that much if the database is compromised).

So for example: For hotmail I might use sequences SAC4, SAC5, SAC2. I just add to my password database "Hotmail 452" and I know what the password is. For sequences SAC1, SAC8, SAC3, which I use with my mail certificate, the note I have written down is "mail certificate 183".

Somewhere else I have as a reminder a list of all my SACs but only with the first two characters being correct, the rest is put there as disinformation. So I actually look only at the first two characters and then remember what that SAC was again. So I have a list that looks like this:

SAC#   written down     - real password
SAC1   fuh355y9wtga9    - fuh5y05edh
SAC2   g8betb8g         - g8bs=hb56hRRTYsh
SAC3   l;kyh35h9        - l;g588bas3DR
SAC4   aBfbvsdh4        - aBbdnitbAA$
SAC5   GgfasdG          - Gggrw422a~
SAC6   >>GSDFGWRw444    - >>GAEB53th8g3e
SAC7   BbgRhgw52354     - Bdghbwtrb53
SAC8   6775u3ed5us      - 67hJ^$6493

So for example when I need my password to get into hotmail I just open my password database or grab my paper printout of the list and look up the hotmail account, I see "Hotmail 452". I also look up my SAC list up here and by looking at the first few characters I remember what each SAC is. So the password is "aBbdnitbAA$Gggrw422a~g8bs=hb56hRRTYsh" without the quotes.

Once you have the discipline to set up something similar and stick to it your password security will be incredible.
(and it's worth the look on people's faces when they see you enter passwords of more than 20 characters at lightning speed, try to sneak up that one =D )

Also I try to maintain my habit to type in numbers on the number keypad and as I do so cover up my hand with the other hand so it cannot really be seen or recorded by cameras. Just as one would protect their pin-code. (also considering those credit thieves that build cameras into ATM machines and devices that record your magnetic strip. Haha, have fun with my strip, but you couldn't see my pin code :P)

Greetings,

Da paranoid android ;-)

> -----Original Message-----
> From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org] On Behalf Of InfoSec News
> Sent: Thursday, June 03, 2004 09:31
> To: isn@attrition.org
> Subject: [ISN] Simple passwords no longer suffice
>
> http://www.cnn.com/2004/TECH/ptech/06/01/beyond.passwords.ap/index.html
>
> June 1, 2004
>
> (AP) -- To access her bank account online, Marie Jubran opens a Web browser and types in her Swedish national ID number along with a four-digit password.
>
> For additional security, she then pulls out a card that has 50 scratch-off codes. Jubran uses the codes, one by one, each time she logs on or performs a transaction. Her bank, Nordea PLC, automatically sends a new card when she's about to run out.
>
> As more Web sites demand passwords, scammers are getting more clever about stealing them. Hence the need for such "passwords-plus" systems.
>
> Scandinavian countries are among the leaders as many online businesses abandon static passwords in favor of so-called two-factor authentication.
>
> "A password is a construct of the past that has run out of steam," said Joseph Atick, chief executive of Identix Inc., a Minnesota designer of fingerprint-based authentication. "The human mind-set is not used to dealing with so many different passwords and so many different PINs."
>
> When a static password alone is required, security experts recommend that users combine letters and numbers and avoid easy-to-guess passwords like "1234" or a nickname.

From isn at c4i.org Fri Jun 4 02:30:13 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 4 03:05:31 2004
Subject: [ISN] Yorker advises Greeks on Olympic security
Message-ID:

http://www.yorkdispatch.com/Stories/0,1413,138~10023~2190329,00.html

By JACK SHOLL
The York Dispatch
June 03, 2004

As Greece prepares for the start of the summer Olympic games in two months, its government is taking steps against potential terrorist attacks in Athens.

Intelligence experts say major events like the Olympics present potential targets. Although physical attacks are one possibility, another is a computer assault, such as hacking into the Olympic security systems.

High-tech security: "We do everything today on the computer," said James Walsh of Red Lion, a retired special agent with the U.S. State Department who just returned from Greece.

Walsh now consults for governments and companies, and trained the Hellenic National Police Force in computer security.

"We haven't had a massive computer attack in the past," he said. "But we're gearing up for it. The potential for a huge problem is there."

Walsh specializes in computer forensics, a relatively new field that combines law enforcement with computer technology. He helped the U.S. government start its first computer forensics program and now teaches a "Digital Evidence" class in the Continuing Education Program at Georgetown University Law School in Washington, D.C.

Crafting a response: Walsh taught Greek police how to respond to possible cyber-terrorism. Because of the nature of the work, he's reluctant to talk about how and why terrorists could disrupt or hack into the Olympic computer systems.

But, he points to a general example: "Imagine the problems if terrorists could interrupt vital banking transactions in the world."
Such speculation is backed by hard realities. Although the motivation turned out to be financial gain, he cites an identity-theft case he worked on.

The individual, he says, now serving a 7 1/2-year prison sentence, had created three separate identities, each with its own false passport, birth certificate, and bank account and credit records. A U.S. State Department visa inspector flagged one of the passports when the man returned from a trip to Africa. Walsh was called in.

The person had erased all e-mails and records from his laptop computer, but Walsh recovered from the computer's hard drive many documents that unearthed the three identities.

York County detective: Walsh, 57, received a B.S. in criminal justice from York College and an M.A. in public administration from Harvard University. He was York County Chief of Detectives from 1977 to 1981.

During his government career, Walsh was a special agent for the Diplomatic Security Service of the U.S. State Department, the department's own security force. The unit focuses on passport and visa fraud, terrorism and counterterrorism, and counterintelligence.

Many of his assignments were abroad, where he advised American ambassadors, including the ambassador in Ankara, Turkey, on intelligence and law enforcement matters.

He also helped protect foreign dignitaries in the United States who were not at the head of state level -- heads of state are protected by the U.S. Secret Service and other agencies -- as well as officials from countries not recognized by the U.S.

That included supervising security details for the presidents of Northern Cyprus and Bosnia; the Crown Princes of Japan and Spain; the Duchess of York, Sarah Ferguson; and the U.S. Ambassador from Saudi Arabia, Saudi Prince Bandar Bin Sultan Bin Abdulaziz.

From home bases in Washington and New York, Walsh's 20 years of government service took him all over the world, from the Middle East to Western and Eastern Europe to Central and South America.
"Not bad for a little old boy who was a county detective in York," he said with a laugh.

From isn at c4i.org Fri Jun 4 02:30:26 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 4 03:05:31 2004
Subject: [ISN] Security cert body gives lesson in insecurity
Message-ID:

http://www.theregister.co.uk/2004/06/03/isc2_survey_snafu/

By John Leyden
3rd June 2004

Security certification and training body (ISC)2 has apologised for a serious security breach which saw the personal details of thousands of respondents to a survey posted onto an insecure server.

Phone numbers, email and contact addresses for many of the estimated 20,000 respondents to the (ISC)2 Constituent Survey were easily available on the site because of lax security for a short time towards the end of last week. The data was unencrypted and left open to harvesting through simple URL manipulation despite a promise from (ISC)2 to survey participants that "your answers and feedback will be kept strictly confidential and will not be associated with you, your organization, or your employer".

It was also possible to modify the information filled in, according to a Register reader, who sent us a sample of data (home and work addresses and phone numbers) to back up his concerns.

Upon hearing about the problem, (ISC)2 responded quickly by closing the survey site. The survey was re-opened on Tuesday after coders closed up the gaping security loophole. It's unclear whether any sensitive data got into the wrong hands as a result of the cock-up.

(ISC)2 has issued a statement explaining its handling of the problem: "In the few hours after (ISC)2's annual Constituent Survey 2004 was distributed by its survey vendor last Thursday, several constituents alerted (ISC)2 that the survey had a potential vulnerability which, under the right circumstances, could reveal a respondent's name and survey answers. The survey was shut down immediately and all survey data was locked down.
The issue has been resolved and the survey was re-opened on Tuesday."

"This is an internal survey of (ISC)2 constituents who are certified information security professionals bound by the (ISC)2 Code of Ethics. (ISC)2 is investigating the matter with its survey vendor. We apologize to our constituents for any inconvenience," it added.

From isn at c4i.org Fri Jun 4 02:30:39 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 4 03:05:32 2004
Subject: [ISN] Revenge-seeking university employee hacks into server
Message-ID:

http://mdn.mainichi.co.jp/news/20040602p2a00m0dm011000c.html

Mainichi Shimbun Japan
June 2, 2004

A private university employee who hacked into the institution's computer server in retaliation for being demoted has been arrested, Tokyo police said.

Ryoichi Nakayama, 47, a clerk at Takachiho University in Suginami-ku, Tokyo, is accused of violating the anti-hacking law.

"I committed the crime because I'm no longer able to do computer-related work," he was quoted as telling investigators.

Nakayama used his own computer and a secret password to illegally access the university's server on over 100 occasions between October and December last year. He looked at e-mail sent to colleagues and made its bulletin board inaccessible, investigators said.

Nakayama was hired as a computer expert at the university in 1998. However, the university transferred him to its library as a clerk in May last year after holding him responsible for defects in its computer system's security network.
From isn at c4i.org Fri Jun 4 02:36:22 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 4 03:05:33 2004
Subject: [ISN] Panel: Do not outsource all security
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,93609,00.html

By Chris Conrath
JUNE 03, 2004
ITWORLDCANADA

TORONTO - In a time when outsourcing is all the rage and IT security is slowly following this trend, panelists at yesterday's Infosecurity conference in Toronto were in agreement that certain portions of a company's security should always be kept in-house because they are too important to entrust to others.

"Never, ever outsource anything that touches your clients," said Rosaleen Citron, CEO of WhiteHat Inc., during the "view from the top" panel discussion. If something happens to corporate clients, from a security perspective, no matter whose fault it is, the company, not the outsourcer, gets the blame and its brand and image suffers.

Last year, the BMO Financial Group learned a version of this truth when two of its servers containing customer information inadvertently ended up on eBay for a few hours after one of its outsourcers shipped the wrong pallet. The mistake, from a "keep it in-house" security perspective, was that the bank should have wiped the server drives clean itself.

Ron Ross, chief strategist for Bell Canada's Managed Security Solutions, said the key to successfully defining what can be outsourced and what must be kept in-house is to define what is core to a company's success and what is contextual. "Core, keep in-house; context, let it go."

But not all information directly pertaining to security is considered to be core to a company's success. For many companies, managing firewalls, intrusion-detection systems and antivirus software are a headache best lived without. Outsourcing them, or at least their attributes, can be a wise security move, said Michael Murphy, Canadian country manager for Symantec Corp.
Though many companies still want control over the above-mentioned security solutions, they pass on the configurations to a third party to monitor them and to aggregate the data with other systems around the world. This gives Symantec (as well as other companies offering managed security services solutions) the ability to advise its customers of trends and events as they develop, instead of waiting until they happen.

He likened self-monitoring your IT security environment to monitoring your home alarm system. Homeowners control the alarm but let someone else monitor it.

Murphy cited Symantec's statistics that show that companies using its managed security services for more than six months suffered fewer "severe events" than those newly signed on. Symantec was better able to understand the specific security needs of those clients with "tenure" and thus better apprise them of specific defense strategies for developing attacks.

During a six-month period (July to December 2003), 100% of those clients with less than three months of tenure had severe events. This number fell to 30% for those clients using Symantec's services for more than six months, Murphy said.

Though Dean Provost, president of IT services at Allstream Corp., didn't join the outsourcing debate, he had some advice for companies as they increase internal, as well as external, interconnectivity. As connectivity increases, so too does complexity, Provost said. "You create a larger surface area that you have to protect, [so you have] to think about what kind of environment you have created."

Companies have to pay careful attention to who has access to what information. "When we get audited, one of the things they ask is about [our] internal IT environment," he said. As a result of this attention to security details, Allstream can reduce its IT-related insurance bill, he said.
From isn at c4i.org Mon Jun 7 02:35:24 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 7 03:17:26 2004
Subject: [ISN] Bank glitch leaves 10 million Canadians without paycheque
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

A rather significant lack of information security practices and procedures has created a rather large problem where 1/3 of Canadians haven't been paid!

http://www.canadaeast.com/apps/pbcs.dll/article?AID=/20040604/TTEBRIEF/306040085/-1/FRONTPAGE

June 4, 2004
Times & Transcript Staff

Computer problems plaguing the Royal Bank of Canada have caused payroll paralysis across the country, affecting more than 10 million people nationwide, with the end for some unpaid clients not expected until the weekend.

More than 10,000 provincial government employees, including Premier Bernard Lord, were not paid yesterday, leaving $11.4 million in the government's bank account until the massive computer failure is fixed.

The payroll problem didn't end with the government; more than 3,000 NB Power employees were impacted as well as 125 City of Moncton workers who were left without a pay cheque.

Finance Minister Jeannot Volpé said the province is helpless in the matter.

"It is not something that we can fix ourselves," Volpé said. "It is very unfortunate for all the employees that were impacted but there is nothing that we can do about it."

By the end of business hours yesterday, Volpé said employees who use the Royal Bank, Bank of Montreal, CIBC and Toronto Dominion-Canada Trust should be paid but those using the Scotiabank, credit unions and other financial institutions would have to wait until today.

The finance minister also noted that some of the province's direct deposit payments to vendors and to people receiving family support orders have been affected.

Government workers were not complaining about the computer problems yesterday as they were leaving for their lunch break.
"Honestly it doesn't really affect my life today, no," said Micheline LeBlanc. "It is something that happens and we are used to computer glitches in the computer system."

Jim Knight, a government worker, said he knows he's going to get paid eventually and he feels worse for the bank's computer technicians.

"We've all been there and I hope it turns out well for them," Knight said.

The Royal Bank issued a statement late yesterday indicating all transactions made as of Tuesday have been updated and all money movement made as of Wednesday is expected to be reflected in client balances today. But transactions made yesterday are not anticipated to be processed until the weekend.

In situations where customers had been expecting to be paid and have necessary purchases, such as groceries, scheduled for the weekend, the Royal Bank is recommending they visit their local branch immediately.

"The branch will work with them and see if they can accommodate the client," said Lori Smith, a Halifax-based spokeswoman for the bank.

Bank branches were kept open later yesterday and Smith said, if there is a need in various communities today, business hours will be extended again.

As for individuals who have automatic withdrawals scheduled with other financial institutions, Smith said customers should not worry about late fees, overdraft charges or damaged credit ratings.

"All of the other financial institutions know and understand what is happening and we've asked for their co-operation in getting through this time," she said.

The bank has said the processing disruption was created during a routine programming update to one of the institution's computer systems. Despite the problems, bank officials are underscoring to their clients that their money is safe and secure.

The banking problems caught many employers off guard yesterday.
A City of Moncton spokeswoman could not estimate how much money was not transferred to employees but confirmed the city's finance department is keeping in touch with the Royal Bank to overcome the problems.

The province's power corporation has been particularly impacted by the computer problems as nearly $5 million has not been handed out to employees.

"While in the past we've had problems with individual banks, we've been able to rectify them on the same day," said Jeffrey Carleton, a NB Power spokesman. "This is the first time in well over two decades that we've ever had such a widespread problem in paying employees on the day that they are supposed to be paid."

NB Power's problems don't stop with the payroll department; large wire transfers to vendors, which can range from $15,000 to well over $1 million, were delayed in recent days.

The NB Power spokesman said, as of late yesterday, all the wire transfers to vendors, such as fuel suppliers or financial institutions, had been carried out and the banking backlog did not impact smaller vendors.

The power company has also been forced to make changes to its direct deposit system for customers. Carleton said NB Power will not withdraw funds from accounts that cannot pay because of the computer glitch and will catch back up in the next several days.

Stephane Robichaud, the director of provincial affairs for the Canadian Federation of Independent Business, said he hasn't yet received any complaints from the small businesses he represents in New Brunswick.

Mark E. S. Bernard, CISM, PM, PA
e-mail: mbernard@nbnet.nb.ca
Phone: (506) 375-6368

Leadership Quotes: "People cannot be managed. Inventories can be managed, but people must be led," H.
Ross Perot

From isn at c4i.org Mon Jun 7 02:37:17 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 7 03:17:28 2004
Subject: [ISN] [Vmyths.com ALERT] mi2g predicts ''catastrophic'' attack in 2004
Message-ID:

Forwarded from: Marc Maiffret

Can I get in at $1 so when everyone over bids I can win the house, and tractor trailer on the "price is wrong bitch" showcase showdown?

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062 F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org] On Behalf Of InfoSec News
| Sent: Thursday, June 03, 2004 11:29 PM
| To: isn@attrition.org
| Subject: Re: [ISN] [Vmyths.com ALERT] mi2g predicts ''catastrophic'' attack in 2004
|
| Forwarded from: Kurt Seifried
|
| Hahaha, jokes on mi2k. I'm betting a global cyber catastrophe will only result in 99.7 billion dollars and 54 cents (which country's dollars I do not know, and do they mean a european billion, which is a north american trillion?). Boy will mi2g look bad when the world melts down and they were caught 299,999,999.46 over on their estimate (or if they meant a european billion then they'll be off by a few orders of magnitude, but at that point I think the world economy would be drooling and twitching on the floor).
|
| Somehow $99,699,999,999,54 is silly, but 100 billion is ok.
|
| Kurt Seifried, kurt@seifried.org
| A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
| http://seifried.org/security/

From isn at c4i.org Mon Jun 7 02:37:42 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 7 03:17:29 2004
Subject: [ISN] Linux Advisory Watch - June 4th 2004
Message-ID:

+----------------------------------------------------------------+
|  LinuxSecurity.com                       Linux Advisory Watch  |
|  June 4th, 2004                          Volume 5, Number 23a  |
+----------------------------------------------------------------+

Editors:  Dave Wreski                  Benjamin Thomas
          dave@linuxsecurity.com       ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes point

This week, advisories were released for mailman, kde, MySQL, mc, Apache, Heimdal, utempter, and LHA. The distributors include Conectiva, FreeBSD: core, Gentoo, Mandrake, Red Hat, and SuSE.

-----
>> Internet Productivity Suite: Open Source Security <<
Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10
-----

Incident Response

One of the most overlooked aspects of information security is incident response. Often system administrators and management only take action after a compromise or critical failure. Incident response includes much more than sorting out problems after they occur. It includes incident preparation, detection mechanisms, containment, eradication, restoration, and review.

In preparation for a security incident, it is important to establish a security policy & plan of action and identify a security response team that is available 24 hours.
Software to be used during an incident should be installed, tested, and configured during the preparation phase. During the adrenaline rush of an incident, it is impossible to learn new software.

Administrators should also take appropriate steps to ensure event detection. This includes scanning and reviewing system log files, installing host and network based intrusion detection systems, and implementing a remote notification system to notify members of the security response team via pager or mobile phone.

Upon detection of an incident, it is important to have containment procedures. Is the threat a network user? It is important that the staff has the knowledge and tools necessary to address the problem at the firewall level. If there is a system compromise, is tripwire configured properly to report exactly what files were modified?

After containment, the next step is eradication. How can the problem be eliminated? The primary purpose of containment and eradication is limiting damage and stopping the problem from causing further damage.

After an incident has commenced, the next step is system restoration. It is important to assess the actual damage that took place and restore the system to its original condition. This may only include fixing a few files, or restoring completely from a tape-backup. Finally, after restoration it is important to review how well the incident was handled.

Until next time, cheers!
Benjamin D. Thomas
ben@linuxsecurity.com

----

Guardian Digital Security Solutions Win Out At Real World Linux

Enterprise Email and Small Business Solutions Impress at Linux Exposition. Internet and network security was a consistent theme and Guardian Digital was on hand with innovative solutions to the most common security issues. Attending to the growing concern for cost-effective security, Guardian Digital's enterprise and small business applications were stand-out successes.
http://www.linuxsecurity.com/feature_stories/feature_story-164.html

--------------------------------------------------------------------

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.

http://www.linuxsecurity.com/feature_stories/feature_story-162.html

--------------------------------------------------------------------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

5/27/2004 - mailman
  Multiple vulnerabilities
  Fixes cross site scripting and remote password retrieval vulnerabilities, plus a denial of service.
  http://www.linuxsecurity.com/advisories/conectiva_advisory-4409.html

5/27/2004 - kde
  Insufficient input sanitation
  The telnet, rlogin, ssh and mailto URI handlers in KDE do not check for '-' at the beginning of the hostname passed.
  http://www.linuxsecurity.com/advisories/conectiva_advisory-4410.html

+---------------------------------+
|  Distribution: FreeBSD          | ----------------------------//
+---------------------------------+

5/27/2004 - core:sys
  Buffer cache invalidation vulnerability
  Insufficient input sanitation
  In some situations, a user with read access to a file may be able to prevent changes to that file from being committed to disk.
  http://www.linuxsecurity.com/advisories/freebsd_advisory-4408.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

5/27/2004 - MySQL
  Symlink vulnerability
  Two MySQL utilities create temporary files with hardcoded paths, allowing an attacker to use a symlink to trick MySQL into overwriting important data.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4404.html

5/27/2004 - mc
  Multiple vulnerabilities
  Multiple security issues have been discovered in Midnight Commander including several buffer overflows and string format vulnerabilities.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4405.html

5/27/2004 - Apache 1.3
  Multiple vulnerabilities
  Several security vulnerabilities have been fixed in the latest release of Apache 1.3.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4406.html

5/27/2004 - Heimdal
  Buffer overflow vulnerability
  A possible buffer overflow in the Kerberos 4 component of Heimdal has been discovered.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4407.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

5/27/2004 - mailman
  Password leak vulnerability
  Mailman versions >= 2.1 have an issue where 3rd parties can retrieve member passwords from the server.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4402.html

5/27/2004 - kolab-server
  Plain text passwords
  Password leak vulnerability
  The affected versions store OpenLDAP passwords in plain text.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4403.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

5/27/2004 - utempter
  Symlink vulnerability
  An updated utempter package that fixes a potential symlink vulnerability is now available.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4399.html

5/27/2004 - LHA
  Multiple vulnerabilities
  Ulf Harnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4400.html

5/27/2004 - tcpdump,libpcap,arpwatch
  Denial of service vulnerability
  Multiple vulnerabilities
  Upon receiving specially crafted ISAKMP packets, TCPDUMP would crash.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4401.html

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

5/27/2004 - kdelibs/kdelibs3
  Insufficient input sanitation
  Multiple vulnerabilities
  The URI handler of the kdelibs3 and kdelibs class library contains a flaw which allows remote attackers to create arbitrary files as the user utilizing the kdelibs3/kdelibs package.
  http://www.linuxsecurity.com/advisories/suse_advisory-4398.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Jun 7 02:38:00 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 7 03:17:30 2004
Subject: [ISN] Microsoft bars Windows pirates
Message-ID:

http://news.bbc.co.uk/1/hi/technology/3774567.stm

4 June, 2004

Many people using pirated copies of Windows XP will get no help from Microsoft to make their PC safer.

The software giant has decided that a forthcoming update to XP will not work with the most widely pirated versions of its operating system.

The upgrade, called Service Pack 2, closes security loopholes in XP and adds features that make it easier to keep machines safer from viruses.

The software update is due to be released during the summer.

Pirate pack

SP2 is the long awaited upgrade for Windows XP that Microsoft hopes will make the software much more resilient to many of the ways that malicious hackers and virus writers have exploited it before now.

Also included are features that make it easier for users to manage their anti-virus software and firewall. It also forces users to make explicit choices about how secure they want their PC to be.
Other features include a blocker for adverts that pop-up when people browse the web and background utilities that warn when spyware is trying to install itself on their machine.

Once installed SP2 also changes the way that future updates are installed. Instead of downloading the whole chunk of XP being updated, SP2 instead only downloads the parts that have changed. This change should reduce future patch download times by up to 80%.

Hefty download

The arrival of SP2 also has implications for those running websites and Microsoft has issued advice to help webmasters cope with the changes.

Paul Randle, Microsoft's UK manager of all things XP, said the final SP2 package would be about 80MB in size when released.

"It is not a normal service pack," he told BBC News Online. "We are breaking our own rules that said we would not put new code into service packs."

Microsoft was working hard to ensure that users could get hold of the software as many ways as possible, he said.

Net service providers plus software and hardware partners of Microsoft are expected to make copies available to customers and subscribers. Users will also be able to register on a Microsoft website to get a CD containing the patch sent to them.

Mr Randle said during installation SP2 will check the product ID number for the copy of XP in use on a PC and will not let itself be installed if that software is a version that has been widely pirated.

Constant review

Microsoft has worked out the 20 most pirated product IDs and SP2 will not install and run on any copy of XP bearing one of those numbers.

"The situation at the moment is that we will block those," he said.

It is unclear what effect this strategy will have in countries where much of the software used is illegal. For instance, the anti-piracy Business Software Alliance estimates that 92% of software in China is pirated.

Mr Randle said Microsoft was keeping its SP2 strategy under constant review.
"Whether it will change between now and launch I do not know," he said.

Service Pack 1 for Windows XP worked with almost all legitimate and pirated versions of the software. Only those copies of XP that used the two most widely pirated product IDs were barred from getting the upgrade.

From isn at c4i.org Mon Jun 7 02:38:18 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 7 03:17:31 2004
Subject: [ISN] Wardriver pleads guilty in Lowes WiFi hacks
Message-ID:

http://www.securityfocus.com/news/8835

By Kevin Poulsen
SecurityFocus
June 4, 2004

In a rare wireless hacking conviction, a Michigan man entered a guilty plea Friday in federal court in Charlotte, North Carolina for his role in a scheme to steal credit card numbers from the Lowe's chain of home improvement stores by taking advantage of an unsecured wi-fi network at a store in suburban Detroit.

Brian Salcedo, 21, faces an unusually harsh 12 to 15 year prison term under federal sentencing guidelines, based largely on a stipulation that the potential losses in the scheme exceeded $2.5 million. But Salcedo has agreed to cooperate with the government in the prosecution of one or more other suspects, making him eligible for a sentence below the guideline range.

One of Salcedo's two codefendants, 20-year-old Adam Botbyl, is scheduled to plead guilty Monday, assistant U.S. attorney Matthew Martins confirmed. Botbyl faces 41 to 51 months in prison, but also has a cooperation deal with the prosecutors, according to court filings. The remaining defendant, 23-year-old Paul Timmins, is scheduled for arraignment on June 28th.

In 2000, as a juvenile, Salcedo was one of the first to be charged under Michigan's state computer crime law, for allegedly hacking a local ISP.
According to statements provided by Timmins and Botbyl following their arrest, as recounted in an FBI affidavit filed in the case, the pair first stumbled across an unsecured wireless network at the Southfield, Michigan Lowe's last spring, while "driving around with laptop computers looking for wireless Internet connections," i.e., wardriving. The two said they did nothing malicious with the network at that time.

It was six months later that Botbyl and his friend Salcedo hatched a plan to use the network to steal credit card numbers from the hardware chain, according to the affidavit.

FBI Stakeout

The hackers used the wireless network to route through Lowe's corporate data center in North Carolina and connect to the local networks at stores in Kansas, North Carolina, Kentucky, South Dakota, Florida, and two stores in California. At two of the stores -- in Long Beach, California and Gainesville, Florida -- they modified a proprietary piece of software called "tcpcredit" that Lowe's uses to process credit card transactions, building in a virtual wiretap that would store customers' credit card numbers where the hackers could retrieve them later.

At some point, Lowe's network administrators and security personnel detected and began monitoring the intrusions, and called in the FBI. In November, a Bureau surveillance team staked out the Southfield Lowe's parking lot, and spotted a white Grand Prix with suspicious antennas and two young men sitting inside, one of them typing on a laptop from the passenger seat, according to court documents. The car was registered to Botbyl.

After 20 minutes, the pair quit for the night, and the FBI followed them to a Little Caesar's pizza restaurant, then to a local multiplex. While the hackers took in a film, Lowe's network security team pored over log files and found the bugged program, which had collected only six credit card numbers.
FBI agents initially identified Timmins as Botbyl's passenger in the car, apparently mistakenly, and both men were arrested on November 10th. Under questioning, Botbyl and Timmins pointed the finger at Salcedo.

Timmins had allegedly provided the two hackers with an 802.11b card, and had knowledge of what his associates were up to. Botbyl and Timmins, known online as "noweb4u" and "itszer0" respectively, are part of the Michigan 2600 hacker scene -- an informal collection of technology aficionados.

The Lowe's wi-fi system was installed to allow scanners and telephones to connect to the store's network without the burden of cables, according to the indictment.

From isn at c4i.org Mon Jun 7 02:38:35 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 7 03:17:32 2004
Subject: [ISN] Worst-Case Worm Could Rack Up $50 Billion In U.S. Damages
Message-ID:

http://nwc.securitypipeline.com/showArticle.jhtml?articleID=21401701

By Gregg Keizer
Courtesy of TechWeb News
June 04, 2004

A worst-case worm attack on the U.S. could easily cost the country $50 billion in direct damages, a pair of security experts said Friday.

Nicholas Weaver and Vern Paxson, two security researchers who work with the International Computer Science Institute (ICSI), a nonprofit research group associated with the University of California at Berkeley, modeled a worst-case scenario in which state-sponsored attackers construct a worm exploiting an unpublished vulnerability, then launch it over the Internet. Weaver is a postdoctoral researcher at ICSI, while Paxson is also a staff scientist at the Lawrence Berkeley National Laboratory.

"Although our estimates are at best approximations, a plausible worst-case worm could cause $50 billion or more in direct economic damage by attacking widely used services in Microsoft Windows and carrying a highly destructive payload," said Weaver and Paxson in their paper.
And that boggling economic disaster doesn't include secondary losses, such as possible impacts on IT infrastructure, but only accounts for lost productivity, lost data, damaged desktops and servers, and repair expenses.

Weaver and Paxson make a number of assumptions to arrive at their worst-case worm, including attackers with extensive resources, such as those sponsored by an enemy nation state; the ability to sniff out an as-yet-undiscovered vulnerability in Windows; and a resulting worm that could spread so quickly that anti-virus firms wouldn't be able to react in time with updated signatures before the majority of the damage had been done.

"An electronic attack [of this magnitude] could cause widespread economic damage by disrupting or even destroying a large fraction of the computers responsible for day-to-day business," said Weaver and Paxson. "It's not implausible to conceive of attacks that could disrupt 50 million or more business computers."

By comparison, Weaver and Paxson said, last summer's MSBlast worm, which exploited a vulnerability that was known for almost a month before the worm appeared, infected a minimum of 8 million machines.

Worms would be the weapon of choice for such an attack, the researchers said, because they can spread very quickly, as evidenced by the Slammer worm of 2003, which managed to infect tens of thousands of systems worldwide in less than ten minutes. Speed would be crucial to any successful worst-case worm, since, once it's released, the race begins against propagation and security firms' ability to create new signature files to defend against the threat.

The reason it's likely such a superworm would be developed with support from a nation state, said the duo, is that it would require the additional resources that smaller, less well-funded groups lack.
State-sponsored hackers would have the personnel and time to discover one or more "zero-day" vulnerabilities in Windows-so called, because they would be vulnerabilities never before seen, and so without a patch--and thoroughly test the worm to make sure it could successfully infect a wide range of Windows operating systems. Among the most likely candidates for a zero-day exploit, said Weaver and Paxson, is Windows' SMB/CIFS file-sharing service, which is used by all versions of Microsoft's operating system since Windows 98. SMB/CIFS is used for desktop file and print sharing, and by Windows files servers. "SMB/CIFS makes a good target because it's on by default in most installs, it enables some exploits to connect without requiring authentication, any successful attack gains complete control of the machine, organizations cannot lightly disable it, and vulnerabilities [in it] have been discovered in the past," said Weaver and Paxson. Worst-case worm makers could steal already proven techniques, such as those used by 2001's Nimda worm, to first rapidly scan the Internet for vulnerable systems, then apply a mass-mailed version to penetrate internal networks secured at the gateway. "Although it is probably impossible to estimate more precisely," said the researchers, "if released during U.S. business hours, it could infect all the vulnerable machines before a reaction is possible, as even the highly disruptive and detectable Slammer worm was effectively unperturbed for three hours." Attackers with the right resources could dedicate months to testing their worm in order to ensure that it successfully infects as many different versions of Windows as possible. Historically, that's been one of the major flaws of most single-author or small-group worms, which may reliably attack Windows XP systems, for instance, but not work against Windows NT machines. 
"Considerable attacker effort needs to be spent in testing [worm] components in a wide range of environments," said Weaver and Paxson. "The more diverse the testing, the more widely the resulting worm is likely to penetrate." Once infected, machines could be directed to install a backdoor Trojan horse for deploying additional malicious payloads, randomly corrupt files, erase all found drives on the local machine and the network, and even corrupt the flash memory used by the PC's BIOS. Weaver and Paxson investigated seven popular system and two motherboard manufacturers' wares, and found that, in a third of the cases, it's possible for a worm to cause enough damage that the motherboard would need to be replaced. The other two-thirds of the time, the BIOS could be restored, but that's "a complex procedure that's beyond the skills of most computer users and perhaps even many system administrators," said the researchers. Businesses and government can take some steps to mitigate the damage that might be caused by a worst-case worm, including turning to SMB/CIFS-compatible servers, such as Samba, deploying mass-mailed worm defenses, disabling the BIOS reflash feature by setting jumpers on PC motherboards, and restricting desktop use of file sharing and other related services that might be exploited. But with damages that range from a low estimate of $50 billion to as high as over $100 billion--depending on the breaks, so to speak--no strategy can make such a worm anything but a disaster of monumental proportions. "Current defenses are not capable of dealing with threats of this magnitude," said Weaver and Paxson. 
From isn at c4i.org Tue Jun 8 02:52:49 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 8 04:02:28 2004
Subject: [ISN] Linux Security Week - June 7th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  June 7th, 2004                               Volume 5, Number 23n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Multiple Security Roles With Unix/Linux," "What Exactly Is Computer Forensics," and "Six Ways to Justify Security Training."

----

>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04

----

LINUX ADVISORY WATCH:

This week, advisories were released for mailman, kde, MySQL, mc, Apache, Heimdal, utempter, and LHA. The distributors include Conectiva, FreeBSD, Gentoo, Mandrake, Red Hat, and SuSE.

http://www.linuxsecurity.com/articles/forums_article-13.html

----

Linux and National Security

As the open source industry grows and becomes more widely accepted, the use of Linux as a secure operating system is becoming a prominent choice among corporations, educational institutions and government sectors. With national security concerns at an all time high, the question remains: Is Linux secure enough to successfully operate the government and military's most critical IT applications?

http://www.linuxsecurity.com/feature_stories/feature_story-165.html

----

Guardian Digital Security Solutions Win Out At Real World Linux

Enterprise Email and Small Business Solutions Impress at Linux Exposition. Internet and network security was a consistent theme and Guardian Digital was on hand with innovative solutions to the most common security issues. Attending to the growing concern for cost-effective security, Guardian Digital's enterprise and small business applications were stand-out successes.

http://www.linuxsecurity.com/feature_stories/feature_story-164.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Multiple Security Roles With Unix/Linux
June 4th, 2004

After the reception my last column regarding the security criticism I heaped on Unix and Linux vendors who are pursuing end-user desktops, I thought I would outline some of the areas where I think Linux and Unix already have strong wins.

http://www.linuxsecurity.com/articles/network_security_article-14.html

* What Exactly Is Computer Forensics?
June 3rd, 2004

Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer data. It is often more of an art than a science, but as in any discipline, computer forensic specialists follow clear, well-defined methodologies and procedures, and flexibility is expected and encouraged when encountering the unusual.

http://www.linuxsecurity.com/articles/network_security_article-10.html

* Data Security Debacle
June 2nd, 2004

There is a saying in IT that the only truly secure computer is one that's turned off. Because this isn't practical or feasible, data security becomes yet another unavoidable part of doing business in today's wired world. Simply put, data security is the protection of data from unauthorized, accidental, or deliberate modification, destruction, or disclosure.

http://www.linuxsecurity.com/articles/network_security_article-4.html

* From exposition to exploit: One security book's story
June 2nd, 2004

Even prior to its release in May, The Shellcoder's Handbook: Discovering and Exploiting Security Holes drew attention to the exploitive nature of the narrative. In a series of e-mail exchanges, lead author Jack Koziol explains the motive behind this how-to for hackers and what's happened since it hit bookshelves.

http://www.linuxsecurity.com/articles/documentation_article-3.html

+------------------------+
| Network Security News: |
+------------------------+

* Double Snorting
June 3rd, 2004

Snort is a GPLed, Network Intrusion Detection System (NIDS) that runs on Linux and Win32. A NIDS monitors the network, looking for hostile traffic. Basically it scans all traffic on a network interface, not just its own host's, comparing it to rules describing the signatures of known attacks.

http://www.linuxsecurity.com/articles/network_security_article-8.html

+------------------------+
| General Security News: |
+------------------------+

* How Much Should You Invest in IT Security?
June 4th, 2004

One of the main concerns of the organizers of the Olympic Games to be held in Athens this summer is security, but not only physical security, computer security as well. The emphasis placed on avoiding problems with the computers that will manage huge amounts of data during the games will be proportional to the magnitude of this global event.

http://www.linuxsecurity.com/articles/general_article-12.html

* Early Alerting - The Key To Proactive Security
June 3rd, 2004

The security challenges facing today's enterprise networks are intensifying -- both in frequency and number. The Blaster worm arrived just 26 days after Microsoft disclosed an RPC DCOM Windows flaw and released a patch for vulnerable systems.
The worm took advantage of what some security experts have called the most widespread Windows flaw ever. For a time, Blaster was infecting as many as 2,500 computers per hour.

http://www.linuxsecurity.com/articles/intrusion_detection_article-11.html

* Six ways to justify security training
June 1st, 2004

A few days ago, a reader asked if I could help him justify the cost of security training that he and his fellow Unix system administrators felt they needed.

http://www.linuxsecurity.com/articles/network_security_article-9363.html

* When encryption can be misleading
June 1st, 2004

The trust that encryption generates can be deceptive, one researcher, a regular poster to the full-disclosure vulnerability mailing list, has discovered.

http://www.linuxsecurity.com/articles/cryptography_article-9362.html

* FDIC info security lacking, GAO finds
June 1st, 2004

Weaknesses in the Federal Deposit Insurance Corp.'s information systems place sensitive information at risk of unauthorized disclosure, disruption of operations or loss of assets, according to the General Accounting Office.

http://www.linuxsecurity.com/articles/government_article-1.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Jun 8 02:53:18 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 8 04:02:30 2004
Subject: [ISN] Experts Call for Raising Awareness About IT Security
Message-ID:

http://www.arabnews.com/?page=11&section=0&article=46429&d=8&m=6&y=2004

M. Ghazanfar Ali Khan
Arab News
8 June, 2004

RIYADH, 8 June 2004 - A panel of IT experts say local businesses need multilayer IT security cover because the exponential growth of worms, viruses and spam e-mail have dramatically changed the security landscape in the last two years. They also want to raise awareness about IT security in Saudi Arabia, where poor technical know-how together with lack of awareness could cost businesses dear.

The experts were attending a meeting organized by Specialists for Computer Systems (SCS) here on Sunday. SCS says it is a leading provider of IT security products in the Middle East. The company's information security solutions include security awareness for enterprises, security assessments, consultancy, risk management, virus protection, policy compliance management, access control, integrated security solution, security knowledge transfer, intrusion detection system, firewalls, early warning solutions and content filtering.

SCS is an enterprise security partner of Symantec, a Microsoft gold certified partner for security solutions, and a Cyber Guard and Citrix Golden partner. It is involved with a number of projects for Saudi government agencies and the private sector.

The event was attended by experts from various companies including Muhammad Al-Mandil, SCS president; Esam Daban, vice president; Khalid Siddiqi, SCS marketing manager; Bashar Bashaireh, Cyber Guard manager for Middle East and North Africa; and Hani Hijazi of Citrix.

Al-Mandil and Daban said demand for stronger application security and security for wireless networks will drive the growth of the information security services market, as will the continuing trend toward outsourcing network-security functions such as application security testing, disaster recovery and management of network security devices.

"In 2002, the global financial impact from virus attacks dropped for the first time in seven years," said Bashar.
However, the financial impact of virus attacks has been on the rise again in the recent past. Many factors have contributed to the rising costs, including the reality that many companies are still not prepared to handle the threat from fast-spreading virus attacks. Some studies nonetheless predict more than 20 percent annual growth in spending for information security services.

From isn at c4i.org Tue Jun 8 02:54:44 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 8 04:02:31 2004
Subject: [ISN] Security Expected To Take A Larger Bite Out Of IT Budgets
Message-ID:

http://www.techweb.com/wire/story/TWB20040607S0013

By Antone Gonsalves
TechWeb News
June 7, 2004

Spending on security-related technology is expected to increase over the next couple of years, leveling off at 5 percent to 8 percent of the IT budget of global 2000 companies, a market-research firm said Monday.

Security spending takes up from 3 percent to 4 percent of IT budgets today, the Meta Group said in a report on calculating information-security spending. That amount, however, is expected to increase at a compound annual growth rate of between 8 percent and 10 percent through 2006, before reaching a plateau.

In general, information security doesn't have metrics for return on investment that have been adopted across industries. A chief financial officer typically defines ROI as dollars spent balanced by additional revenue or accrued profit, but "security doesn't generate revenue or improve profits in a predictable manner," Meta analyst Chris Byrnes said.

Therefore, Meta recommends that companies look to best practices in their industry as a way to determine how much they should spend as a percentage of their IT budgets.

"As a starting point for analysis, organizations should look at what other companies in the same industry are spending as a percentage of their budgets, and then adjust up or down from that number, depending on how comfortable they are with risk," Byrnes said.

In general, percentages are expected to be higher among smaller organizations than at very large companies of, say, more than 50,000 users, Meta said. The above averages will typically be found in organizations with 5,000 to 10,000 users.

The rate of spending is expected to be slower in Europe than in the U.S., with a 5 percent to 7 percent CAGR versus a 10 percent CAGR, Meta said. The major reasons are the lower intensity of publicity regarding cyber-crime and compliance issues.

In the Asia-Pacific region, spending rates are expected to be similar to Europe in mature economies, such as Singapore, Japan, Australia, and South Korea. Security spending in developing countries, such as Malaysia, Thailand, and the Philippines, is only starting.

Within verticals, the more regulated industries and those that conduct a lot of electronic financial transactions over the public Internet are expected to continue spending more on security.

From isn at c4i.org Tue Jun 8 02:55:12 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 8 04:02:33 2004
Subject: [ISN] Wireless Hackers Leave No Tracks
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,93625,00.html

Security Manager's Journal by Vince Tuesday
JUNE 07, 2004
COMPUTERWORLD

I'm a parasite. I didn't pay for the bandwidth I'm using right now. I didn't ask for permission to use it -- I don't even know whom to ask. But I'm on holiday, I have a few bits of work to finish up before I can relax, and I need to send my e-mail.

The broadband service in the rented house doesn't work, so I stuck in my wireless LAN card and found two WLANs covering the house. One has a Secure Set Identifier of "lopez" and has Wired Equivalent Privacy turned on; the other has an SSID of "default" and no WEP. My wireless card has automatically associated with the "default" base station, which gave me a Dynamic Host Configuration Protocol address. Now I'm connected to the Internet at 11Mbit/sec. with no fee and no restrictions on what I can do.

When WLANs hit the mainstream a few years ago, the security focus was on confidentiality, and vendors included WEP to encrypt data in the air. WEP has flaws -- it might not stop a snooper in your parking lot from reading your data -- but just the fact that "lopez" had it turned on was enough to turn my attention elsewhere. Why hack "lopez" when "default" is sending in the clear?

But having data sniffed from the air isn't the real threat that wireless poses. That problem is easily solved by using cryptography. A bigger worry is "de-perimeterization," which is a fancy way of saying that the walls of the normal fortress model are falling away, thanks in part to wireless.

In the good old days, you inventoried all external connections and put firewalls in front of them. Now, nearly every organization has so many connections to the outside that it isn't feasible to set up firewalls to control access to all of them. If your wireless users need access to all of the internal services, what can you block with a firewall?

And if you're a hacker, why bother trying to intercept data from the traffic flying about when you can just connect to the network and pretend to be a legitimate client? Once you become a full node on the network, you don't have to wait for a client to connect to download the information you want and sniff it. Instead, you can just waltz right in and take what you want. This is a lot less covert, but unless the target has a hair-trigger intrusion-detection system configuration and very good triangulation equipment, you probably won't be discovered.

My company's authorized wireless access points have strong authentication, so only legitimate clients can connect, but all our exterior defenses might be for naught if a staff member plugs in a $99 access point. To protect against this, my team and I run regular sweeps to check for illegitimate access points that might allow unauthorized users to connect.
We had a few early run-ins with staff when we began the sweeps, but now the authorized service is so good that everyone is happier using that than they would be trying to sneak new equipment into the office.

Insecure Access

In these sweeps, we've detected many access points that are transmitting from outside the company walls. It's interesting to see that all the bars and restaurants near our offices have WLANs for waiters to send orders to the kitchen. All are insecurely configured. However, since the worst anyone could do is jump the queue for ordering drinks, perhaps the low level of protection is all that's necessary.

The only time I really went white was when a sweep at my company identified more than 30 unauthorized access points on a single floor. I couldn't imagine why an entire department would go crazy and try to provide its own competing WLAN service. But when I tried to connect to one of the access points, I could get only a printer service Web page. It turned out that our printer vendor had shipped a batch of printers with wireless printing support enabled by default. Each was functioning as a WLAN access point. We disabled the cards and asked the vendor to do the same with future orders.

Rogue access points in the office are a problem we can solve, but the real WLAN problem that strikes terror into my heart is the home user.

Before WLANs, if I were a hacker or virus writer or if I wanted to download or share illegal material, I had limited options. I could use my own account and eventually get caught after the feds tracked the abuse back to me. I could steal an AOL account by phishing until the feds used phone traces to catch me. Or I could wander into a Web cafe, do my evil deeds and flee, leaving closed-circuit TV footage, fingerprints and physical evidence the feds could use to put me behind bars.

With WLANs, things have changed.
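The rogue-access-point sweep the column describes comes down to comparing what a wireless survey sees against an inventory of the hardware you actually deployed. The following is an added example of that comparison, not code from the column or its author's company: the survey export format, the authorized BSSID list and the corporate SSID are all constructed for illustration, and the scan rows echo the column's own "default", "lopez" and printer-as-access-point cases.

```python
"""Rogue access point sweep: compare a wireless survey against an inventory.

Added example, not the column author's tooling. The survey export is a
constructed CSV (bssid, ssid, channel, encryption); the authorized BSSIDs
and the corporate SSID are hypothetical values chosen for illustration.
"""
import csv
import io
from dataclasses import dataclass

# Hypothetical inventory of the company's own access points: BSSID -> SSID.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": "corp-secure",
    "00:11:22:aa:bb:02": "corp-secure",
}
CORPORATE_SSID = "corp-secure"

# Constructed sweep output, in the shape a site-survey tool might export.
# The last three rows mirror the column: an open "default" network, a WEP
# "lopez" network, and a printer whose wireless card acts as an access point.
SCAN_CSV = """bssid,ssid,channel,encryption
00:11:22:aa:bb:01,corp-secure,1,WPA
00:11:22:aa:bb:02,guest-test,6,WPA
00:11:22:aa:bb:99,corp-secure,11,WPA
de:ad:be:ef:00:01,default,6,none
de:ad:be:ef:00:02,lopez,11,WEP
3c:3c:3c:00:00:07,HP-Print-07,1,none
"""

OPEN_VALUES = {"none", "open", ""}


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    reason: str


def parse_scan(text: str) -> list:
    """Parse the survey export into a list of rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(rows: list) -> list:
    """Flag access points that need a physical visit.

    Priority order: our SSID broadcast from hardware we do not own (an
    impersonator or an unregistered AP), our own hardware broadcasting an
    unexpected SSID (misconfiguration), open networks in range (anyone can
    associate and borrow the uplink), and any other unknown network.
    """
    findings = []
    for row in rows:
        bssid = row["bssid"].strip().lower()
        ssid = row["ssid"].strip()
        enc = row["encryption"].strip().lower()
        if bssid in AUTHORIZED_APS:
            if AUTHORIZED_APS[bssid] != ssid:
                findings.append(Finding(bssid, ssid, "authorized AP broadcasting unexpected SSID"))
            continue  # known hardware on its expected network: nothing to do
        if ssid == CORPORATE_SSID:
            findings.append(Finding(bssid, ssid, "corporate SSID from unknown BSSID"))
        elif enc in OPEN_VALUES:
            findings.append(Finding(bssid, ssid, "open network in range"))
        else:
            findings.append(Finding(bssid, ssid, "unknown encrypted network"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per reason, for a sweep report."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in classify(parse_scan(SCAN_CSV)):
        print(f"{f.bssid}  {f.ssid!r:16} {f.reason}")
```

The survey output alone cannot tell a neighbouring restaurant's open network from a printer on your own floor; the sweep's job is to produce the short list, and signal strength plus a walk with a directional antenna settles which ones are inside the walls.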
On most streets in big metropolitan areas, a few people have broadband, and at least one uses it with an insecure wireless connection. Perhaps half of those people turn on the Windows XP firewall, but that won't stop an attacker. They just get within range and connect. There's no physical evidence, no closed-circuit TV, and the poor schmuck whose broadband connection gets used is the one whom the feds raid.

So while the WLAN connection I'm using now is helpful to me as I finish up my work while on holiday, someone else could just as easily be using it to launch attacks before disappearing anonymously back into the night.

There's no chance that home users will move to two-factor authentication for their wireless networks, so I'm making sure that my current designs for Web-facing infrastructure don't rely on being able to track down and stop attackers. Clearly, that's no longer possible.

What Do You Think?

This week's journal is written by a real security manager, "Vince Tuesday," whose name and employer have been disguised for obvious reasons. Contact him at vince.tuesday@hushmail.com

From isn at c4i.org Tue Jun 8 02:55:55 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 8 04:02:33 2004
Subject: [ISN] Oops! Firm accidentally eBays customer database
Message-ID:

http://www.theregister.co.uk/2004/06/07/hdd_wipe_shortcomings/

By John Leyden
7th June 2004

A customer database and the current access codes to the supposedly secure Intranet of one of Europe's largest financial services groups was left on a hard disk offered for sale on eBay. The disc was subsequently purchased for just £5 by mobile security outfit Pointsec Mobile Technologies.

According to Pointsec, one of the hard discs contained "highly sensitive information from one of Europe's largest financial services groups with pension plans, customer databases, financial information, payroll records, personnel details, login codes, and admin passwords for their secure Intranet site.
There were 77 Microsoft Excel documents of customers' email addresses, dates of birth, their home addresses, telephone numbers and other highly confidential information, which if exposed publicly could cause irrevocable damage to the company." Pointsec isn't prepared to name the careless company.

The incident recalls the episode four years ago where Sir Paul McCartney's banking details were discovered on a second-hand computer discarded by merchant bankers Morgan Grenfell Asset Management. The PC was released into the second-user market without first being wiped clean of data, a precaution that the majority of sellers still fail to take.

Pointsec purchased 100 hard discs over the auction site as part of its research into the "lifecycle of a lost laptop". Pointsec found that they were able to read seven out of 10 hard-drives bought over the Internet at auctions such as eBay despite the fact all of them had "supposedly" been "wiped-clean" or "re-formatted".

The company said the exercise illustrated how easy it is for identity thieves or opportunists to access highly sensitive and valuable company information from lost laptops and hard-drives. All the 100 hard drives and laptops purchased as part of Pointsec's research will be destroyed.

Lost in transit

The researchers also wanted to find out how easy it is to purchase and access information on laptops that are lost in transit at Gatwick airport or handed in to the police. In all cases they found the laptops, and all the information residing on them, were put up for auction if they were not reclaimed after three months.

Pointsec visited one of the auctions used by Gatwick airport, near Chertsey, and found that before even purchasing the laptops, the researchers were able to start up the laptops to inspect whether they worked. Using password recovery software they were able to access the information on one in three of these laptops. The exercise was repeated in Sweden, the US and Germany.
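Seven in ten "wiped" drives still readable is the gap between a quick format, which only rewrites filesystem metadata, and an actual overwrite of every sector. A practitioner disposing of hardware wants a check that the overwrite really happened before the drive leaves the building. The following is an added example of such a check, not Pointsec's methodology: it reads an image sector by sector, counts sectors that are not uniformly blank, and looks for the well-known OLE2 (Office 97-2003) and ZIP file headers at sector boundaries. The image it scans is constructed in memory to stand in for a drive that was quick-formatted rather than overwritten.

```python
"""Verify that a drive image was actually overwritten before resale.

Added example, not Pointsec's methodology. Two signs that data survived a
"format" are counted: sectors that are not uniformly blank, and recognisable
file headers at sector boundaries. The sample image is constructed in memory.
"""
import random

SECTOR = 512

# Magic bytes that reveal recoverable files in unwiped space.
SIGNATURES = {
    "ole2 (Excel/Word/PowerPoint 97-2003)": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "zip / Office Open XML": b"PK\x03\x04",
}
BLANK_SECTORS = (b"\x00" * SECTOR, b"\xff" * SECTOR)


def build_sample_image(num_sectors: int = 64, seed: int = 7) -> bytes:
    """Constructed image: mostly zeroed, with remnants a quick format leaves behind.

    Sector 3 starts an OLE2 document, sector 40 holds a ZIP local file header,
    and sectors 10-12 carry leftover text-like data with no header at all.
    """
    rng = random.Random(seed)
    img = bytearray(num_sectors * SECTOR)
    ole = SIGNATURES["ole2 (Excel/Word/PowerPoint 97-2003)"]
    img[3 * SECTOR:3 * SECTOR + len(ole)] = ole
    zipmagic = SIGNATURES["zip / Office Open XML"]
    img[40 * SECTOR:40 * SECTOR + len(zipmagic)] = zipmagic
    for s in (10, 11, 12):
        img[s * SECTOR:(s + 1) * SECTOR] = bytes(rng.randrange(32, 127) for _ in range(SECTOR))
    return bytes(img)


def scan_image(img: bytes) -> dict:
    """Walk the image one sector at a time and report what survived."""
    total = len(img) // SECTOR
    nonblank = 0
    hits = []
    for i in range(total):
        sector = img[i * SECTOR:(i + 1) * SECTOR]
        if sector not in BLANK_SECTORS:
            nonblank += 1
        for name, magic in SIGNATURES.items():
            if sector.startswith(magic):
                hits.append((i, name))
    verdict = "wiped" if nonblank == 0 and not hits else "data remains"
    return {
        "sectors": total,
        "nonblank_sectors": nonblank,
        "signature_hits": hits,
        "verdict": verdict,
    }


def scan_path(path: str) -> dict:
    """Same check against a raw image file or block device, read in one pass.

    Reading the whole device into memory is fine for an image file used in a
    lab; for a real disk, read in chunks that are multiples of SECTOR.
    """
    with open(path, "rb") as fh:
        return scan_image(fh.read())


if __name__ == "__main__":
    report = scan_image(build_sample_image())
    print(report["verdict"], report["nonblank_sectors"], "non-blank sectors")
    for sector_no, kind in report["signature_hits"]:
        print(f"  sector {sector_no}: {kind}")
```

A wiped drive that passes this check still tells you nothing about sectors the controller has remapped out of the addressable range, which is one reason full-disk encryption from day one (so that destroying the key is the wipe) is the stronger disposal story.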
In Sweden the first laptop Pointsec purchased at auction contained sensitive information from a large food manufacturer. When the hard disc was analysed they found four Microsoft Access databases containing company and customer related information and 15 Microsoft PowerPoint presentations containing highly sensitive company information.

Tony Neate, Tactical & Technical Industry Liaison at the UK National Hi-Tech Crime Unit, said: "Pointsec's research demonstrates just how easy it is to access information which is not adequately protected. Encryption and other security measures are vital to ensure that security is not compromised - something as simple as a hard disk drive password can deter the opportunist."

From isn at c4i.org Tue Jun 8 02:56:33 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 8 04:02:34 2004
Subject: [ISN] First quantum cryptography network unveiled
Message-ID:

http://www.newscientist.com/news/news.jsp?id=ns99995076

Celeste Biever
04 June 04
NewScientist.com

The first computer network in which communication is secured with quantum cryptography is up and running in Cambridge, Massachusetts.

Chip Elliott, leader of the quantum engineering team at BBN Technologies in Cambridge, sent the first packets of data across the Quantum Net (Qnet) on Thursday. The project is funded by the Pentagon's Defense Advanced Research Projects Agency.

Currently the network only consists of six servers, but they can be integrated with regular servers and clients on the internet. Qnet's creators say the implementation of more nodes in banks and credit card companies could make exchanging sensitive data over the internet more secure than it is with current cryptography systems.

The data in Qnet flows through ordinary fibre optic cables and stretches the 10 kilometres from BBN to Harvard University. It is encrypted using keys determined by the exchange of a series of single, polarised photons.
The first money transfer encrypted by quantum keys was performed between two Austrian financial institutions in April 2004. But Qnet is the first network consisting of more than two nodes to use quantum cryptography - a more complex challenge.

"Imagine making a phone call. If you just have one possible receiver, you wouldn't even need buttons," explains Elliott. "But with a network you need a system that will connect anyone on the network to anyone else." In Qnet, software-controlled optical switches made of lithium niobate crystals steer photons down the correct optical fibre.

Intruder detection

Quantum cryptography guarantees secure communications by harnessing the quantum quirks of photons sent between users. Any attempt to intercept the photons will disturb their quantum state and raise the alarm.

But Elliott points out that even quantum cryptography "does not give you 100 per cent security". Although quantum keys are theoretically impossible to intercept without detection, implementing them in the real world presents hackers with several potential ways to listen in unobserved. One example is if a laser inadvertently produces more than one photon, which happens occasionally. An eavesdropper could potentially siphon off the extra photons and decrypt the key, although no one has actually done this.

"However Qnet is more secure than current internet cryptography," says Elliott. Current internet cryptography relies on "one way functions": mathematical operations that are very simple to compute in one direction, but require huge computing power to perform in reverse. The problem is, according to Elliott, that no one has actually proved that they cannot be solved in reverse. "So who's to say that someone won't wake up tomorrow and think of a way to do it?"

Large and expensive

At the moment computers capable of quantum cryptography are large and expensive, because they are custom-made.
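The "intruder detection" property the article describes, that intercepting the photons disturbs their state and raises the alarm, is easiest to see in a simulation of the key exchange. The following is an added example, a toy model of the BB84 protocol rather than anything from BBN's Qnet: each photon is a (basis, bit) pair, measuring in the wrong basis returns a random bit and re-prepares the photon in the measuring basis, and an ideal single-photon source is assumed, so the multi-photon leak the article mentions is outside this model. The abort threshold is an illustrative value, not a figure from the article.

```python
"""Toy BB84 key exchange: why an interceptor shows up as errors in the key.

Added example, not BBN's Qnet implementation. Photons are modelled as
(basis, bit) pairs; an ideal single-photon source is assumed. The abort
threshold is an illustrative choice, not a value from the article.
"""
import random

RECTILINEAR, DIAGONAL = 0, 1  # the two polarisation bases
ABORT_THRESHOLD = 0.05        # illustrative: tolerated error rate on the sifted key


def measure(photon, basis, rng):
    """Measure a photon in the given basis.

    Measuring in the preparation basis returns the encoded bit. Measuring in
    the other basis yields a random bit, and the photon leaves the measurement
    prepared in the measuring basis: this is the disturbance that betrays an
    eavesdropper who had to guess the basis.
    """
    p_basis, p_bit = photon
    bit = p_bit if basis == p_basis else rng.randrange(2)
    return bit, (basis, bit)


def simulate_bb84(n_photons: int, eavesdrop: bool, seed: int = 0) -> dict:
    """Run one exchange and return the sifted-key length, errors and error rate."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = (a_basis, bit)
        if eavesdrop:
            # Eve must pick a basis without knowing Alice's; half the time she
            # guesses wrong and forwards a photon prepared in the wrong basis.
            _, photon = measure(photon, rng.randrange(2), rng)
        b_bit, _ = measure(photon, b_basis, rng)
        bob_bits.append(b_bit)
    # Sifting: over a public channel Alice and Bob compare bases (not bits)
    # and keep only the positions where they happened to agree.
    sifted = [
        (a, b)
        for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
        if ab == bb
    ]
    errors = sum(1 for a, b in sifted if a != b)
    qber = errors / len(sifted) if sifted else 0.0
    return {"sifted_length": len(sifted), "errors": errors, "qber": qber}


def key_is_trustworthy(result: dict, threshold: float = ABORT_THRESHOLD) -> bool:
    """Alice and Bob sacrifice a sample of the sifted key to estimate the
    error rate; above the threshold they discard the key and start over."""
    return result["qber"] <= threshold


if __name__ == "__main__":
    for tapped in (False, True):
        r = simulate_bb84(2000, eavesdrop=tapped, seed=1)
        print(f"eavesdropper={tapped}: sifted={r['sifted_length']} "
              f"errors={r['errors']} qber={r['qber']:.3f} "
              f"accept={key_is_trustworthy(r)}")
```

Without an interceptor the sifted key has no errors at all in this idealised channel; with an intercept-and-resend attacker on every photon about a quarter of the sifted bits disagree, far above any usable threshold. Real links have baseline error from optics and detectors, which is why the threshold, and the estimate of what an attacker could learn from a given error rate, is where the engineering lives.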
Elliott imagines a Qnet-like system may first appear in banks, for whom these factors might be less of a problem.

Another limitation is that, for distances over 50 kilometres, the photon signal is degraded by noise, and it is unclear as yet how this problem will be overcome.

However, quantum keys can potentially be exchanged over much larger distances through the air. Tiny, aligned telescopes can send and detect single photons sent through the air. The distance record for this form of transmission is currently about 20 kilometres. But calculations suggest that photons transmitted through the air could be detected by a satellite, which would enable data to be sent between continents.

From isn at c4i.org Tue Jun 8 03:42:22 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 8 04:02:35 2004
Subject: [ISN] Confusion surrounds Cisco-Linksys wireless hole
Message-ID:

http://www.nwfusion.com/news/2004/0607confuse.html

By Paul Roberts
IDG News Service
06/07/04

A report last week about a security hole in a wireless broadband router made by Cisco's Linksys division overstated the severity of the vulnerability, according to the man who first warned of the problem.

Independent technology consultant Alan Rateliff said Monday that Cisco's Linksys WRT54G wireless routers are not, by default, vulnerable to remote takeover from a malicious hacker. However, a vulnerability in the software that runs on those devices could still allow a malicious hacker to access administrative features for the router and take control of the device.

Rateliff first posted a warning about the WRT54G on the Bugtraq discussion list on May 31. Based on testing with a sample Cisco router, Rateliff concluded that the routers were shipped with a configuration that would allow remote attackers to access the Web-based administration interface for the devices over two common communications ports, 80 and 443.
The WRT54G, like other wireless routers, enables multiple computers to share a broadband Internet connection using wireless networking equipment.

The Bugtraq post prompted numerous responses that contested Rateliff's findings. After testing additional WRT54G devices, Rateliff said he found that the devices were not vulnerable in their default configuration, but could still be compromised remotely given the right circumstances.

In particular, Rateliff discovered that a firewall feature in the routers is enabled, rather than disabled, by default, which prevents compromise on new systems. On versions of the router using firmware versions 2.02.2 and 2.02.7, malicious hackers can access the router's administrator interface and change the configuration of the router if the firewall feature is disabled and if the router's owner does not change the default administrator's password. The devices could be compromised regardless of whether a feature that provides remote, Web-based access to the routers was enabled or disabled, he said.

Cisco has since released a test, or "beta" version of software for the device that fixes the remote access problem, he said.

Rateliff posted a message to Bugtraq on June 2 and acknowledged that he made an error in his initial warning about the problem, but said he was just posting his findings based on a test of the Cisco hardware, standard practice in the Bugtraq forum. Rateliff did not expect the immense response to his post, which spawned stories in a number of online news outlets and prompted multiple responses on Bugtraq.

"The exposure on this is not as bad as the (discussion) on Bugtraq made it seem. I can't account for the results of the first test, but at this point that's irrelevant. What's relevant now is that 'out of box' home users are safe," Rateliff said.
From wk at c4i.org Wed Jun 9 06:01:42 2004 From: wk at c4i.org (William Knowles) Date: Wed Jun 9 06:23:29 2004 Subject: [ISN] Internet needs law enforcement, author says Message-ID: http://www.nwfusion.com/news/2004/0608gartnsummi.html By Grant Gross IDG News Service, 06/08/04 The Internet is a "god-awful mess," but few U.S. government officials are willing to take action against virus writers, spammers and other scammers, author Bruce Sterling said at the Gartner IT Security Summit Tuesday in Washington, D.C. Disorder and corruption are winning on the Internet, and computer users need the U.S. government to crack down on the thieves preying on the Internet, said Sterling, author of futuristic novels Heavy Weather and Islands in the Net and the nonfiction book The Hacker Crackdown: Law and Disorder on the Electronic Frontier. "We had a digital revolution in the 1990s -- now we've slid into digital terror," Sterling said during his hour-long critique on the state of cybersecurity. "Today's Internet is a dirty mess -- its revolution failed. E-commerce was extremely inventive for a while, but the financing model was corrupt. There was poor governance in the financial systems, there was worse industrial policy; the upshot was a spectacular industry-wrecking boom and bust." Most of the advancements in Internet commerce since the dot-com bust have been illegal, Sterling noted, including spamming, identity theft, and "phishing," which is theft of credit card numbers or other personal information by directing customers to bogus Web sites to change their account settings. "If you advance into mayhem, that's not advancement, that's driving into a ditch," he added. Sterling offered what he called a little good news about cybersecurity, the recent arrests of a handful of virus or worm writers, including the arrest in May of the 18-year-old German man who allegedly wrote the Sasser worm. "The world is never going to run out of disaffected teenagers," he said. 
But Sterling said he's not overly worried about bored 18-year-old worm writers who are unsophisticated enough to get caught; instead he's concerned about the authors of such malicious code as Slammer, Code Red, and Witty because they haven't been caught. The authors of the Witty worm targeted users of Internet Security Systems' products, while the Bagel and Mydoom virus authors attempted to turn infected computers into spam-sending machines, Sterling said. "Bagel and Mydoom are the future of virus-writing because they have a business model," he said. "Those are organized crime activities. ... These are crooks." Virus and worm writing will grow as a weapon for terrorists and warring nations, he predicted. Terrorists operating in places with little central government control will begin to see cyberterrorism as an effective weapon because of a lack of international cooperation on cybersecurity enforcement, he said. He listed a dozen such countries, including Somalia, Bosnia and the Philippines. "This is the birth of a genuine, no-kidding, for-profit ... multinational criminal underworld," he said. "I don't see any way it can't happen. We're going to end up getting pushed around by bands of international electronic thieves in a very similar way to the way we've been pushed around by gangs of international Mafia and international Mujahideen terrorists." The new tools of terrorists and criminals will be "oil, narcotics, guns and broadband," he said. With cyberthreats likely to rise, the U.S. government needs to focus on enforcement of existing laws, including antifraud laws, Sterling said. He praised New York Attorney General Eliot Spitzer, who prosecuted Buffalo spammer Howard Carmack earlier this year, as well as other white collar criminals. 
Although virus writers and many spammers break existing laws, most prosecutors seem reluctant to take on computer cases, Sterling said. "In my opinion, we need a thousand guys like (Spitzer)," Sterling said. "We've got a ridiculous amount of computer laws." Efforts such as the Controlling the Assault of Non-Solicited Pornography and Marketing Act, passed by Congress in late 2003, are "phoney-baloney gestures," Sterling said. Instead of weak laws, the U.S. government needs to sponsor a multistate computer crime task force that enforces existing laws, he said. He also recommended that the U.S. post names of spammers and other Internet scammers on a Web site for everyone to see. Sterling also praised parts of the National Strategy to Secure Cyberspace, released by the Bush administration in February 2003, calling it "modest and feasible." The document recommended that nations work together to combat cyberthreats, and such cooperation is needed to fight borderless cyberterrorism, Sterling said. But the strategy is likely to go nowhere after former Bush cybersecurity chief Richard Clarke criticized his former boss' counterterrorism efforts in a book released earlier this year, Sterling said. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred M. 
Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*

From isn at c4i.org Wed Jun 9 06:06:09 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jun 9 06:23:30 2004 Subject: [ISN] Microsoft releases monthly security patches Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,93728,00.html By Paul Roberts JUNE 08, 2004 IDG NEWS SERVICE Microsoft Corp. released software updates for versions of Windows XP and Windows Server 2003 and warned customers about a security vulnerability in a Windows component called IDirectPlay4, which is used to support multiplayer network games. The security hole, if successfully exploited, could allow a remote attacker to cause a Windows application using the affected component to fail, creating a denial-of-service attack. Microsoft published bulletin MS04-016 describing the hole and rated the problem "moderate," indicating that the hole is difficult to exploit or can be fixed by changing configuration settings or other factors. IDirectPlay4 is one of three application programming interfaces that make up Microsoft DirectPlay, a protocol that provides networking services for networks based on TCP/IP and IPX. DirectPlay is frequently used to support multiplayer games. A remote attacker could trigger the security vulnerability by connecting to a machine using DirectPlay and sending a specially malformed data packet to the machine. When received, that packet would cause the application using DirectPlay to crash. Microsoft provided patches for both 32- and 64-bit versions of Windows XP and Windows Server 2003 and advised customers to consider applying the updates. 
The company also patched three of its products to plug a newly discovered hole in the Crystal Reports and Crystal Enterprise reporting tools from Business Objects SA. Software updates were released for Visual Studio .Net and Outlook 2003 with Business Contact Manager, which redistribute Crystal Reports. A patch was also issued for Microsoft Business Solutions CRM 1.2, which redistributes Crystal Enterprise and is also affected. The hole, if successfully exploited, could allow a remote attacker to use a Web interface to Crystal Reports and Crystal Enterprise to retrieve or delete files on affected systems, Microsoft said. Microsoft published a bulletin (MS04-017) concerning the hole that rated the vulnerability "moderate." Customers should consider applying the patch, the company said. Microsoft released the patches in keeping with its stated policy of trying to limit security updates to one day per month, typically the second Tuesday of each month. After releasing more than 20 patches for security holes in April, many of them related to "critical" holes in versions of Windows and the Internet Explorer Web browser, the company has had two quiet months. It issued just one bulletin in April for a single, noncritical vulnerability. From isn at c4i.org Wed Jun 9 06:06:24 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jun 9 06:23:31 2004 Subject: [ISN] Illiterate Trojan found in wild Message-ID: http://www.theinquirer.net/?article=16461 By Nick Farrell 09 June 2004 SEVERAL COPIES of a two-stage Trojan virus, which uses an exploit to download and execute an encoded visual basic script from a website, have been seen in the wild. According to security firm MessageLabs it has intercepted several copies of a new Trojan this week although there are no other indications that it will be a major problem. No-one has come up with a name for it yet, although judging by the way it works, perhaps illiterate might be a good title. 
It appears in an email with a header which seems to have been penned by someone to whom English is a foreign language. It creates an executable file which appears to download a malicious program from the same website as the original script. Early indications suggest that this is similar to previous attacks where Trojans have been used to install key loggers and password stealers. For the record, don't open any emails with the following headers: Subject: about the thing we talked last week.. Hello , This is the letter I told ill wrote for ya.. Here is it.. like you asked for me 2 days ago Hey whatsup remember me? please , asnwer me.. you dont answer for me like 5 weeks allready. Re: Hello the email from 2 days ago.. here is my replay.. whats wrong with you ? why you dont answer to my emails? why you dont answer to my emails.., whats wrong ? From isn at c4i.org Wed Jun 9 06:06:52 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jun 9 06:23:33 2004 Subject: [ISN] The ease of (ab)using X11, Part 2 Message-ID: +------------------------------------------------------------------+ | Linux Security: Tips, Tricks, and Hackery 08-June-2004 | | Published by Onsight, Inc. Edition | | | | http://www.hackinglinuxexposed.com/articles/20040608.html | +------------------------------------------------------------------+ This issue sponsored by LinuxQuestions.org. LinuxQuestions.org offers a free, friendly and active Linux Community with over 85,000 members from newbies to experts. We have forums, quizzes, reviews, tutorials, links and much more. Many of our forums are officially recognized, such as Arch, Conectiva, Fedora, Libranet, Linux From Scratch, Mandrake, Red Hat, Slackware, and VectorLinux. If you have Linux questions or want to help out the Linux community, come by http://www.LinuxQuestions.org. -------------------------------------------------------------------- The ease of (ab)using X11, Part 2 By Brian Hatch Summary: Abusing X11 for fun and passwords. 
------

Last time we looked at how you can get access to an X11 server, the desktop software you are using when you're running graphical environments like Gnome or KDE. When you have access to the X11 server, you can do some remarkable things. As an example, I previously showed you how to open an xterm on the user's screen to leave them a message. Rather than use an xterm, it's much easier to use xmessage[1], which will pop up a window and can even have programmable buttons.

So, using xmessage as our target program, let's recap. First, log into the victim's desktop, become root, and set up your environment to access his X11 server:

  home$ ssh victim_desktop
  victim$ sudo /bin/ksh
  victim# XAUTHORITY=/home/fernando/.Xauthority
  victim# export XAUTHORITY
  victim# DISPLAY=:0
  victim# export DISPLAY

At this point, you have access to the server and can do anything, for example running xmessage:

  victim# xmessage "Hey, Fernando, don't forget to walk the dog."

You won't see anything of course - the window went on Fernando's screen.

Ok, so you can plop up some windows, big deal, right? What fun is that? Here are some other fun things you could do:

xsetbg filename
  Don't like the desktop background? Change it easily with xsetbg. Can have a particularly disastrous effect on a machine at work depending on the content you choose.

xlsclients -l
  Provides you a list of all X11 clients that are running on the machine. The output includes the window id that you'll need for some commands below.

  # xlsclients -l
  Window 0x180000d:
    Command:  /usr/X11R6/bin/kterm
    Instance/Class:  kterm/KTerm
  Window 0x1200001:
    Name:  MozillaFirefox-bin
    Command:  /usr/lib/mozilla-firebird/MozillaFirefox-bin
    Instance/Class:  MozillaFirefox-bin/MozillaFirefox-bin
  Window 0x2d0000d:
    Name:  xine
    Icon Name:  kterm
    Command:  /usr/bin/xine
    Instance/Class:  xine/Xine

xwininfo -id windowid
  Display verbose information about an existing window, such as the title name, size, location, etc.
  This gives you more information for finding the window you're interested in for any of the other commands below that use windowids.

xkill -id windowid
  A quick and efficient way to kill X11 windows. Purely a malicious activity.

xwd
  xwd is an X window dumper - it dumps a screen shot of any window you request, or the whole screen. When used interactively, it will let you move the mouse and click on the window in which you're interested. If you want a specific window, you can specify it with xwd -id windowid, or you can choose the root window with xwd -root. To be surreptitious, you probably want to use -silent as well, to keep it from ringing the bell. So, the following would give you a screen shot of the entire desktop, and convert it to a .png file for viewing on your machine:

  # xwd -root -silent - | convert - fernando.png

xev -id windowid
  xev can attach to an existing window and show you all X11 events that occur. Great for seeing in which windows the user is active. Since keypresses are events, you can see everything they type, though it's not the cleanest way; we'll see better options later.

xkey
  This one is not a part of your standard X11 distribution, however you can easily find the source code via google. Xkey will watch for X11 keyboard events and print the characters to the screen - a great way for sniffing the keyboard for passwords, as seen here:

  # xkey
  s -la
  cd <>~
  convert /tmp/rack.jpg network-rack.png
  scp network-rack.png isp.example.net<>:
  d<>@r<>Pane<>T
  ssh isp.example.net
  d<>@r<>Pane<>T
  mutt -a network-rack.png

  In the output above, you get to see in gory detail exactly what the user is typing -- not only do you get to see that the password for the account at isp.example.net is d@rPaneT,[2] but you can see exactly which shift keys (left or right) were used in the attempt.

x2x
  Using x2x, you can connect your mouse and keyboard to their display.
You can use this to either play games by moving their mouse around, or more maliciously you can use this to send input to their windows.[3] For example, use xev to determine they're not doing anything, and then start typing in their shell. Start up a netcat daemon in listen mode, connect to their machine on that port and have straight shell access to their account. Anything's possible. x0rfbserver Want full blown access to the X11 server? Run an x0rfbserver on their display and you can connect to it with a vnc client to have complete control of their desktop. Valid for helping folks out remotely, but deadly when done maliciously. Hopefully this gives you a good idea why it's so very bad to allow access to your X11 server. Next time I'll address how you can keep your X11 server safe, and how your X11 server may not be safe even if your desktop is completely locked down; even if no one has access -- much less root access -- to it. NOTES: [1] I have slapped myself appropriately for having forgotten the proper tool and announcing my ignorance to the world. Thanks to the dozen people who reminded me what I was looking for, you're clearly on the ball more than I. [2] You need to ignore the <> entries in the output - you can prevent them from being displayed by editing the xkey.c source code [3] If you aren't in a window, you can move your mouse (on their screen) around until you are -- you can see which window is active by using xdpyinfo | grep focus. ------------- Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He looks back on his college days of playing xtank at 3am and wonders "Did anyone steal my passwords when we all ran 'xhost +' " ? Brian can be reached at brian@hackinglinuxexposed.com. -------------------------------------------------------------------- This newsletter is distributed by Onsight, Inc. The list is managed with MailMan (http://www.list.org). 
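An added example (not part of the newsletter): a defender-side audit that parses `xlsclients -l` output in the format shown above and flags any client program that is not on a per-user allowlist, so the owner of a display can spot an unexpected connection. The sample listing and allowlist are constructed, and `live_xlsclients()` is my wrapper around the real tool; it needs a running X server and a valid XAUTHORITY/DISPLAY.

```python
"""Audit the clients attached to an X11 display from `xlsclients -l` output."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample listing. The first three entries copy the article's output;
# the fourth is a made-up client that has no business being on Fernando's display.
SAMPLE_XLSCLIENTS = """\
Window 0x180000d:
  Command:  /usr/X11R6/bin/kterm
  Instance/Class:  kterm/KTerm
Window 0x1200001:
  Name:  MozillaFirefox-bin
  Command:  /usr/lib/mozilla-firebird/MozillaFirefox-bin
  Instance/Class:  MozillaFirefox-bin/MozillaFirefox-bin
Window 0x2d0000d:
  Name:  xine
  Icon Name:  kterm
  Command:  /usr/bin/xine
  Instance/Class:  xine/Xine
Window 0x3a00003:
  Name:  screenshare
  Command:  /opt/screenshare/bin/screenshare -display :0
  Instance/Class:  screenshare/Screenshare
"""

WINDOW_RE = re.compile(r"^Window\s+(0x[0-9a-fA-F]+):")
# Field names are words, spaces or a slash ("Icon Name", "Instance/Class");
# the lazy match stops at the first colon so values such as ":0" survive intact.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z /]*?):\s+(.*)$")


@dataclass
class X11Client:
    window: str                                   # window id, e.g. 0x180000d
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def command(self) -> str:
        return self.fields.get("Command", "")

    @property
    def program(self) -> str:
        """Basename of the executable (first word of the command line)."""
        if not self.command:
            return ""
        return self.command.split()[0].rsplit("/", 1)[-1]


def parse_xlsclients(text: str) -> List[X11Client]:
    """Parse `xlsclients -l` output into one record per top-level window."""
    clients: List[X11Client] = []
    current = None
    for line in text.splitlines():
        m = WINDOW_RE.match(line)
        if m:
            current = X11Client(window=m.group(1))
            clients.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current.fields[m.group(1).strip()] = m.group(2).strip()
    return clients


def unexpected_clients(clients: List[X11Client], allowlist: Set[str]) -> List[X11Client]:
    """Clients whose program is not on the allowlist (or that report no Command).

    Caveat: xlsclients enumerates clients that own a top-level window, so a
    connection that never maps a window does not appear here. This check
    complements keeping the .Xauthority cookie private and xhost access
    control enabled; it does not replace them.
    """
    return [c for c in clients if c.program not in allowlist]


def live_xlsclients(display: str = ":0") -> str:
    """Run the real tool against a display (requires a running X server)."""
    result = subprocess.run(
        ["xlsclients", "-l", "-display", display],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    allow = {"kterm", "MozillaFirefox-bin", "xine"}      # constructed baseline
    for c in unexpected_clients(parse_xlsclients(SAMPLE_XLSCLIENTS), allow):
        print(f"unexpected client on window {c.window}: {c.command!r}")
```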
You can subscribe, unsubscribe, or change your password by visiting http://lists.onsight.com/ or by sending email to linux_security-request@lists.onsight.com. Archives of this and previous newsletters are available at http://www.hackinglinuxexposed.com/articles/ -------------------------------------------------------------------- Copyright 2004, Brian Hatch. From isn at c4i.org Wed Jun 9 06:07:33 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jun 9 06:23:33 2004 Subject: [ISN] Security Expected To Take A Larger Bite Out Of IT Budgets Message-ID: Forwarded from: Nick Owen ROI is a poor measure for all financial decisions. Information security just demonstrates its major weakness - it ignores the cost of capital. What risk management projects do is reduce the cost of capital. Say you have two projects, one costs $1,000,000 and saves $100,000 a year; the other costs $100,000 and saves $10,000 a year. Which do you do? ROI and payback are the better for project A. However, what if project A is far riskier than project B? If your cost of capital for project A is 12%, doing project A is a *bad idea* because it creates only $833,333 in value. If the cost of capital for Project B is less than 10%, it is a good idea. ROI would have you do both. IMO, this unhealthy focus on a very poor measure is hurting information security. To suggest that my company should spend X% on security because our peers do is beyond absurd. How do I best my competition? There is no need for new ways to measure information security, they exist already: ROIC, EVA, etc., anything that includes the cost of capital. -- Nick Owen CEO WiKID Systems, Inc. 404-962-8983 http://www.wikidsystems.com Two-factor authentication, without the hassle factor. 
InfoSec News wrote:

> http://www.techweb.com/wire/story/TWB20040607S0013
>
> By Antone Gonsalves
> TechWeb News
> June 7, 2004
>
> Spending on security-related technology is expected to increase over
> the next couple of years, leveling off at 5 percent to 8 percent of
> the IT budget of global 2000 companies, a market-research firm said
> Monday.
>
> Security spending takes up from 3 percent to 4 percent of IT budgets
> today, the Meta Group said in a report on calculating
> information-security spending. That amount, however, is expected to
> increase at a compound annual growth rate of between 8 percent and 10
> percent through 2006, before reaching a plateau.
>
> In general, information security doesn't have metrics for return on
> investment that's been adopted across industries.
>
> A chief financial officer typically defines ROI as dollars spent
> balanced by additional revenue or accrued profit, but "security
> doesn't generate revenue or improve profits in a predictable manner,"
> Meta analyst Chris Byrnes said.
>
> Therefore, Meta recommends that companies look to best practices in
> their industry as a way to determine how much they should spend as a
> percentage of their IT budgets.

[...]
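An added example (not from the thread): Nick Owen's cost-of-capital comparison worked out for his two projects. ROI and simple payback are identical for both, while the present value of each project's savings, discounted at a risk-adjusted cost of capital, says project A destroys value and project B creates it. The finite-horizon annuity is my generalisation; the thread itself uses the perpetuity.

```python
"""ROI versus cost-of-capital (NPV) for two security projects."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Project:
    name: str
    cost: float              # up-front spend
    annual_savings: float    # expected loss avoided per year


def roi(p: Project) -> float:
    """Annual return on investment, the measure the thread criticises."""
    return p.annual_savings / p.cost


def payback_years(p: Project) -> float:
    """Simple payback: years of savings needed to recover the spend."""
    return p.cost / p.annual_savings


def present_value(savings: float, rate: float, years: Optional[int] = None) -> float:
    """Present value of a level savings stream discounted at `rate`.

    years=None is the perpetuity the thread uses: PV = C / r.
    Otherwise it is the annuity PV = C * (1 - (1 + r)^-n) / r, which tends to
    C / r as n grows, so a finite horizon is always worth less.
    """
    if rate <= 0:
        raise ValueError("cost of capital must be positive")
    if years is None:
        return savings / rate
    return savings * (1 - (1 + rate) ** -years) / rate


def npv(p: Project, rate: float, years: Optional[int] = None) -> float:
    """Net present value: value created minus what you paid for it."""
    return present_value(p.annual_savings, rate, years) - p.cost


def decision(p: Project, rate: float, years: Optional[int] = None) -> str:
    return "do it" if npv(p, rate, years) > 0 else "bad idea"


# The thread's two projects (constructed from the numbers Nick Owen gives).
PROJECT_A = Project("A", cost=1_000_000, annual_savings=100_000)
PROJECT_B = Project("B", cost=100_000, annual_savings=10_000)

if __name__ == "__main__":
    # Riskier project A discounted at 12%, safer project B at 8% (rates assumed).
    for p, rate in ((PROJECT_A, 0.12), (PROJECT_B, 0.08)):
        print(f"{p.name}: ROI {roi(p):.0%}, payback {payback_years(p):.0f}y, "
              f"PV {present_value(p.annual_savings, rate):,.0f} at {rate:.0%} "
              f"-> {decision(p, rate)}")
```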
From Jean-Marc.Seigneur at cs.tcd.ie Thu Jun 10 05:23:52 2004 From: Jean-Marc.Seigneur at cs.tcd.ie (Jm Seigneur) Date: Thu Jun 10 06:01:36 2004 Subject: [ISN] ACM SAC'05 TRECK Track Preliminary CFP: Trust, Recommendations, Evidence and other Collaboration Know-how Message-ID: <002201c44ecc$a5364a30$3924e286@clubm> (We apologize if you receive multiple copies of this message) CALL FOR PAPERS - SAC 2005 The 20th ACM Symposium on Applied Computing March 13 - 17, 2005, Santa Fe, New Mexico, USA Track: Trust, Recommendations, Evidence and other Collaboration Know-how (TRECK) SAC 2005: For the past nineteen years, the ACM Symposium on Applied Computing has been a primary gathering forum for applied computer scientists, computer engineers, software engineers, and application developers from around the world. SAC 2005 is sponsored by the ACM Special Interest Group on Applied Computing, and is hosted by New Mexico Institute of Mining and Technology, Socorro, NM, USA. Its proceedings are published by ACM in both printed form and CD-ROM; they are also available on the Web through the ACM Digital Library. More information about SIGAPP and past editions of SAC can be found at http://www.acm.org/sigapp/ and http://www.acm.org/conferences/sac/sac2005/ Aims and scope of the TRECK track: Computational models of trust and mechanisms based on the human notion of trust have been gaining momentum over the last couple of years. One reason for this is that traditional security mechanisms are challenged by open, large scale and decentralised environments. The use of an explicit trust management component goes beyond security though. Trust has been used in reputation systems, collaborative filtering, dynamic coalitions and virtual organizations. For example, adjunct trust metrics in recommender systems have solved some of the shortcomings of standard distributed recommender systems. 
The goal of the SAC 2005 TRECK track is to explore the set of applications that either benefit from the use of early trust-based mechanisms or could be enhanced by the integration of an advanced trust engine. The topics of interest include, but are not limited to:

  Trust/risk-based security frameworks
  Applications of trust management components
  Improvement of recommender systems with adjunct trust/reputation
  Trust-enhanced collaborative applications
  Tangible guarantees given by formal models of trust and risk
  Applications of formal models of trust and risk
  Assessment and threat analysis of trust metrics
  Pervasive computational trust and use of context-aware features
  Trade-off between privacy and trust
  Automated collaboration and trust negotiation
  Integration of soft computing techniques in trust engines
  Evidence gathering and management
  Real world applications, running prototypes and advanced simulations
  Applicability in large scale, open and decentralized environments
  Representation, management and recognition of identities
  Trust and reputation in virtual organizations
  Legal and economic aspects related to the use of trust-based systems
  User-studies of computational trust applications

Submission guidelines are posted on the TRECK 2005 website (http://www.trustcomp.org/treck/), which always contains the latest updates: Authors are invited to submit full papers about original and unpublished research. We would like to encourage the submission of industrial experience reports and reports of innovative computing applications. Parallel submission to other conferences, other tracks of SAC 2005 or any other publications is forbidden. Papers submitted should not have been previously published and should not be subsequently published in the same form elsewhere. 
Submissions should be properly anonymized to facilitate blind reviewing: papers being submitted should not list the authors, affiliations or addresses on the first page and authors are also encouraged to take care throughout the entire document to minimise references that may reveal the identity of the authors or institution. The body of each paper should not exceed 4,000 words. Papers failing to comply with length limitations risk immediate rejection. Authors of accepted papers must be prepared to sign a copyright statement and must guarantee that their paper will be presented at the conference. At least three reviewers will be assigned to each submission to the TRECK track. Accepted papers are published by ACM in both printed form and CD-ROM; they are also available on the Web through the ACM Digital Library. Once accepted, papers must fit within five (5) two column pages (please check the author kit on the main SAC website: the format is usually the ACM one at http://www.acm.org/sigs/pubs/proceed/template.html), with the option (at additional expense) to add three (3) more pages. A second set of selected papers, which did not get accepted as full papers, will be accepted as posters and will be published as extended 2-page abstracts in the symposium proceedings. Paper submissions should be sent (as an attached PDF file) to: treck2005@trustcomp.org The body of the email should include the title of the paper, the author(s) name(s) and affiliation(s), and the address (including e-mail, telephone, and fax) to which correspondence should be sent. Submissions will be accepted until 23.59 PM GMT, 3 September, 2004. No more papers will be accepted after that time. For more information please visit: http://www.trustcomp.org/treck/ or send an email to sac.treck.info@trustcomp.org. IMPORTANT DUE DATES Sept. 3, 2004: Paper submissions Oct. 15, 2004: Author notification Nov. 
5, 2004: Camera-Ready Copy
March 13-17, 2005: SAC in Santa Fe

Conference Venue: Nestled at 7000 feet (2000 m) in the foothills of the Rocky Mountains, Santa Fe, New Mexico, the "City Different", is the oldest capital city in the United States, a city with a long history and rich cultural heritage. Originally a townlet populated by Pueblo Indians, it became a capital of Nueva Espana (New Spain) in 1607, then a capital of the Mexican state of Nuevo Mexico (New Mexico); since the 1840s, it is part of the USA. Santa Fe is famous for its culture, art, and traditions. It is home to the US's third largest art market, to the Santa Fe Opera, a variety of cuisines, hundreds of quaint shops, and unlimited outdoor activities. For more information about Santa Fe see the city website at http://www.santafe.org/.

Track Program Chairs:
  Christian Damsgaard Jensen, Technical University of Denmark, Christian.Jensen@imm.dtu.dk
  Jean-Marc Seigneur, Trinity College Dublin, Ireland, Jean-Marc.Seigneur@trustcomp.org

Track Program Committee:
  Ciarán Bryce, University of Geneva, Switzerland
  Laurent Bussard, Eurecom Institute, France
  Marco Carbone, University of Aarhus, Denmark
  Bruno Crispo, Vrije Universiteit Amsterdam, The Netherlands
  Robert Demolombe, Onera, France
  Theo Dimitrakos, CCLRC, United Kingdom
  Nathan Dimmock, University of Cambridge, United Kingdom
  Luca Ferrari, University of Modena and Reggio Emilia, Italy
  Jennifer Golbeck, University of Maryland, USA
  Angelos D. Keromytis, Columbia University, USA
  Sozo Inoue, Kyushu University, Japan
  Valérie Issarny, INRIA, France
  Christian Damsgaard Jensen, Technical University of Denmark
  Audun Jøsang, DSTC, Australia
  Frederik Leemans, Philips Remote Control Systems, Belgium
  Stephane Lo Presti, University of Southampton, United Kingdom
  Michael R. Lyu, Chinese University of Hong-Kong, China
  Stephen Marsh, National Research Council, Canada
  Anthony Meehan, Open University, United Kingdom
  Tobias Mahler, University of Oslo, Norway
  Paolo Massa, University of Trento, Italy
  Hugo Miranda, University of Lisbon, Portugal
  Seamus Moloney, Nokia, Finland
  Philip Robinson, Teco, University of Karlsruhe, Germany
  Jean-Marc Seigneur, Trinity College Dublin, Ireland
  Laurence Vignollet, Université de Savoie, France
  Waleed Wagealla, University of Strathclyde, United Kingdom
  Marianne Winslett, University of Illinois at Urbana-Champaign, USA
  Konrad Wrona, Ericsson, Ireland
  Cai-Nicolas Ziegler, University of Freiburg, Germany

-- Jean-Marc Seigneur http://www.cs.tcd.ie/Jean-Marc.Seigneur/

From isn at c4i.org Thu Jun 10 05:43:59 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jun 10 06:01:38 2004 Subject: [ISN] 'Counterstrike software' for hackers Message-ID: Forwarded from: security curmudgeon http://australianit.news.com.au/articles/0,7204,9800011%5E15321%5E%5Enbv%5E,00.html [I'm now taking bets on the first waves of lawsuits that will follow due to the strike back hitting a server that doesn't belong to the attacker (physically/financially)] Correspondents in Paris JUNE 10, 2004 THE first commercial software to strike back at computer vandals and spammers has run into crossfire from experts, who fear it could unleash "a cyber bloodbath" that could engulf the internet, New Scientist says. The product, launched in March by Texas security company Symbiot, gives companies an escalating list of options to defend themselves against hackers and other sources of unwanted traffic. The menu starts with defensive choices: blocking traffic from a certain site, limiting the amount of bandwidth that certain senders can take up, and diverting troublesome data into a 'honeypot'. From then on, the options are more aggressive. Someone who tries to hack into the company's computer can be 'tagged'. 
He is allowed to steal information that appears valuable but in fact infiltrates his own computer, stamping all further data packets from that source with a tag which identifies it to other Symbiot subscribers as a 'known attacker'. As a final resort, the company can send code to the attacking computer to end the assault. Symbiot refuses to say what the counter-offensive entails, although a spokesman admits it "could be seen by some as malicious code", New Scientist says. That means the software enables its customers to invade other computers, and for critics, this could open the gates to an escalating conflict where innocents could end up victims, the British weekly says. The bystanders could include ordinary people whose computers are hijacked, without their knowledge, to send out spam or email viruses, or whose internet address is 'spoofed' - used by the hacker to mask his own whereabouts. Spoofing means "it is even possible to envisage an elaborate plot in which an unscrupulous small operator lures two larger rivals into a shooting match by convincing each one that it is under attack by the other", the report says. "This type of thinking comes from a small number of security professionals, ones I'd consider hotheads, who want to get back at people," Eugene Schultz, an expert at Lawrence Berkeley National Labs, said. "It's a vigilante mentality, and it just seems so irresponsible." Symbiot, which gives access to the counterstrike software for $US10,000 ($14,526) a month, is treading carefully. Before releasing its product, called iSIMS, it issued a white paper on "rules of engagement", stressing that users should only counterstrike when all else fails. The report appears in next Saturday's issue of New Scientist. Counterstrike software is being pursued by other computer security firms, sensing the widespread frustration at the failure of law enforcement at dealing with hacking and spamming. 
At present, companies and individuals have only defensive options in the commercial arena, such as software for firewalls, spam filters and detectors that block suspected viruses. But these are invariably breached after a while and have to be continuously updated. Agence France-Presse From isn at c4i.org Thu Jun 10 05:44:11 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jun 10 06:01:39 2004 Subject: [ISN] Internet Security Systems CTO Steps Down Message-ID: http://www.eweek.com/article2/0,1759,1609500,00.asp By Dennis Fisher June 9, 2004 Chris Klaus, the founder of Internet Security Systems, has decided to relinquish his role as chief technology officer, but is staying on with the company in the newly created position of chief security adviser. Chris Rouland, formerly the director of the X-Force security research team, is Klaus' handpicked successor as CTO. Klaus founded Internet Security Systems Inc. in 1994 on the strength of his Internet Scanner tool, one of the first vulnerability scanners on the commercial market, and built the company into one of the more formidable pure security vendors in the industry. Its product line now includes a variety of security appliances, intrusion detection software and a central management console. In his time as CTO, Klaus has been involved in setting the company's overall strategic technical direction and has also served as the public face of ISS, based in Atlanta. A company spokeswoman said Klaus will remain involved in the technical side of the company but will hand over the day-to-day duties to Rouland. No reason was given for Klaus' decision to give up the CTO position. The ascension to CTO is a major step up for Rouland, who is widely respected in the security industry and considered to be one of the top researchers around. Under Rouland, the X-Force has evolved from an internal team doing vulnerability research into a core part of the company's services offerings via the X-Force Threat Analysis Service. 
The team now concentrates on doing analyses of current and future threats and vulnerabilities and looking for trends to help enterprises ward off attacks. Rouland also was instrumental in the decision by ISS to publish its internal vulnerability disclosure guidelines in 2002. At the time, there was a lot of publicity surrounding disclosure and how much information was too much to include in security advisories. ISS had been criticized by some in the security community for releasing information before patches were ready, and the company decided to publish its disclosure guidelines in order to make clear the way it operated. From isn at c4i.org Thu Jun 10 05:44:23 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jun 10 06:01:40 2004 Subject: [ISN] Apple security patch problems fixed Message-ID: http://www.theregister.co.uk/2004/06/09/apple_security/ By Tony Smith 9th June 2004 Register readers experiencing problems with Apple's Security Update 2004-06-07 can take heart that the update does work, and its apparent inability to cope with some exploits can be solved using a little Terminal trickery. We were not alone in having troubles with the update when we applied it to our own Mac yesterday. A number of readers emailed us to say they too found the patch permitted certain vulnerability tests to operate. The issue centres on those who have taken the test before. Mac OS X's LaunchServices sub-system records what apps have been run, which document types they 'own' and which URIs they respond to. If, like us, you've previously run the test, either to determine its effects or to test Unsanity's Paranoid Android utility, the patched LaunchServices will happily let it through when you run the tests again. Apple's patch was - understandably - designed with the reasonable belief that no Macs had been exploited, even benignly. Our thanks, then, to reader Dave Schroeder who pointed out this tip over at Mac OS X Hints. 
The instructions allow you to reset LaunchServices' database, forcing it to lose the application-data-URI links registered by the vulnerability tests. Just run Mac OS X's Terminal app and paste in the following: /System/Library/Frameworks/ApplicationServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -kill -r -domain local -domain system -domain user Note that you may need to edit the line in a text editor first, to remove carriage returns and spaces between the slashes. We can confirm that the reset allows the patch to do its stuff with the tests and a number of those here. Security Updates for Mac OS X v10.3.4 'Panther' and Mac OS X Server v10.3.4 can be found here and for Mac OS X v10.2.8 'Jaguar' and Mac OS X Server v10.2.8 here. From isn at c4i.org Thu Jun 10 05:44:35 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jun 10 06:01:41 2004 Subject: [ISN] Internet Explorer carved up by zero-day hole Message-ID: http://www.computerworld.com.au/index.php?id=117316298&eid=-255 Kieren McCarthy Techworld.com 09/06/2004 Two new vulnerabilities have been discovered in Internet Explorer which allow a complete bypass of security and provide system access to a computer, including the installation of files on someone's hard disk without their knowledge, through a single click. Worse, the holes have been discovered from analysis of an existing link on the Internet, and a fully functional demonstration of the exploit has been produced and shown to affect even fully patched versions of Explorer. It has been rated "extremely critical" by security company Secunia, and the only advice is to disable Active Scripting support for all but trusted websites. The discovery stems from Dutch researcher Jelmer who was sent an Internet link which he was warned used unknown Explorer vulnerabilities to install adware on his computer. 
He found it did and embarked on a detailed analysis of the link, which demonstrates an extremely sophisticated use of encoded code to bypass the Web browser's security. In simple terms, the link uses an unknown vulnerability to open up a local Explorer help file -- ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm. It delays executing anything immediately but instead uses another unknown vulnerability to run another file which in turn runs some script. This script is then used to run more script. And finally that script is used to run an exploit that Microsoft Corp. has been aware of since August 2003 but hasn't patched. That exploit -- ADODB.Stream -- has not been viewed as particularly dangerous, since it only works when the script calling it is running from a file already on the user's hard disk, in the browser's Local Machine zone. The problem comes in the fact that the Help file initially opened is assumed to be safe since it is a local file and so has minimal security restrictions. By using the unknown exploits, code is installed within the help file window, all security efforts are bypassed, and the ADODB.Stream exploit is then used to download files from the Internet direct to the hard disk. What this means in reality is that if you click on a malicious link in an email or on the Internet, a malicious user can very quickly have complete control of your PC. And there is no patch available. You can see it happen by clicking here. With the code already available on the Net, this is effectively a security nightmare ... unless you're a Mozilla or Opera user, that is. 
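The chain described above has two recognisable building blocks: an ms-its: URL that opens a local .chm help file (which IE treats as local content with minimal restrictions) and script that instantiates ADODB.Stream to write bytes to disk, with the later stages hidden in encoded script. The scanner below is an added example, not code from the article or from Jelmer's analysis; it peels common escaping layers (%XX, \xXX, \uXXXX, String.fromCharCode) off a page and then matches those indicators. The two sample pages are constructed for this example, not captured from the adware site, and the indicator names and verdict labels are this example's own.

```python
"""Indicator scan for the Internet Explorer exploit chain described above.

Added example (not code from the article or from Jelmer's analysis). It flags
the two building blocks the article names: an ms-its: URL opening a local .chm
file and script that instantiates ADODB.Stream. Because the page hides later
stages in encoded script, common escaping layers are unwrapped before matching.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Indicators taken from the article's description of the chain.
MS_ITS_CHM = re.compile(r"""ms-its:[^\s"'<>]*\.chm::/""", re.IGNORECASE)
ADODB_STREAM = re.compile(
    r"""(?:new\s+ActiveXObject|CreateObject)\s*\(\s*["']ADODB\.Stream["']""",
    re.IGNORECASE,
)
# "This script is then used to run more script": decode-and-execute patterns.
EVAL_DECODE = re.compile(
    r"(?:eval|execScript|document\.write)\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(",
    re.IGNORECASE,
)
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")


def _chr(code: int) -> str:
    """chr() that tolerates out-of-range values found in junk input."""
    return chr(code) if code < 0x110000 else "?"


def decode_layers(text: str, max_rounds: int = 5) -> str:
    """Unwrap %XX, \\xXX, \\uXXXX and String.fromCharCode(...) escaping, repeating
    until nothing changes, so indicators inside encoded strings become visible."""
    for _ in range(max_rounds):
        new = unquote(text)
        new = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), new)
        new = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), new)
        new = FROMCHARCODE.sub(
            lambda m: '"' + "".join(_chr(int(n)) for n in m.group(1).split(",")) + '"',
            new,
        )
        if new == text:
            break
        text = new
    return text


@dataclass
class ScanResult:
    indicators: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        found = set(self.indicators)
        if {"ms-its-chm", "adodb-stream"} <= found:
            return "exploit-chain"  # both halves of the chain the article describes
        return "suspicious" if found else "clean"


CHECKS = (
    ("ms-its-chm", MS_ITS_CHM),
    ("adodb-stream", ADODB_STREAM),
    ("script-decodes-script", EVAL_DECODE),
)


def scan_html(html: str) -> ScanResult:
    """Match every indicator against both the raw page and its decoded form."""
    views = (html, decode_layers(html))
    result = ScanResult()
    for name, pattern in CHECKS:
        if any(pattern.search(view) for view in views):
            result.indicators.append(name)
    return result


# Constructed sample pages for this example (not captured from any real site).
BENIGN_PAGE = (
    '<html><body><a href="http://example.com/help.html">Help</a>'
    "<script>document.getElementById('x').innerText = 'hello';</script></body></html>"
)
CHAINED_PAGE = (
    '<html><body><a href="ms-its:C:\\WINDOWS\\Help\\iexplore.chm::/iegetsrt.htm">x</a>'
    '<script>eval(unescape("var%20s%3Dnew%20ActiveXObject%28%22ADODB.Stream%22%29%3B"))'
    "</script></body></html>"
)

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("chained", CHAINED_PAGE)):
        r = scan_html(page)
        print(f"{label}: {r.verdict} {r.indicators}")
```

Run it over saved copies of suspect pages or proxy-captured responses; a page that trips both ms-its-chm and adodb-stream is worth quarantining regardless of how the rest of it is obfuscated, while a lone ADODB.Stream reference is only a lead.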
From isn at c4i.org Thu Jun 10 05:45:09 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jun 10 06:01:42 2004 Subject: [ISN] CFP: Tridentcom 2005 Message-ID: Forwarded from: Sandro Marcelo Rossi (We apologize if you receive multiple copies of this message) ----------------------------------------------------------------------- CALL FOR PAPERS << Tridentcom 2005 >> Testbeds and Research Infrastructures for the DEvelopment of NeTworks and COMmunities February 21 - 25, 2005 Trento, Italy www.tridentcom.org Submission Deadline: September 5, 2004 ----------------------------------------------------------------------- SCOPE ----- Experimental network infrastructures are pivotal for academic researchers, developers, service managers, providers, and ultimately end users to meet the challenges of the emerging fast Internet convergence. Tridentcom 2005 is the first event that brings together all aspects related to experimental telecommunications infrastructures, creating a forum where telecommunication network researchers, developers, vendors, providers, and users can exchange ideas on past and current experiences, needs, and visions for the establishment of such infrastructures. The meeting will take place in Trento, capital of the Trentino province, in the heart of recent and rapidly growing R&D initiatives in Computer Science and Telecommunications, and surrounded by some of the most spectacular skiing resorts in the Alps. Pauses in the conference program will allow social activities and informal interaction among the participants. We are soliciting full papers in all research, development, and deployment areas on experimental telecommunication network infrastructures, from academia as well as from industry. 
Topics of interest include, but are not limited to, the following: - Next generation Internet testbeds - Next generation wireless network testbeds - Next generation optical network testbeds - Grid computing network testbeds - Ubiquitous network testbeds - Wireless sensor testbeds - Testbed operation and management for user communities - Testbed operation and management for research communities - Testbed cooperation and integration - Innovative measurement methodologies and tools - Traffic measurements testbeds - Software tools to support distributed testbeds / Virtual labs - Management of massive databases of experimental data - Knowledge and technology transfer procedures - Security (AAA) testing on open testbeds - Social impacts of infrastructures - Infrastructure real-life applications - Business models for infrastructure budgeting and planning - Infrastructure renting and pricing policies - Vendor and providers partnership High quality papers will be selected for possible publication in a journal special issue and will be eligible for the Best Paper Award. IMPORTANT DATES --------------- Full papers due: September 5, 2004 Notification of acceptance: October 20, 2004 Final manuscript due: November 10, 2004 Conference Dates: February 21 - 25, 2005 PAPER SUBMISSION INSTRUCTIONS ----------------------------- Authors are invited to submit papers of up to 10 pages including references, figures, and tables, formatted according to the IEEE 8.5" x 11" proceedings format. Papers should be submitted electronically in Postscript or Adobe PDF format through the EDAS system at http://edas.info/Conferences.cgi. Further information on paper format and submission procedures are available on the Tridentcom 2005 conference website. PROPOSALS FOR DEMOS --------------------------------------------- Proposals for demos are solicited. Demo proposals should consist of: 1) title and description of the demo, 2) infrastructure requirements, 3) biographical sketch of the presenter(s). 
Further information on proposal format and submission procedures are available on the Tridentcom 2005 conference website. Full proposals due: September 5, 2004. CONFERENCE INFORMATION ---------------------- For further information on the Tridentcom 2005 conference, please visit http://www.tridentcom.org or contact the organizing committee at tridentcom2005@create-net.it. CONFERENCE ORGANIZING COMMITTEE ------------------------------- General Co-Chairs: Mario Gerla, UCLA (USA) Roberto Battiti, University of Trento (Italy) Vice-General Co-Chairs: Marco Ronchetti, University of Trento (Italy) Marcos Rogerio Salvador, CPqD Telecom & IT Solutions (Brazil) Technical Program Co-Chairs: Javier Aracil, University of Navarra (Spain) Kenichi Mase, Niigata University (Japan) Shivkumar Kalyanaraman, Rensselaer Polytechnic Institute (USA) Demo Chair: David W. Walker, University of Cardiff (UK) Publications and Web Chair: Piero Spinnato, Create-Net (Italy) Local Arrangements Chair: Sandro Pera, Create-Net (Italy) Publicity Co-Chairs: Hakki Candan Cankaya, Alcatel USA (USA) Shigeo Shioda, Chiba University (Japan) Sandro Marcelo Rossi, CPqD Telecom & IT Solutions (Brazil) Steering Committee Chair: Imrich Chlamtac, University of Texas at Dallas (USA) (Preliminary) Technical Program Committee members: Giuseppe Bianchi, University of Roma Tor Vergata (Italy) Victor Castelo, CSIC-RedIRIS (Spain) Piero Castoldi, Scuola Superiore Sant'Anna (Italy) Cem Ersoy, Bogazici University (Turkey) Alex Galis, University College London (UK) Parviz Kermani, IBM Watson Research Center (USA) Cees de Laat, University of Amsterdam (The Netherlands) Xing Li, Tsinghua University (China) Olivier Martin, CERN (Switzerland) Peter McBurney, University of Liverpool (UK) Saverio Niccolini, Create-Net (Italy) Yuji Oie, Kyushu Institute of Technology (Japan) Bjorn Pehrson, KTH (Sweden) Dipankar Raychaudhuri, Rutgers University (USA) Shiro Sakata, Chiba University (Japan) Rege Romeu Scarabucci, CPqD Telecom & IT 
Solutions (Brazil) Michael Stanton, RNP (Brazil) Bill St. Arnaud, CANARIE (Canada) Sven Ubik, CESNET (Czech Republic) Hisao Uose, NTT (Japan) Steven Willmott, UPC (Spain) Adam Wolisz, Technical University of Berlin (Germany) Thomas Ziegler, FTW (Austria) -------------------------------------------------------------------------- PS: Feel free to distribute! From isn at c4i.org Thu Jun 10 05:45:43 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jun 10 06:01:43 2004 Subject: [ISN] CSO survey: Companies lack plans in case of terrorist attacks Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,93741,00.html By Paul Roberts JUNE 09, 2004 IDG NEWS SERVICE A majority of security executives surveyed said their companies don't have plans to cope with an unconventional terrorist attack, even though most believe that a terrorist attack of some kind is likely to occur in the coming months, according to the results of a poll released by CSO magazine today. The survey of 476 chief security officers and senior security executives found that 60% believe that a terrorist attack is likely in Boston or New York, which are hosting the Democratic and Republican political conventions this summer, respectively. While 63% of CSOs said their companies have planned for conventional attacks such as bombings or hostage taking, 61% said they haven't planned for unconventional attacks using chemical, biological or nuclear weapons, according to the magazine. The online survey of CSO subscribers was conducted between April 27 and May 18, 2004, and has a 4.5% margin of error. CSO subscribers were asked their opinions on a number of issues, including terrorism, politics, IT security policy and purchasing decisions. While planning for unconventional terrorist attacks is rare, the CSOs reported much better preparation for threats such as cyberattacks, natural disasters and violent employees. 
Ninety-four percent of those surveyed said they have contingency plans in place for natural disasters and 86% for cyberattacks. Eighty percent said their companies are prepared for attacks from violent employees or former employees. Indeed, the survey showed that companies are quick to slam the door on former employees. Seventy-four percent of those surveyed block network access to e-mail and critical documents within one business day of employees being fired or leaving a company, and 81% block physical access within one business day. The theft of intellectual property or other proprietary information is also a top concern of CSOs, with 91% saying that managing access to critical information and documents is either "extremely important" or "very important." The study also showed that those concerns are often well placed. Fifteen percent of the respondents said their employer has lost or had critical documents or corporate information copied without authorization in the past year. Almost a quarter said they could not be sure whether such losses had occurred at their company. However, concerns about the theft of proprietary information aren't influencing decisions about which security products to buy. Only 11% of the CSOs surveyed said that the theft of intellectual property was the primary factor in security spending, which averaged $16.6 million annually among those surveyed. Instead, the desire to comply with government regulations is a bigger motivator. Forty-nine percent cited "issues related to regulatory compliance" as the prime reason behind their security purchases. Companies need to have policies and processes in place that protect their most important assets and ensure the safety and welfare of their employees, said Lew McCreary, CSO's editor in chief. Among other consequences, organizations that are shown to have ignored the interests of either shareholders or employees in the wake of a disaster could be held legally liable for losses and damage. 
Clearly articulated policies and procedures for emergencies and frequent exercises that reinforce those procedures are a good place to start, McCreary said. But companies also need to weigh the costs and benefits of any plans to guard against attacks, including those involving weapons of mass destruction. "Companies can't go crazy worrying about the likelihood of a terrorist event if the cost of remediating such an event is going to be prohibitive," he said. CSO magazine is published by CXO Media Inc., a subsidiary of International Data Group, which also owns the IDG News Service and Computerworld.com. From isn at c4i.org Thu Jun 10 05:46:17 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jun 10 06:01:44 2004 Subject: [ISN] Security UPDATE--Checking Up on Products--June 9, 2004 Message-ID: ==================== ==== This Issue Sponsored By ==== OpenNetwork http://list.winnetmag.com/cgi-bin3/DM/y/egGh0CJgSH0CBw0BIp70A1 Windows & .NET Magazine http://list.winnetmag.com/cgi-bin3/DM/y/egGh0CJgSH0CBw0BEuX0Aa ==================== 1. In Focus: Checking Up on Products 2. Security News and Features - Recent Security Vulnerabilities - News: SP2 for Web Developers - Book Review: Hardening Windows - Feature: Performing Forensic Analyses, Part 1 3. Security Toolkit - FAQ - Featured Thread 4. New and Improved - Secure Your Property with Network Camera Surveillance ==================== ==== Sponsor: OpenNetwork ==== Concerned about meeting auditing and compliance requirements for controlling access to sensitive information? Quickly enable and disable employee access to corporate applications and resources with an effective Identity Management strategy. Read OpenNetwork's free whitepaper, Understanding the Identity Management Roadmap, at http://list.winnetmag.com/cgi-bin3/DM/y/egGh0CJgSH0CBw0BIp70A1 ==================== ==== 1. 
In Focus: Checking Up on Products ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net When you configure your software and hardware to operate in a specific manner, how do you know they really perform as configured? Do you trust that the vendors have developed their products to operate properly? Of course you don't. Right? We all know that vendors, like everybody else, make mistakes. A case in point appeared on the Bugtraq mailing list last week. A researcher discovered that some Linksys WRT54G wireless routers under some circumstances might expose the administration interface to the WAN interface (typically connected to the Internet), even if the routers are configured to disable remote administration. So if you turned off remote administration and put the router on an Internet link, assuming the administration interface was disabled, a hacker could use the admin interface to break in. However, if you took a few minutes to probe the router from the WAN side, you might discover that the admin interface still answers even though it's supposedly disabled. Linksys, a division of Cisco Systems, released a new beta version of the WRT54G firmware to correct the problem, so if you use the device, you might consider loading the beta firmware. You might also consider placing your wireless routers behind a firewall, even if your routers have a built-in firewall, to help minimize unwanted system exposure and unwanted access. http://www.linksys.com/download/firmware.asp?fwid=201 A case in point for that suggestion pertains to another wireless router, the NETGEAR WG602, also mentioned on Bugtraq last week. Apparently, for some unknown reason, NETGEAR has integrated an undocumented administrator account into its router's firmware. The account can't be disabled, is accessible from the LAN and WAN sides of the router, and has a plaintext logon name and password that researchers have of course discovered. Anybody who uses the router is vulnerable to attack. 
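The check the editorial above recommends, probing the router from the WAN side rather than trusting the "remote administration disabled" setting, as an added example that is not code from the newsletter or from Linksys/NETGEAR. probe_host() fetches "/" on a few ports from wherever it is run (so run it from outside the router, not from the LAN), and classify_http() decides from the raw reply whether an administration interface answered. The port list and the title/realm heuristics are assumptions for this example, not values taken from the advisories, and the two sample replies are constructed, not captured from a device.

```python
"""WAN-side check for an exposed router admin interface.

Added example, not code from the newsletter or from any router vendor.
A "remote administration: off" setting is a claim the device makes about
itself; the check is to connect from the untrusted side and see what answers.
"""
import re
import socket
import ssl

DEFAULT_PORTS = (80, 443, 8080)  # assumption: usual ports for an embedded web UI
ADMIN_TITLE = re.compile(rb"setup|admin|router|login|gateway", re.IGNORECASE)


def classify_http(raw: bytes) -> str:
    """Classify a raw HTTP reply as 'closed', 'http', or 'admin-login'.

    A 401 carrying WWW-Authenticate (the HTTP Basic prompt most router UIs of
    this era use) or a page whose <title> looks like a setup/login screen is
    treated as an administration interface answering on this port.
    """
    if not raw.startswith(b"HTTP/"):
        return "closed"  # refused, timed out, or not speaking HTTP
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    parts = status_line.split()
    status = parts[1] if len(parts) > 1 else b""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if status == b"401" and b"www-authenticate" in headers:
        return "admin-login"
    title = re.search(rb"<title>(.*?)</title>", body, re.IGNORECASE | re.DOTALL)
    if title and ADMIN_TITLE.search(title.group(1)):
        return "admin-login"
    return "http"


def fetch_root(host: str, port: int, timeout: float = 3.0, limit: int = 65536) -> bytes:
    """Connect, send a minimal GET / and return the raw reply (b"" on any failure).

    Port 443 is wrapped in TLS without certificate checks: router UIs use
    self-signed certificates and we only want the banner, not a trusted channel.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return b""
    try:
        if port == 443:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks, size = [], 0
        while size < limit:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            size += len(data)
        return b"".join(chunks)
    except OSError:
        return b""
    finally:
        sock.close()


def probe_host(host: str, ports=DEFAULT_PORTS) -> dict:
    """Map each port to its classification. Any 'admin-login' seen from the WAN
    side means the 'remote administration disabled' setting is not doing its job."""
    return {port: classify_http(fetch_root(host, port)) for port in ports}


# Constructed sample replies for this example (not captured from any device).
SAMPLE_BASIC_AUTH = (
    b"HTTP/1.0 401 Unauthorized\r\n"
    b'WWW-Authenticate: Basic realm="router"\r\n'
    b"Content-Type: text/html\r\n\r\n<html>401 Unauthorized</html>"
)
SAMPLE_PLAIN_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>Welcome</title></head><body>hi</body></html>"
)

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        for port, verdict in probe_host(sys.argv[1]).items():
            print(f"{sys.argv[1]}:{port} -> {verdict}")
    else:
        print(classify_http(SAMPLE_BASIC_AUTH), classify_http(SAMPLE_PLAIN_PAGE))
```

Run it against the router's public address from a host on the Internet side (a shell on a remote box, or a dial-up or mobile connection); a result from inside the LAN proves nothing, since the LAN-side interface is supposed to answer. The same probe is the quickest way to confirm that the firewall you put in front of the router really blocks its admin ports.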
If you have the router behind some other firewall that blocks access to its administration interface, then at least you're protected against attacks from the outside, but unauthorized users inside the local network could still log on to the router. The Linksys router vulnerability apparently stemmed from a programming error and has been fixed. But I have no idea why NETGEAR would implement an undocumented administrator account. Maybe it was inadvertently left in place. Clearly, you shouldn't blindly trust products--you need to consider checking them to make sure they perform as expected. ==================== ==== Sponsor: Windows & .NET Magazine ==== Get 2 Sample Issues of Windows & .NET Magazine! Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Exchange, scripting, and much more. Our expert authors deliver how-to articles and product evaluations that will help you do your job better. Try two, no-risk sample issues today, and find out why 100,000 IT professionals rely on Windows & .NET Magazine each month! http://list.winnetmag.com/cgi-bin3/DM/y/egGh0CJgSH0CBw0BEuX0Aa ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.winnetmag.com/departments/departmentid/752/752.html News: SP2 for Web Developers Microsoft has published a document on the Microsoft Developer Network (MSDN) titled "How to Make Your Web Site Work with Windows XP Service Pack 2." The article covers design changes you might need to consider regarding ActiveX controls, file download mechanisms, pop-up windows, Java, HTML dialog boxes, and window-positioning restrictions. 
http://www.winnetmag.com/article/articleid/42843/42843.html Book Review: Hardening Windows For professionals who are heavily involved with Windows, a book titled "Hardening Windows" just cries out to be read. The author of "Hardening Windows" is Jonathan Hassell, a systems administrator and IT consultant who defines the term "hardening" as "the process of protecting a system against unknown threats." He points out that the four cornerstones of any such policy are privacy, trust, authenticity, and integrity. Privacy is the capability that a company or organization possesses to keep information confidential, and trust questions the validity of data and objects by not simply accepting things at face value. Authenticity involves ensuring that people really are who they say they are, and integrity ensures that systems aren't compromised in any way. You can read the entire book review on our Web site. http://www.winnetmag.com/article/articleid/42751/42751.html Feature: Performing Forensic Analyses, Part 1 In the "Security Administrator" articles "Building and Using an Incident Response Toolkit, Part 1" (April 2004, InstantDoc ID 41900) and "Building and Using an Incident Response Toolkit, Part 2" (May 2004, InstantDoc ID 42173), Matt Lesko discusses how to quickly and appropriately respond to a computer security incident. In the follow-up article "Performing Forensic Analyses, Part 1," he prepares to analyze the compromised machine by creating a bootable CD-ROM and duplicating the compromised machine's hard disk. http://www.winnetmag.com/article/articleid/42445/42445.html ==================== ==== Announcements ==== (from Windows & .NET Magazine and its partners) Get 5 Years Worth of SQL Server Tools, Tips, & Content Introducing version 8 of the SQL Server Magazine Master CD. Subscribe today and get portable, high-speed access to all articles, code, tips, tricks, and expertise published in SQL Server Magazine and T-SQL Solutions. 
Let this helpful resource save you some time anywhere you are. Subscribe now and get 25% off! http://list.winnetmag.com/cgi-bin3/DM/y/egGh0CJgSH0CBw0BI270Ay Does Your Company Currently Use Microsoft Windows NT Server? If your answer is "yes," Windows & .NET Magazine wants your opinion! Take a short survey and register to win an Xbox. Click the link below to help us understand why more than 3 million servers currently run Windows NT Server. Give your opinion about consolidating file print servers and upgrading to Windows 2003. http://list.winnetmag.com/cgi-bin3/DM/y/egGh0CJgSH0CBw0BIuP0AW The Conference on Securing and Auditing Windows Technologies, July 20-21 New for 2004, The Conference on Securing and Auditing Windows Technologies will be held July 20-21, 2004, at the Fairmont Copley Plaza in Boston, MA. In vendor-neutral sessions on today's hottest topics, you'll get practical strategies for mitigating risk and safeguarding your systems. For more information, call 508-879-7999 or go to: http://list.winnetmag.com/cgi-bin3/DM/y/egGh0CJgSH0CBw0BHtU0AZ ==================== ==== Hot Release ==== CipherTrust Spammers are attacking the security and integrity of corporations. In this white paper, you'll learn to defend your organization against these threats. Topics include: * The security threat presented by spam * Spammer methods and techniques * The impact, including liability and damage to your reputation http://list.winnetmag.com/cgi-bin3/DM/y/egGh0CJgSH0CBw0BHFc0A2 ==================== ==== 3. Security Toolkit ==== FAQ: How can I recover Microsoft Office Outlook Messages that have been removed by a hard delete? by John Savill, http://www.winnetmag.com/windowsnt20002003faq A. Usually when you delete a message, Exchange Server moves it to the Deleted Items folder, which you can empty by right-clicking Deleted Items and selecting Empty "Deleted Items" Folder from the displayed context menu. 
Alternatively, you can configure Outlook to empty the Deleted Items folder each time you close Outlook. To do so, select Tools, Options and click the Other tab. In the General section, select the "Empty the Deleted Items folder upon exiting" check box. After Exchange removes items from the Deleted Items folder, it keeps them for 7 days. During this time, you can recover deleted messages from the Deleted Items folder by selecting Tools, Recover Deleted Items. You can perform a hard delete of a message by highlighting the message and pressing Shift+Del. Performing a hard delete removes the message without moving it to the Deleted Items folder. When you attempt to recover hard-deleted items, you'll see that they aren't listed in the recovery dialog box. If you select the folder from which you performed the hard delete (e.g., Inbox), you'll see that the option to recover deleted items is unavailable from the Tools menu. If you want to be able to recover items that have been deleted from an Outlook folder--including hard-deleted items--you need to perform the following steps or add the dumpster.reg entry to the registry. You can download the dumpster.reg entry at the URL below. 1. Start the registry editor (regedit.exe). 2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Options subkey. 3. From the Edit menu, select New and click DWORD Value. 4. Enter the name DumpsterAlwaysOn and press Enter. 5. Double-click the new value and set it to 1. Click OK. 6. Close the registry editor. When you restart Outlook, the option to recover messages should be available for all folders. http://www.winnetmag.com/articles/download/dumpster_reg.zip Featured Thread: Directory ACL Report Generator (Two messages in this thread) Chris writes that he's looking for a tool that will generate a report of the directory structure and the assigned ACLs on his file servers. 
He has tried some of the tools from the Windows 2000 Resource Kit, such as showacls and showmbrs, but they don't seem to work on large directory structures like his. Lend a hand or read the responses: http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=121489 ==================== ==== Events Central ==== (A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events ) The Exchange Server Seminar Series Coming to Your City in June Join industry experts Kieran McCorry, Donald Livengood, and Kevin Laahs for this free event! Learn the benefits of migrating to an integrated communications environment, consolidating and simplifying implementation of technology, and accelerating worker productivity. Register now and enter to win an HP iPAQ and $500 cash! http://list.winnetmag.com/cgi-bin3/DM/y/egGh0CJgSH0CBw0BG6C0AE ==================== ==== 4. New and Improved ==== by Jason Bovberg, products@winnetmag.com Secure Your Property with Network Camera Surveillance RFC Services released Visual Hindsight Professional Edition 1.01, software that supports network cameras and video servers capable of working with industry-standard JPEG still images or motion-JPEG image streams. Version 1.01 permits real-time viewing of as many as 100 cameras and video servers, while simultaneously recording as many as 50 live video streams to disk as compressed AVI files. Visual Hindsight, which costs $149, works with Windows XP, Windows 2000, and Windows NT. You can download a trial version from the Visual Hindsight Web site. http://www.visualhindsight.com/download.htm Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. 
Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com. ==================== ==== Sponsored Links ==== Argent Comparison Paper: The Argent Guardian Easily Beats Out MOM http://list.winnetmag.com/cgi-bin3/DM/y/egGh0CJgSH0CBw0BDWV0A2 Microsoft(R) TechNet Microsoft(R) TechNet Webcasts: essential guidance, industry experts http://list.winnetmag.com/cgi-bin3/DM/y/egGh0CJgSH0CBw0BG360Aw ==================== Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@winnetmag.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Contact Us ==== About the newsletter -- letters@winnetmag.com About technical questions -- http://www.winnetmag.com/forums About product news -- products@winnetmag.com About your subscription -- securityupdate@winnetmag.com About sponsoring Security UPDATE -- emedia_opps@winnetmag.com ==================== ==== Contact Our Sponsors ==== Primary Sponsor: OpenNetwork -- http://www.opennetwork.com -- 1-877-561-9500 Hot Release Sponsor: CipherTrust -- http://www.ciphertrust.com -- 1-877-448-8625 ==================== This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today. http://www.winnetmag.com/sub.cfm?code=wswi201x1z You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you! 
View the Windows & .NET Magazine privacy policy at http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All rights reserved.

From isn at c4i.org Fri Jun 11 06:19:10 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 11 06:38:40 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-24
Message-ID:

========================================================================
The Secunia Weekly Advisory Summary
2004-06-03 - 2004-06-10
This week : 48 advisories
========================================================================

Table of Contents:

1) Word From Secunia
2) This Week In Brief
3) This Weeks Top Ten Most Read Advisories
4) Vulnerabilities Summary Listing
5) Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff spends hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

ADVISORIES:

Jelmer issued a detailed analysis of a very sophisticated "zero-day" exploit for Internet Explorer. Jelmer obtained the exploit from an ad-ware site, which is actively using this exploit to install a toolbar in Internet Explorer on vulnerable users' systems. Please read Secunia advisory SA11753 below for additional details.

Furthermore, Microsoft has released its monthly security bulletins for June, addressing vulnerabilities in DirectX and various products implementing Crystal Reports.

Reference:
http://secunia.com/SA11753
http://secunia.com/SA11803
http://secunia.com/SA11802

--

Apple has issued a security update to address the "disk://" vulnerability among others. The update has been long awaited by the Mac OS X community, as the vulnerabilities addressed have been "public knowledge" for several weeks now, and they could be used for a remote system compromise.

Reference:
http://secunia.com/SA11689

--

A vulnerability has been reported in Squid, which potentially could be exploited to compromise a vulnerable system. Squid has issued a patch which fixes this vulnerability.

Reference:
http://secunia.com/SA11804

VIRUS ALERTS:

Secunia has not issued any virus alerts during the last week.

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1.  [SA11793] Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities
2.  [SA11689] Mac OS X Volume URI Handler Registration Code Execution Vulnerability
3.  [SA11754] Linksys Routers Administrative Web Interface Access Security Issue
4.  [SA11622] Mac OS X URI Handler Arbitrary Code Execution
5.  [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
6.  [SA10395] Internet Explorer URL Spoofing Vulnerability
7.  [SA11780] Sun Solaris update for sendmail
8.  [SA11764] Linksys BEF Series Routers Denial of Service Vulnerabilities
9.  [SA11792] PHP "escapeshellcmd()" and "escapeshellarg()" Security Bypass Vulnerability
10. [SA11794] Webmin Unspecified Denial of Service and Security Restriction Bypass

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA11793] Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities
[SA11792] PHP "escapeshellcmd()" and "escapeshellarg()" Security Bypass Vulnerability
[SA11787] Oracle E-Business Suite Unspecified SQL Injection Vulnerabilities
[SA11803] Microsoft Crystal Reports Web Viewer Directory Traversal Vulnerability
[SA11802] Microsoft DirectPlay Packet Validation Denial of Service Vulnerability
[SA11790] FoolProof Security Administrator Password Disclosure Weakness

UNIX/Linux:
[SA11804] Squid NTLM Authentication Helper Buffer Overflow Vulnerability
[SA11795] Sun Crypto Accelerator 4000 Software OpenSSL Vulnerabilities
[SA11780] Sun Solaris update for sendmail
[SA11767] NetBSD update for CVS
[SA11809] Gentoo update for mailman
[SA11805] Horde IMP "Content-Type:" Header Script Insertion Vulnerability
[SA11798] cPanel suEXEC Privilege Escalation Vulnerability
[SA11794] Webmin Unspecified Denial of Service and Security Restriction Bypass
[SA11789] Crafty Syntax Live Help Script Insertion Vulnerabilities
[SA11788] l2tpd "write_packet()" Buffer Overflow Vulnerability
[SA11786] Gentoo update for sitecopy
[SA11785] sitecopy Multiple libneon Vulnerabilities
[SA11784] cPanel killacct Script Arbitrary DNS Information Deletion Vulnerability
[SA11782] Debian update for postgresql
[SA11781] psqlodbc "PGAPI_Connect()" Buffer Overflow Vulnerability
[SA11779] Debian update for lha
[SA11778] Open Webmail "Content-Type:" Header Script Injection Vulnerability
[SA11777] Fedora update for krb5
[SA11776] Gentoo update for ethereal
[SA11771] Fedora update for ethereal
[SA11769] Debian update for log2mail
[SA11768] log2mail "printlog()" Message Logging Format String Vulnerability
[SA11765] Mandrake update for krb5
[SA11759] Slackware update for mod_ssl
[SA11758] Debian update for gallery
[SA11797] FreeBSD Jailed Process Host Routing Table Manipulation Vulnerability
[SA11796] Mandrake update for tripwire
[SA11775] Gentoo update for tripwire
[SA11763] Tripwire Email Reporting Privilege Escalation Vulnerability
[SA11760] Slackware PHP Insecure Static Library Linking Security Issue
[SA11770] Fedora update for net-tools

Other:
[SA11773] NetGear WG602 Wireless Access Point Default Account Security Issue
[SA11764] Linksys BEF Series Routers Denial of Service Vulnerabilities

Cross Platform:
[SA11774] Mail Manage EX Arbitrary File Inclusion Vulnerability
[SA11801] Roundup Web Interface Directory Traversal Vulnerability
[SA11800] Crystal Reports and Crystal Enterprise Directory Traversal Vulnerability
[SA11783] IBM Multiple Products GSKit Denial of Service Vulnerability
[SA11772] SurgeMail Path Disclosure and Cross-Site Scripting Vulnerability
[SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
[SA11791] jCIFS Arbitrary Username Authentication Security Issue
[SA11761] IBM Products Forms Authentication Session Hijacking
[SA11766] PHP-Nuke Direct Script Access Restriction Bypass Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA11793] Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities
Critical:    Extremely critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2004-06-08

Two vulnerabilities have been reported in Internet Explorer, which in combination with other known issues can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/11793/

--

[SA11792] PHP "escapeshellcmd()" and "escapeshellarg()" Security Bypass Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-06-07

Daniel Fabian has discovered a vulnerability in PHP, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/11792/

--

[SA11787] Oracle E-Business Suite Unspecified SQL Injection Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information, Exposure of sensitive information, System access
Released:    2004-06-07

Stephen Kost has reported multiple vulnerabilities in Oracle E-Business Suite and Oracle Applications, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/11787/

--

[SA11803] Microsoft Crystal Reports Web Viewer Directory Traversal Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information, DoS
Released:    2004-06-08

A vulnerability has been discovered in various Microsoft products, allowing malicious people to disclose the content of arbitrary files or delete these.

Full Advisory:
http://secunia.com/advisories/11803/

--

[SA11802] Microsoft DirectPlay Packet Validation Denial of Service Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-06-08

John Lampe has discovered a vulnerability in Microsoft DirectPlay, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11802/

--

[SA11790] FoolProof Security Administrator Password Disclosure Weakness
Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2004-06-08

Cyrillium Security has reported a weakness in FoolProof Security, which can be exploited by certain malicious users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/11790/

UNIX/Linux:--

[SA11804] Squid NTLM Authentication Helper Buffer Overflow Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-06-09

A vulnerability has been reported in Squid, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11804/

--

[SA11795] Sun Crypto Accelerator 4000 Software OpenSSL Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-06-07

Sun has acknowledged that the Sun Crypto Accelerator 4000 software is affected by some OpenSSL vulnerabilities. According to the vendor, these can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11795/

--

[SA11780] Sun Solaris update for sendmail
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-06-07

Sun has acknowledged a vulnerability in sendmail for Solaris, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11780/

--

[SA11767] NetBSD update for CVS
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-06-04

NetBSD has issued patches for cvs. These fix a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11767/

--

[SA11809] Gentoo update for mailman
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2004-06-09

Gentoo has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to retrieve members' passwords.

Full Advisory:
http://secunia.com/advisories/11809/

--

[SA11805] Horde IMP "Content-Type:" Header Script Insertion Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-06-09

A vulnerability has been discovered in Horde IMP, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/11805/

--

[SA11798] cPanel suEXEC Privilege Escalation Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation
Released:    2004-06-09

Rob Brown has reported a vulnerability in cPanel, which can be exploited by malicious, authenticated users to execute arbitrary code with escalated privileges.

Full Advisory:
http://secunia.com/advisories/11798/

--

[SA11794] Webmin Unspecified Denial of Service and Security Restriction Bypass
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2004-06-07

Two vulnerabilities have been discovered in Webmin, which can be exploited by malicious people to cause a DoS (Denial of Service) or bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/11794/

--

[SA11789] Crafty Syntax Live Help Script Insertion Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-06-08

John C. Hennessy has reported two vulnerabilities in Crafty Syntax Live Help, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/11789/

--

[SA11788] l2tpd "write_packet()" Buffer Overflow Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-06-07

Thomas Walpuski has reported a vulnerability in l2tpd, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11788/

--

[SA11786] Gentoo update for sitecopy
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-06-07

Gentoo has issued an advisory for sitecopy. This describes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11786/

--

[SA11785] sitecopy Multiple libneon Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-06-07

It has been reported that sitecopy is affected by various libneon vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11785/

--

[SA11784] cPanel killacct Script Arbitrary DNS Information Deletion Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2004-06-07

verb0s has reported a vulnerability in cPanel, which can be exploited by malicious, authenticated, administrative users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/11784/

--

[SA11782] Debian update for postgresql
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-06-08

Debian has issued an update for postgresql. This fixes a vulnerability in the ODBC driver, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11782/

--

[SA11781] psqlodbc "PGAPI_Connect()" Buffer Overflow Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-06-08

delman has reported a vulnerability in psqlodbc, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11781/

--

[SA11779] Debian update for lha
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-06-07

Debian has issued an update for lha. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11779/

--

[SA11778] Open Webmail "Content-Type:" Header Script Injection Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-06-05

A vulnerability has been discovered in Open WebMail, which can be exploited by malicious people to conduct script injection attacks.

Full Advisory:
http://secunia.com/advisories/11778/

--

[SA11777] Fedora update for krb5
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-06-05

Fedora has issued an update for krb5. This fixes some vulnerabilities, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11777/

--

[SA11776] Gentoo update for ethereal
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-06-05

Gentoo has issued an update for ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11776/

--

[SA11771] Fedora update for ethereal
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-06-04

Fedora has issued an update for ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11771/

--

[SA11769] Debian update for log2mail
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-06-07

Debian has issued an update for log2mail. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11769/

--

[SA11768] log2mail "printlog()" Message Logging Format String Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-06-07

Jaguar has reported a vulnerability in log2mail, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11768/

--

[SA11765] Mandrake update for krb5
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-06-04

MandrakeSoft has issued an update for krb5. This fixes some vulnerabilities, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11765/

--

[SA11759] Slackware update for mod_ssl
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-06-03

Slackware has issued an update for mod_ssl. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11759/

--

[SA11758] Debian update for gallery
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-06-03

Debian has issued an update for gallery. This fixes a vulnerability, which can be exploited by malicious people to bypass the user authentication.

Full Advisory:
http://secunia.com/advisories/11758/

--

[SA11797] FreeBSD Jailed Process Host Routing Table Manipulation Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Security Bypass, Manipulation of data
Released:    2004-06-08

Pawel Malachowski has discovered a vulnerability in FreeBSD, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/11797/

--

[SA11796] Mandrake update for tripwire
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-06-08

MandrakeSoft has issued an update for tripwire. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/11796/

--

[SA11775] Gentoo update for tripwire
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-06-05

Gentoo has issued an update for tripwire. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/11775/

--

[SA11763] Tripwire Email Reporting Privilege Escalation Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-06-05

Paul Herman has discovered a vulnerability in Tripwire, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/11763/

--

[SA11760] Slackware PHP Insecure Static Library Linking Security Issue
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2004-06-03

Bryce Nichols has discovered a security issue in Slackware, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/11760/

--

[SA11770] Fedora update for net-tools
Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2004-06-04

Fedora has issued an update for net-tools. This fixes a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11770/

Other:--

[SA11773] NetGear WG602 Wireless Access Point Default Account Security Issue
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-06-07

Tom Knienieder has reported a security issue in NetGear WG602 Wireless Access Point, which can be exploited by malicious people to gain access to an affected device.

Full Advisory:
http://secunia.com/advisories/11773/

--

[SA11764] Linksys BEF Series Routers Denial of Service Vulnerabilities
Critical:    Moderately critical
Where:       From local network
Impact:      DoS
Released:    2004-06-05

b0f has reported two vulnerabilities in various Linksys BEF series routers, which can be exploited to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11764/

Cross Platform:--

[SA11774] Mail Manage EX Arbitrary File Inclusion Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-06-04

Jan van de Rijt has reported a vulnerability in Mail Manage EX, allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11774/

--

[SA11801] Roundup Web Interface Directory Traversal Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-06-09

Vickenty Fesunov has reported a vulnerability in Roundup, which can be exploited by malicious people to view the content of arbitrary files.

Full Advisory:
http://secunia.com/advisories/11801/

--

[SA11800] Crystal Reports and Crystal Enterprise Directory Traversal Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information, DoS
Released:    2004-06-08

Imperva Application Defense Center has discovered a vulnerability in Crystal Reports Web Viewers, allowing malicious people to disclose the content of arbitrary files or delete these.

Full Advisory:
http://secunia.com/advisories/11800/

--

[SA11783] IBM Multiple Products GSKit Denial of Service Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-06-07

A vulnerability has been discovered in various IBM products, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11783/

--

[SA11772] SurgeMail Path Disclosure and Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2004-06-07

Donnie Werner has reported a vulnerability in SurgeMail, which can be exploited by malicious people to disclose certain system information or conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/11772/

--

[SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Spoofing
Released:    2004-06-03

GreyMagic has discovered a vulnerability in the Opera browser, which can be exploited by malicious people to fake (spoof) information displayed in various bars.

Full Advisory:
http://secunia.com/advisories/11762/

--

[SA11791] jCIFS Arbitrary Username Authentication Security Issue
Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2004-06-09

A security issue has been discovered in jCIFS, which allows a malicious person to authenticate with an invalid username.

Full Advisory:
http://secunia.com/advisories/11791/

--

[SA11761] IBM Products Forms Authentication Session Hijacking
Critical:    Less critical
Where:       From local network
Impact:      Hijacking
Released:    2004-06-04

A security issue has been discovered in multiple IBM products, which under some circumstances potentially can be exploited by malicious people to hijack an authenticated user's session.

Full Advisory:
http://secunia.com/advisories/11761/

--

[SA11766] PHP-Nuke Direct Script Access Restriction Bypass Weakness
Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-06-04

Squid has reported a weakness in PHP-Nuke, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/11766/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches; only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Jun 11 06:19:44 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 11 06:38:41 2004
Subject: [ISN] Valve announces Half-Life 2 code theft arrests
Message-ID:

http://www.gamespot.com/news/2004/06/10/news_6100381.html

By Tor Thorsen
GameSpot
June 10, 2004

Developer of the much-anticipated and delayed shooter sequel reveals that an international wave of arrests has been made.

The Half-Life 2 code theft saga entered a new chapter today when Valve Software announced that a series of arrests had been made in the case. According to Valve, suspects in several countries had been taken into custody in relation to charges stemming from the theft of the Half-Life 2 code, the distribution of the code, and the break-in into Valve's network.

Valve CEO Gabe Newell credited gamers with providing the information that led to the arrests. "It was extraordinary to watch how quickly and how cleverly gamers were able to unravel what are traditionally unsolvable problems for law enforcement related to this kind of cyber-crime," he said in a statement. "Everyone here at Valve is once again reminded of how much we owe to the gaming community."

However, while Valve announced the arrests today, it was unclear when they actually occurred. Valve's statement on the matter--e-mailed to the press today--quoted Newell as saying, "Within a few days of the announcement of the break-in, the online gaming community had tracked down those involved."

The FBI's Northwest Cyber Crime Task Force, the law-enforcement agency overseeing the code theft investigation, also divulged little information. When asked by GameSpot if it had made any arrests, the media contact at the task force's Seattle, Washington, headquarters said simply, "We did." However, when pressed for more information on the case--such as how many people in the US were arrested and where they were apprehended--the agent declined to say anything other than that arrests had been made. "Beyond that we cannot comment," he said.

News of the Half-Life 2 arrests comes after months of rumors about law-enforcement activity on the case. In January, a number of computer experts in the San Francisco area reported having their hardware seized by FBI agents on the grounds that they were involved in the theft. Several weeks ago, unconfirmed reports from Germany said the author of the Phatbot Trojan worm was also involved in the theft. In both instances, neither Valve nor the authorities offered any comment.

GameSpot will have more details on this developing story as they become available.

From isn at c4i.org Fri Jun 11 06:20:01 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 11 06:38:42 2004
Subject: [ISN] UCLA laptop theft exposes ID info
Message-ID:

http://zdnet.com.com/2100-1105-5230662.html

By David Becker
CNET News.com
June 10, 2004

Representatives of the University of California, Los Angeles, are warning 145,000 blood donors they could be at risk for identity theft due to a stolen university laptop.

UCLA's Blood and Platelet Center included the advisory in a letter sent last week to all who donated blood through the organization. Thieves broke into a locked van last November and grabbed a laptop with a database that includes names, birth dates and Social Security numbers for all blood donors, according to a university statement.

The database did not include medical information other than blood type, according to the statement, and university officials did not recognize the significance of the loss and the potential for identity theft until the matter came up in a security audit last month.

"We deeply regret any inconvenience this incident may cause our blood donors," Dr. Priscilla I. Figueroa, director of the university's Division of Transfusion Medicine, said in the statement. "We hope and trust that they will continue participating in our blood drives and making these lifesaving donations."

The database was password-protected but not encrypted, according to the statement, which said the university was reviewing data security policies in light of the incident. Los Angeles police are investigating the theft, according to the university, and there is no evidence yet that information in the database has been retrieved or misused.

University representatives said in a follow-up statement that a second laptop was stolen two weeks ago from the financial office of the University's health care division, putting personal information for an additional 62,000 patients at risk.

Widespread use of laptops has presented an increasing risk of data theft, with lost or stolen devices potentially exposing data ranging from FBI secrets to tax records in recent years.

From isn at c4i.org Fri Jun 11 06:20:21 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 11 06:38:43 2004
Subject: [ISN] Inside the insider threat
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,,93757,00.html

Opinion by Mudge
Intrusic Inc.
JUNE 10, 2004

Six years ago, I warned the U.S. Senate that it was possible to "take down the Internet in 30 minutes." There are still critical weaknesses in central points of the public network. Although more distributed now, remote points can still be harnessed to cause disruption and confusion in ways similar to distributed denial-of-service attacks (DDoS). These methods refer to a threat model embodied by the collective Internet. An Internetwide outage would affect everyone on the Web, but corporations, organizations and governments face even greater threat models that encompass much more acute localized pain and risk.
One of the oldest and least modified over the years has been the insider threat -- hackers infiltrating internal networks. This threat is more common than insider attacks or destruction. The infiltration is achieved in various ways common to network interlopers and attackers, and most importantly, it is largely missed by existing audit and intrusion-detection systems (IDS). Web site defacement, concurrent versions system (CVS) attacks and DDoS attacks are rarely instigated by agents once they get inside an organization. Such overt attacks too easily reveal them. Once inside a network, a hacker's priorities change -- from vandal to spy. The insider threat is unaddressed by today's IDSs, which are focused on attacks. Attacks are noisy, so they're rarely used by insiders intent on remaining invisible inside of a network. Real-world examples of insiders include Robert Hanssen, the FBI mole; Aldrich Ames, the CIA mole; and the sleeper terrorist cells inside the U.S. that were responsible for 9/11. How many lives could have been saved if these moles and sleeper cells had been discovered earlier? Over the years, I have found critical systems, such as Supervisory Control and Data Acquisition/Data Control System components for utilities companies and large phone-switching systems for telecommunications companies, compromised by insiders who were camping out in these networks. Often, the system's critical function was unknown to the interloper, whose sights were set elsewhere. But many times control of the critical system was the ultimate goal. Proprietary source code, microchip design plans and databases full of personal information continue to become public, or competitor, domain. Companies and organizations of all shapes and sizes continue to bear this risk with little mitigation coming from the expensive network security defenses they have deployed. So how do antagonists continue to gain access so easily? 
Let's take a closer look at some of the tactics hackers commonly use. Sniffing, Trojan horses and application back doors Sniffing is the easiest and most profitable method hackers use to obtain the legitimate credentials and account information needed to gain access to an internal network. The act of sniffing refers to placing a system into promiscuous mode, in which network devices intercept and read each packet in its entirety. So the network will capture not only packets destined for that system, but also packets being exchanged among different systems. All information that passes along the network line while in promiscuous mode is captured, including usernames and passwords. Universities and network service providers are prime targets for the harvesting of accounts and credentials to access the internal networks of corporations because they have high-speed network connections that carry substantial amounts of traffic for a multitude of purposes. Hackers on the inside use a standard set of techniques to maintain invisibility on compromised systems. These techniques alter or replace applications, library calls, kernel interfaces, etc. so as not to show files, processes and other systems information that might tip off the company that its network is compromised (and that someone is most likely sniffing the local network interfaces). Encryption and communication applications are often modified by perpetrators to copy input and output from the controlling terminal into hidden sections on the system. Variants of these modifications send the copied data out over the network using covert data channels. So while the secure-encrypted communications of the session itself might have been protected, the modified endpoint application happily stored the correct information for later retrieval and reuse. The longer a hacker has control, the more options he has and the more value he receives. 
The hacker Fluffy Bunny, for example, was tremendously successful using these techniques and would then go public with some of the names and locations of places to which he had gained access and control. (It's a shame that most people didn't read the detailed descriptions provided around how the compromises were conducted.)

Once legitimate credentials are obtained, the need to overtly attack is negated. No wonder vulnerability scanners and network IDSs do little to thwart this inside corporate networks. Who would want to deploy a system that stopped access to systems when legitimate credentials are presented? Don't forget that it's very likely any attacks or exploits used in compromising the first sniffing system happened outside of the network.

Here is a real-world example of what an insider compromise can yield in one day of using a small sniffer/Trojan-horse log file placed on the back door of an Internet service provider that will remain anonymous: 4,466 username/password pairs for roughly 1,000 remote organizations -- 104 root accounts -- one of which was a master password for the IT organization of a global company. (Out of the thousands, perhaps only 20 of these accounts related to the service provider itself.)

Another method is "island hopping." This approach targets broadband, Digital Subscriber Line and dial-up-connected PCs to take advantage of virtual private network connections to gain legitimate access to internal networks remotely accessed from home systems.

There are many other ways for hackers to infiltrate networks without alerting firewalls and IDSs. Attackers have many ways of getting inside corporate networks. The insider threat has become an enormous danger to the internal networks of corporations, organizations and governments. To properly address this threat, organizations need to move beyond traditional perimeter-security systems. In an upcoming column, Mudge will explore options for companies to combat the insider threat.
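The column describes sniffing as placing a system into promiscuous mode. As an added example, not part of Mudge's column, the following POSIX shell script lists which Linux interfaces currently report that state by reading the IFF_PROMISC bit from each interface's sysfs flags file; the sysfs-like tree, interface names and flag values in the fixture are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the column): report network interfaces that are in
# promiscuous mode, the state a sniffer puts an interface into, by reading the
# Linux sysfs flags word. IFF_PROMISC is bit 0x100 in <linux/if.h>.
# Caveat the column itself raises: a rootkit that alters kernel interfaces can
# hide this bit, so a clean result means "nothing visible", not "nothing there".

IFF_PROMISC=256   # 0x100

# is_promisc FLAGS -> exit 0 if the (hex) flags word has IFF_PROMISC set
is_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# list_promisc SYSFS_NET_DIR -> prints "<ifname> <flags>" for every interface
# directory under SYSFS_NET_DIR whose flags file has IFF_PROMISC set
list_promisc() {
    for _d in "$1"/*/; do
        [ -r "$_d/flags" ] || continue
        _flags=$(cat "$_d/flags")
        _name=$(basename "$_d")
        if is_promisc "$_flags"; then
            printf '%s %s\n' "$_name" "$_flags"
        fi
    done
}

# make_fixture -> constructed stand-in for /sys/class/net; prints its path.
# eth0: UP|BROADCAST|RUNNING|MULTICAST (0x1043)
# eth1: the same plus PROMISC            (0x1143)
# lo:   UP|LOOPBACK|RUNNING              (0x49)
make_fixture() {
    _root=$(mktemp -d)
    for _if in eth0 eth1 lo; do mkdir -p "$_root/$_if"; done
    printf '0x1043\n' > "$_root/eth0/flags"
    printf '0x1143\n' > "$_root/eth1/flags"
    printf '0x49\n'   > "$_root/lo/flags"
    printf '%s\n' "$_root"
}

# main [SYSFS_NET_DIR] -> human-readable report; defaults to the live sysfs tree
main() {
    _dir=${1:-/sys/class/net}
    _out=$(list_promisc "$_dir")
    if [ -n "$_out" ]; then
        echo "interfaces reporting IFF_PROMISC under $_dir:"
        echo "$_out"
    else
        echo "no interface reports IFF_PROMISC under $_dir"
    fi
}

# Stand-alone run against the constructed fixture; on a real host call: main
_fx=$(make_fixture)
main "$_fx"
rm -rf "$_fx"
```

On a live host the script only needs read access to /sys/class/net, so it can run from an unprivileged monitoring account.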
Peiter Mudge Zatko is a security expert and chief scientist at Waltham, Mass.-based Intrusic Inc., which is a security company focused exclusively on the insider threat.

From isn at c4i.org Fri Jun 11 06:20:38 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 11 06:38:44 2004
Subject: [ISN] DHS Issues Oracle Warning
Message-ID:

http://www.fcw.com/fcw/articles/2004/0607/web-oracle-06-10-04.asp

By Florence Olsen
June 10, 2004

Homeland Security Department officials used the National Cyber Alert System this week to warn users of critical security vulnerabilities discovered in Oracle Corp.'s E-Business Suite 11i and Oracle 11 applications.

The DHS alert warned that unauthorized but knowledgeable persons with Web browser access to unpatched versions of the Oracle software can exploit the vulnerabilities to execute destructive structured query language procedures inside the applications.

Oracle has provided a patch that users can download to close the security holes for the software versions named in the alert. Earlier versions have not been tested for the vulnerability because Oracle is no longer providing patches for the older versions.

Applications making the vulnerability list include Oracle E-Business Suite 11i and 11.5.1 through 11.5.8 and all releases of Oracle 11 applications. Oracle E-Business Suite Release 11.5.9 and later versions are not vulnerable.

According to Integrigy Corp.'s Stephen Kost, a security expert who discovered the vulnerabilities, the unpatched Oracle database applications are open to malicious exploits known technically as SQL injection attacks.

The DHS alert warns that "exploitation may lead to compromise of the database application, data integrity or underlying operating system." No operating system is immune.

Oracle databases and applications are widely used throughout the federal government.
The Energy Department's Sandia National Laboratories and NASA's Jet Propulsion Laboratory, among others, use the Oracle E-Business Suite for managing their business operations.

From isn at c4i.org Fri Jun 11 06:21:24 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 11 06:38:45 2004
Subject: [ISN] Shortage of computer security experts hampers agencies
Message-ID:

http://www.govexec.com/dailyfed/0604/061004tdpm2.htm

[It's great that everyone is looking forward to the future, but what about the present? I know a number of underemployed/unemployed security professionals now that would love to work in Government or Government contracting anywhere in the world, but honestly it's pretty hard to find a job without an existing clearance, or for that matter finding agencies on the prowl for qualified personnel. Would it be too hard to set up a clearinghouse site for information security resumes, www.computersecurityjobs.gov? Maybe create a provisional clearance that requires new hires to work two to three years before getting a clearance that would allow them to move to another agency or work for a contractor? I can only hope this stimulates someone to explore these ideas. - WK]

By William New
National Journal's Technology Daily
June 10, 2004

Bush administration officials and information technology industry experts on Thursday identified areas of cybersecurity that need to be addressed, including more research and development and the training of the next generation of cyber experts in government.

"There is an incredibly shrinking pool of IT security professionals in government," said Jack Johnson, chief security officer at the Homeland Security Department. "The bench is not just thin; the bench is non-existent," he added in a sports reference to backup players. "We need to train the next generation" of IT professionals.
Johnson said Homeland Security does not have the IT workforce to build the systems it needs and is "absolutely dependent" on help from the research and academic communities. The department contracts a lot of work outside government, he said, but there are a limited number of cleared contractors and high turnover of personnel.

Johnson said he and Homeland Security Chief Information Officer Steve Cooper decided soon after the department's creation last year that Johnson would handle the classified material and Cooper the unclassified. Johnson is working on developing the Homeland Security Information Network, which he said would be at Defense Department "secret level" by year's end. He also said Homeland Security is looking to redesign personnel security to prevent internal cyber attacks.

Thomas O'Keefe, deputy director of the Federal Aviation Administration office of information systems security, said more research and development, and more collaboration among researchers and industry, is needed on cybersecurity. "The sharing amongst bad guys is growing," he said at a SecureE-Biz.net conference. "The sharing amongst the good guys on procurement, technology and approach needs to grow at an equal or greater rate. My observation is we're just not as good at it."

O'Keefe said firms are reluctant to mention their vulnerabilities because it may "unnecessarily put concern in people's minds." His office is working with the National Science Foundation to boost cyber-security research, as it is "still very small," he said. He and others on the panel predicted continually growing cyber attacks. "You've got to expect cyber storms," he said.

The president last year signed a law authorizing a significant increase in cyber-security R&D funding, but it was not requested in the fiscal 2005 White House budget proposal.

O'Keefe also said the nation's air-traffic control system does not have viral outbreaks.
The air-traffic network is completely separate from the Internet, as well as other aspects of the FAA network, making it impossible for viruses to spread from those sources, he said. The modernization of the air-traffic network will include putting it on Internet protocol, though still not tying it to the Internet, and the agency will subject it to intensive testing and structuring for security, he said. That certification process can be applied to all new technologies, he added.

Tom Kupiec of the National Geospatial Intelligence Agency said incentives are needed for telecommunications and electricity companies to make network functions more redundant.

From isn at c4i.org Fri Jun 11 06:27:39 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 11 06:38:46 2004
Subject: [ISN] Hackers prey on Internet banking
Message-ID:

http://www.taipeitimes.com/News/taiwan/archives/2004/06/10/2003174478

STAFF WRITER, WITH CNA
Jun 10, 2004

The numbers and personal codes of more than 100,000 Internet banking and auction-site clients are feared to have been stolen by hackers from across the Taiwan Strait.

Criminal Investigation Bureau officials said yesterday that they had arrested a Taiwanese man named Chen Chung-shun, 30, in Hualien, and seized a huge amount of confidential data, including 45 million e-mail addresses, almost 200,000 bank and auction-site account numbers with their corresponding personal secret codes, and information on three figurehead bank accounts.

Investigators believe Chen has been collaborating with Chinese hackers since February to steal Internet bank codes by planting "shell" or "revised" versions of "Trojan horse" programs into the personal computers of customers using Internet banking services.

Although Chen said he had obtained hundreds of thousands of bank account codes, police found only a portion of the code information at Chen's premises in Hualien.
Chen reportedly told investigators that he had transferred approximately 100,000 accounts and personal codes to the China-based hackers, and he had no backup copies in his database.

Investigators have urged the public to change their bank codes immediately to avoid losing their money.

Chen had reportedly gathered 45 million Taiwanese e-mail addresses, and in mid-February, he started sending advertising e-mails containing shell or revised Trojan horses to those e-mail addresses. By mid-March, he had sent out over 18 million e-mails.

Police said the banks' firewalls had not been compromised, but that using the "shell" versions provided by Chinese hackers and attached to the e-mails, Chen managed to record account numbers and personal codes as they were input by bank customers.

After obtaining account numbers and personal codes, Chen proceeded to transfer money to other accounts. Although the total amount stolen by the ring is estimated to be several million NT dollars, the full extent of the losses is not yet known.

Officials said the ring withdrew the money from the International Commercial Bank of China ATM machines in China, or transferred it to hundreds of figurehead accounts which had been established in the names of 10 Taiwanese people.

Hundreds of thousands of bank-account numbers, with corresponding personal codes, were exposed to the hackers' machines, according to investigators. The officials said that among the bank accounts tampered with were savings accounts with funds in excess of NT$200 million (US$5.9 million).

Bureau officials described this type of Internet crime as "secretive, shapeless, borderless, anonymous and without restrictions on distance." They said the total damage caused by the hackers was not yet known.
From isn at c4i.org Mon Jun 14 04:11:34 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 14 05:24:46 2004
Subject: [ISN] Linux Advisory Watch - June 11th 2004
Message-ID:

+----------------------------------------------------------------+
| LinuxSecurity.com                         Linux Advisory Watch |
| June 11th, 2004                           Volume 5, Number 24a |
+----------------------------------------------------------------+

Editors: Dave Wreski          dave@linuxsecurity.com
         Benjamin Thomas      ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes point

This week, advisories were released for gatos, jftpgw, ethereal, gallery, rsync, log2mail, kernel, lha, postgresql, cvs, cups, squirrelmail, squid, tla, Ethereal, tripwire, sitecopy, mailman, apache, mdkonline, xpcd, mod_ssl, ksymoops, and kerberos5. The distributors include Debian, Fedora, FreeBSD, Gentoo, Mandrake, NetBSD, OpenBSD, Red Hat, Slackware, SuSE, Trustix, and Turbo Linux.

-----
>> Internet Productivity Suite: Open Source Security <<
Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10
-----

Unnecessary Software

Each week system administrators are inundated by hundreds of vendor advisories for every type of software imaginable. From time to time the patches are critical from a security perspective, but on other occasions they are merely a fix to a known bug. It is advisable to update all software on a consistent basis so that a bug in software does not result in a system vulnerability. Unfortunately because of the great number of advisories each week, it could be a full time job applying them.
Applying 10 patches to 30 servers could possibly take days if an automated process isn't used. Everyone would agree, this is poor utilization of resources.

There are several solutions to the problem. First, it is often a good idea to choose a specialized distribution, or spend time configuring a broad one. For example, those building a Web server should choose a distribution such as EnGarde Linux that has already been optimized and secured to perform these services. If an administrator wishes to use a distribution such as Debian, it is important that the necessary time is taken to remove everything not in use. For example, there is no need for a Web server to have a compiler, X-windows, or games. This option requires system expertise, but is feasible.

No matter what system is installed, it will almost always be the case that at least some unnecessary software is installed on it. On an RPM based system, it can be removed with the following command (substitute the name of the package to remove):

  /bin/rpm -e <package-name>

Removing unnecessary software can potentially reduce administration work load. There will no longer be a need to keep that software up-to-date, and it no longer has the potential to turn into a vulnerability.

It should be a priority to remove unnecessary setuid/setgid binaries. Vulnerabilities in these can often lead to root compromise, so they should only be used when necessary. To find setuid/setgid binaries on a system, simply use the following command:

  find / -type f -perm +6000

Remove each that is not in use and it can greatly reduce the risk of compromise.

Until next time, cheers!
Benjamin D. Thomas
ben@linuxsecurity.com

----

Interview with Brian Wotring, Lead Developer for the Osiris Project

Brian Wotring is currently the lead developer for the Osiris project and president of Host Integrity, Inc. He is also the founder of knowngoods.org, an online database of known good file signatures.
Brian is the co-author of Mac OS X Security and a long-standing member of the Shmoo Group, an organization of security and cryptography professionals.
http://www.linuxsecurity.com/feature_stories/feature_story-164.html

--------------------------------------------------------------------

Guardian Digital Launches Next Generation Secure Mail Suite

Guardian Digital, the premier open source security company, announced the availability of the next generation Secure Mail Suite, the industry's most secure open source corporate email system. This latest edition has been optimized to support the changing needs of enterprise and small business customers while continually providing protection from the latest in email security threats.
http://www.linuxsecurity.com/feature_stories/feature_story-166.html

--------------------------------------------------------------------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

6/8/2004 - gatos: Privilege escalation vulnerability
  If initialization fails due to a missing configuration file, root privileges are not dropped, and xatitv executes the system(3) function without sanitizing user-supplied environment variables.
  http://www.linuxsecurity.com/advisories/debian_advisory-4434.html

6/8/2004 - jftpgw: Format string vulnerability
  A remote user could potentially cause arbitrary code to be executed with the privileges of the jftpgw server process.
  http://www.linuxsecurity.com/advisories/debian_advisory-4435.html

6/8/2004 - ethereal: Buffer overflow vulnerabilities
  Several buffer overflow vulnerabilities were discovered in ethereal.
  http://www.linuxsecurity.com/advisories/debian_advisory-4436.html

6/8/2004 - gallery: Unauthenticated access
  A remote attacker could gain access to the gallery "admin" user without proper authentication.
  http://www.linuxsecurity.com/advisories/debian_advisory-4437.html

6/8/2004 - rsync: Directory traversal vulnerability
  A remote user could cause an rsync daemon to write files outside of the intended directory tree, if the daemon is not configured with the 'chroot' option.
  http://www.linuxsecurity.com/advisories/debian_advisory-4438.html

6/8/2004 - log2mail: Format string vulnerability
  Exploit could cause arbitrary code to be executed with the privileges of the log2mail process.
  http://www.linuxsecurity.com/advisories/debian_advisory-4439.html

6/8/2004 - kernel 2.2.20: Privilege escalation vulnerability
  Due to flushing the TLB too early it is possible for an attacker to trigger a local root exploit. This fix is to the sparc-built kernel and the kernel source.
  http://www.linuxsecurity.com/advisories/debian_advisory-4440.html

6/8/2004 - lha: Multiple vulnerabilities
  Fixes multiple buffer overflows and multiple directory traversal vulnerabilities.
  http://www.linuxsecurity.com/advisories/debian_advisory-4441.html

6/8/2004 - postgresql: Denial of service vulnerability
  It is possible to exploit this problem and crash the surrounding application.
  http://www.linuxsecurity.com/advisories/debian_advisory-4442.html

6/10/2004 - cvs: Buffer overflow vulnerability
  Derek Robert Price discovered a potential buffer overflow vulnerability in the CVS server.
  http://www.linuxsecurity.com/advisories/debian_advisory-4462.html

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

6/8/2004 - cups: Non-encryption vulnerability
  Among other bugs, this fixes a failure to use encryption when required.
  http://www.linuxsecurity.com/advisories/fedora_advisory-4429.html

6/8/2004 - ethereal: Multiple vulnerabilities
  This patch fixes three DoS vulns and a buffer overflow.
  http://www.linuxsecurity.com/advisories/fedora_advisory-4430.html

6/8/2004 - net-tools: Excessive privilege vulnerability; multiple vulnerabilities
  netlink_listen & netlink_receive_dump should both check the source of the packets by looking at nl_pid and ensuring that it is 0 before performing any reconfiguration of network interfaces.
  http://www.linuxsecurity.com/advisories/fedora_advisory-4431.html

6/8/2004 - krb5: Multiple buffer overflows
  Exploitation could lead to denial of service or arbitrary code execution.
  http://www.linuxsecurity.com/advisories/fedora_advisory-4433.html

6/10/2004 - squirrelmail: Multiple vulnerabilities
  Patch fixes a SQL injection and cross-site scripting flaw.
  http://www.linuxsecurity.com/advisories/fedora_advisory-4460.html

6/10/2004 - squid: Buffer overflow vulnerability
  A remotely-exploitable buffer overflow allows the execution of arbitrary code.
  http://www.linuxsecurity.com/advisories/fedora_advisory-4461.html

+---------------------------------+
| Distribution: FreeBSD           | ----------------------------//
+---------------------------------+

6/8/2004 - kernel: Excessive privilege vulnerability
  Jailed processes can manipulate host routing tables.
  http://www.linuxsecurity.com/advisories/freebsd_advisory-4428.html

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

6/8/2004 - tla: Heap overflow vulnerability
  This vulnerability could allow execution of arbitrary code with the rights of the user running tla. Note: Important errata included at bottom.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4423.html

6/8/2004 - MPlayer, xine-lib: Multiple vulnerabilities; heap overflow vulnerability
  A remote attacker, posing as a RTSP stream server, can execute arbitrary code with the rights of the user of the software playing the stream.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4424.html

6/8/2004 - Ethereal: Multiple vulnerabilities
  Exploitation may allow an attacker to run arbitrary code or crash the program.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4425.html

6/8/2004 - tripwire: Format string vulnerability
  Attacker could cause execution of arbitrary code with permissions of the user running tripwire, which could be the root user.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4426.html

6/8/2004 - sitecopy: Multiple vulnerabilities
  When connected to a malicious WebDAV server, these vulnerabilities could allow execution of arbitrary code with the rights of the user running sitecopy.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4427.html

6/10/2004 - Mailman: Password leak
  Mailman contains a bug allowing 3rd parties to retrieve member passwords.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4457.html

6/10/2004 - apache: Buffer overflow vulnerability
  A bug in mod_ssl may allow a remote attacker to execute remote code when Apache is configured a certain way.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4458.html

6/10/2004 - cvs: Multiple vulnerabilities
  Several serious new vulnerabilities have been found in CVS, which may allow an attacker to remotely compromise a CVS server.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4459.html

+---------------------------------+
| Distribution: Mandrake          | ----------------------------//
+---------------------------------+

6/8/2004 - mdkonline: Squid incompatibility
  Though not a security problem per se, this is important to any who use Mandrake Online to patch their systems.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4417.html

6/8/2004 - xpcd: Buffer overflow vulnerability
  Problem could be exploited by a local attacker to obtain root privileges.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4418.html

6/8/2004 - mod_ssl: Buffer overflow vulnerability
  A remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4419.html

6/8/2004 - apache2: Buffer overflow vulnerability
  When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4420.html

6/8/2004 - krb5: Buffer overflow vulnerabilities
  This could lead to root privileges, though it requires successful authentication plus a non-default configuration to exploit.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4421.html

6/8/2004 - tripwire: Format string vulnerability
  Exploit could allow a local user to execute arbitrary code with the rights of the user running tripwire (typically root).
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4422.html

6/10/2004 - krb5: Patch fix
  The original patch provided contained a bug where rule-based entries on systems without HAVE_REGCOMP would not work.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4452.html

6/10/2004 - mdkonline: Patch fix
  The previous update did not parse noarch packages, and new archs have been added (ia64, amd64, x86_64, ppc64) as well. As well, the mdkapplet now forces a restart when changes to itself have occurred.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4453.html

6/10/2004 - cvs: Multiple vulnerabilities
  This patch addresses four separate security issues with cvs.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4454.html

6/10/2004 - squid: Buffer overflow vulnerability
  This buffer overflow can be exploited by a remote attacker by sending an overly long password, and grants the ability to execute arbitrary code.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4455.html

6/10/2004 - ksymoops: Insecure temporary file vulnerability
  The script fails to do proper checking when copying a file to the /tmp directory.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4456.html

+---------------------------------+
| Distribution: NetBSD            | ----------------------------//
+---------------------------------+

6/8/2004 - cvs: Heap overflow vulnerabilities
  CVS had heap overflow vulnerabilities which can be triggered remotely by malicious people on the net.
  http://www.linuxsecurity.com/advisories/netbsd_advisory-4416.html

+---------------------------------+
| Distribution: OpenBSD           | ----------------------------//
+---------------------------------+

6/10/2004 - cvs: Multiple vulnerabilities
  While no exploits are known to exist for these bugs under OpenBSD at this time, some of the bugs have proven exploitable on other operating systems.
  http://www.linuxsecurity.com/advisories/openbsd_advisory-4451.html

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

6/8/2004 - cvs: Denial of service vulnerabilities
  Updated cvs packages that fix remote denial of service vulnerabilities are now available. (This is a legacy Red Hat fix, released by the Fedora Project).
  http://www.linuxsecurity.com/advisories/redhat_advisory-4432.html

6/9/2004 - Ethereal: Multiple vulnerabilities
  Patch fixes a buffer overflow plus several denial of service vulnerabilities.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4443.html

6/9/2004 - krb5: Buffer overflow vulnerabilities
  Updated Kerberos 5 (krb5) packages which correct buffer overflows in the krb5_aname_to_localname function are now available.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4444.html

6/9/2004 - squid: Buffer overflow vulnerability
  If Squid is configured to use the NTLM authentication helper, a remote attacker could potentially execute arbitrary code by sending a lengthy password.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4445.html

6/9/2004 - cvs: Multiple vulnerabilities
  This patch resolves many outstanding vulnerabilities of cvs.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4446.html

+---------------------------------+
| Distribution: Slackware         | ----------------------------//
+---------------------------------+

6/8/2004 - mod_ssl: Buffer overflow vulnerability
  May allow remote attackers to execute arbitrary code via a client certificate with a long subject DN, if mod_ssl is configured to trust the issuing CA.
  http://www.linuxsecurity.com/advisories/slackware_advisory-4414.html

6/8/2004 - php: Insecure path vulnerability
  Exploitation of this issue requires a static library at an insecure path, and could allow denial of service or arbitrary code execution.
  http://www.linuxsecurity.com/advisories/slackware_advisory-4415.html

6/10/2004 - cvs: Multiple vulnerabilities
  Resolves many vulnerabilities, including a buffer overflow.
  http://www.linuxsecurity.com/advisories/slackware_advisory-4450.html

+---------------------------------+
| Distribution: Suse              | ----------------------------//
+---------------------------------+

6/10/2004 - cvs: Multiple vulnerabilities
  These bugs allow remote attackers to execute arbitrary code as the user the CVS server runs as.
  http://www.linuxsecurity.com/advisories/suse_advisory-4448.html

6/10/2004 - squid: Buffer overflow vulnerability
  Squid is vulnerable to a buffer overflow that can be exploited remotely by using a long password to execute arbitrary code.
  http://www.linuxsecurity.com/advisories/suse_advisory-4449.html

+---------------------------------+
| Distribution: Trustix           | ----------------------------//
+---------------------------------+

6/8/2004 - apache: Buffer overflow vulnerability
  Stack-based buffer overflow may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN.
  http://www.linuxsecurity.com/advisories/trustix_advisory-4412.html

6/8/2004 - kerberos5: Buffer overflow vulnerabilities
  Exploitation of these flaws requires an unusual combination of factors, including successful authentication to a vulnerable service and a non-default configuration on the target service.
  http://www.linuxsecurity.com/advisories/trustix_advisory-4413.html

6/10/2004 - squid: Buffer overflow vulnerability
  Remote exploitation of a buffer overflow vulnerability in Squid Web Proxy Cache could allow a remote attacker to execute arbitrary code.
  http://www.linuxsecurity.com/advisories/trustix_advisory-4447.html

+---------------------------------+
| Distribution: Turbolinux        | ----------------------------//
+---------------------------------+

6/8/2004 - Multiple Pkgs: Multiple vulnerabilities
  cvs (2 issues), tcpdump (2 issues), apache (multiple issues) have been resolved.
  http://www.linuxsecurity.com/advisories/turbolinux_advisory-4411.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
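Following up on the "Unnecessary Software" column above, here is an added example (not part of the newsletter) that turns its one-off find for setuid/setgid binaries into a repeatable audit against an allowlist, so that a new privileged binary appearing after cleanup stands out; the directory tree, file names and allowlist path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the newsletter): audit setuid/setgid files against an
# allowlist so the ones left after cleanup are the ones you meant to keep.
# -perm /6000 is the current GNU find spelling; the "+6000" form in the column
# was valid in 2004 but modern GNU find rejects it.

# find_setxid ROOT -> sorted paths of regular files under ROOT with setuid or
# setgid set; -xdev keeps the scan on one filesystem (skips /proc etc.)
find_setxid() {
    find "$1" -xdev -type f -perm /6000 2>/dev/null | sort
}

# unexpected_setxid ROOT ALLOWLIST -> setxid files under ROOT whose full path is
# not listed, one per line, in ALLOWLIST (exact, fixed-string match).
# Prints nothing when every privileged file is allowlisted.
unexpected_setxid() {
    find_setxid "$1" | grep -v -x -F -f "$2" || true
}

# make_fixture -> constructed stand-in for / with one allowlisted and one
# unexpected privileged file; prints its path. Mode bits are set on empty files.
make_fixture() {
    _d=$(mktemp -d)
    mkdir -p "$_d/bin" "$_d/usr/bin"
    : > "$_d/bin/passwd_like"; chmod 4755 "$_d/bin/passwd_like"  # setuid, allowlisted
    : > "$_d/usr/bin/rogue";   chmod 2755 "$_d/usr/bin/rogue"    # setgid, not allowlisted
    : > "$_d/bin/plain";       chmod 0755 "$_d/bin/plain"        # no special bits
    printf '%s\n' "$_d/bin/passwd_like" > "$_d/allow.txt"
    printf '%s\n' "$_d"
}

# main ROOT ALLOWLIST -> prints offenders and returns 1, or reports a clean tree
main() {
    _bad=$(unexpected_setxid "$1" "$2")
    if [ -n "$_bad" ]; then
        echo "setuid/setgid files under $1 not on the allowlist:"
        echo "$_bad"
        return 1
    fi
    echo "all setuid/setgid files under $1 are allowlisted"
}

# Stand-alone run against the fixture; on a real host: main / /etc/setxid-allow.txt
_fx=$(make_fixture)
main "$_fx" "$_fx/allow.txt" || :
rm -rf "$_fx"
```

The allowlist is plain paths, so after the initial cleanup described in the column you can seed it from the output of find_setxid and rerun the audit from cron to catch additions.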
------------------------------------------------------------------------

From isn at c4i.org Mon Jun 14 04:11:57 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 14 05:24:47 2004
Subject: [ISN] The Fourth WorldWide WarDrive is Underway
Message-ID:

Forwarded from: roamer

THE FOURTH WORLDWIDE WARDRIVE IS UNDERWAY

Beginning at 12:00 AM GMT on 12 June 2004, the Fourth WorldWide WarDrive is underway. Data uploads are now being accepted at The WWWD 4 upload site (https://wigle.net/gps/gps/GPSDB/postfile/?event=1) courtesy of WiGLE.net (http://www.wigle.net).

The statistics are being tabulated in real time and can be viewed at The WWWD 4 statistics page (https://wigle.net/gps/gps/GPSDB/stats/?eventid=1). Additionally, the maps can be viewed at The WWWD 4 Map Page (https://wigle.net/gps/gps/GPSDB/onlinemap/?eventid=1).

The WWWD 4 will continue through 19 June 2004.

Coordination of drives throughout the world is done at the WorldWide WarDrive Forums located at http://www.c2security.org/forums/wwwd/

As in the past, discussions pertaining to the WWWD can also be conducted on the WarDriving mailing list (http://mailsrv.dis.org/mailman/listinfo/wardriving).

New for WWWD4 is the creation of a mailing list devoted solely to wireless security issues. To join this list, hosted by Michigan Wireless, go to http://www.michiganwireless.org/lists.html

For general information about the WorldWide WarDrive visit the WorldWide WarDrive website at http://www.worldwidewardrive.org or the WWWD Frequently Asked Questions document at http://www.worldwidewardrive.org/faq.html.

Media persons interested in articles or interviews should email media [at] worldwidewardrive [dot] org with MEDIA INQUIRY in the subject line.
Roamer
roamer [at] worldwidewardrive [dot] org

From isn at c4i.org Mon Jun 14 04:13:12 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 14 05:24:48 2004
Subject: [ISN] Hacker offers to shut Putin's website
Message-ID:

http://www.guardian.co.uk/russia/article/0,2763,1237083,00.html

Nick Paton Walsh in Moscow
June 12, 2004
The Guardian

In the spirit of the free market computer hackers in Russia have put their services up for sale, offering to "take out" any website for a price.

Several hackers have posted a menu of services on the internet. The most popular is a Direct Denial of Service (DDoS) attack, in which a website and server can be disabled by being bombarded with emails and other information.

These tactics have been used against large software companies such as Microsoft, disliked by some hackers for its monopoly on software. The MyDoom.B virus was used to try to shut down the website Microsoft.com through a DDoS attack earlier this year.

The hackers' services were easily found by the Guardian. One, forum.carderplanet.cc, carries a request from a user called jm electron, who seeks "people who can do quite powerful DDoS attacks". TomCat replies that he is able to assist.

The Vedomosti newspaper reported on Thursday that one hacker, Masha, offered to shut down any website for six hours for $60 (£33). The official website of President Vladimir Putin, kremlin.ru, could be shut down for a week for $2,000, said Masha.
From isn at c4i.org Mon Jun 14 04:13:25 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 14 05:24:49 2004
Subject: [ISN] Jury acquits man of charges he used Net to promote terrorism
Message-ID:

Forwarded from: Marjorie Simmons

Saudi graduate student Sami Omar Al-Hussayen was acquitted Thursday of charges that he used his computer skills to help terrorists raise money and recruit followers.

http://www.firstamendmentcenter.org/news.aspx?id=13511

Jury acquits man of charges he used Net to promote terrorism
Associated Press
06.11.04

BOISE, Idaho - In a case that pitted the Constitution against the Patriot Act, a Saudi graduate student was acquitted of charges he used his computer expertise to help Muslim terrorists raise money and recruit followers.

A jury deliberated nearly seven days before handing down its verdict yesterday in favor of Sami Omar Al-Hussayen, a 34-year-old Ph.D. candidate in computer science at the University of Idaho.

"The message is that the First Amendment is important and meaningful in this country," said David Nevin, lead attorney for Al-Hussayen. "The system worked."

The case against Al-Hussayen was seen as an important test of a provision of the Patriot Act that makes it a crime to provide expert advice or assistance to terrorists. The act, passed in response to the Sept. 11, 2001, terrorist attacks, also expanded the government's surveillance and detention powers.

. . . .
and

http://www.eff.org/news/archives/2004_06.php#001601
"Being a Webmaster for Controversial Islamic Websites Not a Crime"
June 10, 2004

From isn at c4i.org Mon Jun 14 04:58:46 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 14 05:24:50 2004
Subject: [ISN] KISA-Microsoft Alliance Signed
Message-ID:

http://times.hankooki.com/lpage/tech/200406/kt2004061414475211810.htm

06-14-2004

The state-funded Korea Information Security Agency (KISA) on Monday signed a contract with Microsoft Corp., the world's biggest software company, to make joint efforts against virus and hacking attacks.

A memorandum of understanding was signed last November for the alliance, KISA said in a statement.

Microsoft will send computer security professionals to train KISA officials and other Internet service providers. The KISA will make efforts to jointly develop applications with Microsoft to curb the spread of unsolicited advertising messages, or spam.

From isn at c4i.org Mon Jun 14 04:59:02 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 14 05:24:52 2004
Subject: [ISN] Indian outsourcers push to boost data security
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,93764,00.html

By Narayanan Madhavan
JUNE 10, 2004
REUTERS

India's booming software and outsourcing sectors are trying to improve data protection to please increasingly security-conscious clients and to preempt protectionist laws, industry officials said today.

Officials at the National Association of Software and Service Companies (NASSCOM) told a news conference that they will work with customers, regulators and law enforcers to bolster "trustworthy outsourcing" in India.

India, where English-speaking workers earn a fraction of what their Western counterparts make, exported $12.5 billion worth of software and services in the past year, up more than 30% from the previous year. But protectionist laws have surfaced in some U.S.
states to prevent local governments from outsourcing back-office jobs to India, while candidates in the U.S. presidential election have also spoken of measures to check job losses.

U.S. lawmakers often cite security concerns about bank details and medical records being transferred to foreign countries when campaigning against outsourcing.

"There could be some legislation on data protection. I don't want to wait for it to happen. I want to be proactive," said Kiran Karnik, president of NASSCOM. "We have to watch that these [data issues] don't become nontariff barriers."

Karnik said the industry association planned to encourage Indian companies to share information on back-office workers, create a certification authority for safety and plug gaps in Indian laws by talking with Europe and the U.S.

A cybersecurity summit with the U.S. is planned for October, and NASSCOM plans to replicate a cybersecurity lab it formed for police in Bombay in other cities, Karnik said.

"India does not have a specific data protection act, but there are six laws which cover about 98% of the requirements," said Sunil Mehta, a vice president at NASSCOM.

Between March 2003 and this March, back-office work such as call center operations and accounting services generated $3.6 billion in revenue and 245,000 of the jobs in the sector, which employs 800,000 people overall.

NASSCOM said in a statement that a survey it commissioned found that Indian companies have rarely faced any problems on data security. And, despite an army of programmers, no major computer viruses have been traced back to India, Karnik said.
From isn at c4i.org Tue Jun 15 01:52:21 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 15 02:13:11 2004
Subject: [ISN] Linux Security Week - June 14th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  June 14th, 2004                               Volume 5, Number 24n |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Using Jabber as a log monitor," "Best Practices for Storage Security," "Use Webmin for Linux Administration," and "Secure Development: A Polarised Response."

----

>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04

----

LINUX ADVISORY WATCH:

This week, advisories were released for gatos, jftpgw, ethereal, gallery, rsync, log2mail, kernel, lha, postgresql, cvs, cups, squirrelmail, squid, tla, Ethereal, tripwire, sitecopy, mailman, apache, mdkonline, xpcd, mod_ssl, ksymoops, and kerberos5. The distributors include Debian, Fedora, FreeBSD, Gentoo, Mandrake, NetBSD, OpenBSD, Red Hat, Slackware, SuSE, Trustix, and Turbo Linux.
http://www.linuxsecurity.com/articles/forums_article-34.html

----

Interview with Brian Wotring, Lead Developer for the Osiris Project

Brian Wotring is currently the lead developer for the Osiris project and president of Host Integrity, Inc. He is also the founder of knowngoods.org, an online database of known good file signatures. Brian is the co-author of Mac OS X Security and a long-standing member of the Shmoo Group, an organization of security and cryptography professionals.

http://www.linuxsecurity.com/feature_stories/feature_story-164.html

--------------------------------------------------------------------

Guardian Digital Launches Next Generation Secure Mail Suite

Guardian Digital, the premier open source security company, announced the availability of the next generation Secure Mail Suite, the industry's most secure open source corporate email system. This latest edition has been optimized to support the changing needs of enterprise and small business customers while continually providing protection from the latest in email security threats.

http://www.linuxsecurity.com/feature_stories/feature_story-166.html

----

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* More flaws foul security of open-source repository
June 10th, 2004

Security researchers have found at least six more flaws in the open-software world's most popular program for maintaining code under development.

http://www.linuxsecurity.com/articles/projects_article-28.html

* The need for Security Testing
June 10th, 2004

Will help C-level executives understand what Security Testing is and how the Open Source Security Testing Methodology Manual (OSSTMM) can help raise the level of security within their organization.
http://www.linuxsecurity.com/articles/network_security_article-31.html

* The ease of (ab)using X11, Part 2
June 9th, 2004

Last time we looked at how you can get access to an X11 server, the desktop software you are using when you're running graphical environments like Gnome or KDE. When you have access to the X11 server, you can do some remarkable things.

http://www.linuxsecurity.com/articles/documentation_article-27.html

* Best Practices for Storage Security
June 9th, 2004

IT professionals and their businesses have learned the hard way in recent years that disaster can strike at any time and that they must be prepared. Companies unable to resume operations within ten days of a disaster hit are not likely to survive, stated a study from the Strategic Research Institute.

http://www.linuxsecurity.com/articles/network_security_article-25.html

* Use Webmin for Linux Administration
June 9th, 2004

Administering Linux and Unix-based servers does not need to be the scourge of your work day. With a handy tool called Webmin as part of your arsenal, you can regain complete control of your servers via the Web browser.

http://www.linuxsecurity.com/articles/server_security_article-24.html

+------------------------+
| Network Security News: |
+------------------------+

* Using Jabber as a log monitor
June 14th, 2004

Jabber, the streaming XML technology mainly used for instant messaging, is well-suited to its most common task. However, Jabber is a far more generic tool. It's not a chat server per se, but rather a complete XML routing framework. This has some pretty far-reaching implications.

http://www.linuxsecurity.com/articles/network_security_article-39.html

* Managing the security of data flow
June 14th, 2004

Customer Relationship Management (CRM) systems are cited as one of the major technology successes of the last decade.
These 'super databases' enable the real-time sharing of information across global organisations, increasing the visibility of the sales pipeline and providing a central control of the customer experience.

http://www.linuxsecurity.com/articles/network_security_article-41.html

* Ease the security burden with a central logging server
June 14th, 2004

Every network device on your network has some type of logging capability. Switches and routers are extremely proficient in logging network events. Your organization's security policy should specify some level of logging for all network devices.

http://www.linuxsecurity.com/articles/server_security_article-40.html

* The DOMINO Theory: How to Thwart Wi-Fi Cheats
June 10th, 2004

By altering the Multiple Access Control (MAC) protocol, one of the series of protocols that govern how bandwidth is distributed between multiple users of the same wi-fi access point by randomly assigning each hotspot user a rate for data transfer, it is possible to siphon off most or all of the bandwidth.

http://www.linuxsecurity.com/articles/network_security_article-29.html

* Securing the Wireless Enterprise
June 10th, 2004

With recent technological advances, wireless devices are well positioned to add value as corporate productivity tools. Investments in this area have the potential to provide widespread improvements in mobile worker efficiency, business activity monitoring, exception handling, and organizational throughput.

http://www.linuxsecurity.com/articles/network_security_article-30.html

+------------------------+
| General Security News: |
+------------------------+

* Security holes splatter Open Source
June 11th, 2004

A KEY OPEN source tool used by developers to track and manage changes in computer code has six security glitches and counting. Concurrent Versions System (CVS) is used to manage code on a number of top open source software development projects.
http://www.linuxsecurity.com/articles/general_article-33.html

* Secure Development: A Polarised Response
June 8th, 2004

Thankfully, these days assessing the security of an application prior to implementation is a normal process for most organisations.

http://www.linuxsecurity.com/articles/projects_article-21.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Jun 15 01:52:36 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 15 02:13:12 2004
Subject: [ISN] Electronic jihad: Web sites featuring calls to arms, video of attacks
Message-ID:

http://www.detnews.com/2004/technology/0406/14/technology-182306.htm

By Sarah El Deeb
Associated Press
June 14, 2004

MANAMA, Bahrain - Web sites featuring videos of the beheading of Americans or captives pleading for their lives have become part of an electronic war of incitement, humiliation and terrorist outreach, experts say, providing a window into the minds of militant Muslims who hate the West.

The latest dramatic Web posting came Saturday, a short video that showed no faces but included a voice yelling in English: "No, no, please!" The video showed a shot fired, then the scene of the falling body of what appeared to be a Western man -- identified as Robert Jacobs, an American killed by suspected al-Qaida militants in Saudi Arabia last week. Two gunmen then fired at least 10 more shots, before one of them kneeled and motioned as if he was beheading the fallen man.

An earlier video showed the beheading of American Nicholas Berg in Iraq.
The CIA has said the black-clad militant shown on the video decapitating Berg was Abu Musab al-Zarqawi, a former commander for al-Qaida leader Osama bin Laden now believed to be leading resistance to Iraq's U.S. occupation.

"The aim is really to spread as much terror as possible and make it available to as many people as possible, especially in the West," where Internet use is more common, said Dia'a Rashwan, a Cairo expert on Islamic militants.

In what Rashwan calls a war of "ideology, images and perception," the Web is a place for militants and their sympathizers to exchange the latest news, debate their definition of Islam, share how-to manuals, extol their heroes and vilify their enemies.

Images of American soldiers pointing guns at children, Iraqi prisoners being tortured, and Muslim rebels in the Philippines being decapitated pop up again and again. Contributors sign off with pictures of bin Laden or large machine guns.

Militants can put images on the Internet most TV news producers would consider too shocking to televise.

The Internet, though, also can be subject to censorship.

Postings signed by the Saudi branch of al-Qaida -- everything from claims of responsibility for attacks in the kingdom to training and diet menus for a fit fighter -- started popping up on a sub-domain of a Qatar-based Web-hosting company run by Murad Alazzeh.

Alazzeh told The Associated Press he shut down one of his two servers after his site was repeatedly hacked. He said he has cut subscribers from 48,000 to 4,000.

The Web savvy, though, have ways around the gatekeepers.

The Malaysian company that hosted the site on which the Berg beheading video was first posted shut it down days later, but surfers combing Islamic forums could find it elsewhere.

Contributors on forums or chat rooms alert one another to the latest postings. Links are sometimes written in a kind of code, with letters or numerals missing from addresses.
The initiated or the patient can figure out what's missing by perusing the rest of the posting.

Experts say Islamic groups were among the first in the Arab world to realize the importance of staying connected. Egypt's Muslim Brotherhood uses dozens of Web sites to post literature banned by the government. Lebanon's Hezbollah is known for the sophistication of the propaganda on its Web site.

Until the site was taken over by an American hacker, one site appeared to be the place where al-Qaida reported on developments in fighting in Afghanistan, and, some law enforcement officials believe, posted low-priority information for its fighters. Some top al-Qaida operatives were trained as cyber specialists.

The mushrooming of the sites and forums is an indication of the growing number of people who sympathize with militants who argue Islam is under attack by the West, said Rashwan.

Young, educated, unemployed people can spend hours managing or contributing to such sites from their own homes, rather than traveling to Iraq or Afghanistan to do battle. Their targets are people like them in the developing world -- educated and disenfranchised -- and Westerners.

"They have no other part in holy war. Electronic holy war is their contribution," said Rashwan, whose book "Electronic Jihad" is to be published soon in Arabic and was to be translated into English soon.

Some say the sites may offer well-hidden clues about coming attacks. Other experts say they have little to do with terrorist operations or planning, but prepare the ground for recruiting.

"Over time, the propaganda is part of the conveyer belt to encourage people to figure out where they can join," said John Pike, director of GlobalSecurity.org, an Alexandria, Virginia, research center on security issues.

While Net cops have many monitoring tools, those who want to hide their identities and intentions can do so on the Web.
"It is difficult to know when a statement is posted, it is difficult to know if this is someone who has sworn allegiance to (bin Laden). ... It is difficult to understand who is the ultimate sponsor," Pike said.

From isn at c4i.org Tue Jun 15 01:52:50 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 15 02:13:14 2004
Subject: [ISN] Apple Makes Its Case for Security
Message-ID:

http://www.wired.com/news/mac/0,2125,63805,00.html

By Leander Kahney
June 14, 2004

Apple is a famously secretive company. Its hush-hush culture makes it impossible for employees to talk about their work, even with spouses or family members.

This may help keep new products a surprise, but it has a downside: In the past few weeks widely publicized security holes in OS X were discussed everywhere and by everyone, except Apple.

For several weeks, many users felt they were being kept in the dark. And when Apple finally issued a fix -- two actually, a couple of weeks apart -- users complained they had no idea of what was being fixed or how. Descriptions of the updates were scant, bordering on meaningless.

But security is very important to Apple. It's one of the key perceived differences between OS X and Windows, which is constantly battling viruses, worms and spyware.

So this week Apple executives worked overtime talking to the press. The message is that Apple takes security very, very seriously, and the company has learned an important lesson in communicating about security issues with its customers.

Ken Bereskin, Apple's director of Mac OS X product marketing, said that Apple was stung by recent criticism that the company didn't communicate in detail about security updates. He admitted descriptions of patches downloaded automatically in OS X's Software Update mechanism tended to be simplistic.

"We think it was very, very valid feedback that we received from customers," Bereskin said. "We've had a wealth of information, but people haven't known it existed."
Detailed information is available at the company's security website, and even some security companies aren't aware of it, Bereskin said.

Starting with the latest security update, Apple now includes a link to its security website, Bereskin said.

"We've actually acted on that feedback," he said. "I think that is an example that very much we want to refine our process."

Bereskin added, "In general, we feel we've been approaching security in a really smart way. Nothing can be perfect. I think everybody acknowledges that, but we're trying to make it as safe and trustworthy for our customers as possible."

According to Bereskin, Apple has issued 44 security updates since Mac OS X was introduced in March 2001, and 3 percent of those were classified critical -- a vulnerability that can be exploited remotely. The Help Viewer and Disk vulnerabilities are examples.

By comparison, Microsoft issued 78 security updates in the same period, and 65 percent were critical, Bereskin noted.

"Certainly no single operating system can be completely secure from all threats, but most people we talk to, most of the security experts we work with closely, agree that because Mac OS X has a Unix BSD core, it lands up being more secure than other platforms, certainly more than Microsoft," Bereskin said.

BSD Unix -- Berkeley Software Distribution -- is a version of Unix developed in the 1970s. Designed from the outset as a network operating system, it has been widely tested, refined and patched over 30 years.

Peter Kastner, chief research officer at Aberdeen Group, said the storm in the Mac community about OS X security was overblown.

"I think there have been huge overreactions," he said. "Every complex piece of software has vulnerabilities, that's a fact of life but OS X is good, strong Unix."

Kastner said the criticism that Apple issued two separate fixes for related holes -- the Help Viewer and Disk vulnerabilities -- is unwarranted.
He guessed that Apple may have fixed the easiest problem first and patched the more complex issue later.

"As an ex-programmer I have a lot of sympathy for the Apple programmers who are being asked 'When is it going to be done?' OS X is a hugely complicated thing. You don't want to put new bugs in the system."

Ray Wagner, a research director with market research group Gartner, also thought the fuss was overblown.

"I think Apple's customer communication around vulnerability patching and their automatic update service is quite reasonable, useful, and convenient for the end user," he said. "Most of the concerns have been around communication with developers and security practitioners, rather than end users."

Ngozi Pole is systems administrator for Sen. Edward Kennedy (D-Massachusetts), whose office runs the only Mac operation on Capitol Hill. Pole administers about 60 Macs and a couple of PCs.

"(The Senate) got hit pretty hard by a worm recently," he said. "When that happened they had to shut a lot of computers down to isolate the problem. Kennedy's office was functioning normally during that time. OS X is just not as vulnerable as Windows."

Pole said Kennedy's office is moving to a new, centralized OS X file server, and he is impressed with all the Unix security tools he will be able to use.

"We're taking advantage of all the Unix stuff," he said. "We're very impressed with the Unix tools that can run from command line."

From isn at c4i.org Tue Jun 15 01:53:03 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 15 02:13:15 2004
Subject: [ISN] OPM outlines four steps for IT security training
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/26205-1.html

By Jason Miller
GCN Staff
06/14/04

The Office of Personnel Management today outlined a four-step process for agencies to follow to ensure employees, contractors and others who access federal systems are adequately trained in IT security.
The final rule, effective today, requires agencies to develop an IT security training plan. The plan should identify employees with significant cybersecurity responsibilities and provide role-specific training as detailed by the National Institute of Standards and Technology guidance.

The rule said:

* All users of agency systems must be exposed to security awareness materials at least annually.

* Executives must receive training in IT security basics and policy level training in security and planning management.

* Program managers, functional managers and IT functional and operations personnel must receive training in IT security basics, management and implementation level training in security planning and system security management, application lifecycle management, risk management and contingency planning.

* CIOs, IT security program managers, auditors and other security personnel, such as system and network administrators, must receive training in security basics and broad training in security planning, system and application security management, and system lifecycle, risk and contingency planning management.

Agencies also must provide all new employees training before granting them access to federal systems. Employees must be given refresher training as determined necessary by the agency based on the sensitivity of the information that the worker uses. Departments also must provide new training whenever there is a significant change in the IT environment or procedures.
From isn at c4i.org Tue Jun 15 01:53:13 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 15 02:13:16 2004
Subject: [ISN] Hackers target government holes
Message-ID:

http://www.fcw.com/fcw/articles/2004/0614/web-holes-06-14-04.asp

By Brian Robinson
June 14, 2004

Global threats such as the Blaster and SQL Slammer worms batter government network defenses as much as those in the commercial arena, but attacks that actually penetrate the network are focused on perceived weaknesses in Web-based applications, according to a Symantec Corp. report.

Based on an analysis of data produced in the last six months of 2003, Symantec officials believe the problem could be due to a greater use of file-sharing applications within government, as opposed to industry. Globally, there is a bigger mixture of different kinds of attacks, according to Oliver Friedrichs, a senior manager at Symantec.

In the last half of 2003, eight of the top 10 attacks on government were related to Web servers or Web-based applications. "It's the most dominant threat by far," Friedrichs said. "In contrast, threats such as those posed by the Blaster worm and others seem to be adequately blocked by [perimeter] firewall systems."

Using data provided by sensors deployed throughout the government, Symantec officials concluded that TCP ports 6346 and 4662, which are typically used by peer-to-peer file-sharing networks, were targeted much more frequently by attacks against government systems than for other systems around the globe.

That apparently means that attackers believe there are potentially vulnerable Web applications deployed in the government sector, Symantec officials said.

There's been a constant evolution in such Web-based applications and technologies, Friedrichs said, but that also means they are that much more complex "so there's greater potential for more security problems." That only points out the need to focus even more attention on the security needs of Web-based systems, he said.
Brian Robinson is a freelance journalist based in Portland, Ore. He can be reached at hullite@mindspring.com

From isn at c4i.org Tue Jun 15 01:53:28 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 15 02:13:17 2004
Subject: [ISN] New Linux Security Hole Found
Message-ID:

http://www.eweek.com/article2/0,1759,1612480,00.asp

By Steven J. Vaughan-Nichols
June 14, 2004

A Linux bug was recently uncovered by a young Norwegian programmer that, when exploited by a simple C program, could crash most Linux 2.4 or 2.6 distributions running on an x86 architecture.

"Using this exploit to crash Linux systems requires the (ab)user to have shell access or other means of uploading and running the program - like cgi-bin and FTP access," reports the discoverer, Øyvind Sæther.

"The program works on any normal user account, and root access is not required," Sæther reported. "This exploit has been reported used to take down several 'lame free-shell providers' servers. [Running code you know will damage a system intentionally and hacking in general] is illegal in most parts of the world and strongly discouraged."

Along with the code needed to use the exploit, Sæther also posted several patches to 2.4 and 2.6 kernels that will keep the exploit from crashing systems.

Several security problems have been uncovered in Linux over the past year. The most serious was uncovered in February by the Polish security nonprofit organization iSEC Security Research. The biggest of these security holes, called "Linux kernel do_mremap VMA limit local privilege escalation vulnerability" by iSEC, could have enabled a cracker to achieve full super-user and full administration privileges.

In each case, fixes were quickly delivered by the Linux open-source community.

This latest security hole, however, can be used to crash a system, but it doesn't give an attacker any other control of a Linux system.
Technically, the problem exists because the Linux kernel's signal handler isn't handling floating-point (FP) exceptions correctly. Linux's creator, Linus Torvalds, said, "There's a path into the kernel where if there is a pending FP error, the kernel will end up taking an FP exception, and it will continue to take the FP exception forever. Duh."

Torvalds already has the problem well in hand, he said. "I fixed it in my [source code] tree a few days ago, so it's in the current snapshots, and if I wasn't in the middle of a move [to Portland, Ore.] I'd have released a 2.6.7 already. As it is, I'll hopefully have it done by tomorrow [June 15]."

Eric Raymond, president of the Open Source Initiative, added, "It isn't a big deal. This one can be trivially fixed. This fixable kernel crasher doesn't cause any new problems."

From isn at c4i.org Tue Jun 15 01:53:41 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 15 02:13:19 2004
Subject: [ISN] Gambling on Voting
Message-ID:

http://www.nytimes.com/2004/06/13/opinion/13SUN1.html

June 13, 2004

If election officials want to convince voters that electronic voting can be trusted, they should be willing to make it at least as secure as slot machines. To appreciate how poor the oversight on voting systems is, it's useful to look at the way Nevada systematically ensures that electronic gambling machines in Las Vegas operate honestly and accurately. Electronic voting, by comparison, is rife with lax procedures, security risks and conflicts of interest.

On a trip last week to the Nevada Gaming Control Board laboratory, in a state office building off the Las Vegas Strip, we found testing and enforcement mechanisms that go far beyond what is required for electronic voting. Among the ways gamblers are more protected than voters:

1. The state has access to all gambling software. The Gaming Control Board has copies on file of every piece of gambling device software currently being used, and an archive going back years.
It is illegal for casinos to use software not on file. Electronic voting machine makers, by contrast, say their software is a trade secret, and have resisted sharing it with the states that buy their machines.

2. The software on gambling machines is constantly being spot-checked. Board inspectors show up unannounced at casinos with devices that let them compare the computer chip in a slot machine to the one on file. If there is a discrepancy, the machine is shut down, and investigated. This sort of spot-checking is not required for electronic voting. A surreptitious software change on a voting machine would be far less likely to be detected.

3. There are meticulous, constantly updated standards for gambling machines. When we arrived at the Gaming Control Board lab, a man was firing a stun gun at a slot machine. The machine must work when subjected to a 20,000-volt shock, one of an array of rules intended to cover anything that can possibly go wrong. Nevada adopted new standards in May 2003, but to keep pace with fast-changing technology, it is adding new ones this month. Voting machine standards are out of date and inadequate. Machines are still tested with standards from 2002 that have gaping security holes. Nevertheless, election officials have rushed to spend hundreds of millions of dollars to buy them.

4. Manufacturers are intensively scrutinized before they are licensed to sell gambling software or hardware. A company that wants to make slot machines must submit to a background check of six months or more, similar to the kind done on casino operators. It must register its employees with the Gaming Control Board, which investigates their backgrounds and criminal records. When it comes to voting machine manufacturers, all a company needs to do to enter the field is persuade an election official to buy its equipment.
There is no way for voters to know that the software on their machines was not written by programmers with fraud convictions, or close ties to political parties or candidates.

5. The lab that certifies gambling equipment has an arms-length relationship with the manufacturers it polices, and is open to inquiries from the public. The Nevada Gaming Control Board lab is a state agency, whose employees are paid by the taxpayers. The fees the lab takes in go to the state's general fund. It invites members of the public who have questions about its work to call or e-mail. The federal labs that certify voting equipment are profit-making companies. They are chosen and paid by voting machine companies, a glaring conflict of interest. The voters and their elected representatives have no way of knowing how the testing is done, or that the manufacturers are not applying undue pressure to have flawed equipment approved. Wyle Laboratories, one of the largest testers of voting machines, does not answer questions about its voting machine work.

6. When there is a dispute about a machine, a gambler has a right to an immediate investigation. When a gambler believes a slot machine has cheated him, the casino is required to contact the Gaming Control Board, which has investigators on call around the clock. Investigators can open up machines to inspect their internal workings, and their records of recent gambling outcomes. If voters believe a voting machine has manipulated their votes, in most cases their only recourse is to call a board of elections number, which may well be busy, to lodge a complaint that may or may not be investigated.

Election officials say their electronic voting systems are the very best. But the truth is, gamblers are getting the best technology, and voters are being given systems that are cheap and untrustworthy by comparison.
There are many questions yet to be resolved about electronic voting, but one thing is clear: a vote for president should be at least as secure as a 25-cent bet in Las Vegas.

From isn at c4i.org Wed Jun 16 08:46:43 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 16 08:59:14 2004
Subject: [ISN] ITL Bulletin for June 2004
Message-ID:

Forwarded from: Elizabeth Lennon

ITL BULLETIN FOR JUNE 2004

INFORMATION TECHNOLOGY SECURITY SERVICES: HOW TO SELECT, IMPLEMENT, AND MANAGE

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Organizations often need expert assistance in maintaining and improving the security of their information technology (IT) systems. Whether they get this assistance from internal sources or from commercial vendors of security services, organizations must review and evaluate the sources before committing to service agreements. A carefully managed process can help assure that sound decisions are made and that system security is strengthened.

Guide to Information Technology Security Services

NIST's Information Technology Laboratory recently published NIST Special Publication (SP) 800-35, Guide to Information Technology Security Services, Recommendations of the National Institute of Standards and Technology, which provides guidance to help organizations negotiate the many complexities and challenges in selecting information technology security services. Written by Tim Grance, Joan Hash, Marc Stevens, Kristofor O'Neal, and Nadya Bartol, NIST SP 800-35 helps those who are responsible for selecting, implementing, and managing their organization's IT security services. NIST recommends that organizations adopt systematic evaluation and decision processes to guide their selection of IT security services and to satisfy their security requirements. This ITL Bulletin summarizes the new IT services selection guide.
The foundation for the selection of IT security services is a comprehensive information security management program, including risk management procedures that are applied throughout the System Development Life Cycle (SDLC). This same process also underlies the selection of IT security products, the focus of our April 2004 ITL Bulletin covering NIST SP 800-36, Guide to Selecting Information Technology Security Products.

NIST SP 800-35 discusses the roles and responsibilities of the people within an organization who select, implement and manage the security services life cycle. It provides an overview of the security services life cycle and describes the issues to be addressed concerning security services. Examples of specific services are described. The appendices include lists of references and acronyms, an outline of a security services provider agreement, sample acquisition language, and answers to frequently asked questions.

The services selection guide is available in electronic format from the NIST Computer Security Resource Center at http://csrc.nist.gov/publications. When used with other NIST publications, including those listed in the More Information section at the end of this bulletin, the guide will help organizations develop a comprehensive approach to organizing their overall IT security efforts, managing risks, and using IT security services.

People Responsible For Security Services

The people responsible for selecting, implementing, and managing services within an organization will vary depending upon the type and scope of the service needed, the service arrangement, and the size of the organization. Larger organizations that use external security service providers extensively will have different requirements and more people involved than smaller organizations with more limited requirements.
The people who may be involved in the process include the following:

* Chief Information Officer, who is responsible for the organization's IT planning, budgeting, investment, performance, and acquisition;

* Contracting Officer, who has authority to enter into, administer, and terminate contracts;

* Contracting Officer's Technical Representative, who is appointed by the Contracting Officer to manage the technical aspects of a particular contract;

* IT Investment Board (or equivalent), which is responsible for planning and for managing the capital planning and investment control process for federal agencies, as specified in the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act);

* IT Security Program Manager, who is responsible for developing enterprise standards for IT security, coordinating and performing system risk analyses, analyzing alternatives for minimizing risks, and supporting the acquisition of appropriate security solutions;

* IT System Security Officer, who is responsible for ensuring the security of an information system throughout its life cycle;

* Program Manager, who owns the data, initiates the procurement, is involved in strategic planning and is aware of functional services requirements;

* Privacy Officer, who assures that the service and service arrangement meet privacy policies regarding the protection, dissemination, and disclosure of information; and/or

* Other participants, who may include the system certifier and accreditor, system users, and people representing information technology, configuration management, design, engineering, and facilities groups.

IT Security Life Cycle

The SDLC provides the framework that enables the IT security decision makers to organize their IT security efforts, from initiation to closeout. The systematic management of the IT security services process fits into this framework.
The organization's IT security is critically dependent upon the careful consideration of the many issues connected to security services, and to the prudent management of organizational risks. IT security decision makers must think about the costs involved and the underlying security requirements, as well as the potential impact of their decisions on the organizational mission, operations, strategic functions, personnel, and service provider arrangements.

The selection, implementation, and management of security services are included in the following six phases of the IT security life cycle:

* Phase 1: Initiation. The organization determines if it should investigate whether implementing an IT security service might improve the effectiveness of the organization's IT security program.

* Phase 2: Assessment. The organization determines the security posture of the current environment using metrics and identifies the requirements and viable solutions.

* Phase 3: Solution. Decision makers evaluate potential solutions, develop the business case, and specify the attributes of an acceptable service arrangement solution from the set of available options.

* Phase 4: Implementation. The organization selects and engages the service provider, develops a service arrangement, and implements the solution.

* Phase 5: Operations. The organization ensures operational success by consistently monitoring service provider and organizational security performance against identified requirements, periodically evaluating changes in risks and threats to the organization and ensuring the organizational security solution is adjusted as necessary to maintain an acceptable security posture.

* Phase 6: Closeout. The organization ensures a smooth transition as the service ends or is discontinued.
Security Services: Issues and Types

The factors to be considered when selecting, implementing, and managing IT security services include the type of service arrangement; service provider qualifications, operational requirements and capabilities, experience, and viability; trustworthiness of service provider employees; and the service provider's capability to deliver adequate protection for the organization's systems, applications, and information. These considerations will apply to some degree to every service depending on the size, type, complexity, cost, and criticality of the services being considered and the specific needs of the organization implementing or contracting for the services.

An effective security program has many layers of protection. Using risk management procedures, organizations should evaluate the value of their systems and their information, and then select the security controls that are appropriate for the determined levels of risk. Security programs at both the organizational and system levels should include an appropriate mix of management, operational, and technical controls. Technical controls alone are not sufficient for robust security.

Security services can be obtained to assist organizations in addressing these management, operational, and technical issues:

* Management Services: Techniques and concerns normally addressed by management in the organization's information security program, including managing risks. These services help organizations develop and maintain their security programs, effectively implement and evaluate their programs, develop security architectures, and evaluate IT security products.

* Operational Services: Services focused on controls implemented and executed by people, often requiring technical or specialized expertise and relying on management activities and technical controls.
These services include assistance with contingency planning, the establishment of incident handling processes, the testing of security controls, and conducting security training.

* Technical Services: Services focused on the security controls that a system executes, and dependent on the proper function of the system for effectiveness. These services include firewall installation and maintenance, intrusion detection systems, and the design and development of a Public Key Infrastructure (PKI) system.

While not every available security service is discussed in the guide, the issues and considerations related to the services life cycle are presented. These issues and considerations should be useful in meeting current needs and in addressing future needs as technology changes.

NIST Recommendations

NIST recommends that organizations planning to acquire IT security services should:

* Develop careful, objective business cases. The need for an IT security service should be supported by the business needs of the organization. A business case containing an analysis of the proposed solution, cost estimate, benefits analysis, project risk analysis, and an evaluation of other considered alternatives should provide sufficient documentation to describe and support these needs.

* Develop strong, specific service agreements that define the expectations of performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instances of noncompliance.

* Use metrics throughout the IT security life cycle. Metrics will provide the objective data to evaluate the baseline level of service in the assessment phase and assess service provider performance in the operations phase. Wherever possible, metrics should be selected to indicate progress toward the achievement or maintenance of a security condition that meets an underlying organizational need.
* Develop processes and procedures that can effectively track the myriad service agreements and the metrics that will be applied throughout the life cycle of the many different and disparate IT security services within an organization.

* Ensure that an appropriate transition (bedding in) period is in place between an existing service provider or capability and the new service provider.

* Maintain the technical expertise necessary to understand and manage the security service being provided and to protect the data critical to an organization's mission.

* Pay careful attention to six issue areas: strategy/mission, budget/funding, technology/architecture, organization, personnel, and policy/process.

More Information

Federal organizations should consult OMB Circular A-76, Performance of Commercial Activities, for information on establishing the foundation for decisions concerning whether activities should be performed under contract with a commercial activity or performed in-house using government facilities and personnel.

For a complete list of references to publications and web pages with information that can help you in selecting, implementing, and managing IT security services, consult Appendix A of NIST SP 800-35. NIST Special Publications, including the following, are available in electronic format from the Computer Security Resource Center at http://csrc.nist.gov/publications.

NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, provides guidance on the fundamentals of information system security and an introduction to the selection of security controls and services.

NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, explains a framework for IT security training requirements and emphasizes results-based learning.

NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, discusses developing and updating security plans.
NIST SP 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, discusses the concept of assurance in the acquisition and use of security products.

NIST SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, assists federal agencies in using PKI for digital signatures and authentication over open networks.

NIST SP 800-30, Risk Management Guide for Information Technology Systems, discusses the risk-based approach to security and provides guidance on conducting risk assessments.

NIST SP 800-31, Intrusion Detection Systems (IDS), and NIST SP 800-41, Guidelines on Firewalls and Firewall Policy, provide information on using and deploying IDSs and firewalls.

NIST SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure, advises federal organizations on how to determine if a PKI is appropriate for them and how to use PKI services effectively.

NIST SP 800-33, Underlying Technical Models for Information Technology Security, provides information on IT security engineering principles and concepts for IT systems.

NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, guides organizations in preparing and maintaining IT contingency plans.

NIST SP 800-36, Guide to Selecting Information Technology Security Products, helps organizations select cost-effective and useful products for their IT systems.

NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, describes the fundamental concepts of the certification and accreditation processes, and details the various tasks in the processes.

NIST SP 800-42, Guideline on Network Security Testing, describes available security testing techniques, their strengths and weaknesses, and the recommended frequencies for testing as well as strategies for deploying network security testing.
NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices, discusses wireless security issues for local area networks, personal area networks, and handheld devices.

NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, provides guidelines to help federal organizations meet their security training responsibilities and build a comprehensive awareness and training program.

NIST SP 800-53, Recommended Security Controls for Federal Information Systems, provides information about selecting security controls to meet the security requirements for the system (available in draft at http://csrc.nist.gov/publications/drafts.html).

NIST SP 800-55, Security Metrics Guide for Information Technology Systems, helps organizations understand the importance of using metrics and developing a metrics program.

NIST SP 800-64, Security Considerations in the Information System Development Life Cycle, discusses the analysis of system security requirements and methods for incorporating security into IT procurements.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357

From isn at c4i.org Wed Jun 16 08:46:57 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 16 08:59:16 2004
Subject: [ISN] Blackout hits major Web sites
Message-ID:

http://asia.cnet.com/newstech/personaltech/0,39001147,39183542,00.htm

By Jim Hu
CNET News.com
June 16 2004

update: A domain name outage Tuesday morning that left many popular Web sites, including those of Yahoo, Google, Microsoft and Apple, temporarily inaccessible was the result of an Internet attack, according to Web infrastructure company Akamai.

The attack caused problems for more than two hours--from 5:30 a.m. to 7:45 a.m. PDT. Many of the world's most popular sites suffered from widespread outages, according to Keynote Systems, which compiles statistics related to Web surfing. On a typical day, the top 40 sites measured by Keynote rarely dip below 99 percent availability. On Tuesday, however, Keynote saw availability drop to 81 percent.

Where the attack struck first has yet to be determined, and the affected companies are pointing to others, not themselves. An attack on Akamai could have rippled out to Google and the other sites, or those sites might have been individually targeted, which in turn could have put pressure on a key Internet service that Akamai runs.

An Akamai spokesman said it noticed an attack against four unnamed "customers" that rendered their sites inaccessible. Akamai said the strike against those customers in turn caused a failure of its own domain name server (DNS) system, which translates word-based URLs into numeric Web addresses to link surfers to company sites.

"We do know that attack was against four sites that happened to be Akamai customers," company spokesman Jeff Young said.
"But I don't know if the intent was to go after Akamai or go after Web properties that happened to be customers of ours."

Tuesday's outage comes nearly a month after Akamai reported glitches in its content management tools, causing some slowdowns.

Other parties may not agree with that assessment. Keynote earlier Tuesday reported the Akamai DNS system outage and speculated that Cambridge, Mass.-based Akamai was the target of a denial-of-service attack, which then caused the Yahoo, Google, Microsoft and Apple sites to fail.

Dug Song, security architect for network security company Arbor Networks, said the outage appeared to be an Akamai problem. During the outage, Song noticed that sites such as Google were still functional, but someone typing www.google.com couldn't get to that site, because the address would not translate into its numeric Internet Protocol code.

"It was definitely some sort of Akamai issue," Song said in an interview. "Their name service for all these major sites stopped working. You couldn't reach these sites, even though the sites were up. You just couldn't get to them because the name resolution wasn't working."

Furthermore, Song noticed that Web-wide traffic during the outage actually declined, making it unlikely that Google and the other sites were the victims of a distributed denial-of-service attack, in which thousands of unknowing PC "slaves" would have flooded their servers with useless data or requests for data. In a recent incident, the Netsky virus used such a technique to target Kazaa and other file-sharing networks, disrupting service at some. Earlier in the year, the main Web site of the SCO Group was crippled after attacks from computers infected by the MyDoom virus.

On Tuesday, David Krane, a spokesman for Google, confirmed that the search site was "affected for a short period of time earlier today" and that all systems have been restored. Krane said Google was not the target of a denial-of-service attack.
Microsoft also confirmed that its sites were affected but added that it was "deferring to Akamai for additional information on the reported outage."

With the sites back up, it appears that the DNS issue has been resolved. But Yahoo's new Web-based e-mail service, launched Tuesday, continues to have problems. Since early Tuesday morning, users have been reporting glitches with Yahoo Mail such as site inaccessibility, slow page loads and inoperable buttons on the site.

A Yahoo spokeswoman said the company is "investigating the potential impact of a widespread DNS issue on our services." But launch-related bugs are also a possibility.

"As we upgrade tens of millions of Yahoo Mail accounts for consumers worldwide, some users may experience temporary fluctuations in the service, as we update our systems," Yahoo spokeswoman Mary Osako said. "We expect Yahoo Mail accounts to resume to normal after the upgrades are completed."

Representatives of Apple were not immediately available for comment.

From isn at c4i.org Wed Jun 16 08:47:07 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 16 08:59:17 2004
Subject: [ISN] Putnam, Davis, propose Clinger-Cohen amendment
Message-ID:

http://www.fcw.com/fcw/articles/2004/0614/web-cc-06-15-04.asp

By Florence Olsen
June 15, 2004

Two lawmakers today announced a bill that would amend the 1996 Clinger-Cohen Act to strengthen computer security in the federal government.

Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee, along with Rep. Tom Davis (R-Va.), committee chairman, said their bill would update Clinger-Cohen to include cybersecurity requirements in all federal information-systems planning and acquisition activities. The amendment would also give the Office of Management and Budget greater authority for advising agencies on information security.

Davis said the proposed legislation, H.R. 4570, "helps ensure that every federal information system is managed in a way that minimizes the security risks."

The Clinger-Cohen Act requires that agency heads establish reasonable processes to select, manage and control their information technology investments.

In a statement issued late today, Putnam said, "With the many threats out there today, it is vital that we factor in security when making our IT management decisions."

From isn at c4i.org Wed Jun 16 08:47:22 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 16 08:59:18 2004
Subject: [ISN] Feds' IT Security Spending Growth Set For Slowdown
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=21800461

By Eric Chabrow
June 15, 2004

The rapid growth in the federal government's IT security spending is coming to a screeching halt. In fiscal 2005, which begins Oct. 1, the U.S. government will increase spending on IT security products and services by a mere 2% to $5.6 billion, according to the government market-intelligence firm Input.

Since the Sept. 11, 2001, terrorist attacks, the government has spent heavily on IT security, although the increases have been declining each year. But next year's increase is significantly smaller than those in previous years. Annual IT security spending rose 10% this year, 50% in 2003, and 100% in 2002, Input reports. Single-digit increases in IT security spending will be the rule through the remainder of the decade, it says.

One reason IT security spending has slowed is that agencies have failed to comply with White House requirements to fix existing IT security weaknesses before the Office of Management and Budget releases additional money for new initiatives. Last year, according to Input, more than a quarter of federal IT systems didn't have up-to-date security plans.
Input senior analyst Chris Campbell says yearly reviews by OMB and Congress have uncovered a number of security lapses unresolved from previous years, leaving many legacy systems vulnerable to attacks. This means agencies must seek OMB approval to re-appropriate funds to fix security lapses in existing systems, rather than get new money for new IT security projects. Campbell says vendors that help agencies implement security solutions at reasonable costs could benefit.

Still, Input sees IT security spending picking up a bit in the second half of the decade, reaching an annual growth rate of about 5% through 2009--when IT security spending should surpass $7 billion. By 2009, Input projects, IT security spending by Defense Department agencies and the military will rise to $3 billion, up from $2.4 billion this year, a 5% annual growth rate. Similarly, civilian agencies' IT security spending will grow at a 5.2% yearly growth rate over the next five years to $2.9 billion, from $2.3 billion. Intelligence agencies' growth rate is projected to be lower--2.5%, as spending will rise to $900 million from $800 million.

Two-thirds of federal IT security spending comes from just 10 agencies: the Office of the Secretary of Defense--which represents nearly one-quarter of all IT security spending--the three military branches, the departments of Homeland Security, Health and Human Services, Energy, Transportation, and Treasury, and the space agency, according to Input's analysis of government numbers.

The biggest IT security contracts awarded by the government are both for $1.5 billion. A Defense contract deals with information assurance and a General Services Administration contract focuses on developing common identification smart cards. The government awards the biggest federal IT security contracts to systems integrators.
In fiscal year 2003, according to Input, Northrop Grumman held 9% of the estimated federal government market share in IT security, followed by EDS at 8%, Science Applications International Corp., 5%, and General Dynamics, 4%.

From isn at c4i.org Wed Jun 16 08:47:37 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 16 08:59:19 2004
Subject: [ISN] First mobile phone virus discovered
Message-ID:

http://www.news.com.au/common/story_page/0,4057,9860240%255E2,00.html

From correspondents in Paris
June 16, 2004

The first-ever computer virus that can infect mobile phones has been discovered, anti-virus software developers said today, adding that up until now it has had no harmful effect.

The French unit of the Russian security software developer Kaspersky Labs said that the virus, called Cabir, appears to have been developed by an international group specialising in creating viruses which try to show "that no technology is reliable and safe from their attacks".

Cabir infects the Symbian operating system that is used in several makes of mobiles, notably the Nokia brand, and propagates through the new Bluetooth wireless technology that is in several new mobile phones.

If the virus succeeds in penetrating the phone, it writes the inscription 'Caribe' on the screen and is then activated every time that the phone is turned on. It is able to scan for phones that are also using the Bluetooth technology and is able to send a copy of itself to the first handset that it finds.

According to the anti-virus software developer F-Secure, the discovery of Cabir is proof that the technologies are now available to create viruses for mobile phones and that they are now known to the writers of computer viruses.

Anti-virus experts have been warning for months that mobile phone viruses are set to multiply, given the increasingly diverse uses of mobile phones.
Agence France-Presse

From wk at c4i.org Thu Jun 17 06:48:52 2004
From: wk at c4i.org (William Knowles)
Date: Thu Jun 17 10:52:56 2004
Subject: [ISN] Beijing wages cyberwar against DPP headquarters
Message-ID:

http://www.taipeitimes.com/News/front/archives/2004/06/16/2003175231

By Ko Shu-ling
STAFF REPORTER
June 16, 2004

An army of hackers based in China has broken into Democratic Progressive Party (DPP) databases, stealing classified information such as President Chen Shui-bian's personal itinerary, according to a Cabinet official who asked not to be named.

"This is the first time we have found that the DPP headquarters' computer systems were breached by Chinese hackers," the official said. "The incident has sent jitters through the Ministry of National Defense, which deems a systematic information attack launched by China as military warfare."

Information stolen from party headquarters included the personal itineraries of Chen, who doubles as DPP chairman, and those of other high-ranking party officials such as DPP Secretary-General Chang Chun-hsiung. Also leaked was classified information on visits to the US by high-ranking DPP officials ahead of the US presidential election.

According to the Cabinet official, the DPP headquarters was an easy target and the attackers were aware it would be more difficult to break into computer systems belonging to the Presidential Office or the defense ministry, where security is tighter. The attacks were noted a few days ago and the situation has been monitored 24 hours a day since.

This is not the first time that China has conducted information warfare against Taiwan. Last September, the Cabinet discovered that hackers in Hubei and Fujian provinces had spread 23 different Trojan horse programs to the networks of 10 private high-tech companies in Taiwan and used them as a springboard to break into at least 30 different government agencies and 50 private companies.
The Trojan horse programs were used against the National Police Administration, the defense ministry, the Central Election Commission and the central bank. Since it appeared no government information had been stolen, the Cabinet suspected that the program was likely aimed at paralyzing the nation's computer systems, stealing sensitive government information or preparing computers for future information warfare.

Trojan horses are one of the most serious threats to computer security. A computer user may not only have been attacked but may also be attacking others unknowingly.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*

From isn at c4i.org Thu Jun 17 10:32:22 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 17 10:52:58 2004
Subject: [ISN] Nine PCs stolen from NHS hospital
Message-ID:

http://www.theregister.co.uk/2004/06/17/hospital_break_in/

By Lucy Sherriff
17th June 2004

A gang of thieves has stolen NHS computers containing eight years of confidential patient data from the pathology department of the Royal Shrewsbury Hospital in Shropshire.

The break-in on Monday night - which was captured on CCTV video - has caused severe disruption to the targeted department since the computers contained medical data, photography, emails and teaching materials.

"The information hasn't been lost forever, because we back everything up on a daily basis," said NHS spokesman Phil Hipkiss. "But it is a real hassle, and no-one here is especially happy that patients' medical records have been compromised like this."
There is no suggestion that the break-in was specifically aimed at gaining patient information. All the stolen items - nine PCs and a laptop - were described as "saleable". "They left a lot of other, bulkier stuff behind," Hipkiss told The Register.

He went on to say that this was the first incident of its kind at the hospital, although the nearby Princess Royal Hospital in Telford suffered a similar break-in last year. In that case, however, the computers stolen were in a very publicly-accessible area. The computers lifted from the pathology department were not, suggesting the robbers may have known their way around.

Shropshire police are now examining the CCTV footage for clues, and have appealed for members of the public to come forward if they are offered the machines for sale.

From isn at c4i.org Thu Jun 17 10:33:42 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 17 10:52:59 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-25
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-06-10 - 2004-06-17

This week : 51 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g.
by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

ADVISORIES:

http-equiv and eEye Digital Security have discovered two vulnerabilities in IBM Access Support ActiveX controls, which could be exploited to compromise a vulnerable system. Furthermore, according to eEye the vulnerable ActiveX controls are installed by default on many IBM machines.

Owners of IBM PCs are advised to check if their PCs have the ActiveX controls installed, and if so install the "Fix Pack 2 for Access Support" from IBM.

Reference:
http://secunia.com/SA11072

--

A new vulnerability was identified in Internet Explorer, which could be exploited by a malicious website to bypass security zone restrictions and spoof the address bar.

Additionally, Mozilla suffers from the same vulnerability. However, in Mozilla's case, this can only be used to partly spoof the address bar.

Further details available in Secunia advisories below.

Reference:
http://secunia.com/SA11830
http://secunia.com/SA11856

--

Three different research groups have independently discovered three vulnerabilities in the popular RealPlayer, which all could be exploited to execute arbitrary code on a vulnerable system.

RealNetworks has issued an update for all vulnerabilities. The update is available via the "Check for Update" feature.

Reference:
http://secunia.com/SA11422

VIRUS ALERTS:

During the last week, Secunia issued one MEDIUM RISK virus alert.
Please refer to the grouped virus profile below for more information: ZAFI.B - MEDIUM RISK Virus Alert - 2004-06-14 13:55 GMT+1 http://192.168.100.226/virus_information/9988/zafi.b/ ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA11793] Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities 2. [SA11830] Internet Explorer Security Zone Bypass and Address Bar Spoofing Vulnerability 3. [SA11856] Mozilla Browser Address Bar Spoofing Weakness 4. [SA11422] RealPlayer Multiple Buffer Overflow Vulnerabilities 5. [SA11841] Apache mod_proxy "Content-Length:" Header Buffer Overflow Vulnerability 6. [SA10395] Internet Explorer URL Spoofing Vulnerability 7. [SA11689] Mac OS X Volume URI Handler Registration Code Execution Vulnerability 8. [SA11622] Mac OS X URI Handler Arbitrary Code Execution 9. [SA11821] Cisco CatOS TCP-ACK Denial of Service Vulnerability 10. [SA11861] Linux Kernel "__clear_fpu()" Macro Denial of Service Vulnerability ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA11839] AspDotNetStorefront Multiple Vulnerabilities [SA11878] Web Wiz Forums Registration Rules Cross-Site Scripting Vulnerability [SA11856] Mozilla Browser Address Bar Spoofing Weakness [SA11848] Blackboard Digital Dropbox File Retrieval Vulnerability [SA11840] WinAgents TFTP Server Long Filename Request Denial of Service [SA11857] Sygate Personal Firewall Fail-Safe Mechanism Bypass Vulnerability [SA11868] Internet Explorer File Download Error Message Denial of Service Weakness UNIX/Linux: [SA11874] Gentoo update for horde-chora [SA11869] Fedora update for subversion [SA11866] Red Hat update for httpd/mod_ssl [SA11859] OpenBSD update for httpd/mod_ssl [SA11858] Chora CVS Viewer Shell Command Injection Vulnerability [SA11855] Gentoo update for subversion [SA11854] OpenPKG update for apache [SA11853] Fedora update for CVS 
[SA11850] OpenPKG update for CVS [SA11842] Gentoo update for CVS [SA11841] Apache mod_proxy "Content-Length:" Header Buffer Overflow Vulnerability [SA11838] Red Hat update for squid [SA11834] Red Hat update for CVS [SA11884] Gentoo update for horde-imp [SA11883] Gentoo update for webmin [SA11879] Thy Session Handling Denial of Service Vulnerability [SA11875] Gentoo update for squirrelmail [SA11873] Gentoo update for gallery [SA11870] Red Hat update for squirrelmail [SA11863] KAME Racoon X.509 Certificate Validation Vulnerability [SA11851] Sun Solaris / SEAM Kerberos "krb5_aname_to_localname()" Vulnerabilities [SA11843] HP-UX ftp Pipe Character Arbitrary Command Execution Vulnerability [SA11837] Red Hat update for krb5 [SA11836] Red Hat update for ethereal [SA11833] Fedora update for squirrelmail [SA11862] Debian update for kdelibs [SA11872] SGI IRIX Privilege Escalation and Denial of Service Vulnerabilities [SA11867] Red Hat update for tripwire [SA11845] Mandrake ksymoops-gznm Insecure Temporary File Creation Vulnerability [SA11885] SuSE update for kernel [SA11876] Slackware update for kernel [SA11871] Fedora update for kernel [SA11861] Linux Kernel "__clear_fpu()" Macro Denial of Service Vulnerability [SA11847] NetBSD "swapctl()" Denial of Service Vulnerability Other: [SA11849] Edimax EW-7205APL Default Account and Password Disclosure [SA11882] Cisco IOS BGP Processing Denial of Service Vulnerability Cross Platform: [SA11880] Pivot Multiple Vulnerabilities [SA11844] Subversion svn Protocol String Parsing Vulnerability [SA11864] BEA WebLogic SSL Connection Handling Denial of Service Vulnerability [SA11835] cPanel "passwd" Script Database Password Manipulation Vulnerability [SA11865] BEA WebLogic Incorrect Identity RMI Method Execution Vulnerability [SA11852] PHP-Nuke Multiple Vulnerabilities [SA11846] VP-ASP Shopping Cart Cross-Site Scripting Vulnerabilities [SA11860] VICE Monitor "Memory Dump" Command Format String Vulnerability 
======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA11839] AspDotNetStorefront Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting Released: 2004-06-11 Thomas Ryan has reported multiple vulnerabilities in AspDotNetStorefront, which can be exploited by malicious people to conduct cross-site scripting attacks, perform certain administrative actions, and upload arbitrary files. Full Advisory: http://secunia.com/advisories/11839/ -- [SA11878] Web Wiz Forums Registration Rules Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2004-06-16 Ferruh Mavituna has reported a vulnerability in Web Wiz Forums, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/11878/ -- [SA11856] Mozilla Browser Address Bar Spoofing Weakness Critical: Less critical Where: From remote Impact: Spoofing Released: 2004-06-14 A weakness has been reported in Mozilla, allowing malicious people to conduct phishing attacks. Full Advisory: http://secunia.com/advisories/11856/ -- [SA11848] Blackboard Digital Dropbox File Retrieval Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass, Exposure of sensitive information Released: 2004-06-14 Maarten Verbeek has reported a vulnerability in Blackboard, which can be exploited by malicious users to download other users' files in their dropbox. Full Advisory: http://secunia.com/advisories/11848/ -- [SA11840] WinAgents TFTP Server Long Filename Request Denial of Service Critical: Less critical Where: From local network Impact: DoS Released: 2004-06-11 Ziv Kamir has reported a vulnerability in WinAgents TFTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/11840/ -- [SA11857] Sygate Personal Firewall Fail-Safe Mechanism Bypass Vulnerability Critical: Less critical Where: Local system Impact: Security Bypass Released: 2004-06-16 Chew Keong TAN has reported a vulnerability in Sygate Personal Firewall Pro, which can be exploited by malicious, local users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/11857/ -- [SA11868] Internet Explorer File Download Error Message Denial of Service Weakness Critical: Not critical Where: From remote Impact: DoS Released: 2004-06-16 Rafel Ivgi has discovered a weakness in Internet Explorer (IE), allowing malicious people to crash a user's browser. Full Advisory: http://secunia.com/advisories/11868/ UNIX/Linux:-- [SA11874] Gentoo update for horde-chora Critical: Highly critical Where: From remote Impact: System access Released: 2004-06-16 Gentoo has issued an update for horde-chora. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11874/ -- [SA11869] Fedora update for subversion Critical: Highly critical Where: From remote Impact: System access, DoS Released: 2004-06-15 Fedora has issued an update for subversion. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11869/ -- [SA11866] Red Hat update for httpd/mod_ssl Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-06-15 Red Hat has issued an update for httpd/mod_ssl. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/11866/ -- [SA11859] OpenBSD update for httpd/mod_ssl Critical: Highly critical Where: From remote Impact: Security Bypass, Spoofing, DoS, System access Released: 2004-06-14 OpenBSD has issued an update for httpd. This fixes various vulnerabilities, which can be exploited by malicious people to inject potentially malicious characters into error logfiles, bypass certain restrictions, cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11859/ -- [SA11858] Chora CVS Viewer Shell Command Injection Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2004-06-14 Stefan Esser has reported a vulnerability in Chora, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11858/ -- [SA11855] Gentoo update for subversion Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-06-14 Gentoo has issued an update for subversion. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11855/ -- [SA11854] OpenPKG update for apache Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-06-12 OpenPKG has issued an update for apache. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11854/ -- [SA11853] Fedora update for CVS Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-06-12 Fedora has issued an update for CVS. This fixes multiple vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/11853/ -- [SA11850] OpenPKG update for CVS Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-06-11 OpenPKG has issued an update for CVS. This fixes multiple vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11850/ -- [SA11842] Gentoo update for CVS Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-06-14 Gentoo has issued an update for CVS. This fixes multiple vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11842/ -- [SA11841] Apache mod_proxy "Content-Length:" Header Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-06-10 Georgi Guninski has discovered a vulnerability in Apache, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11841/ -- [SA11838] Red Hat update for squid Critical: Highly critical Where: From remote Impact: System access Released: 2004-06-10 Red Hat has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11838/ -- [SA11834] Red Hat update for CVS Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-06-10 Red Hat has issued an update for CVS. This fixes multiple vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/11834/ -- [SA11884] Gentoo update for horde-imp Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2004-06-16 Gentoo has issued an update for horde-imp. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/11884/ -- [SA11883] Gentoo update for webmin Critical: Moderately critical Where: From remote Impact: Security Bypass, DoS Released: 2004-06-16 Gentoo has issued an update for webmin. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/11883/ -- [SA11879] Thy Session Handling Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-06-16 jethro has reported a vulnerability in Thy, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11879/ -- [SA11875] Gentoo update for squirrelmail Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2004-06-16 Gentoo has issued an update for squirrelmail. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/11875/ -- [SA11873] Gentoo update for gallery Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2004-06-16 Gentoo has issued an update for gallery. This fixes a vulnerability, which can be exploited by malicious people to bypass the user authentication. 
Full Advisory: http://secunia.com/advisories/11873/ -- [SA11870] Red Hat update for squirrelmail Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information Released: 2004-06-15 Red Hat has issued an update for squirrelmail. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting, script insertion, and SQL injection attacks. Full Advisory: http://secunia.com/advisories/11870/ -- [SA11863] KAME Racoon X.509 Certificate Validation Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2004-06-17 Thomas Walpuski has reported a vulnerability in KAME Racoon, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/11863/ -- [SA11851] Sun Solaris / SEAM Kerberos "krb5_aname_to_localname()" Vulnerabilities Critical: Moderately critical Where: From remote Impact: System access Released: 2004-06-11 Sun has acknowledged some vulnerabilities in Solaris and SEAM, which can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11851/ -- [SA11843] HP-UX ftp Pipe Character Arbitrary Command Execution Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2004-06-11 HP has acknowledged a very old vulnerability in ftp for HP-UX, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11843/ -- [SA11837] Red Hat update for krb5 Critical: Moderately critical Where: From remote Impact: System access Released: 2004-06-10 Red Hat has issued an update for krb5. This fixes some vulnerabilities, which can be exploited by malicious users to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/11837/ -- [SA11836] Red Hat update for ethereal Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2004-06-10 Red Hat has issued an update for ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial-of-Service). Full Advisory: http://secunia.com/advisories/11836/ -- [SA11833] Fedora update for squirrelmail Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information, Exposure of system information, Manipulation of data, Cross Site Scripting Released: 2004-06-10 Fedora has issued an update for squirrelmail. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting, script insertion, and SQL injection attacks. Full Advisory: http://secunia.com/advisories/11833/ -- [SA11862] Debian update for kdelibs Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2004-06-15 Debian has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious people to create or truncate files on a user's system. Full Advisory: http://secunia.com/advisories/11862/ -- [SA11872] SGI IRIX Privilege Escalation and Denial of Service Vulnerabilities Critical: Less critical Where: Local system Impact: Privilege escalation, DoS Released: 2004-06-16 Three vulnerabilities have been discovered in IRIX, which can be exploited by malicious, local users to gain escalated privileges or cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11872/ -- [SA11867] Red Hat update for tripwire Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-06-15 Red Hat has issued an update for tripwire. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges. 
Full Advisory: http://secunia.com/advisories/11867/ -- [SA11845] Mandrake ksymoops-gznm Insecure Temporary File Creation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-06-12 Geoffrey Lee has discovered a vulnerability in Mandrakelinux, which can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/11845/ -- [SA11885] SuSE update for kernel Critical: Not critical Where: Local system Impact: DoS Released: 2004-06-16 SuSE has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11885/ -- [SA11876] Slackware update for kernel Critical: Not critical Where: Local system Impact: DoS Released: 2004-06-16 Slackware has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11876/ -- [SA11871] Fedora update for kernel Critical: Not critical Where: Local system Impact: DoS Released: 2004-06-15 Fedora has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11871/ -- [SA11861] Linux Kernel "__clear_fpu()" Macro Denial of Service Vulnerability Critical: Not critical Where: Local system Impact: DoS Released: 2004-06-15 Stian Skjelstad has reported a vulnerability in the Linux kernel allowing malicious, local users to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/11861/ -- [SA11847] NetBSD "swapctl()" Denial of Service Vulnerability Critical: Not critical Where: Local system Impact: DoS Released: 2004-06-12 Evgeny Demidov has reported a vulnerability in NetBSD, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11847/ Other:-- [SA11849] Edimax EW-7205APL Default Account and Password Disclosure Critical: Moderately critical Where: From local network Impact: Exposure of sensitive information Released: 2004-06-15 msl has reported a vulnerability in Edimax EW-7205APL, which can be exploited by malicious people to access the access point and disclose administrative passwords. Full Advisory: http://secunia.com/advisories/11849/ -- [SA11882] Cisco IOS BGP Processing Denial of Service Vulnerability Critical: Less critical Where: From remote Impact: DoS Released: 2004-06-16 A vulnerability has been discovered in Cisco IOS, allowing malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11882/ Cross Platform:-- [SA11880] Pivot Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2004-06-16 Some vulnerabilities have been discovered in Pivot, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11880/ -- [SA11844] Subversion svn Protocol String Parsing Vulnerability Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-06-12 ned has reported a vulnerability in Subversion, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/11844/ -- [SA11864] BEA WebLogic SSL Connection Handling Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-06-15 A vulnerability has been reported in BEA WebLogic Server and WebLogic Express, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11864/ -- [SA11835] cPanel "passwd" Script Database Password Manipulation Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2004-06-14 verb0s has reported a vulnerability in cPanel, which can be exploited by certain, authenticated users to manipulate database passwords. Full Advisory: http://secunia.com/advisories/11835/ -- [SA11865] BEA WebLogic Incorrect Identity RMI Method Execution Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass Released: 2004-06-16 A vulnerability has been discovered in BEA WebLogic Server and WebLogic Express, which can be exploited by malicious users to perform certain actions with a wrong identity. Full Advisory: http://secunia.com/advisories/11865/ -- [SA11852] PHP-Nuke Multiple Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting, Exposure of system information, Exposure of sensitive information, DoS Released: 2004-06-14 Janek Vind has reported multiple vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose path information, and cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11852/ -- [SA11846] VP-ASP Shopping Cart Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2004-06-12 Thomas Ryan has discovered multiple vulnerabilities in VP-ASP, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory:
http://secunia.com/advisories/11846/

--

[SA11860] VICE Monitor "Memory Dump" Command Format String Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-06-16

Spiro Trikaliotis has reported a vulnerability in VICE, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/11860/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Thu Jun 17 10:34:40 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 17 10:53:00 2004
Subject: [ISN] Security UPDATE--More About Wi-Fi Security--June 16, 2004
Message-ID:

====================

==== This Issue Sponsored By ====

Free Security White Paper from Postini
http://list.winnetmag.com/cgi-bin3/DM/y/egKh0CJgSH0CBw0BJGU0Au

Windows & .NET Magazine
http://list.winnetmag.com/cgi-bin3/DM/y/egKh0CJgSH0CBw0BEuX0Ae

====================

1. In Focus: More About Wi-Fi Security

2. Security News and Features
- Recent Security Vulnerabilities
- News: New IE Flaws Might Allow Code Injection

3. Instant Poll

4. Security Toolkit
- FAQ
- Featured Thread

5.
New and Improved
- Increased Control Over IP Network Access and Security

====================

==== Sponsor: Postini ====

How to Preemptively Eliminate the Top 5 Email Security Threats

Are worries about spam and virus attacks to your enterprise email system keeping you up at night? See why spam and viruses are only the "tip of the iceberg" when it comes to email security threats. Learn how you can eliminate the top 5 security threats to your email system, including the silent killer -- directory harvest attacks. The good news is there's an easy and effective way to arm your organization against all threats, even the latest spam and email attacks. Find out how to completely and preemptively protect against major threats including spam, viruses, directory harvest attacks (DHA), denial-of-service (DoS) attacks, as well as internal policy violations. Download this free white paper today!
http://list.winnetmag.com/cgi-bin3/DM/y/egKh0CJgSH0CBw0BJGU0Au

====================

==== 1. In Focus: More About Wi-Fi Security ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

Last week, I wrote about problems with particular Linksys and NETGEAR wireless Access Points (APs). I suggested that people might consider putting their APs behind a firewall to better protect the systems from access by outsiders who might approach the units from a WAN link. This practice might protect wireless APs against any unknown vulnerabilities that intruders might discover. Even if your APs have built-in firewalls of their own, consider also using a firewall external to them.

The approach makes sense, but while cruising the Internet last week, I came across an old, but interesting article, "WiFi Security Checklist," at the Security Technique Web site that made me realize that I had overlooked another potential problem that you might want to consider.
http://www.securitytechnique.com/2003/11/wsc.html

As you know, wireless protocols are vulnerable to a variety of attacks.
APs' very nature makes them prone to granting access to users outside your immediate working environment. And of course, once someone has connected to one of your APs, he or she is part of your network. This situation raises the question of how much of your network is exposed to your APs. If you have no additional barriers in place and your APs are essentially inside your trusted network, an intruder will also be inside your trusted network after he or she connects to one of your APs. I doubt that you want to leave that gaping hole open.

So in addition to putting a firewall in between your APs and external networks (whether they be the Internet, partner networks, remote offices, or other networks), you should probably consider putting a firewall behind your APs. In that sort of configuration, you could use some sort of VPN in which wireless clients tunnel back into your private network for access to network resources. That way, if an intruder connects to one of your APs, he or she will have far less to work with when trying to penetrate your overall network.

Or, if your environment uses Remote Authentication Dial-In User Service (RADIUS), you might consider using RADIUS to pass routing restrictions to your APs. For example, Randy Franklin Smith explains in "A Secure Wireless Network Is Possible," Windows & .NET Magazine, May 2004, that if a visiting business partner connects to your AP, RADIUS could pass a routing restriction to the AP that allows him or her access only to the Internet and not your internal network. If you subscribe to the print magazine, you can read Smith's article on our Web site.
http://www.winnetmag.com/article/articleid/42273/42273.html

====================

==== Sponsor: Windows & .NET Magazine ====

Get 2 Sample Issues of Windows & .NET Magazine!

Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Exchange, scripting, and much more.
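As an added example (not from the column or the magazine), here is how the "firewall behind your APs" arrangement described above can be expressed on a Linux gateway: an iptables-restore ruleset in which wireless clients reach the internal network only through a VPN tunnel, and everything else from the wireless segment toward the LAN is logged and dropped. The interface names, the gateway address 10.99.0.1 and the choice of OpenVPN on UDP 1194 as the tunnel are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a firewall placed between the access points and the LAN.
# Assumed topology (constructed for this example, not from the column):
#   wifi   - interface facing the APs (treated as an untrusted segment)
#   lan    - interface facing the internal, trusted network
#   wan    - interface facing the Internet
#   vpn    - tun interface the VPN server (assumed: OpenVPN) creates for
#            clients that have authenticated
#   vpn_gw - the firewall's own address on the wireless segment, where DNS
#            and the VPN endpoint listen

wifi_segment_rules() {
  wifi="$1"; lan="$2"; wan="$3"; vpn="$4"; vpn_gw="$5"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful return traffic is allowed in both directions.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Wireless clients may talk to the firewall itself only for DHCP, DNS
# and the VPN endpoint.
-A INPUT -i $wifi -p udp --dport 67 -j ACCEPT
-A INPUT -i $wifi -d $vpn_gw -p udp --dport 53 -j ACCEPT
-A INPUT -i $wifi -d $vpn_gw -p udp --dport 1194 -j ACCEPT
# Anything else from the wireless segment aimed at the firewall is
# logged (useful for spotting probing from a rogue client) and dropped.
-A INPUT -i $wifi -j LOG --log-prefix "WIFI-INPUT-DROP: "
-A INPUT -i $wifi -j DROP
# Wireless clients never reach the LAN directly ...
-A FORWARD -i $wifi -o $lan -j LOG --log-prefix "WIFI-TO-LAN-DROP: "
-A FORWARD -i $wifi -o $lan -j DROP
# ... only through the tunnel, after the VPN server has authenticated them.
-A FORWARD -i $vpn -o $lan -j ACCEPT
# Optional: plain Internet access for wireless clients (the visiting
# partner case from the column); remove this line to require the VPN
# for everything.
-A FORWARD -i $wifi -o $wan -j ACCEPT
COMMIT
EOF
}

# Policy check on a generated (or hand-edited) ruleset: no ACCEPT rule may
# forward traffic straight from the wireless interface to the LAN.
# Returns 0 when the policy holds, 1 when a direct path exists.
check_no_direct_wifi_to_lan() {
  wifi="$1"; lan="$2"; ruleset="$3"
  if printf '%s\n' "$ruleset" | grep -q -- "-i $wifi -o $lan -j ACCEPT"; then
    return 1
  fi
  return 0
}

# Usage with constructed interface names (run as root on the gateway):
#   wifi_segment_rules wlan0 eth1 eth0 tun0 10.99.0.1 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
```

Clients on the wireless segment still need the VPN server itself to authenticate them (certificates or RADIUS-backed credentials); the ruleset only guarantees that nothing reaches the LAN without passing through it.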
Our expert authors deliver how-to articles and product evaluations that will help you do your job better. Try two, no-risk sample issues today, and find out why 100,000 IT professionals rely on Windows & .NET Magazine each month!
http://list.winnetmag.com/cgi-bin3/DM/y/egKh0CJgSH0CBw0BEuX0Ae

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.winnetmag.com/departments/departmentid/752/752.html

News: New IE Flaws Might Allow Code Injection

On June 7, Jelmer Kuperus posted a message to the Full Disclosure mailing list to report the existence of new vulnerabilities in Microsoft Internet Explorer (IE) and exploits that take advantage of those flaws. As a result, we might see Microsoft release at least one new IE patch before its next scheduled security patch release date of July 15.
http://www.winnetmag.com/article/articleid/42959/42959.html

====================

==== Announcements ====
(from Windows & .NET Magazine and its partners)

Security Patch Management Tools--Windows and Office Update Web Seminar

How are you evaluating, distributing, and installing software patches? This free Webcast discusses the importance of patch management and establishing a patch-management process by using Windows and Office Update as a patch-management tool in your environment. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/egKh0CJgSH0CBw0BJAa0A1

Windows Connections October 24-27, Orlando, Florida.

Save these dates for the Fall 2004 Windows Connections conference, which will run concurrently with Microsoft Exchange Connections. Register early and receive admission to both conferences for one low price. Learn firsthand from Microsoft product architects and the best third-party experts. Go online or call 800-505-1201 for more information.
http://list.winnetmag.com/cgi-bin3/DM/y/egKh0CJgSH0CBw0KXQ0A3

Attend the Black Hat Briefings & Training USA Event - July 24-29, 2004

This is the world's premier technical IT security conference, hosting 2,000 delegates from 30 nations. Featuring 27 hands-on training courses and 10 conference tracks with presentations by security experts and "underground" security specialists. Early-bird registration deadline is July 1!
http://list.winnetmag.com/cgi-bin3/DM/y/egKh0CJgSH0CBw0pHV0AU

====================

==== Hot Release ====

Ultimate Windows Security Training

You've read his articles... Now come to his training! Mind-meld with Windows security expert Randy Franklin Smith and learn his secrets on AD, Group Policy, WiFi Security, VPNs, IPSec, Security Log, EFS, IAS, Software Restrictions, Windows Firewall, etc. Download free security log quick reference chart.
http://list.winnetmag.com/cgi-bin3/DM/y/egKh0CJgSH0CBw0BJGV0Av

====================

==== 3. Instant Poll ====

Results of Previous Poll

The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "Does your company intend to implement Windows XP Service Pack 2 (SP2)?" Here are the results from the 134 votes.
- 29% Yes, as soon as it's available
- 31% Yes, within 3 months of its release
- 7% Yes, within 6 months of its release
- 19% Yes, but we're not sure when
- 13% No
(Deviations from 100 percent are due to rounding.)

New Instant Poll

The next Instant Poll question is, "Where are your wireless Access Points (APs)?" Go to the Security Web page and submit your vote for
- Inside the border firewall
- Outside the border firewall
- Between the border firewall and an internal firewall
http://www.winnetmag.com/windowssecurity

==== 4. Security Toolkit ====

FAQ: How Do I Install Microsoft Exchange Server 2003 Service Pack 1 (SP1)?
by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. Before you install Exchange 2003 SP1, read the release notes.
They contain a number of notices that could apply to your site and might affect the order in which you upgrade servers. You also need to apply the hotfix described by the Microsoft article "FIX: IIS 6.0 compression corruption causes access violations," http://support.microsoft.com/?kbid=831464 before you install the service pack.

After you have the SP1 installation files, run the update.exe program as you would for any other service pack. During the installation, the Information Store service, WWW service, and other Exchange processes are stopped, which interrupts service to users. Therefore, you should plan to perform the upgrade at a time when users don't need to access Exchange.

A new version of the Exchange Server Deployment Tools is available from the link below. You can use the deployment tools to assist you in the upgrade process. The tools offer new features, including enhanced support for consolidating sites in a mixed-mode environment (i.e., an environment containing a mix of servers running any combination of Exchange 2003, Exchange 2000 Server, and Exchange Server 5.5).
http://www.microsoft.com/downloads/details.aspx?familyid=271e51fd-fe7d-42ad-b621-45f974ed34c0&displaylang=en

Featured Thread: Extranet Security Setup
(One message in this thread)

A reader wants to create an Active Server Pages (ASP) extranet application that will give his customers access to information such as the work his company has done for them, the costs, and any scheduled work. Each user should be able to view his or her own information but not other customers' information. All the information is stored in one database, so he's thinking about using views in SQL Server 2000 to ensure that customers see only their own information.
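One way to implement the view-based filtering the reader is considering, as an added example that is not from the thread or the reader: it assumes one SQL Server login per customer, mapped in a constructed CustomerLogins table, and all table, login and customer names below are constructed.

```sql
-- Added example, not from the thread. Row filtering with a view in SQL Server 2000.
-- Assumption: each customer's ASP session connects with that customer's own SQL login.
CREATE TABLE Customers (
    CustomerID   int           NOT NULL PRIMARY KEY,
    CustomerName nvarchar(100) NOT NULL
);

CREATE TABLE CustomerLogins (
    LoginName  sysname NOT NULL PRIMARY KEY,  -- SQL login used for this customer
    CustomerID int     NOT NULL REFERENCES Customers(CustomerID)
);

CREATE TABLE WorkItems (
    WorkItemID   int           NOT NULL PRIMARY KEY,
    CustomerID   int           NOT NULL REFERENCES Customers(CustomerID),
    Description  nvarchar(200) NOT NULL,
    Cost         money         NOT NULL,
    ScheduledFor datetime      NULL
);
GO

-- The view does the filtering: a caller only ever sees rows whose CustomerID
-- is mapped to the login they authenticated with (SUSER_SNAME()).
CREATE VIEW dbo.MyWorkItems
AS
SELECT w.WorkItemID, w.Description, w.Cost, w.ScheduledFor
FROM dbo.WorkItems AS w
JOIN dbo.CustomerLogins AS cl ON cl.CustomerID = w.CustomerID
WHERE cl.LoginName = SUSER_SNAME();
GO

-- Customers get a role that can read the view and nothing underneath it.
-- Because view and tables share the owner (dbo), ownership chaining lets the
-- view read the tables even though the role is denied direct access to them.
EXEC sp_addrole 'ExtranetCustomer';
GRANT SELECT ON dbo.MyWorkItems   TO ExtranetCustomer;
DENY  SELECT ON dbo.WorkItems      TO ExtranetCustomer;
DENY  SELECT ON dbo.CustomerLogins TO ExtranetCustomer;
DENY  SELECT ON dbo.Customers      TO ExtranetCustomer;
GO

-- Constructed sample data and two constructed customer logins.
INSERT Customers VALUES (1, N'Acme Ltd');
INSERT Customers VALUES (2, N'Globex Corp');
INSERT WorkItems VALUES (10, 1, N'Firewall rule review', 1200.00, '2004-07-01');
INSERT WorkItems VALUES (11, 2, N'Exchange SP1 rollout', 3500.00, NULL);

EXEC sp_addlogin 'acme_web',   'PLACEHOLDER-PASSWORD';
EXEC sp_addlogin 'globex_web', 'PLACEHOLDER-PASSWORD';
EXEC sp_grantdbaccess 'acme_web';
EXEC sp_grantdbaccess 'globex_web';
EXEC sp_addrolemember 'ExtranetCustomer', 'acme_web';
EXEC sp_addrolemember 'ExtranetCustomer', 'globex_web';
INSERT CustomerLogins VALUES ('acme_web', 1);
INSERT CustomerLogins VALUES ('globex_web', 2);
GO

-- Check: connected as acme_web, this returns only work item 10, and
-- SELECT * FROM dbo.WorkItems fails with a permission error.
SELECT * FROM dbo.MyWorkItems;
```

If the ASP application instead connects with one shared login for every customer, SUSER_SNAME() is the same for all of them and the view cannot tell customers apart; the filter then has to come from the application, and the view no longer enforces it.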
You can read the reader's plans for his application and offer advice at
http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=122017

====================

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

New--Shrinking the Server Footprint: Blade Servers

In this free Web seminar, you'll learn how blade servers provide native hot swappable support, simplified maintenance, modular construction, and support for scalability. And we'll talk about why you should be considering a blade server as the backbone of your next hardware upgrade. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/egKh0CJgSH0CBw0BJAQ0Ak

====================

==== 5. New and Improved ====
by Jason Bovberg, products@winnetmag.com

Increased Control Over IP Network Access and Security

MetaInfo and Perfigo announced a joint marketing and integration alliance in which the companies will provide and support integration between MetaInfo's Meta IP SAFE DHCP and Perfigo's SecureSmart and CleanMachines products. By integrating the companies' complementary technologies, customers will be able to control and protect against unauthenticated access, viruses, worms, and policy noncompliance at the IP layer. While authenticating the machine's identity, the Meta IP SAFE DHCP server simultaneously requests network security validation and policy compliance checks from CleanMachines. CleanMachines conducts administrator-defined network and device-based scans that can find security vulnerabilities, such as viruses, outdated patches, spyware, and worms. For more information about this partnership, contact MetaInfo at 206-674-3700 or on the Web.
http://www.metainfo.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden?
Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com.

====================

==== Sponsored Links ====

Argent
Comparison Paper: The Argent Guardian Easily Beats Out MOM
http://list.winnetmag.com/cgi-bin3/DM/y/egKh0CJgSH0CBw0BDWV0A6

Microsoft(R) TechNet
Microsoft(R) TechNet Webcasts: essential guidance, industry experts
http://list.winnetmag.com/cgi-bin3/DM/y/egKh0CJgSH0CBw0BG360A1

====================

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@winnetmag.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Contact Us ====

About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

====================

==== Contact Our Sponsors ====

Primary Sponsor: Postini -- http://www.postini.com -- 1-888-584-3150
Hot Release Sponsor: Monterey Technology Group -- http://www.montereytechgroup.com -- 1-864-587-9720

====================

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network.
To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you!

View the Windows & .NET Magazine privacy policy at
http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Jun 17 10:36:03 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 17 10:53:01 2004
Subject: [ISN] Thieves Steal Computers at Hong Kong Fair
Message-ID:

http://www.baltimoresun.com/news/nationworld/world/wire/sns-ap-hong-kong-brazen-thieves,0,3405997.story?coll=sns-ap-world-headlines

By Associated Press
June 17, 2004

HONG KONG -- Thieves snatched two computers from a Hong Kong trade fair, a particularly brazen act considering that the victims were security companies showing off the latest crime-stopping technology.

The thieves stole two laptop computers worth $2,500 from the Asia Securitex 2004 trade show on Wednesday, police spokeswoman Carrie So said.

"If you can't expect good security here, where can you expect it?" exhibitor Shinah Lunty was quoted as saying in the South China Morning Post newspaper. Lunty told the newspaper that her mobile phone, worth $260, was also stolen.

Hong Kong police inspector Bob White said he suspected a mainland China gang targeted the exhibition because it was seen as a place for "easy pickings," the newspaper reported.

The four-day trade show started Tuesday.

From isn at c4i.org Thu Jun 17 10:38:48 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 17 10:53:03 2004
Subject: [ISN] Q&A: Tom Leighton, chief scientist at Akamai
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,93875,00.html

By Jaikumar Vijayan
JUNE 16, 2004
COMPUTERWORLD

Akamai Technologies Inc.
said today that the Domain Name System problems it encountered yesterday were the result of a sophisticated and targeted distributed denial-of-service attack against the company. In an interview with Computerworld, Tom Leighton, the company's chief scientist, talked about what happened.

What was the nature of yesterday's attack?

It was a name server attack against four of our customers for whom we carry their name servers. Our assumption was this was an attack against Akamai and it was perpetrated by attacking our customer name service infrastructure. It is not impossible that this was a coordinated attack against those four Web sites. Akamai has a lot of key customers, and it could just be a coincidence that the four happened to be Akamai customers. [But] we are assuming it was an attack against Akamai.

Why were only four major customers affected?

Actually, we had more than those four customers impacted. About 4% of our customer base [of about 1,100 customers] had the potential to be impacted by it. Half of them did not have any noticeable impact. There was a set of servers that experienced the brunt of the attack. The servers did not go down, but their ability to perform was severely hampered. They were giving out valid information, but for a small subset of customers, the performance was not there.

Has the source of the attack been identified and the attack traffic stopped?

That's information that we are sharing with the authorities. But the attack traffic has been eliminated.

What's happened since the attack?

We've had a chance to analyze the attack. We have put out several additional defensive mechanisms in place because there is a security concern. Going forward, we are continuing to place additional mechanisms in place. DNS is a critical component of the Internet and in general one of the most vulnerable. We've put a lot into securing our name server infrastructure. We have learned from this incident.
Is there any indication that someone with inside knowledge could have been responsible?

It was sophisticated and very large-scale, but it did not require insider knowledge. We have no reason to believe an insider was involved.

Could the incident have been caused by an internal technology problem?

Our systems performed normally, as they are designed to perform. It is because of this that it didn't impact more of our customer base.

From isn at c4i.org Fri Jun 18 04:55:34 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 18 05:08:09 2004
Subject: [ISN] US firm spread hostage video
Message-ID:

http://www.news24.com/News24/World/News/0,,2-10-1462_1544211,00.html

Edited by Anthea Jonathan
17/06/2004

Berlin - Video images of a US engineer taken hostage in Saudi Arabia, possibly by the al-Qaeda network, could have been put on the internet via a US firm based in California, Der Spiegel magazine reported on Thursday.

The video was released on Tuesday and shows relatively high-quality film of hostage Paul Johnson, who kidnappers from a group called "al-Qaeda in the Arabian Peninsula" have threatened to kill by Friday.

The origin of the video was traced to Silicon Valley Land Surveying Incorporated, a California land surveying and mapping company, said Spiegel online, the internet service for the respected German weekly.

The magazine said that according to its research the move was the first time al-Qaeda had "hijacked" a website to broadcast its propaganda.

The network usually spreads its message through Islamist sites but this time, Spiegel maintains, hackers created a special file at the company's web address at least an hour before global news agencies broke word of the video.

The magazine said that company chief Tim Redd had refused to comment.

In the video, the group had demanded that hundreds of Islamic militants being detained in Saudi Arabia be released within 72 hours.
The hostage, a 49-year-old aviation engineer, was shown blindfolded with a piece of white fabric and tape. He was wearing a red shirt torn in parts so a tattoo on his left shoulder was visible.

In a brief statement Johnson gave his identity, nationality and said he was working as an aviation engineer.

An armed man wearing a balaclava and a belt containing explosives then introduced himself as Abdel Aziz Al-Muqrin, leader of an "al-Qaeda in the Arabian Peninsula" group. He read a lengthy statement containing the threat to kill Johnson.

From isn at c4i.org Fri Jun 18 04:57:02 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 18 05:08:10 2004
Subject: [ISN] Vendor Claims Hackers Can Hijack Hotspot Authentication
Message-ID:

http://www.mobilepipeline.com/showArticle.jhtml?articleID=22100402

[Slow day at the Integralis Security Labs? Read their advisory, and I'm sure you will agree that social engineering one of the employees would be considerably easier than trying to abuse three separate technologies just to score free Hotspot airtime. - WK]

By Mobile Pipeline News
June 17, 2004

A security flaw in some implementations of Bluetooth enables hackers to easily steal Wi-Fi hotspot authentication information, a U.K. security firm said Thursday.

According to security integrator Integralis, the Bluetooth flaw is exploited when users sign up for hotspot access using SMS text messaging, a method allowed by a variety of hotspot providers. The Bluetooth security flaw enables nearby hackers to intercept the SMS message containing log-on information as it travels between the user and the hotspot vendor, according to the company. The company issued a security advisory [1] this week about the problem.

The company said it found the potential problem exists with a variety of operators including Cingular in the U.S., and T-Mobile and Vodafone in Europe. For example, T-Mobile enables its voice users to send an SMS message to a specific number containing the word "open."
The company then sends a message back to the user with log-on information.

The victim will be billed for all the unauthorized access while detection of the attack is virtually impossible, according to Integralis. The company said the attack can be automated and accomplished in under a minute. It said it had no evidence that such attacks have actually occurred.

The company suggested users first check to see if their phones are vulnerable by accessing a separate security advisory it previously issued. It also suggested that users check for firmware updates for their phones, to switch off Bluetooth visible mode and, if possible, to not use Bluetooth in public places.

[1] http://www.integralis.co.uk/about_us/press_releases/2004/150604SA.html

From isn at c4i.org Mon Jun 21 02:17:58 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 21 02:39:38 2004
Subject: [ISN] Web-security group seeks to plant its flag in San Antonio
Message-ID:

http://www.bizjournals.com/industries/high_tech/networking/2004/06/21/sanantonio_story7.html

Mike W. Thomas
June 18, 2004

A new nonprofit organization for information security professionals is coming to San Antonio to spread its gospel about the need to address security from an application standpoint.

The Open Web Application Security Project (OWASP) was created as an open source community where people can advance their knowledge about Web application and Web-services security issues.

The Denim Group, a local information security start-up, is leading the charge to set up a San Antonio chapter of OWASP. Dan Cornell, a partner at Denim Group, is set to serve as president of the local chapter.

"San Antonio is a really interesting town for a chapter for this organization because of its strong military presence ... ," Cornell says. "...
I think we will see a lot of interest here in town from more traditional information security practitioners who are interested in expanding their skills so they can better understand how application development works."

John Dickson, another partner at Denim Group, says OWASP serves as a forum for security people and software developers to cross-pollinate.

"The security people are typically on one side of the house and the software developers speak another language," Dickson says. "So we are going to create a forum through this chapter where development people from the big companies like USAA, Valero and Clear Channel will be able to interact and trade war stories."

Dickson says the information technology industry is starting to realize it is pretty much straightforward to secure most of the regular infrastructure in a computer network, but when people put custom software up on the Web, it opens up a backdoor for hackers.

Cornell says when you look at traditional security practitioners compared to application security, there is both a training and a cultural difference.

"Application security combines the paranoid mentality that says 'How can I break into something,' with software development," he explains. "Most information security folks are very strong at the network level, and they understand routers and firewalls and intrusion detection and patches and spam.

"But they do not all have the more formal computer science background that gets you to the point where you can create software on your own."

Meet the founder

Cornell and Dickson will be attending an application security conference this week (June 19-20) in New York City where they will discuss setting up a local chapter of OWASP with the organization's founder, Mark Curphey.

Curphey is a director of consulting at Foundstone, a leading global information security software, services and education provider based in Mission Viejo, Calif.
Curphey says a few years ago, while working for a company in Atlanta that tested security systems, he found that often when he would break into an organization during a penetration test, it was through the application layer.

Later, when he took a job at Charles Schwab in San Francisco heading up their application security program globally, he started communicating with other people in the financial services industry and realized they were struggling with the same set of problems.

"We determined that there was a lack of good, unbiased information out there about the software security problem," Curphey says. "What was being portrayed at the time by a couple of small start-ups was a marketing campaign of fear, uncertainty and doubt with the aim of selling more of their products."

But Curphey says these companies weren't addressing the real needs, so he got a group of people together to help get the word out about the real problems with application security.

"We came up with a common lexicon with which we could discuss the issues and put it in the open, so we could all share the same common ground," he says. "... We set about creating a guide to building secure Web applications and then released it free on the Internet.

"What we discovered was that there was a huge appetite for it. People just began coming out of the woodwork and that initial document got downloaded a million and a half times in that first year in 2000."

Global expansion

Curphey says from that initial interest, the organization moved ahead with developing more projects on an open source basis until they got to the point where they are at today.

Today, OWASP has active participants from all over the world, including local chapters in Houston and Dallas.

"This year we have been absolutely going through the roof with the level of interest," Curphey says. "We have been working to develop testing standards and criteria, and we are getting a lot of adoption."
Curphey says when a number of the large financial institutions and the large telecoms began coming forward to give his group money to figure out ways to enhance their work, they decided to set up a non-profit foundation.

"We now have an overarching foundation that controls what we are doing," he says. "We are staffed by volunteers and everything is non-profit and open source. Everything is always licensed so that it will always be free and nobody can make money from it."

From isn at c4i.org Mon Jun 21 02:18:15 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 21 02:39:40 2004
Subject: [ISN] Hackers Strike Six State Agencies
Message-ID:

http://times.hankooki.com/lpage/200406/kt2004062017114010440.htm

By Kim Tae-gyu
Staff Reporter
06-20-2004

The computer systems of six of Korea's state agencies, including a pair of sensitive defense research institutes, were cracked by an anonymous hacker or hackers, according to the National Cyber Security Center (NCSC).

The anti-cyber crime institute said on Saturday that the Peep Trojan hacking program infected 64 computers at six government agencies, including the Agency for Defense Development (ADD) and the Korea Institute for Defense Analyses (KIDA).

Also affected were the Korea Atomic Energy Research Institute, the Ministry of Maritime Affairs and Fisheries, the National Maritime Police Agency, and the Small and Medium Business Administration.

"As soon as we discovered some government computers were contaminated by the Peep Trojan hacking program, we took emergency measures and currently there is no risk of data outflow," the NCSC said in a statement.

The NCSC added it shut down the hackers' posting site, distributed anti-virus programs and updated the anti-hacking system to prevent a recurrence of the dangerous incursion.

The agency, however, failed to confirm whether or not confidential information was stolen from the invaded agencies before the presence of the virus was detected.
The ADD and the KIDA maintain a large amount of material, the former being a research institute for developing Korea's weapon systems while the latter focuses on research related to the nation's defense policy.

The Peep Trojan hacking program, which has wrought havoc this year, especially in Taiwan, was authored by Taiwanese Wang Ping-an, arrested by the country's cyber security authorities last month, the NCSC said.

The information-stealing virus typically comes in the form of an e-mail attachment and executes itself when unsuspecting recipients open the attached files. Once launched, the malicious program gives unauthorized access to hackers, enabling them to write, delete or edit files on the infected machines without the owner's knowledge.

In an effort to prevent the invasion of other hacking programs, the NCSC said it will beef up its monitoring process as well as establish a pan-national cyber security system in cooperation with related ministries.

The agency also recommended individual computer users update vaccine programs and not open e-mail with suspicious attachments.

From isn at c4i.org Mon Jun 21 02:18:31 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 21 02:39:41 2004
Subject: [ISN] Security Managers Could Face Court Penalties
Message-ID:

http://nwc.securitypipeline.com/showArticle.jhtml?articleID=22100927

By Mitch Wagner
June 18, 2004

San Francisco - Routine efforts to improve network security could be used against IT managers in court, warned cybercrime attorney Mark Rasch.

Security managers who fail to secure their company's information could be making it harder to prosecute computer crime, said Rasch, who delivered a keynote at the NetSec 2004 conference here this week.

"For trade secrets to be entitled to legal protection, the person holding the trade secret has to demonstrate that they used reasonable efforts to ensure its secrecy," Rasch said.
And sometimes a security manager's efforts to secure information can be used against him by a plaintiff's attorney. For example, imagine that a security manager writes a memo listing 10 measures that must be taken to secure corporate information, and the company only implements two of them. "That memo is a plaintiff's lawyer's dream," Rasch said.

Likewise, security managers are routinely cautious in deploying patches to Microsoft software and other products. The patches are tested, and rolled out over a period of time. That caution could be used by a plaintiff's lawyer to prove negligence.

"They'd ask how much it would cost to install the patch? They'd say it doesn't cost much. You'd say it isn't just one patch, there are thousands of patches. But the jury just hears about the one patch," Rasch said.

Likewise, companies that generate security logs but don't look at them are letting themselves in for legal trouble, Rasch said. The corporation is presumed to be aware of the information contained in those logs.

Rasch is senior vice president and chief security counsel for Solutionary, a managed security service provider. He is former head of the U.S. Justice Department's computer crime unit, and prosecuted Robert Tappan Morris, who released one of the first Internet worms in 1988. Rasch also prosecuted the Hanover hackers, as described in "The Cuckoo's Egg," by Clifford Stoll.

Another problem with computer law is that laws are written so broadly that they criminalize normal activities, Rasch said.

"We define computer law so broadly that it covers things we never meant, and then we tell people, don't worry, you would never be prosecuted," Rasch said. There is no way to make the law so precisely worded that we prosecute only what we want to prosecute; we rely on prosecutorial discretion to stop unreasonable prosecutions.

Computer crime is defined as unauthorized access to a computer, he said.
By that standard, any time an employee violates a company policy barring personal use of the Internet, that employee is committing a felony - even if the policy is routinely violated and never enforced, Rasch said.

From isn at c4i.org Mon Jun 21 02:18:58 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 21 02:39:43 2004
Subject: [ISN] Book review: The Zenith Angle by Bruce Sterling
Message-ID:

http://www.nytimes.com/2004/06/20/books/review/20SCIFIL.html

[http://www.amazon.com/exec/obidos/ASIN/0345460618/c4iorg - WK]

By GERALD JONAS
NYTimes.com Sunday Book Review
Published: June 20, 2004

-=-

The Zenith Angle
Bruce Sterling
Hardcover - 352 pages (April 1, 2004)
$24.95 - Del Rey Books
ISBN: 0345460618

THE ZENITH ANGLE, by Bruce Sterling (Del Rey/Ballantine, $24.95), also deals with bureaucratic foot-dragging in the face of clear and present danger. Sterling, one of the progenitors of cyberpunk, allows his hero, Derek Vandeveer, a computer genius nicknamed Van, to win one for the C.C.I.A.B., the Coordination of Critical Information Assurance Board. A family man whose astronomer wife handles the child care, Van builds a security system -- based on something called a "Grendel supercluster" -- to safeguard the federal government's computers after 9/11. "Grendels," he explains, "are made from obsolete PC's, but clustered in parallel without any von Neumann bottlenecks." And that's just for starters: "Van was planning to implement distributed streams within the Grendel. That was overkill, really. There wasn't a kode-kid, cracker, hacktivist or even intelligence agency in the whole world that could break into a Grendel. But a Grendel running streams -- man, that would be beyond all coolness." This is the way Van talks, and Sterling sees no reason to translate his professional enthusiasms into ordinary English.
Indeed, Van's story floats on a Sargasso sea of jargon and bureaucratic acronyms that grows ever thicker as the threats escalate from "infowar" and "cyberwar" to vintage mad-scientist "spacewar." At some point, even Van can't do his duty within the system, so he goes rogue with some ex-Special Ops to take down a satellite-killing laser.

Van's adventures inside and outside the Beltway are treated with some amusement, but Sterling underscores their plausibility by dating them from September 1999 to September 2002. Which raises the question: how much of this is science fiction and how much is fact? When Van visits the Cheyenne Mountain Air Force base that commands America's ICBM's, he shares this technical detail: "The entire base was supported on giant, white-painted steel springs. If half of Cheyenne Mountain vaporized in a 50-megaton first strike, the deep bunker would just bounce on its springs a little." I'm not sure about the Grendels, but this I believe.

From isn at c4i.org Mon Jun 21 02:19:14 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 21 02:39:44 2004
Subject: [ISN] Stealth wallpaper could keep LANs secure
Message-ID:

http://networks.silicon.com/lans/0,39024663,39121501,00.htm

By Ron Coates
June 18 2004

UK defence contractor BAE Systems has developed a stealth wallpaper to beat electronic eavesdropping on company Wi-Fi and wired LANs.

The company has produced panels using the technology to produce a screen that will prevent outsiders from listening in on companies' Wi-Fi traffic but let other radio and mobile phone traffic get through.

The FSS (Frequency Selective Surface) panels are made in the same way as printed circuit boards - layers of copper on Kapton polymer - and used on stealth bombers and fighter jets. They come in two varieties: passive, which is effectively permanent, and active, where various areas can be switched on and off to enlarge or limit the area of the network.
The panels are 50 to 100 microns thick and can be applied to most surfaces including glass. A company spokesman claimed that they also helped reduce "noise" in buildings where a number of companies operate their own separate LANs. BAE Systems developed the new material with £145,000 of funding from the Radiocommunications Agency, which is now part of Ofcom. BAE says the material is cheap and it will be developing it commercially through BAE's corporate venture subsidiary. There is no timescale for its commercial availability. From isn at c4i.org Mon Jun 21 02:19:48 2004 From: isn at c4i.org (InfoSec News) Date: Mon Jun 21 02:39:45 2004 Subject: [ISN] pacsec.jp/core04 Call For Papers Message-ID: Forwarded from: Dragos Ruiu (Japanese Below) CALL FOR PAPERS PacSec.JP (Pacific Security) http://pacsec.jp Announcing the opportunity to submit papers for the PacSec/core03 network security training conference. The conference will be held November 11/12th in Tokyo. The conference focuses on emerging information security tutorials - it will be a bridge between the international information security technology community and the Japanese information security technology community. Please make your paper proposal submissions before July 5 2004. Slides for the papers must be submitted by October 1st 2004. The conference is November 11th and 12th 2004, presenters need to be available in the days before to meet with interpreters. A number of invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography and papers, speaking background to core04@pacsec.jp. Tutorials are one hour in length, but with simultaneous translation should be approximately 45 minutes in English, or Japanese.
Only slides will be needed for the October paper deadline, full text does not have to be submitted. The Pacific Security (PacSec) conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and education for a technical audience. The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of overt product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products. Paper proposals should consist of the following information: 1) Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax). 2) Employer and/or affiliations. 3) Brief biography, list of publications and papers. 4) Any significant presentation and educational experience/background. 5) Topic synopsis, Proposed paper title, and a one paragraph description. 6) Reason why this material is innovative or significant or an important tutorial. 7) Optionally, any samples of prepared material or outlines ready. Please forward the above information to core04@pacsec.jp to be considered for placement on the speaker roster.
[Japanese version of the above call for papers followed here; it did not survive the archive's character encoding.]
-- World Security Pros. Cutting Edge Training, Tools, and Techniques Tokyo, Japan Nov 11-12 2004 http://pacsec.jp pgpkey http://dragos.com/ kyxpgp From isn at c4i.org Mon Jun 21 02:20:16 2004 From: isn at c4i.org (InfoSec News) Date: Mon Jun 21 02:39:46 2004 Subject: [ISN] Linux Advisory Watch - June 18, 2004 Message-ID: +---------------------------------------------------------------+ | LinuxSecurity.com Linux Advisory Watch | | June 18, 2004 Volume 5, Number 25a | +---------------------------------------------------------------+ Editors: Dave Wreski dave@linuxsecurity.com, Benjamin Thomas ben@linuxsecurity.com Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes point This week, advisories were released for cvs, krb5, kernel, subversion, ethereal, squirrelmail, gallery, Webmin, squid, aspell and tripwire The distributors include Debian, Fedora, Gentoo, Red Hat, Slackware, Suse, and Trustix. ----- >> Internet Productivity Suite: Open Source Security << Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10 ----- Open Source Vulnerability Database The open source community has long been fueled by the drive and inspiration of those wishing to produce software for the good of everyone. Open source allows its users to achieve things that would have otherwise not been possible. Often, proprietary software is too expensive, not flexible, and full of bugs. Users of proprietary software work at the mercy of their vendors with little to no influence on features or functionality. Those organizations who demand security often have trouble getting proprietary software vendors to comply. Open source is a great solution for those wishing to have complete control including over security, flexibility, and functionality. Open source thrives on those wishing to share their work for the benefit of the community. To have a successful open source project, it must be backed by individuals who are ultimately committed to the project. Contributors must be willing to donate time and money for the advancement of the cause. Often, open source projects are not properly funded until they are already well established. Recently, I have had the great pleasure of talking with Tyler Owen, a contributor to the Open Source Vulnerability Database project. He and others associated with the project have shown a lot of initiative. Although it has been slow getting off the ground, there has been a renewed commitment to provide the open source community with a database that indexes security vulnerabilities. Rather than individual open source users being burdened with keeping track of them, OSVDB is striving for it to be a more collaborative process so that work is not duplicated and everyone can benefit. Full Interview Text Available: http://www.linuxsecurity.com/feature_stories/feature_story-156.html Until next time, cheers! Benjamin D.
Thomas ben@linuxsecurity.com ----- Interview with Brian Wotring, Lead Developer for the Osiris Project Brian Wotring is currently the lead developer for the Osiris project and president of Host Integrity, Inc. He is also the founder of knowngoods.org, an online database of known good file signatures. Brian is the co-author of Mac OS X Security and a long-standing member of the Shmoo Group, an organization of security and cryptography professionals. http://www.linuxsecurity.com/feature_stories/feature_story-164.html -------------------------------------------------------------------- Guardian Digital Launches Next Generation Secure Mail Suite Guardian Digital, the premier open source security company, announced the availability of the next generation Secure Mail Suite, the industry's most secure open source corporate email system. This latest edition has been optimized to support the changing needs of enterprise and small business customers while continually providing protection from the latest in email security threats. http://www.linuxsecurity.com/feature_stories/feature_story-166.html -------------------------------------------------------------------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ 6/17/2004 - cvs Multiple vulnerabilities Sebastian Krahmer and Stefan Esser discovered several vulnerabilities in the CVS server during a code audit. http://www.linuxsecurity.com/advisories/debian_advisory-4483.html 6/17/2004 - krb5 Buffer overflow vulnerability This overflow only applies if aname_to_localname is enabled in the configuration (not default).
http://www.linuxsecurity.com/advisories/debian_advisory-4484.html +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ 6/17/2004 - kernel 2.6.6 Security enhancement This upgrade is not specifically security-related; it fixes many kernel bugs and adds support for stack non-execution on some systems, which is important in guarding against buffer overflows. http://www.linuxsecurity.com/advisories/fedora_advisory-4478.html 6/17/2004 - cvs Multiple vulnerabilities Many vulnerabilities, discovered in a recent audit of cvs, are fixed. http://www.linuxsecurity.com/advisories/fedora_advisory-4479.html 6/17/2004 - subversion Heap overflow vulnerability If using the svnserve daemon, an unauthenticated client may be able to execute arbitrary code as the daemon's user. http://www.linuxsecurity.com/advisories/fedora_advisory-4480.html 6/17/2004 - kernel 2.6.6 Denial of service vulnerability This update includes a fix for the local denial of service as described in linuxreviews.org. http://www.linuxsecurity.com/advisories/fedora_advisory-4481.html 6/17/2004 - ethereal Security patch correction These new packages fix a bug in the last errata where the actual security patch didn't get applied. http://www.linuxsecurity.com/advisories/fedora_advisory-4482.html +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ 6/17/2004 - subversion Heap overflow vulnerability Subversion is vulnerable to a remote Denial of Service that may be exploitable to execute arbitrary code http://www.linuxsecurity.com/advisories/gentoo_advisory-4470.html 6/17/2004 - squirrelmail Cross site scripting vulnerability Squirrelmail fails to properly sanitize user input, which could lead to a compromise of webmail accounts.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4471.html 6/17/2004 - Horde-Chora Code injection vulnerability Cross site scripting vulnerability A vulnerability in Chora allows remote code execution and file upload. http://www.linuxsecurity.com/advisories/gentoo_advisory-4472.html 6/17/2004 - gallery Privilege escalation vulnerability Vulnerability may allow an attacker to gain administrator privileges within Gallery. http://www.linuxsecurity.com/advisories/gentoo_advisory-4473.html 6/17/2004 - Horde-IMP Input validation vulnerability Privilege escalation vulnerability Horde-IMP fails to properly sanitize email messages that contain malicious HTML or script code. http://www.linuxsecurity.com/advisories/gentoo_advisory-4474.html 6/17/2004 - Webmin Multiple vulnerabilities Webmin contains two security vulnerabilities which could lead to a denial of service attack and information disclosure. http://www.linuxsecurity.com/advisories/gentoo_advisory-4475.html 6/17/2004 - squid Buffer overflow vulnerability Squid contains a bug where it fails to properly check bounds of the 'pass' variable. http://www.linuxsecurity.com/advisories/gentoo_advisory-4476.html 6/17/2004 - aspell Buffer overflow vulnerability A bug in the aspell utility word-list-compress can allow an attacker to execute arbitrary code. http://www.linuxsecurity.com/advisories/gentoo_advisory-4477.html +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ 6/17/2004 - squirrelmail Multiple vulnerabilities This patch resolves cross-site scripting and SQL injection vulnerabilities. http://www.linuxsecurity.com/advisories/redhat_advisory-4467.html 6/17/2004 - tripwire Format string vulnerability If Tripwire is configured to send reports via email, a local user could gain privileges by creating a carefully crafted file. 
http://www.linuxsecurity.com/advisories/redhat_advisory-4468.html 6/17/2004 - httpd,mod_ssl Buffer overflow vulnerability Format string vulnerability Updated httpd and mod_ssl packages that fix minor security issues in the Apache Web server are now available for Red Hat Enterprise Linux 2.1. http://www.linuxsecurity.com/advisories/redhat_advisory-4469.html +---------------------------------+ | Distribution: Slackware | ----------------------------// +---------------------------------+ 6/15/2004 - kernel 2.4.26 Denial of service vulnerability Patch resolves ability of local user to crash the kernel. http://www.linuxsecurity.com/advisories/slackware_advisory-4463.html +---------------------------------+ | Distribution: Suse | ----------------------------// +---------------------------------+ 6/17/2004 - kernel Denial of service vulnerability The Linux kernel is vulnerable to a local denial-of-service attack by non-privileged users. http://www.linuxsecurity.com/advisories/suse_advisory-4465.html 6/17/2004 - subversion Heap overflow vulnerability This heap overflow is exploitable even before authentication of users. http://www.linuxsecurity.com/advisories/suse_advisory-4466.html +---------------------------------+ | Distribution: Trustix | ----------------------------// +---------------------------------+ 6/17/2004 - kernel Denial of service vulnerability Stian Skjelstad discovered a bug whereby a non-privileged user can crash the kernel. http://www.linuxsecurity.com/advisories/trustix_advisory-4464.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. 
------------------------------------------------------------------------ From Yves.Roudier at eurecom.fr Mon Jun 21 13:25:25 2004 From: Yves.Roudier at eurecom.fr (Yves.Roudier@eurecom.fr) Date: Tue Jun 22 07:10:32 2004 Subject: [ISN] ESORICS 2004 - Call for Participation Message-ID: <200406211725.i5LHPPA3029390@zinnia.eurecom.fr> [Apologies for multiple copies of this announcement] CALL FOR PARTICIPATION ESORICS 2004 9th European Symposium on Research in Computer Security Sponsored by SAP and @sec Institut Eurecom, Sophia Antipolis, French Riviera, France September 13-15, 2004 http://esorics04.eurecom.fr ESORICS 2004 will be collocated with RAID 2004 ============================================================================== IMPORTANT NOTICE: special hotel rates have been negotiated, but the deadline for some hotels is June 30. Please check the hotel information at: http://esorics04.eurecom.fr/Hotels.htm ============================================================================== ******************************************* EARLY REGISTRATION DEADLINE: July 20, 2004 ******************************************* Since 1990, ESORICS has been confirmed as the European research event in computer security, attracting an audience from both the academic and industrial communities. The symposium has established itself as one of the premier international gatherings on Information Assurance. This year's three-day program will feature a single technical track with 27 full papers selected from almost 170 submissions.
PRELIMINARY PROGRAM ------------------- Monday, September 13th ====================== 09:15 - 09:30 opening remarks 09:30 - 10:30 invited talk 10:30 - 11:00 coffee break 11:00 - 12:30 Access control -------------- Incorporating Dynamic Constraints in the Flexible Authorization Framework Shiping Chen, Duminda Wijesekera, Sushil Jajodia Access-Condition-Table-driven Access Control for XML Database Naizhen Qi, Michiharu Kudo An Algebra for Composing Enterprise Privacy Policies Michael Backes, Markus Duermuth, Rainer Steinwandt 12:30 - 14:00 lunch 14:00 - 15:30 Cryptographic protocols ----------------------- Deriving, attacking and defending the GDOI protocol Catherine Meadows, Dusko Pavlovic Better Privacy for Trusted Computing Platforms Jan Camenisch A Cryptographically Sound Dolev-Yao Style Security Proof of the Otway-Rees Protocol Michael Backes 15:30 - 16:00 coffee break 16:00 - 17:30 Anonymity and information hiding -------------------------------- A Formalization of Anonymity and Onion Routing Sjouke Mauw, Jan Verschuren, Erik de Vink Breaking Cauchy Model-based JPEG Steganography with First Order Statistics Rainer Böhme, Andreas Westfeld Comparison between two practical mix designs Claudia Diaz, Len Sassaman, Evelyne Dewitte Tuesday, September 14th ======================= 09:00 - 10:30 Distributed data protection --------------------------- Signature Bouquets: Immutability for Aggregated/Condensed Signatures Einar Mykletun, Maithili Narasimha, Gene Tsudik Towards a theory of data entanglement James Aspnes, Joan Feigenbaum, Aleksandr Yampolskiy, Sheng Zhong Portable and Flexible Document Access Control Mechanisms Mikhail Atallah, Marina Bykova 10:30 - 11:00 coffee break 11:00 - 12:30 Information flow and security properties ---------------------------------------- Possibilistic Information Flow Control in the Presence of Encrypted Communication Dieter Hutter, Axel Schairer Information flow control revisited: Noninfluence = Noninterference + Nonleakage David von 
Oheimb Security Property Based Administrative Controls Jon A. Solworth, Robert H. Sloan 12:30 - 14:00 lunch 14:00 - 15:30 Authentication and trust management ----------------------------------- A Vector Model of Trust for Developing Trustworthy Systems Indrajit Ray, Sudip Chakraborty Parameterized Authentication Michael J. Covington, Mustaque Ahamad, Irfan Essa, H. Venkateswaran Combinatorial Design of Key Distribution Mechanisms for Wireless Sensor Networks Bulent Yener, Seyit A. Camtepe 15:30 - 16:00 coffee break 16:00 - 17:30 Cryptography ------------ IPv6 Opportunistic Encryption Claude Castelluccia, Gabriel Montenegro, Julien Laganier, Christoph Neumann On the role of key schedules in attacks on iterated ciphers Lars R. Knudsen, John E. Mathiassen A Public-Key Encryption Scheme with Pseudo-Random Ciphertexts Bodo Moller Wednesday, September 15th ========================= 09:00 - 10:30 Operating systems and architecture ---------------------------------- A Host Intrusion Prevention System for Windows Operating Systems Roberto Battistoni, Emanuele Gabrielli, Luigi Vincenzo Mancini Re-establishing Trust in Compromised Systems: Recovering from Rootkits that Trojan the System Call Table Julian Grizzard, John Levine, Henry Owen ARCHERR: Runtime Environment Driven Program Safety Ramkumar Chinchani, Anusha Iyer, Bharat Jayaraman, Shambhu Upadhyaya 10:30 - 11:00 coffee break 11:00 - 12:30 Intrusion detection ------------------- Sets, Bags, and Rock and Roll: Analyzing Large Data Sets of Network Data John McHugh Redundancy and diversity in security Bev Littlewood, Lorenzo Strigini Discover Novel Attack Strategies from INFOSEC Alerts Xinzhou Qin, Wenke Lee ORGANIZING COMMITTEE --------------------
General Chair: Refik Molva, Institut Eurecom, email: Refik.Molva@eurecom.fr
Program Chairs: Peter Ryan, University of Newcastle upon Tyne, email: Peter.Ryan@newcastle.ac.uk; Pierangela Samarati, University of Milan, email: samarati@dti.unimi.it
Publication Chair: Dieter Gollmann, TU Hamburg-Harburg, email: diego@tuhh.de
Publicity Chair: Yves Roudier, Institut Eurecom, email: roudier@eurecom.fr
Sponsoring Chair: Marc Dacier, Institut Eurecom, email: dacier@eurecom.fr
PROGRAM COMMITTEE ----------------- Vijay Atluri, Rutgers University, USA Joachim Biskup, Universitaet Dortmund, Germany Jan Camenisch, IBM Research, Switzerland David Chadwick, University of Salford, UK Ernesto Damiani, University of Milan, Italy Sabrina De Capitani di Vimercati, University of Milan, Italy Yves Deswarte, LAAS-CNRS, France Alberto Escudero-Pascual, Royal Institute of Technology, Sweden Simon Foley, University College Cork, Ireland Dieter Gollmann, TU Hamburg-Harburg, Germany Joshua D. Guttman, MITRE, USA Sushil Jajodia, George Mason University, USA Sokratis K. Katsikas, University of the Aegean, Greece Peng Liu, Pennsylvania State University, USA Javier Lopez, University of Malaga, Spain Roy Maxion, Carnegie Mellon University, USA Patrick McDaniel, AT&T Labs-Research, USA John McHugh, CERT/CC, USA Catherine A. Meadows, Naval Research Lab, USA Refik Molva, Institut Eurecom, France Peng Ning, NC State University, USA LouAnna Notargiacomo, The MITRE Corporation, USA Eiji Okamoto, University of Tsukuba, Japan Stefano Paraboschi, University of Bergamo, Italy Andreas Pfitzmann, TU Dresden, Germany Jean-Jacques Quisquater, Microelectronic laboratory, Belgium Steve Schneider, University of London, UK Christoph Schuba, Sun Microsystems, Inc., USA Michael Steiner, IBM T.J. Watson Research Laboratory, USA Paul Syverson, Naval Research Laboratory, USA Moti Yung, Columbia University, USA VENUE / TRAVEL -------------- ESORICS 2004 will be held on the French Riviera coast, about 20 km West of Nice and 15 km Northeast of Cannes. The conference will take place at Institut Eurecom / CICA, in the Sophia Antipolis science park, which can easily be reached thanks to the nearby Nice international airport.
For more information, refer to: http://esorics04.eurecom.fr/visitor_information.html IMPORTANT DATES --------------- Special rates for hotels: see http://esorics04.eurecom.fr/Hotels.htm Early registration before: July 20, 2004 (see http://esorics04.eurecom.fr/register.html) From Yves.Roudier at eurecom.fr Mon Jun 21 13:25:51 2004 From: Yves.Roudier at eurecom.fr (Yves.Roudier@eurecom.fr) Date: Tue Jun 22 07:10:34 2004 Subject: [ISN] RAID 2004 - Call for Participation Message-ID: <200406211725.i5LHPp41029483@zinnia.eurecom.fr> [Apologies for multiple copies of this announcement] CALL FOR PARTICIPATION RAID 2004 "Intrusion Detection and Society" Seventh International Symposium on Recent Advances in Intrusion Detection Sponsored by SAP and France Telecom Institut Eurecom, Sophia-Antipolis, French Riviera, France September 15-17, 2004 http://raid04.eurecom.fr RAID 2004 will be collocated with ESORICS 2004 ============================================================================== IMPORTANT NOTICE: special hotel rates have been negotiated, but the deadline for some hotels is June 30. Please check the hotel information at: http://raid04.eurecom.fr/Hotels.htm ============================================================================== ******************************************* EARLY REGISTRATION DEADLINE: July 20, 2004 ******************************************* The RAID symposium brings together leading researchers and practitioners from academia, government, and industry to discuss intrusion detection technologies and issues from research and commercial perspectives. This year's program features a single technical track with 14 full papers and 2 practical experience reports selected from almost 120 submissions. It also includes invited speakers, a poster session as well as an abstracts' session. The abstracts' session offers attendees the opportunity to present preliminary research results or summaries of work published elsewhere. 
Poster presentations of similar research results are also possible on Wednesday evening. Abstract submissions from people not presenting posters are also welcome. Submissions to either poster or abstract session should be sent to . For details see http://raid04.eurecom.fr/ . PRELIMINARY PROGRAM ------------------- Wednesday, September 15th ========================= 09.00 Registration opens 12.30 Lunch 14.00 - 14.15 Welcome 14.15 - 15.15 Invited Talk Bruce Schneier, Counterpane Internet Security, CA, USA 15.15 - 15.45 Coffee break 15.45 - 16.45 Modelling process behaviour - Chair: Alfonso Valdes, (SRI International, USA) Automatic Extraction of Accurate Application-Specific Sandboxing Policy, Lap-chung Lam and Tzi-cker Chiueh, Rether Networks Inc., Centereach N.Y., USA Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths, Haizhi Xu, Wenliang Du, and Steve J. Chapin, Systems Assurance Institute, Syracuse University, USA 16.45 - 17.00 Break 17.00 - 18.00 Abstract session 18.00 - Poster session Thursday, September 16th ======================== 09.00 - 10.30 Detecting Worms and Viruses - Chair: John McHugh (CMU/SEI CERT, USA) HoneyStat: Local Worm Detection Using Honeypots, David Dagon, Xinzhou Qin, Guofei Gu, Julian Grizzard, John Levine, Wenke Lee, and Henry Owen, Georgia Institute of Technology, USA Fast Detection of Scanning Worm Infections, Jaeyeon Jung (1), Stuart E. Schechter (2), and Arthur W. Berger (1), (1) MIT CSAIL, USA (2) Harvard DEAS, USA. Detecting Unknown Massive Mailing Viruses Using Proactive Methods Ruiqi Hu and Aloysius K. Mok, Dept of Computer Sciences, University of Texas at Austin, USA 10.30 - 11.00 Coffee break 11.00 - 12.30 Attack and Alert Analysis - Chair: Diego Zamboni (IBM Research, Switzerland) Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection, Tadeusz Pietraszek, IBM Zürich Research Laboratory, Switzerland. 
Attack Analysis and Detection for Ad Hoc Routing Protocols Yi-an Huang, Wenke Lee, College of Computing, Georgia Institute of Technology, USA. On the Design and Use of Internet Sinks for Network Abuse Monitoring Vinod Yegneswaran (1), Paul Barford (1), Dave Plonka (2), (1) Dept of Computer Science, University of Wisconsin, Madison, USA, (2) Dept of Information Technology, University of Wisconsin, Madison, USA 12.30 - 14.00 Lunch 14.00 - 15.00 Invited Talk: TBD 15.00 - 15.30 Coffee break 15.30 - 16.30 Practical Experience - Chair: Hakan Kvarnstrom (TeliaSonera R&D, Sweden) Monitoring IDS Background Noise Using EWMA Control Charts and Alert Information Jouni Viinikka and Herve Debar, France Telecom R&D, Caen, France Experience with a Commercial Deception System, Brian Hernacki, Jeremy Bennett, Thomas Lofgren, Symantec Corporation, Redwood City, USA 16.30 - 17.30 Poster session Friday, September 17th ====================== 09.00 - 10.30 Anomaly Detection - Chair: Christopher Kruegel (Technical University of Vienna, Austria) Anomalous Payload-based Network Intrusion Detection Ke Wang, Salvatore J. Stolfo, Computer Science Dept, Columbia University, USA Anomaly Detection Using Layered Networks Based on Eigen Co-occurrence Matrix Mizuki Oka (1), Yoshihiro Oyama (2,3), Hirotake Abe (1), and Kazuhiko Kato (1,3), (1) University of Tsukuba, Japan, (2) University of Tokyo, Japan, (3) Japan Science and Technology Cooperation, Japan Seurat: A Pointillist Approach to Anomaly Detection Yinglian Xie (1), Hyang-Ah Kim (1), David R. O'Hallaron (1,2) Michael K.
Reiter (1,2), and Hui Zhang (1,2), (1) Dept of Computer Science, Carnegie-Mellon University, USA (2) Dept of Electrical and Computer Engineering, Carnegie-Mellon University, USA 10.30 - 11.00 Coffee Break 11.00 - 12.30 Formal Analysis for Intrusion Detection - Chair: Wenke Lee (Georgia Tech, USA) Detection of Interactive Stepping Stones with Maximum Delay Bound: Algorithms and Confidence Bounds Avrim Blum, Dawn Song, Shobha Venkataraman, Carnegie Mellon University, USA. Formal Reasoning about Intrusion Detection Systems Tao Song (1), Calvin Ko (2), Jim Alves-Foss (3), Cui Zhang (4), and Karl Levitt (1), (1) Computer Security Laboratory, University of California, Davis, USA, (2) NAI Labs, Network Associates Inc., Santa Clara, CA, USA, (3) Center for Secure and Dependable Systems, University of Idaho, USA (4) Computer Science Dept, California State University, Sacramento, USA. RheoStat: Real-time Risk Management Ashish Gehani and Gershon Kedem, Dept of Computer Science, Duke University, USA 12.30 - 12.45 Concluding remarks 12.45 - 14.00 Lunch ORGANIZING COMMITTEE -------------------- General Chair: Refik Molva Program Chairs: Erland Jonsson, Alfonso Valdes Publication Chair: Magnus Almgren Publicity Chair: Yves Roudier Sponsor Chair: Marc Dacier PROGRAM COMMITTEE ----------------- Tatsuya Baba (NTT Data, Japan) Lee Badger (DARPA, USA) Sungdeok Cha (KAIST, Korea) Steven Cheung (SRI International, USA) Herve Debar (France Telecom R&D, France) Simone Fischer-Hubner (Karlstad University, Sweden) Steven Furnell (University of Plymouth, UK) Bill Hutchinson (Edith Cowan University, Australia) Dogan Kesdogan (RWTH Aachen, Germany) Chris Kruegel (Technical University of Vienna, Austria) Hakan Kvarnstrom (TeliaSonera R&D, Sweden) Wenke Lee (Georgia Tech, USA) Douglas Maughan (DHS HSARPA, USA) Roy Maxion (Carnegie Mellon University, USA) John McHugh (CMU/SEI CERT, USA) Ludovic Me (Supelec, France) George Mohay (Queensland University of Technology, Australia) Vern Paxson (ICSI
and LBNL, USA) Giovanni Vigna (UCSB, USA) Andreas Wespi (IBM Research, Switzerland) Felix Wu (UC Davis, USA) Diego Zamboni (IBM Research, Switzerland) STEERING COMMITTEE ------------------ Chair: Marc Dacier (Eurecom, France) Herve Debar (France Telecom R&D, France) Deborah Frincke (University of Idaho, USA) Huang Ming-Yuh (The Boeing Company, USA) Wenke Lee (Georgia Institute of Technology, USA) Ludovic Me (Supelec, France) S. Felix Wu (UC Davis, USA) Andreas Wespi (IBM Research, Switzerland) Giovanni Vigna (UCSB, USA) VENUE / TRAVEL -------------- RAID 2004 will be held on the French Riviera coast, about 20 km West of Nice and 15 km Northeast of Cannes. The conference will take place at Institut Eurecom / CICA, in the Sophia Antipolis science park, which can easily be reached thanks to the nearby Nice international airport. For more information, refer to: http://raid04.eurecom.fr/visitor_information.html IMPORTANT DATES --------------- Deadlines for special rates for hotels : see http://raid04.eurecom.fr/Hotels.htm Deadline for early registration : July 20, 2004 Deadline for abstract/poster submission : August 30, 2004 (contact: Marc Dacier ) RAID conference dates : September 15-17, 2004 From isn at c4i.org Tue Jun 22 06:57:17 2004 From: isn at c4i.org (InfoSec News) Date: Tue Jun 22 07:10:35 2004 Subject: [ISN] Linux Security Week - June 21, 2004 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | June 21, 2004 Volume 5, Number 25n | | | | Editorial Team: Dave Wreski dave@linuxsecurity.com | | Benjamin Thomas ben@linuxsecurity.com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. 
This week, perhaps the most interesting articles include "Using Jabber as a log monitor," "Ease the security burden with a central logging server" and "Managing the security of data flow".

----

>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04

----

LINUX ADVISORY WATCH:

This week, advisories were released for cvs, krb5, kernel, subversion, ethereal, squirrelmail, gallery, Webmin, squid, aspell and tripwire. The distributors include Debian, Fedora, Gentoo, Red Hat, Slackware, Suse, and Trustix.

http://www.linuxsecurity.com/articles/forums_article-9425.html

----

Open Source Leaving Microsoft Sitting on the Fence?

The open source model, with special regard to Linux, has no doubt become a formidable competitor to the once sole giant of the software industry, Microsoft. It is expected when the market share of an industry leader becomes threatened, retaliation with new product or service offerings and marketing campaigns refuting the claims of the new found competition are inevitable. However, in the case of Microsoft, it seems they have not taken a solid or plausible position on the use of open source applications as an alternative to Windows.

http://www.linuxsecurity.com/feature_stories/feature_story-168.html

--------------------------------------------------------------------

Interview with Brian Wotring, Lead Developer for the Osiris Project

Brian Wotring is currently the lead developer for the Osiris project and president of Host Integrity, Inc. He is also the founder of knowngoods.org, an online database of known good file signatures. Brian is the co-author of Mac OS X Security and a long-standing member of the Shmoo Group, an organization of security and cryptography professionals.
http://www.linuxsecurity.com/feature_stories/feature_story-164.html

--------------------------------------------------------------------

Guardian Digital Launches Next Generation Secure Mail Suite

Guardian Digital, the premier open source security company, announced the availability of the next generation Secure Mail Suite, the industry's most secure open source corporate email system. This latest edition has been optimized to support the changing needs of enterprise and small business customers while continually providing protection from the latest in email security threats.

http://www.linuxsecurity.com/feature_stories/feature_story-166.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Baiting the Hook to Catch the Hacker
June 18th, 2004

The hacking community has cost organisations around the globe many millions of dollars in lost time and revenue. In SA, hackers pose a huge security threat - even though companies often do not openly admit this. Graham Vorster, chief technology officer at Duxbury Networking, says it's time to take a more aggressive stance with hackers as he describes new methods of 'hacker baiting'.

http://www.linuxsecurity.com/articles/general_article-9423.html

* Defacement spree hits government sites
June 18th, 2004

The IT security of Australian Web-hosting providers has come under serious question, with more than 30 state and local government Web sites defaced in the last six months - including the homepages of two locally hosted foreign diplomatic missions and the highly sensitive NSW Casino Control Board.
http://www.linuxsecurity.com/articles/hackscracks_article-9422.html

* HNS Audio Learning Session: Alternatives to Passwords
June 17th, 2004

The third annual survey into office scruples conducted by Infosecurity Europe 2004 found that office workers are still not information security savvy. A survey of office workers found that 71% were willing to part with their password for a chocolate bar. In this 8 minutes long audio learning session, John Stuart, Signify CEO, discusses what are the alternatives to passwords.

http://www.linuxsecurity.com/articles/network_security_article-9420.html

* New Linux Security Hole Found
June 15th, 2004

A Linux bug was recently uncovered by a young Norwegian programmer that, when exploited by a simple C program, could crash most Linux 2.4 or 2.6 distributions running on an x86 architecture. "Using this exploit to crash Linux systems requires the (ab)user to have shell access or other means of uploading and running the program--like cgi-bin and FTP access," reports the discoverer, Øyvind Sæther.

http://www.linuxsecurity.com/articles/server_security_article-45.html

+------------------------+
| Network Security News: |
+------------------------+

* Wireless Infidelity
June 21st, 2004

While the growth of 802.11b wireless networking has been explosive, problems with security of data being transmitted have plagued the technology almost since its conception. Still in spite of its drawbacks 802.11b has some compelling reasons for its deployment, both by the consumer and in the enterprise. Those reasons include its low cost, its ease of deployment and the tremendous convenience that wireless networking offers.
http://www.linuxsecurity.com/articles/network_security_article-9433.html

* Application Denial of Service (DoS) Attacks
June 18th, 2004

Denial of Services attacks aimed at disrupting network services range from simple bandwidth exhaustion attacks and those targeted at flaws in commercial software to complex distributed attacks exploiting specific COTS software flaws. These types of attack are not new and have been used to devastating effect to prevent normal operation of the victim sites. Historically, these attacks by hacktivists and extortionists alike have targeted companies as diverse as eBay and Microsoft, the RIAA and SCO, and a plethora of online gambling companies.

http://www.linuxsecurity.com/articles/network_security_article-9426.html

* Ease the security burden with a central logging server
June 16th, 2004

Every network device on your network has some type of logging capability. Switches and routers are extremely proficient in logging network events. Your organization's security policy should specify some level of logging for all network devices.

http://www.linuxsecurity.com/articles/network_security_article-50.html

* Using Jabber as a log monitor
June 14th, 2004

Jabber, the streaming XML technology mainly used for instant messaging, is well-suited to its most common task. However, Jabber is a far more generic tool. It's not a chat server per se, but rather a complete XML routing framework. This has some pretty far-reaching implications.

http://www.linuxsecurity.com/articles/network_security_article-39.html

+------------------------+
| General Security News: |
+------------------------+

* Open source Internet protocol security project gets nod from Novell
June 18th, 2004

Novell announced that it is sponsoring and contributing to the popular open source Linux implementation of the IP security (IPsec) standard development project, Openswan.
The open source project brings all of the features needed for building and deploying secure commercial grade virtual private networks (VPNs) to Linux.

http://www.linuxsecurity.com/articles/projects_article-9424.html

* Evaluating the ROSI: Where's the problem?
June 17th, 2004

Many believe that demonstrating a ROSI in the enterprise is nigh impossible because there are no metrics that measure the ROSI unless a company is attacked or security is outsourced to a managed security provider. However, I've always been astounded by this attitude, as to me it appears that the most obvious point has been completely missed; organisations must begin with information risk assessments in order to evaluate the true effectiveness of their ROSI.

http://www.linuxsecurity.com/articles/network_security_article-9419.html

* First mobile phone virus discovered
June 16th, 2004

The first ever computer virus that can infect mobile phones has been discovered, anti-virus software developers said today, adding that up until now it has had no harmful effect.

http://www.linuxsecurity.com/articles/network_security_article-9414.html

* Managing the security of data flow
June 14th, 2004

Customer Relationship Management (CRM) systems are cited as one of the major technology successes of the last decade. These 'super databases' enable the real-time sharing of information across global organisations, increasing the visibility of the sales pipeline and providing a central control of the customer experience. A far cry from the early databases which were supported in the locally networked environment, CRM systems have pushed database capabilities into the enterprise arena, providing accurate monitoring of customer information and enabling corporations to sell and market to customers through a centrally managed delivery mechanism.
http://www.linuxsecurity.com/articles/network_security_article-41.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Jun 22 06:57:47 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 22 07:10:36 2004
Subject: [ISN] REVIEW: "Information Security Risk Analysis", Thomas R. Peltier
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKINSCRA.RVW 20040509

"Information Security Risk Analysis", Thomas R. Peltier, 2001, 0-8493-0880-1
%A   Thomas R. Peltier
%C   920 Mercer Street, Windsor, ON N9A 7C2
%D   2001
%G   0-8493-0880-1
%I   Auerbach Publications
%O   +1-800-950-1216 orders@crcpress.com
%O   http://www.amazon.com/exec/obidos/ASIN/0849308801/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0849308801/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0849308801/robsladesin03-20
%P   281 p.
%T   "Information Security Risk Analysis"

Chapter one, supposedly discussing effective risk management, outlines a number of points important to the process, but in a rather scattered manner. Material seems to have been gathered from a variety of sources, but the gaps between those references and articles have not been filled. The information given is inconsistent in terms of significance: a list of natural threats lists "air pollution" (there is no corresponding "water pollution") and "earthquakes" as generic issues, but breaks weather conditions down into items as specific as "Alberta Clipper" and "lake effect snow" (as well as a very odd mention of "yellow snow," defined as snow coloured by pollen).
Risk analysis methods are generally divided into quantitative and qualitative, so one would assume that chapter two, "Qualitative Risk Analysis," would present the concepts of this idea, leaving quantitative analysis for another section. Neither of those assumptions is true: chapter two lists three different methods that would probably be seen as qualitative, but does not analyse or compare them, and quantitative analysis is not reviewed in any specific part of the book. Chapter three, entitled "Value Analysis," is an extremely terse mention of the importance of calculating the value of assets. Five more qualitative procedures are listed in chapter four. Another such, the Facilitated Risk Analysis Process (FRAP), suitable for a quick risk review in a small department, is described in chapter five, along with some related, but incompletely described, forms and charts. "Other Uses of Qualitative Risk Analysis," in chapter six, enumerates a few other risk analysis factors, mostly to do with business impact analysis. Chapter seven is supposed to be a case study using FRAP, but consists of fifty pages of unexplained forms. The appendices contain various forms, again without commentary or exegesis, including a questionnaire that bears a strong resemblance to the US NIST (National Institute of Standards and Technology) security self-assessment form.

The basics of risk analysis are here, but, aside from a padding of verbiage, there is not much else. A decent article on the subject, such as Ozier's in the "Information Security Management Handbook" (cf. BKINSCMH.RVW), covers every bit as much territory, and in a more concise manner.

copyright Robert M. Slade, 2004   BKINSCRA.RVW   20040509

======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
There are no *printed* instructions, but I found a CD-ROM called `How to Set Up Your Computer.'
                                                - Dan Piraro
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

From isn at c4i.org Tue Jun 22 06:58:07 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 22 07:10:38 2004
Subject: [ISN] Akamai Attack Reveals Increased Sophistication
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,93977,00.html

By Jaikumar Vijayan
JUNE 21, 2004
COMPUTERWORLD

An attack last week against Akamai Technologies Inc. demonstrated the disruption of key Web site activity that a well-placed assault on the Internet's Domain Name System can cause. The incident also revealed a troubling capability on the part of hackers to target core Internet infrastructure technologies, security experts said.

Several major customers of Akamai's DNS hosting services, including Microsoft Corp., Yahoo Inc. and Google Inc., suffered brief but severe Web performance slowdowns on June 15 as a result of a large-scale attack on Akamai's DNS servers.

Keynote Systems Inc., a San Mateo, Calif.-based third-party Web site performance measurement firm, said that in some cases, availability of affected sites dropped to nearly zero for a brief period. Microsoft, Yahoo and Google confirmed that their Web sites suffered performance problems but deferred further comment to Akamai.

Cambridge, Mass.-based Akamai initially blamed a widespread Internet attack. But Chief Scientist Tom Leighton subsequently said that the company appeared to have been the victim of a targeted distributed denial-of-service attack (DDoS) that affected about 50 of its roughly 1,100 customers.

"Our assumption was this was an attack against Akamai and it was perpetrated by attacking our customer name service infrastructure," Leighton said, referring to the DNS.

The question of what went wrong at Akamai is important because of the nature of the attack, security experts said. The DNS is a critical component of the Internet because it maps Web names to IP addresses.
The fact that the attackers were successful in finding these systems and then compromising them at a company that specializes in protecting the DNS infrastructure is another key concern. Also important is that the attack simultaneously disrupted service - however briefly - at some of the largest Web sites in the world.

Alternative Scenarios

Some security experts, however, said a DDoS attack is unlikely to have been the cause of the problem simply because of the amount of bandwidth an attacker would have needed to overwhelm an operation such as Akamai's.

"Akamai is not a two-bit operation. These guys are designed to stay up. They are huge and well distributed, so it doesn't add up," said Bruce Schneier, chief technology officer at Counterpane Internet Security Inc. in Mountain View, Calif. "My guess is that it [was] some kind of an internal failure within Akamai or maybe a targeted attack against them by someone with insider knowledge and access."

Moreover, there was no suspicious Internet traffic or DNS patterns to suggest that such a massive and distributed attack had taken place, said Craig Labovitz, director of network architecture at Arbor Networks Inc., a Lexington, Mass., provider of DoS mitigation technologies. Arbor's network monitoring tools are installed on several carrier networks around the world.

In any case, the event was marked by being a step beyond "simple bandwidth attacks" on individual Web sites to more sophisticated targeting of core upstream Internet routers, DNS servers and bandwidth bottlenecks, according to Labovitz.

"It's a fairly scary escalation," Labovitz said. "What we are seeing is a shift away from completely brain-dead attackers to folks who know a little bit about the network topology, trace routes and about where the DNS might live" on a network, he said.
"DNS is an attractive target because so many things rely on it, from the Web to e-mail to VoIP call routing," said Paul Mockapetris, inventor of the DNS and chairman of IP address management vendor Nominum Inc. in Redwood City, Calif.

The growing load is taxing the infrastructure and making it more vulnerable to the type of DDoS attack that hit all 13 of the Internet's root DNS servers in October 2002, experts warned.

"We are afraid that even if we make DNS servers run four times faster, we are on a treadmill," Mockapetris said. "Attackers will eventually just recruit five times as many zombies" to launch DoS attacks, he said.

From isn at c4i.org Tue Jun 22 06:58:22 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 22 07:10:39 2004
Subject: [ISN] Report shows holes in cybersecurity plan
Message-ID:

http://www.govexec.com/dailyfed/0604/062104tdpm1.htm

By William New
National Journal's Technology Daily
June 21, 2004

A report sent to a House oversight committee last month details the Homeland Security Department's progress in implementing the national cybersecurity strategy issued early last year.

The 35-page report, sent in reply to a request by the House Homeland Security Committee for a detailed account of the strategy's implementation, shows both progress and remaining work. There has been no formal progress report from the Bush administration since the strategy's release in January 2003. The report also breaks down the fiscal 2005 funding request for each item. The department's National Cyber Security Division is leading the implementation.

The report shows that an assessment of vulnerabilities to critical infrastructures long sought by Congress is targeted for 2005, with a process for assessing Internet weaknesses due later this year.

Perhaps the most touted accomplishment in the report is the establishment of a public-private structure for responding to national-level cyber incidents by designating the U.S. Computer Emergency Readiness Team (US-CERT) as the department's cybersecurity operational body. US-CERT, a long-respected operation at Carnegie-Mellon University, launched a national cyber-alert system in January.

US-CERT now includes the former Federal Computer Incident Response Center (FedCIRC) transferred to Homeland Security from the General Services Administration. This summer, it is launching a private-public partnership involving the panorama of stakeholders in the critical infrastructure community, and this year the center will update various aspects of a "partner portal," a secure Web site for coordination and information sharing.

Work remains on an "ambitious and necessary" mandate in the strategy to develop a round-the-clock cyber-response center, the department said. "There exist a number of active and planned projects within the [cybersecurity division] to locate and combine the correct mix of people, processes and technology needed to create this capability," the report said. For instance, a new "watch center" combining various functions is being built for early next year.

The department is expanding the Critical Infrastructure Warning Information Network (CWIN), a private communications network for voice and data with no dependence on the Internet or public network. CWIN terminals have been installed in key government and industry network centers and in a United Kingdom facility. Other extensions are underway in the project, for which $12.8 million is requested for fiscal 2005.

The Cyber Interagency Incident Management Group, created to coordinate intra-governmental preparedness and response operations, was created after the Livewire simulated terrorist attack exercise in October 2003.
A compromise amendment to the Homeland Security appropriations bill on the Senate floor this week would move more funding within the cybersecurity division's budget to cyber exercises, increasing that item from $1.85 million to $3.5 million, according to an administration official. The report describes a number of active exercises nationwide.

The report also identifies issues related to: overcoming private-sector reluctance to share proprietary information with the government, authenticating electronic transactions, improving the security of government work "outsourced" to the private sector, securing wireless networks, improving state and local information sharing and analysis centers, and enhancing the ability to identify sources of cyber attacks.

From isn at c4i.org Tue Jun 22 06:58:37 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 22 07:10:40 2004
Subject: [ISN] City firms still failing to guard WLans
Message-ID:

http://www.microscope.co.uk/articles/article.asp?liArticleID=131413

By Bill Goodwin
22 June 2004

Businesses in Europe's leading financial centres are failing to secure their wireless access points despite the risk of "drive-by" hacking.

More than 33% of businesses surveyed in London, Milan, Paris and Frankfurt are still making fundamental security mistakes, research by RSA Security revealed.

The failure of companies to use basic wireless security standards, such as WEP (Wired Equivalent Privacy), is leaving otherwise well-protected corporate networks with holes that could be exploited by hackers.

"Once hackers are connected, they can do what they like," said Tim Pickard, director at RSA. "This instantly negates the effort and investment organisations have made in other areas to secure the corporate infrastructure."

The survey found that the number of wireless networks has increased by 770% to more than 1,000 in London during the past three years.
Although awareness of wireless security has improved, 33% of wireless access points in London firms still do not use basic WEP encryption. London businesses have also left 25% of wireless networks on their default settings, broadcasting information about companies' IT systems to potential hackers.

These lapses leave businesses open to hackers, who are able to locate vulnerable access points by doing "drive-by" attacks armed with low-cost equipment.

"In the worst case scenario, hackers could bypass a lot of the traditional security, including firewalls, giving them access to vulnerable parts of the network," said Pickard.

The picture is even worse in Frankfurt, where 41% of wireless networks are unencrypted, along with 72% in Milan.

From isn at c4i.org Tue Jun 22 06:58:53 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 22 07:10:42 2004
Subject: [ISN] Network Associates Up For Sale, Sources Say
Message-ID:

http://www.crn.com/sections/breakingnews/breakingnews.jhtml;jsessionid=UBOYD1ZT3NRE0QSNDBESKHA?articleId=22101131

By Dan Neel
CRN
Jun. 21, 2004

Network Associates is for sale, and Microsoft is rumored to be the buyer.

The maker of McAfee antivirus and security products has not made it public, but a "for sale" sign figuratively hangs from Network Associates' front door, according to Wall Street sources and channel partners.

A public announcement concerning either the pending or closed sale of the company to a buyer could come as early as July 1 when Network Associates also plans to announce layoffs associated with the company's for-sale status, these sources said.

Network Associates executives declined to comment and would neither confirm nor deny that the Santa Clara, Calif.-based company is for sale or planning layoffs.

Network Associates' reseller partners across the United States said more than a few of the company's field representatives have recently begun circulating resumes.
"A lot of [Network Associates] salespeople have opened up feelers for where they are going to land," one partner said. Some Network Associates employees gave partners July 1 as the date Network Associates planned to execute the layoffs. The partners asked to remain anonymous.

Microsoft enters the picture as a potential buyer based on the Redmond, Wash.-based software giant's desire to ascend to a level in the security market competitive with Network Associates rivals such as Symantec, Computer Associates International and Trend Micro, sources said.

Microsoft is armed with a number of antivirus tools for Windows and is rolling out a next-generation application layer firewall, a VPN and a Web cache solution. But possession of Network Associates' extensive intellectual property would complete a security offering for Microsoft that could go head-to-head with Symantec, CA, Trend Micro and others.

Microsoft representatives said it was policy not to comment on the company's acquisition plans.

Still, Microsoft may also be the only willing buyer, Wall Street sources said, as few companies with the wherewithal to purchase Network Associates are interested.

It appears that Network Associates has been grooming itself to fit the bill for an acquisition by Microsoft, many Network Associates partners said.

One partner, who is also a veteran of the Digital Equipment Corp./Compaq merger, said the signs coming from Network Associates are similar to that of pre-merger DEC, citing Network Associates' sale of its PGP encryption product line, its Gauntlet firewall business and most recently its Sniffer network monitoring division. The partner said Network Associates' downsizing was exactly what DEC did in order to fit within Compaq.

"It was a divestiture of all the things Compaq didn't want," the partner said.
The sudden, announced departure of Donna Troy, Network Associates' executive vice president of worldwide channel sales, and the sudden, unannounced departure of Gary Brand, director of channel sales, each resonated with partners as signs of impending change.

At Network Associates' recent Partner Symposium in San Antonio, partners were repeatedly encouraged to make sure their product licensing was up to date, another sign that the company was trying to set its house in order prior to a sale, partners said.

From wk at c4i.org Wed Jun 23 06:57:29 2004
From: wk at c4i.org (William Knowles)
Date: Wed Jun 23 07:14:12 2004
Subject: [ISN] PRC surfers hack into DPP Web site
Message-ID:

http://www.etaiwannews.com/Taiwan/2004/06/23/1087958173.htm

By Wang Chung-ming
2004-06-23
Taiwan News Staff Reporter

Democratic Progressive Party officials yesterday confirmed that hackers, believed to have originated in the People's Republic of China, recently attacked the home page of the party's official Web site.

On Monday night, the DPP home page was replaced with a picture described as the "inauguration portrait" of President Chen Shui-bian and Vice President Annette Lu. In the picture, the two politicians are frontally nude with Japanese kimonos draped over their backs. The picture is framed with the slogans, "Overthrow A-bian" and "Oppose Taiwan Independence."

Another picture posted on the DPP home page portrayed a Chinese soldier who is taking aim as he prepares to shoot a rifle, with a caption that reads: "I am proud of being Chinese as well as a brave Chinese senior soldier."

Paralyzed by this latest wave of hacking, the DPP computer system was temporarily shut off and no data was thought to have been leaked, according to the DPP information security department.

DPP Cultural and Information Department Deputy Director Lee Shi-ming said the party's Web site would be restored today, as DPP headquarters was closed yesterday for the Dragon Boat Festival.
Chung Chia-bin, DPP deputy secretary-general, added that his party had notified the National Information and Communication Security Task Force to ask for help following the hacker attacks.

The Cabinet-level NICST is responsible for monitoring all computer systems of Taiwan government agencies or major private companies, especially with an eye to preventing the PRC from engaging in cyber-warfare exercises.

The People's Liberation Army is believed to be placing great emphasis on cyberspace attacks that intend to paralyze the computer operations of strategic targets as part of an effort to "decapitate" Taiwan in a shock attack.

The DPP is among the organizations monitored regularly by NICST, said Chung, who noted that China's attacks against the party are on the rise.

"We often detect that DPP Web sites - including those of the central headquarters and local branches - have been attacked by hackers," Chung said. "But this week has seen a trend where the hacking has been intensified."

In recent years, PRC hacker threats toward Taiwan have often been intensive campaigns, launched in retaliation against local political moves opposed by Beijing.

In May 2003, for example, when activists enthusiastically campaigned for the rectification of Taiwan's name, a hacker's Web site in China threatened to hack into the official Web sites of Taiwanese government agencies for 11 days to retaliate against the country's pro-independence activities.

Taiwan recently completed a computer-simulated war game and may coordinate these exercises with the United States and Japan in the future in an effort to enhance its information technology capabilities.

But China is now gearing up for large-scale military exercises which are to take place in June and July on Dongshan Island in southeastern Fujian Province just 150 nautical miles west of Taiwan's Penghu Islands, with the goal of the games being to "take control of the Taiwan Strait."
It is believed that cyber warfare will be part of the exercises. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ---------------------------------------------------------------- C4I.org - Computer Security, & Intelligence - http://www.c4i.org ================================================================ Help C4I.org with a donation: http://www.c4i.org/contribute.html *==============================================================* From isn at c4i.org Wed Jun 23 07:00:08 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jun 23 07:14:14 2004 Subject: [ISN] Book Review: Network Security Architectures by Sean Convery Message-ID: Forwarded from: Gary Hinson %T Network Security Architectures - expert guidance on designing secure networks %A Sean Convery CCIE %I Cisco Press, IN, USA %D April 2004 %G ISBN 158705115X %P 739 pages %O $55 from www.amazon.com/exec/obidos/ASIN/158705115X/wwwnoticeborc-20 This comprehensive textbook is ideal for information security architects tasked with designing secure networks, both as a teaching text and as a reference. It covers: - Good practice network security design guidelines ('axioms') - Purpose and definition of network security policies - Good advice on designing the ^?network security system (i.e. the overarching network security architecture into which individual network devices must fit) from the ground up (i.e. 
physical security to application security - OSI layers 1 to 7)
- Specific technical advice on configuring network devices for security ('hardening')
- Technical descriptions of the vulnerabilities in network services, accompanied by advice on how to secure them
- Typical design considerations for network perimeter ('edge') security, internal network ('campus') security and remote access (teleworker) security
- Secure network management and network security management (compared and contrasted in 40 pages)

I appreciate the author's emphasis on architectural security design but he also succeeds in giving a reasonably comprehensive introduction to more specific elements of network security. This is not a hand-waving helicopter-overview of the topic but a far more substantial tome. At the same time, the clear writing style, simple diagrams and nuggets of practical advice make it an enjoyable read. The book is liberally sprinkled with URLs to useful additional resources although I fear some of them will be out of date before this book is out of print (an accompanying reference website might have been useful, Cisco!). Each chapter concludes with exam-style review questions (with answers) and further questions intended to stimulate the reader to think about the material in their local organizational context. The topic almost inevitably involves loads of acronyms so thankfully a succinct glossary is included. Three network security design examples (mini case studies) towards the end of the book demonstrate the techniques previously described. These are good for getting readers to practice thinking like a network security architect. Despite being published by Cisco Press, the book is not specifically about Cisco products. However, the examples and several of the security features are Cisco-specific. Given the market presence of Cisco, this is not a serious drawback but a little more balance would have added credibility (e.g.
security vulnerabilities in LEAP, Cisco's wireless LAN authentication protocol, are not described but merely hinted-at). All in all, this book has already proved its worth to me. I read it cover-to-cover in a couple of days and have already started using it as a reference. Recommended reading for those with a professional interest in information security architecture. Copyright 2004, IsecT Ltd. All rights reserved.

From isn at c4i.org Wed Jun 23 07:00:26 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jun 23 07:14:15 2004 Subject: [ISN] Holes found in IBM's PC support control Message-ID: http://www.computerweekly.com/articles/article.asp?liArticleID=131444 Matthew Broersma Techworld.com 22 June 2004

Hackers could use two of IBM's ActiveX controls designed for automated PC support to attack PCs through the Internet Explorer browser, according to security firm eEye Digital Security. The company found flaws in the eGatherer 2.0.0.16 and acpRunner 1.2.5.0 ActiveX controls - the first of which is installed by default on many IBM PCs - that could allow attackers to write malicious files anywhere on a computer's hard disc via a special web page. Because the controls are signed by IBM, users who agree to "trust" IBM components could be compromised, eEye said. The company published example exploits for both controls. Also last week, Linux suppliers began patching several new, but less serious holes in the 2.6 and 2.4 kernels and in the Gentoo and Debian distributions. The controls are simply badly designed, according to eEye, making available unsafe methods of accessing a user's PC. "ActiveX is a very profound web technology. As a profound web technology it may be abused," wrote eEye in its advisory. "Designers might create an ActiveX which could perform any function on a user's computer. The responsibility rests with the creator of the ActiveX, as in any trust model." IBM has released a fix for the problem on its website.
Security tools such as eEye's Retina Network Security Scanner are also capable of protecting PCs. The hole is similar in some ways to two linked flaws in Internet Explorer publicised earlier this month. Those flaws also allowed a malicious web page to write files onto a user's hard drive without being detected. In that case, the bug was already being exploited by web pages in order to place spyware on users' PCs. The earlier exploit also made use of a "help" file. Because Internet Explorer and its connected technologies thoroughly dominate the web browser market, attackers tend to focus their efforts on the software, said industry analysts. This situation makes a convincing case for businesses to switch to another browser, such as Mozilla or Opera, according to some security experts. Linux suppliers Red Hat and Trustix said they had discovered vulnerabilities in several drivers in the Linux 2.6 kernel, allowing local users to elevate their privileges or gain access to the kernel memory. The bugs, affecting the aironet, asus_acpi, decnet, mpu401, msnd, and pss drivers, were discovered through a review of the 2.6 kernel source code, but some of them also affect the 2.4 kernel, Trustix said. Gentoo Linux reported a bug in a popular spell-checking program called aspell, affecting versions up to 0.50.5-r1, which could allow a malicious user to execute the code of their choice on the system. The most recent version of the package corrects the problem. Security firm Secunia said the bug could be used to execute malicious code remotely, with the privileges of the user, but would require extensive social engineering. Debian released patches for the components rlpr, www-sql, sup and super, fixing bugs which could allow certain local users to elevate privileges or compromise a system. 
From isn at c4i.org Wed Jun 23 07:00:39 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jun 23 07:14:16 2004 Subject: [ISN] LayerOne Hacking Exposed Message-ID: http://www.tomshardware.com/business/20040622/index.html By Humphrey Cheung June 22, 2004

THG regularly covers LAN Parties, during which gamers drink, socialize and, of course, play games. However, hackers and other technology professionals have also been doing this for several years at conventions such as Defcon, Toorcon and more recently at the first annual LayerOne conference June 12-13 at the Westin Hotel near the Los Angeles International Airport. The main attraction of these hacker conventions is the informative talks given by technology experts. They range from legal advice to technical wizardry. Social events such as free alcohol and evening parties also help bring security professionals, law enforcement and hackers together for fun and mayhem. Are these conventions for you? How does the LayerOne conference compare with the massive Defcon Hacker convention in Las Vegas? Read on and find out.

Who Goes To These Conventions? The Crowd.

The primary purpose of "hacker" conventions is to learn. Informative and sometimes downright scary talks are given on the latest computer vulnerabilities, legal situations and hacker lifestyles. The quality of the talks attracts full-time computer security professionals, law enforcement agents and the traditional hacker. Although the mix sounds like a recipe for disaster, everyone seems to get along well. While it is hard to state the percentages of hardcore hackers to computer professionals, LayerOne seemed to attract a more sedate and higher-end crowd. Defcon, which attracts about 6,000 people each summer, seems to attract an even mix of young hackers to computer pros. [...]
From isn at c4i.org Wed Jun 23 07:00:55 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jun 23 07:14:17 2004 Subject: [ISN] Largest ISPs Attack 'Zombies' Message-ID: http://www.washingtonpost.com/wp-dyn/articles/A61759-2004Jun22.html By Jonathan Krim Washington Post Staff Writer June 23, 2004 The country's largest e-mail account providers called yesterday for a worldwide industry assault on "zombies," personal computers that have been unwittingly commandeered by spammers and used to send out unwanted e-mail and malicious programs. The Anti-Spam Technical Alliance, which includes America Online Inc., Yahoo Inc., Microsoft Corp. and EarthLink Inc., urged all Internet providers to police their networks more aggressively and cut off machines suspected of being launching pads for spam. By some estimates, hundreds of thousands of computers around the world have been infected with software that lets them be used without their owners' knowledge. Such machines now account for as much as 40 percent of all spam. Large Internet providers typically monitor traffic on their networks and pinpoint machines that are sending out inordinate amounts of e-mail. When such machines are found, some Internet providers block their Internet access until their owners come forward, at which point they are given help to remove the software code used by the spammers before being reconnected. The zombie problem, said representatives of the group, is going largely unchecked because other Internet providers are not taking such action. "We're throwing the gauntlet down," said Ken Hickman, senior mail director at Yahoo. "We're saying, 'Hey, secure your networks.' " The proposal suggests that Internet providers that are quarantining zombies might reject all mail from networks that are not doing so. "If the ISP does not reasonably control abusive traffic, it is at risk of being blocked by other ISPs," said the group's report. 
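The monitoring step the article describes, pinpointing machines that send inordinate amounts of e-mail, can be made concrete with a small detector. The Python sketch below is an added example, not code from the article or from any of the ISPs named in it: it reads constructed outbound-SMTP connection records (timestamp, source, destination), slides a ten-minute window over each source's connections, and reports sources that exceed a connection count while talking to many distinct destination mail servers, which is the direct-to-MX pattern of a spam zombie rather than a user relaying through the provider's submission server. The record format, the addresses, the thresholds and the function names are all assumptions of this example.

```python
"""Outbound-mail volume check of the kind an access provider can run to spot
"zombie" hosts (constructed example; not the article's or any ISP's code)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def constructed_flows():
    """Build a constructed log of outbound SMTP (TCP/25) connection records:
    '<ISO timestamp> <source IP> <destination IP>', one per line. The hosts,
    addresses and timing are invented for illustration."""
    lines = [
        # A residential user relaying three messages through the provider's
        # own submission server during the morning: normal behaviour.
        "2004-06-22T10:00:01 10.0.0.5 192.0.2.10",
        "2004-06-22T10:07:40 10.0.0.5 192.0.2.10",
        "2004-06-22T10:31:12 10.0.0.5 192.0.2.10",
    ]
    # A compromised residential host pushing spam direct-to-MX: 30 connections
    # to 30 different destination mail servers inside four minutes.
    start = datetime(2004, 6, 22, 10, 15, 0)
    for i in range(30):
        ts = start + timedelta(seconds=8 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.77 198.51.100.{i + 1}")
    # The provider's own outbound MTA also talks to many MXs; it is legitimate
    # and must be excluded via the allow-list rather than flagged.
    for i in range(25):
        ts = start + timedelta(seconds=12 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.10 203.0.113.{i + 1}")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the constructed record format into (timestamp, src, dst) tuples,
    skipping blank or malformed lines instead of aborting the whole run."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2]))
    return records


def flag_bulk_senders(records, window=timedelta(minutes=10), max_conns=20,
                      min_distinct=10, known_mtas=frozenset()):
    """Return {src: (peak connections, peak distinct destinations)} for every
    source that, within any sliding window, opened more than max_conns
    outbound SMTP connections to at least min_distinct distinct destinations.
    Sources listed in known_mtas (the provider's own mail servers) are skipped."""
    by_src = defaultdict(list)
    for ts, src, dst in records:
        if src not in known_mtas:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # destination -> connections inside the window
        left = 0
        for right, (ts, dst) in enumerate(events):
            in_window[dst] += 1
            # Advance the left edge until every event is within `window` of ts.
            while events[left][0] < ts - window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            conns = right - left + 1
            distinct = len(in_window)
            if conns > max_conns and distinct >= min_distinct:
                prev = flagged.get(src, (0, 0))
                flagged[src] = (max(prev[0], conns), max(prev[1], distinct))
    return flagged


if __name__ == "__main__":
    records = parse_flows(constructed_flows())
    hits = flag_bulk_senders(records, known_mtas=frozenset({"192.0.2.10"}))
    for src, (conns, distinct) in sorted(hits.items()):
        print(f"{src}: {conns} connections to {distinct} MXs in one window")
```

The allow-list of the provider's own MTAs matters as much as the thresholds: an outbound relay legitimately contacts hundreds of MXs, so without it the detector would quarantine the provider's own mail. Thresholds need tuning against measured baselines for the customer population, and a hit should feed the contact-and-quarantine workflow the article describes rather than an automatic disconnect.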
"These machines are a security risk," added Brian Sullivan, senior technical director of mail operations at AOL. Mike Jackman, executive director of the California ISP Association, responded that smaller Internet providers generally do watch their networks closely and act when they see zombies. "They are doing it because it's in their interest to do it," Jackman said. Spammers "are eating up bandwidth." Jeffrey Sullivan, director of Verizon Communications Inc.'s Internet operations, said his company will not cut off a machine's Internet access until it has contacted the account owner. He said Verizon participated in the group's deliberations but is not a member. The group, which also includes Comcast Corp. and British Telecom, said the industry should standardize several other practices, including making sure that spammers cannot automatically register for e-mail accounts without verifying their identities. In addition, the group said, ISPs should not have servers -- computers that process mail -- that allow third parties to relay e-mail through them without being verified as legitimate account holders. But the group was not yet ready with unified standards for verifying the identity of e-mail senders, which is one of the industry's biggest initiatives. The four largest ISPs have been testing systems for authenticating senders to make it more difficult for spammers to disguise their identities and locations. The companies are working with Internet organizations that help develop technical specifications, and the process is likely to take until the end of the year. In the meantime, the group urges ISPs to prevent people from sending mail until they have been deemed valid account holders. Usually, the report said, this can be done by requiring user names and passwords to be provided before users are allowed onto e-mail systems. Anti-spam groups that have often been critical of ISPs for not being aggressive enough said the recommendations were hardly surprising. 
"It's a codification of existing best practices rather than anything that's truly new," said John Mozena, executive director of the Coalition Against Unsolicited Commercial Email. He said that while unplugging zombies is important, the system still depends on voluntary compliance. Mozena's group and others have sought legislation to allow consumers to hold network owners accountable for permitting spam. From mmaiffret at eEye.com Thu Jun 24 07:25:07 2004 From: mmaiffret at eEye.com (Marc Maiffret) Date: Thu Jun 24 07:56:14 2004 Subject: [ISN] EEYE: DoD selects eEye as enterprise wide Vulnerability Management solution... Message-ID: <098A9BA9A97D474FAD883D2A0560B7CC015C10@owa.eeye.com> eEye Digital Security's Technology Selected for DISA Task Order Valued at Over $6 Million to Provide Information Assurance Vulnerability Management ALISO VIEJO, Calif.--June 23, 2004--(Secure Configuration Compliance Validation Tool) eEye(R) Digital Security, a leading developer of vulnerability management software for enterprise security, today announced that the Defense Information Systems Agency (DISA) has selected eEye's vulnerability management software in conjunction with a Task Order under the DISA I-ASSURE Contract to serve as the basis for an Information Assurance Vulnerability Management (IAVM) solution worth up to $6 million if all options are exercised. The requirement was sponsored by the United States Strategic Command (USSTRATCOM) on behalf of the Department of Defense. Under the Task Order, eEye and its partner DigitalNet (Nasdaq:DNET), a premier provider of network computing solutions, will develop and deploy an automated IAVM tool that will provide network administrators and security personnel a mechanism for verifying application or non-application of Department of Defense (DoD) Computer Emergency Response Team (CERT) Information Assurance Vulnerability Management Notices. 
The IAVM tool will scan networks in order to mitigate security vulnerabilities found in software and those related to incorrect system configurations, as well as security issues related to policy and compliance. This proactive approach to security -- eliminating vulnerabilities rather than thwarting attacks -- allows the DoD to better secure the vital digital assets under its purview. The eEye/DigitalNet IAVM solution offered to DISA includes an integrated family of vulnerability management solutions to help DoD safeguard their digital assets. This solution will dramatically mitigate the DoD's risk from attack and significantly reduce the likelihood that potential attacks can penetrate its networks and cause security breaches and financial loss. This solution includes Retina(R) Network Security Scanner and REM(TM) Security Management Console. eEye's flagship product, the Retina Network Security Scanner, leads the industry in accuracy, its ability to scan enterprise networks without crashing systems and its open, modular architecture, making it the easiest product on the market to deploy, use and integrate with existing enterprise applications. "The DoD will represent one of the largest deployments of vulnerability management software anywhere in the world," stated Firas Raouf, eEye's COO. "eEye's industry-leading accuracy, scale and ease of integration with large networks make us ideally suited for this type of implementation. Already, our unique approach to network security has resulted in over 7,500 customer deployments worldwide." About eEye Digital Security eEye Digital Security is a leading developer of security software and an active contributor to network security research and education. eEye provides complete vulnerability management solutions that address the full lifecycle of security threats: before, during, and after attacks. eEye's award-winning products include vulnerability assessment, vulnerability prevention and vulnerability forensics solutions. 
eEye protects the networks and digital assets of more than 2,500 corporate and government entities in over eighty countries, including AT&T Wireless, Avon, Citigroup, Continental Airlines, Dow Jones, Ernst & Young, Prudential, Viacom, and Wyeth. Founded in 1998, eEye is a privately held, venture-backed firm with headquarters in Orange County, Calif. For more information, visit www.eeye.com.

From isn at c4i.org Thu Jun 24 07:34:46 2004 From: isn at c4i.org (InfoSec News) Date: Thu Jun 24 07:56:16 2004 Subject: [ISN] Secunia Weekly Summary - Issue: 2004-26 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2004-06-17 - 2004-06-24 This week : 44 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3..............................This Week's Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: New Features at Secunia.com Secunia has implemented various statistical features at the websites for both Secunia advisories and Virus Information. Secunia Advisories Statistics: http://secunia.com/advisory_statistics/ Examples of Specific Product Statistics: http://secunia.com/product/11/ (Internet Explorer 6) http://secunia.com/product/761/ (Opera 7.x) http://secunia.com/product/1480/ (Mozilla 1.3) Secunia Virus Information Statistics: http://secunia.com/virus_statistics/ Furthermore, Secunia has made it possible for you to include all graphs available at secunia.com on your own website.
This is described in detail at: http://secunia.com/secunia_image_inclusion/ ======================================================================== 2) This Week in Brief: ADVISORIES: Luigi Auriemma has again found a vulnerability in the very popular Unreal Engine, which can be exploited to compromise users' systems. The Unreal Engine is used in many different First Person Shooter games. A complete list of affected games was provided by Luigi Auriemma and is also available in the Secunia advisory below. Reference: http://secunia.com/SA11900 -- Various Firewall products from Symantec have been proven vulnerable to DNS cache poisoning. This can be exploited to insert fake information in the DNS cache, which can be used to direct users to malicious web sites or just prevent them from accessing certain web sites. Symantec has released hotfixes for the affected products. Reference: http://secunia.com/SA11888 VIRUS ALERTS: During the last week, Secunia issued one MEDIUM RISK virus alert. Please refer to the grouped virus profile below for more information: Korgo.R - MEDIUM RISK Virus Alert - 2004-06-24 07:07 GMT+1 http://secunia.com/virus_information/10219/korgo.r/ ======================================================================== 3) This Week's Top Ten Most Read Advisories: 1. [SA11793] Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities 2. [SA11900] Unreal Engine "secure" Query Buffer Overflow Vulnerability 3. [SA11856] Mozilla Browser Address Bar Spoofing Weakness 4. [SA11901] Opera Address Bar Spoofing Security Issue 5. [SA11830] Internet Explorer Security Zone Bypass and Address Bar Spoofing Vulnerability 6. [SA11888] Symantec Various Firewall Products DNS Proxy Cache Poisoning Vulnerability 7. [SA11072] IBM Access Support ActiveX Controls Various Insecure Methods 8. [SA10395] Internet Explorer URL Spoofing Vulnerability 9. [SA11877] IPsec-Tools Denial of Service and Certificate Validation Vulnerabilities 10.
[SA11914] Microsoft MN-500 Multiple Connections Denial of Service ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA11895] Snitz Forums 2000 "register.asp" Email Field Script Insertion Vulnerability UNIX/Linux: [SA11917] Gentoo update for apache [SA11889] Gentoo update for squid [SA11887] SuSE update for subversion [SA11922] Gentoo update for IPsec-Tools [SA11918] SqWebMail "print_header_uc()" Function Script Insertion Vulnerability [SA11933] Fedora update for dhcp [SA11929] SuSE update for dhcp/dhcp-server [SA11927] Mandrake update for dhcp [SA11923] ISC DHCP Buffer Overflow Vulnerabilities [SA11907] Debian update for rlpr [SA11906] rlpr "msg()" Function Buffer Overflow and Format String Vulnerabilities [SA11904] Debian update for sup [SA11898] SUP Logging Functionality Format String Vulnerabilities [SA11910] IRCD-Hybrid / ircd-ratbox Socket Dequeuing Denial of Service Vulnerability [SA11909] Fedora update for libpng [SA11908] Red Hat update for libpng [SA11896] Gentoo update for usermin [SA11890] Gentoo update for aspell [SA11897] GNU Radius SNMP Invalid OID Denial of Service Vulnerability [SA11932] Mandrake update for kernel [SA11924] cplay Insecure Temporary File Creation Vulnerability [SA11921] Conectiva update for kernel [SA11916] EnGarde update for kernel [SA11905] Debian update for super [SA11903] Debian update for www-sql [SA11902] WWW-SQL Include Command Buffer Overflow Vulnerability [SA11899] super Unspecified Format String Vulnerability [SA11893] HP-UX xfs Privilege Escalation Vulnerability [SA11892] Red Hat update for kernel [SA11891] Linux Kernel Various Drivers Userland Pointer Dereference Vulnerabilities [SA11930] Sun Solaris Basic Security Module Denial of Service Vulnerability [SA11926] rssh File Existence Information Disclosure Weakness Other: [SA11919] D-Link DI-614+ AirPlus DHCP Script Insertion Vulnerability [SA11912] Infoblox DNS One Script Insertion Vulnerability [SA11914] 
Microsoft MN-500 Multiple Connections Denial of Service [SA11913] Netgear FVS318 Multiple Connections Denial of Service [SA11911] Linksys BEFSR41 Connection Handling Denial of Service [SA11915] nCipher netHSM Logfile Pass Phrase Disclosure Cross Platform: [SA11900] Unreal Engine "secure" Query Buffer Overflow Vulnerability [SA11920] PHP-Nuke Multiple Vulnerabilities [SA11894] phpMyChat Multiple Vulnerabilities [SA11888] Symantec Various Firewall Products DNS Proxy Cache Poisoning Vulnerability [SA11901] Opera Address Bar Spoofing Security Issue ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA11895] Snitz Forums 2000 "register.asp" Email Field Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2004-06-21 Pete Foster has reported a vulnerability in Snitz Forums 2000, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/11895/ UNIX/Linux:-- [SA11917] Gentoo update for apache Critical: Highly critical Where: From remote Impact: System access, DoS Released: 2004-06-22 Gentoo has issued an update for apache. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11917/ -- [SA11889] Gentoo update for squid Critical: Highly critical Where: From remote Impact: System access Released: 2004-06-17 Gentoo has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11889/ -- [SA11887] SuSE update for subversion Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-06-17 SuSE has issued an update for subversion. 
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11887/ -- [SA11922] Gentoo update for IPsec-Tools Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-06-23 Gentoo has issued an update for ipsec-tools. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11922/ -- [SA11918] SqWebMail "print_header_uc()" Function Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2004-06-22 Luca Legato has reported a vulnerability in SqWebMail, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/11918/ -- [SA11933] Fedora update for dhcp Critical: Moderately critical Where: From local network Impact: System access, DoS Released: 2004-06-24 Fedora has issued an update for dhcp. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11933/ -- [SA11929] SuSE update for dhcp/dhcp-server Critical: Moderately critical Where: From local network Impact: DoS, System access Released: 2004-06-23 SuSE has issued an update for dhcp/dhcp-server. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a Denial of Service or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11929/ -- [SA11927] Mandrake update for dhcp Critical: Moderately critical Where: From local network Impact: DoS, System access Released: 2004-06-23 MandrakeSoft has issued an update for dhcp. 
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11927/ -- [SA11923] ISC DHCP Buffer Overflow Vulnerabilities Critical: Moderately critical Where: From local network Impact: DoS, System access Released: 2004-06-23 Two vulnerabilities have been reported in DHCP, which potentially can be exploited by malicious people to cause a Denial of Service or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11923/ -- [SA11907] Debian update for rlpr Critical: Moderately critical Where: From local network Impact: System access Released: 2004-06-21 Debian has issued an update for rlpr. This fixes some vulnerabilities in rlpr, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11907/ -- [SA11906] rlpr "msg()" Function Buffer Overflow and Format String Vulnerabilities Critical: Moderately critical Where: From local network Impact: System access Released: 2004-06-21 Jaguar has reported some vulnerabilities in rlpr, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11906/ -- [SA11904] Debian update for sup Critical: Moderately critical Where: From local network Impact: System access Released: 2004-06-21 Debian has issued an update for sup. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11904/ -- [SA11898] SUP Logging Functionality Format String Vulnerabilities Critical: Moderately critical Where: From local network Impact: System access Released: 2004-06-21 Jaguar has reported a vulnerability in sup, which potentially can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/11898/ -- [SA11910] IRCD-Hybrid / ircd-ratbox Socket Dequeuing Denial of Service Vulnerability Critical: Less critical Where: From remote Impact: DoS Released: 2004-06-22 Erik Sperling Johansen has reported a vulnerability in IRCD-Hybrid and ircd-ratbox, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11910/ -- [SA11909] Fedora update for libpng Critical: Less critical Where: From remote Impact: DoS Released: 2004-06-21 Full Advisory: http://secunia.com/advisories/11909/ -- [SA11908] Red Hat update for libpng Critical: Less critical Where: From remote Impact: DoS Released: 2004-06-21 Full Advisory: http://secunia.com/advisories/11908/ -- [SA11896] Gentoo update for usermin Critical: Less critical Where: From remote Impact: Security Bypass, DoS Released: 2004-06-21 Gentoo has issued an update for usermin. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/11896/ -- [SA11890] Gentoo update for aspell Critical: Less critical Where: From remote Impact: System access Released: 2004-06-18 Gentoo has issued an update for aspell. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/11890/ -- [SA11897] GNU Radius SNMP Invalid OID Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2004-06-22 A vulnerability has been reported in GNU Radius, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/11897/ -- [SA11932] Mandrake update for kernel Critical: Less critical Where: Local system Impact: Exposure of sensitive information, DoS Released: 2004-06-24 MandrakeSoft has issued an update for the kernel. This fixes two vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain knowledge of sensitive information. Full Advisory: http://secunia.com/advisories/11932/ -- [SA11924] cplay Insecure Temporary File Creation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation, DoS Released: 2004-06-23 Martin Michlmayr has reported a vulnerability in cplay allowing malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/11924/ -- [SA11921] Conectiva update for kernel Critical: Less critical Where: Local system Impact: Exposure of sensitive information, Privilege escalation, DoS Released: 2004-06-23 Conectiva has issued an update for the kernel. This fixes two vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service), gain knowledge of sensitive information, or gain escalated privileges. Full Advisory: http://secunia.com/advisories/11921/ -- [SA11916] EnGarde update for kernel Critical: Less critical Where: Local system Impact: Exposure of sensitive information, DoS Released: 2004-06-22 Guardian Digital has issued an update for the kernel. This fixes two vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain knowledge of sensitive information. Full Advisory: http://secunia.com/advisories/11916/ -- [SA11905] Debian update for super Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-06-21 Debian has issued an update for super. This fixes a vulnerability, which can be exploited by certain local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11905/ -- [SA11903] Debian update for www-sql Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-06-21 Debian has issued an update for www-sql. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/11903/ -- [SA11902] WWW-SQL Include Command Buffer Overflow Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-06-21 Ulf Härnhammar has reported a vulnerability in WWW-SQL, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/11902/ -- [SA11899] super Unspecified Format String Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-06-21 Max Vozeler has reported a vulnerability in super, which can be exploited by certain local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/11899/ -- [SA11893] HP-UX xfs Privilege Escalation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-06-18 watercloud has reported a vulnerability in HP-UX, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/11893/ -- [SA11892] Red Hat update for kernel Critical: Less critical Where: Local system Impact: Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS Released: 2004-06-21 Red Hat has issued an update for the kernel. This fixes various vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service), disclose kernel memory, or gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11892/

--
[SA11891] Linux Kernel Various Drivers Userland Pointer Dereference Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Exposure of system information, Exposure of sensitive information, Privilege escalation
Released: 2004-06-21

Vulnerabilities have been discovered in various drivers for the Linux kernel, which can be exploited by malicious, local users to disclose kernel memory or gain escalated privileges.

Full Advisory: http://secunia.com/advisories/11891/

--
[SA11930] Sun Solaris Basic Security Module Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2004-06-23

A vulnerability has been discovered in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/11930/

--
[SA11926] rssh File Existence Information Disclosure Weakness
Critical: Not critical
Where: Local system
Impact: Security Bypass, Exposure of system information
Released: 2004-06-23

William F. McCaw has discovered a weakness in rssh, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/11926/

Other:

--
[SA11919] D-Link DI-614+ AirPlus DHCP Script Insertion Vulnerability
Critical: Moderately critical
Where: From local network
Impact: Cross Site Scripting
Released: 2004-06-22

Gregory Duchemin has reported a vulnerability in D-Link DI-614+ AirPlus, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/11919/

--
[SA11912] Infoblox DNS One Script Insertion Vulnerability
Critical: Moderately critical
Where: From local network
Impact: Cross Site Scripting
Released: 2004-06-21

Gregory Duchemin has reported a vulnerability in DNS One, potentially allowing malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/11912/

--
[SA11914] Microsoft MN-500 Multiple Connections Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-06-21

Paul Kurczaba has reported a security issue in Microsoft MN-500, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/11914/

--
[SA11913] Netgear FVS318 Multiple Connections Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-06-21

Paul Kurczaba has reported a security issue in Netgear FVS318, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/11913/

--
[SA11911] Linksys BEFSR41 Connection Handling Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-06-21

Paul Kurczaba has reported a security issue in Linksys BEFSR41, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/11911/

--
[SA11915] nCipher netHSM Logfile Pass Phrase Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of system information, Exposure of sensitive information
Released: 2004-06-22

A security issue has been reported in nCipher netHSM, which may disclose sensitive information to malicious, local users.

Full Advisory: http://secunia.com/advisories/11915/

Cross Platform:

--
[SA11900] Unreal Engine "secure" Query Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-06-22

Luigi Auriemma has reported a vulnerability in the Unreal Engine, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11900/

--
[SA11920] PHP-Nuke Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released: 2004-06-23

Janek Vind has reported some vulnerabilities in PHP-Nuke, potentially allowing malicious people to reveal sensitive information, conduct cross-site scripting, script insertion, and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/11920/

--
[SA11894] phpMyChat Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Released: 2004-06-18

HEX has reported a vulnerability in phpMyChat, which can be exploited by malicious people to bypass authentication, conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/11894/

--
[SA11888] Symantec Various Firewall Products DNS Proxy Cache Poisoning Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Spoofing, Manipulation of data
Released: 2004-06-18

fryxar has discovered a vulnerability in various Symantec firewall products, which can be exploited by malicious people to poison the DNS cache.

Full Advisory: http://secunia.com/advisories/11888/

--
[SA11901] Opera Address Bar Spoofing Security Issue
Critical: Less critical
Where: From remote
Impact: Spoofing
Released: 2004-06-22

bitlance winter has reported a security issue in the Opera browser, which potentially can be exploited by malicious people to conduct phishing attacks against a user.

Full Advisory: http://secunia.com/advisories/11901/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Thu Jun 24 07:35:02 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 24 07:56:17 2004
Subject: [ISN] Feds urge secrecy over network outages
Message-ID:

http://www.securityfocus.com/news/8966

By Kevin Poulsen
SecurityFocus
June 23 2004

Giving the public too many details about significant network service outages could present cyberterrorists with a "virtual road map" to targeting critical infrastructures, according to the U.S. Department of Homeland Security, which this month urged regulators to keep such information secret.

At issue is an FCC proposal that would require telecom companies to report significant outages of high-speed data lines or wireless networks to the commission. The plan would rewrite regulations that currently require phone companies to file a publicly-accessible service disruption report whenever they experience an outage that affects at least 30,000 telephone customers for 30 minutes or more.

Enacted in the wake of the June 1991 AT&T long-distance crash, the FCC credits the rule with having reversed a trend of increased outages on the phone network, as telecom companies used the disclosures to develop best practices and learn from each others' mistakes. The commission is hoping for similar results on the wireless and data networks that have become integral to the U.S. economy and emergency response capability.
The proposal would expand the landline reporting requirement to wireless services, and generally measure the impact of a telecom outage by the number of "user minutes" lost, instead of the number of customers affected. It would also require telecom and satellite companies to start issuing reports when high-speed data lines suffer significant outages: specifically, whenever an outage of at least 30 minutes duration affects at least 1,350 "DS3 minutes." A DS3 line carries 45 megabits per second, the equivalent of 28 DS1 or T1 lines.

The reports would include details like the geographic area of the outage, the direct causes of the incident, the root cause, whether or not there was malicious activity involved, the name and type of equipment that failed, and the steps taken to prevent a reoccurrence, among other things.

To the Department of Homeland Security, that's a recipe for disaster.

"While this information is critical to identify and mitigate vulnerabilities in the system, it can equally be employed by hostile actors to identify vulnerabilities for the purpose of exploiting them," the DHS argued in an FCC filing this month. "Depending on the disruption in question, the errant disclosure to an adversary of this information concerning even a single event may present a grave risk to the infrastructure."

If the FCC is going to mandate reporting, the DHS argued, it should channel the data to a more circumspect group: the Telecom ISAC (Information Sharing and Analysis Center), an existing voluntary clearinghouse for communications-related vulnerability information, whose members include several government agencies and all the major communications carriers. Data exchanged within the Telecom-ISAC is protected from public disclosure.

"[T]he ultimate success of our critical infrastructure protection effort depends, in large part, not merely on having the necessary information, but on having it available when and where it is most needed," the DHS argues.
The FCC hasn't ruled on the matter. Telecom companies are generally against the proposed new reporting requirements, arguing that the industry's voluntary efforts are sufficient.

From isn at c4i.org Thu Jun 24 07:35:14 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 24 07:56:18 2004
Subject: [ISN] Security qualification makes the grade
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,94042,00.html

By John E. Dunn
JUNE 23, 2004
TECHWORLD.COM

LONDON -- IT departments looking to hire new staff will be interested to learn that one of the world's leading security qualifications, the CISSP (certified information systems security professional), has become the first in the industry to meet the new ISO/IEC 17024 standard.

The 17024 benchmark was launched last year by the International Standards Organization as a way of assessing whether qualifications across a range of professions could demonstrate minimum standards. Despite its drab name, it's a good example of the way in which professional qualifications -- and those affecting IT and security in particular -- are increasingly coming under international scrutiny.

The CISSP security qualification, awarded by the not-for-profit industry consortium (ISC)2, is held by 25,000 IT staff globally. Passing the test requires taking a six-hour exam that marks candidates on their understanding of broad-based security concepts, and is only open to professionals with at least four years' experience.

"Qualifications are important but they're not the be all and end all. But if I interview someone with a CISSP, I know they have a baseline of knowledge," said (ISC)2 president John Colley. He stressed that it wasn't designed to rival vendor-specific qualifications such as Cisco Systems Inc.'s CCNP or Microsoft Corp.'s MCSE, but instead to provide a higher-level equivalent that demonstrated knowledge of a range of systems.
Such qualifications would become more important as security moved to the center of the IT department and with staff increasingly hired on the basis of their proven security knowledge, Colley said. The CISSP was unlikely to become a necessity to getting a security job, but he suggested it was establishing itself as necessary for those members of the IT team tasked with hiring other security staff in industries such as banking.

From isn at c4i.org Thu Jun 24 07:35:27 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 24 07:56:19 2004
Subject: [ISN] Top Navy officials say security will not be compromised in new network
Message-ID:

http://www.govexec.com/dailyfed/0604/062304d1.htm

By David McGlinchey
dmcglinchey@govexec.com
June 23, 2004

One of the primary benefits of the Navy Marine Corps Intranet project is a dramatic improvement in network security, Navy officials said.

That additional security, however, is also hampering the seamless development of the $8 billion network, according to Navy Secretary Gordon England, who spoke at the 2004 NMCI Industry Symposium in New Orleans.

"A lack of security was probably the most deficient aspect of our legacy networks," England said.

A system that does not contain classified information could be fielded without as many delays, but the Navy does not have that option. Many Navy personnel, he said, "do not like the compromises that we make for security, but security is paramount."

During a speech to the symposium, England praised the NMCI effort and said it offers a variety of capabilities, including better tracking of IT expenses and more effective communications and management.

The network, which is being developed by prime contractor EDS, is currently the largest intranet in the world with hundreds of thousands of Navy and Marine Corps personnel connected.
NMCI has suffered from substantial delays since its inception in October 2000 and some military leaders at the New Orleans conference have criticized the network for poor connectivity and slow delivery. Other service officials say NMCI customer satisfaction overall is high, and some problems are to be expected with the development and fielding of a massive information technology system.

Navy Rear Adm. Charles Munns, who is leading the NMCI effort, said military and industry officials should now focus on stepping up the development of the system. They must "maintain that security, but increase the speed," Munns said.

England also directed a statement to Navy and Marine Corps personnel who are disgruntled with what they see as stringent security and slow rollout of the new network.

"We're not going to change the system. Our users have to get used to this," he said.

England appealed to service members to embrace NMCI. "People forget where we were before NMCI. We cannot go back to where we were five years ago."

From isn at c4i.org Thu Jun 24 07:35:42 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 24 07:56:21 2004
Subject: [ISN] AOL Employee Charged in Theft Of Screen Names
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A860-2004Jun23.html

[The Smoking Gun has the amended complaint at: http://www.thesmokinggun.com/archive/0623042aol1.html - WK]

By Jonathan Krim and David A. Vise
Washington Post Staff Writers
June 24, 2004

A 24-year-old software engineer at America Online Inc. was arrested yesterday on federal charges that he hacked into the company's computers to steal 92 million e-mail addresses that were later sold and used to bombard AOL members with spam.

Jason Smathers, who worked at the company's Dulles headquarters, is accused of illegally obtaining the e-mail addresses of nearly all of the Internet provider's customers in May 2003.
Smathers allegedly sold the names for $100,000 to Sean Dunaway, 21, who ran an Internet gambling business in Las Vegas, prosecutors said. Dunaway then sold the list to unidentified spammers, who used it early this year to send millions of e-mails peddling herbal penile enhancement products, according to a criminal complaint filed in federal court in the Southern District of New York.

Smathers, who became an AOL employee in 1999, obtained other AOL member information as well, including telephone numbers, Zip codes and types of credit cards used by members, though not credit card numbers, according to the complaint. The company said those numbers are stored in a separate, secure facility.

The revelations come as AOL and other Internet providers have ramped up their efforts to track down the purveyors of spam, which has grown into a maddening scourge that costs consumers and businesses billions of dollars a year.

"I am very, very angry about this," said Jonathan F. Miller, AOL's chief executive, in an e-mail to employees yesterday. "We will absolutely not tolerate wrongdoing by employees. . . . We will do everything we can to uncover abuse and assist law enforcement in prosecuting it."

The company, which helped investigators surreptitiously monitor Smathers for the past two months, said in a statement that it is reviewing and strengthening its internal controls.

AOL uncovered the scheme after it filed suit in March against another spammer. In the course of that case, a source told an AOL official that one of its employees was stealing screen names from the company and selling them to a third party.

According to prosecutors, Smathers was not authorized to access AOL's customer database, which can be viewed by only a small number of employees and is "housed" in secure computers.
But in May 2003, Smathers used the computerized employee identification code of another AOL worker to gain entry to the data and compile the lists of AOL's roughly 30 million users, many of whom maintain more than one screen name.

"I think I found the member database," Smathers wrote in an instant message to an unidentified person who used the handle The Brews. "There are going to be millions of them so, will take time to extract. I will do them a chunk at a time."

The text of the instant message was in an e-mail found by investigators, including Secret Service members, on a company laptop belonging to Smathers. Computer logs also showed that Smathers apparently was able to get access to the data from his home in Harpers Ferry, W. Va.

The informant who alerted AOL to the scheme told investigators that roughly a month after Smathers accessed the data, Dunaway sold him the 92 million names in 26 separate blocks, one for each letter of the alphabet, for $52,000. He provided investigators with CD-ROMs containing the lists, which matched the way the data was stored by AOL.

The source told investigators that early this year he bought a revised list from Dunaway for roughly $32,500. That list was much smaller, about 18 million screen names, and Dunaway said it was more up to date and "a more risky proposition for his AOL insider to obtain" because it had other subscriber data, according to the complaint.

Prosecutors said Dunaway boasted that spamming for his Internet gambling business was earning between $10,000 and $20,000 a day.

Smathers was arrested yesterday morning at his home, made an initial appearance in federal court in Alexandria and was held in jail overnight, pending a detention hearing scheduled for today. He was assigned a public defender, who declined to comment. Dunaway was arrested yesterday at his home in Las Vegas.
The charges against both men include conspiring to transport stolen goods across state lines, gaining unauthorized access to computers and sending out deceptive bulk e-mail with disguised origins. Each man faces a maximum sentence of five years in prison and a fine of $250,000.

The government said that the source was cooperating in hopes of winning leniency and that his information has been independently corroborated.

"It is a very disturbing fact of life that an employee with criminal intentions can betray our members' trust by working around systems and procedures that are in place to protect data from disclosure," AOL said in a statement.

Staff writer Jerry Markon contributed to this report

From isn at c4i.org Fri Jun 25 09:05:46 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 25 09:22:16 2004
Subject: [ISN] Police: Thief was unaware of laptop's secret data
Message-ID:

http://www.haaretz.com/hasen/spages/443144.html

By Roni Singer and Tsahar Rotem
June 25, 2004

The thief who stole a laptop containing sensitive information on undercover police agents was apparently unaware of its contents, so the information probably remains uncompromised, police sources said yesterday.

Nevertheless, Major General Ilan Franco, the head of the police intelligence division, yesterday ordered all operations involving undercover agents frozen until Sunday, to enable further examination of the data in the laptop and its possible ramifications.

The laptop was stolen overnight Tuesday from the Herzliya residence of a police psychologist working for the intelligence department. The thieves also took the officer's car, which bore police license plates, and various other items. The laptop was recovered in the West Bank city of Tul Karm less than 24 hours later. Contrary to previous reports, the Shin Bet security service was not involved in the recovery.
The Sharon District Police intelligence unit maintains its own network of contacts in the West Bank, primarily in Tul Karm and Qalqilyah, as stolen goods from that part of Israel often end up in that part of the territories. This network was activated to discover the laptop's whereabouts.

The intelligence unit's sources soon located the laptop in Tul Karm, and at that point, the effort to recover it began. The police's informants in the territories employed intermediaries to offer to buy the computer from the thief, so that neither the thief nor the intermediaries would know the police force was the real customer. Police said no negotiations were held over the price; the buyer was simply instructed to pay the asking price, which was NIS 5,000.

Sources in the intelligence unit insisted yesterday that no sensitive information was stored on the laptop: it contained psychological evaluations of current and potential agents, but these included neither the agents' names nor any other identifying details, and also gave no details of their methods of operation. Other senior police officers, however, said this was not uniformly true; some of the evaluations did contain names or other identifying details.

Nevertheless, the police got lucky: The thief apparently wiped the computer's memory almost immediately so he would be able to sell it as new. This means the information was very probably not compromised, and also indicates that the laptop was not stolen for its information, but was merely taken in the course of an ordinary theft. This theory is also bolstered by the modest price for which the thief sold it back. "If he had known [how important it was], the price would have been much higher," said one police source.

Police intelligence sources added that they have received no information indicating that any of the agents is in danger. Nevertheless, they said, there is as yet no guarantee that the thief did not copy the information before erasing it.
Police were apparently able to reconstruct the wiped memory files, so the missing data will not impair future police operations.

Police are now seeking to arrest the thief and his accomplices. They have not yet decided whether to file disciplinary charges against the psychologist for keeping sensitive information at home instead of securing it properly.

From isn at c4i.org Fri Jun 25 09:06:00 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 25 09:22:18 2004
Subject: [ISN] Hackers Attack Through Popular Web Sites
Message-ID:

http://www.pcworld.com/news/article/0,aid,116689,00.asp

By James Niccola, Paul Roberts and Martyn Williams
IDG News Service
June 25, 2004

Internet users visiting some of the most popular sites on the Web may unwittingly be downloading malicious code that compromises their computers and sets up a relay network for a future onslaught of spam, a security services company warns.

NetSec, which provides managed security services for large businesses and government agencies, began detecting suspicious traffic on several of its customers' networks on Thursday morning, says Chief Technology Officer Brent Houlahan.

Examining firewall logs and other data points on those networks, NetSec found that when users visit certain popular Web sites--including an online auction, a search engine, and a comparison shopping site--they unwittingly download a piece of malicious JavaScript code attached to an image or graphics file on the site.

Without the user's knowledge, the code connects their PC to one of two IP addresses in North America and Russia. From those systems they unknowingly download a piece of malicious code that appears to install a keystroke reader and probably some other malicious code on the computer, Houlahan says. The code may be gathering the addresses of Web sites visited by affected users and the passwords used to access them.
In addition, the IP address in Russia is a known source of spam, and the code may be creating a network of infected machines that could be used to relay spam across the Internet at some later date, he says.

Under Investigation

He stressed that NetSec is still examining the code and has yet to determine the exact payload or the intent of the attack.

The SANS Institute's Storm Center is also studying the outbreak and has found that the code surreptitiously downloads and installs a Trojan horse program named msits.exe, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Center. Ullrich did not specify what functions are performed by the msits.exe Trojan.

NetSec declines to name the affected Web sites for liability reasons but says they are "big, big sites." It is probably the Web hosting facilities that cache content for those sites that are infected, rather than the "origin servers" at the Internet service providers themselves, Houlahan says.

"The tricks used in this particular attack method are nothing new. What's significant about this is the fact that it impacts major Web hosting facilities," says Dan Frasnelli, who manages NetSec's technical assistance center.

The attack affects only users running Microsoft's Windows operating system and Internet Explorer browser, he says. It was unclear Thursday how the attack originated, but it may exploit a known vulnerability in Microsoft's IIS (Internet Information Services) Web Server software at the Web hosting facilities, Frasnelli says.

The U.S. Computer Emergency Response Team (CERT) called on system administrators running IIS version 5 to verify that there is no unusual JavaScript appended to the bottom of pages served by their system.

Widespread Problem?

It was also unclear Thursday afternoon how many systems had been compromised and how widespread the problem was.
NetSec says it had protected its own customers by writing custom intrusion detection signatures and blocking its customers' PCs from visiting the IP addresses involved in the attack.

"There's a potential for widespread impact because currently the [antivirus] vendors don't have a signature for it," Frasnelli says.

CERT says the attack is another example of why users must exercise caution when JavaScript is enabled on their systems and recommended it be disabled unless it is absolutely necessary. The group warned even Web servers trusted by the user may be affected by this attack and contain malicious code.

From isn at c4i.org Fri Jun 25 09:06:17 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 25 09:22:19 2004
Subject: [ISN] Stephen Northcutt needs your help
Message-ID:

Forwarded from: Stephen Northcutt

Hello,

This note is intended for U.S. citizens and is a personal note from Stephen Northcutt.

For the past few weeks CERT and SEI, DoD government funded organizations, have been purchasing google adwords so that when people search for "SANS Training" they see an advertisement for CERT/SEI's network manager course. I have a couple of concerns about this.

The first is trademark or brand related, when you search for SANS training, you should get SANS training. Other competing commercial training companies have also engaged in this behavior and when I have written them and asked if this is how they want to be remembered by the security community, they have discontinued this practice. I wrote cert@cert.org a couple weeks ago and they continue this practice.

My second concern is that the government offering the course violates the spirit and letter of OMB A 76. "Two of the key principles of Circular A-76 has always been that "in the process of governing, the Government should not compete with its citizens" and that "a commercial activity is not a governmental function."
http://www.whitehouse.gov/omb/circulars/a076/comments/a76-289.pdf

The course:
http://www.sei.cmu.edu/products/courses/cert/infosec-net-mgrs.html

The funding:
http://www.sei.cmu.edu/about/about.html
http://www.cert.org/faq/cert_faq.html#A4

My third concern is the amount of tax we pay as citizens. The government is in the process of authorizing about 481 billion dollars for DoD spending. The Department of Defense clearly has too much money if they can afford to create training that mirrors material widely available from SANS, MISTI, CSI, Intense School and other training organizations. I believe the money spent on CERT, SEI and the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics should each be reduced by at least 10% immediately.

So I am asking for your help. If you agree with me please write your congress person and either use this note as a base or write your own. I would be honored if you would copy me, Stephen@sans.org.

If you don't agree with me, or don't want to help me, that is fine, but before you send me a knee jerk email flame would you do three things. Look at your last paycheck stub and remind yourself how much tax you pay, second, consider the impact of the U.S. deficit (http://www.brillig.com/debt_clock/ ) and finally think about how you would feel if the government decided to compete in a disreputable manner with a course that took you months to write, SANS Security Leadership. After that, if you disagree with me, I would love to hear what you have to say.

So please help me and write your congressman and tell them your home address, make sure they know you vote and you agree that the government has no business wasting taxpayer money competing with a course Stephen Northcutt does a better job of anyway.

To find your representative:
http://www.house.gov/writerep/

To find your congressional representative, the best link I could find is:
http://www.senate.gov/

Thank you for taking the time to help!
Needless to say, I write this note as a private citizen and the author of SANS Security Leadership and am certain this note does not reflect the collective views and opinions of The SANS Institute.

Stephen Northcutt
Stephen@sans.org
(808) 823-1375

From isn at c4i.org Fri Jun 25 09:06:34 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 25 09:22:20 2004
Subject: [ISN] LayerOne Hacking Exposed
Message-ID:

Forwarded from: The LayerOne Staff @ layerone.info

How Tom's Hardware Guide Got It All Wrong

There's that well worn saying that declares "There's no such thing as bad press." After seeing all the traffic that Tom's Hardware Guide drove to the LayerOne site yesterday, we'd almost be ready to agree. We pulled in almost 6000 unique visitors yesterday. That's four times the amount of traffic we picked up from a mention on Slashdot the day before. To be honest, anyone should be satisfied with this sort of buzz. We know we are. But we're also disappointed with the reasons why people are flocking to the site.

The article [1] on Tom's Hardware Guide, borders on sensationalist journalism. Despite having things clarified to the author in both public and private forums, the article still ran with a slew of half-truths and included events that were altogether unrelated to the conference.

The first and perhaps most distressing portrayal that the article made is that LayerOne is yet another hacker conference. While it's nice to be listed amongst the ranks of Defcon and Toorcon, we've strived really hard to make LayerOne its own beast. Sure the inspiration for LayerOne came from ToorCon, but we also pulled ideas and inspiration from events like CodeCon and O'Reilly's Emerging Tech. As Danny O'Brien said in the intro to NTK's NotCon the weekend prior to LayerOne, the whole idea of the conference was to "cross the streams".
After hearing Justin Mason say that he picked up a few good ideas for Spamassassin while talking with some folks at the conference we knew we were on to something. In fact we think there's a new breed of conferences on the horizon. One where open source coders can mingle with the people who look for security vulnerabilities. One where spam fighters can mingle with biology majors to go off on the tangent of treating junk email as a virus. One where people who want to take a look at the amazing new stuff people are working on but can't justify paying $1000 a head to do so. That was the whole concept for LayerOne: Make it cool. Encourage growth and exploration. Keep it cheap. We think we're on our way to doing that - but being dismissed as a hacker con sort of takes the wind out of our sails.

Now, before we lose focus on why we're here we have a few more reflections on the THG article that we found to be less than pleasing. To his merit, the author does a moderately decent job converting three talks into Reader's Digest-style summaries. Only towards the end of Dan Kaminsky's talk does he overreach a bit by trying to draw a dotted line between the Akamai DNS outage on June 16th, 2004 and Dan's talk. Dan hasn't released any of the tools used in his talk yet, and if one actually sat in on his talk you'd know the last thing any of the tools could be used for would be to launch a Denial of Service attack. Even if the author didn't make that claim outright, he seemed to make an affront to something sinister.

Finally, to clarify some things, the Irvine Underground party where there was apparently a wrestling match between attendees was not a sanctioned LayerOne event. We had no altercations between attendees at the actual conference, but we didn't really expect any either.
Even though the author claims that we may never know why the hotel's fire alarm was tripped twice on Sunday the answer is actually simple; A piece of paper had fallen over on the exhaust vent on the hotel's sauna. It wasn't any malicious hackers or miscreant kids causing trouble as the author suggests. It was a piece of paper and some wind. This was also explained to the author but he seemed to not report it. I guess the truth is boring. Still, the saddest part of all of this is the author seems to have a thing for blowing things out of proportion. He said "The rumors will morph into something outrageous by next year." in a public forum [2] as if it were some sort of consolation. The author of the article seems to think that spreading rumors and disinformation will actually do us some sort of favor. If that was the type of event we were trying to put on, perhaps it would assist us in some way. But we're not looking for those types of favors, nor are we attempting to address the crowd he seems to think we are. We thank you for taking the time out of your busy day to give us a few minutes to set things straight. Your Servants, The LayerOne Staff [1] http://www.tomshardware.com/business/20040622/index.html [2] http://forum.defcon.org/showpost.php?p=46982&postcount=12 From isn at c4i.org Fri Jun 25 09:06:58 2004 From: isn at c4i.org (InfoSec News) Date: Fri Jun 25 09:22:21 2004 Subject: [ISN] Feds urge secrecy over network outages Message-ID: Forwarded from: Richard Forno re: Feds urge secrecy over network outages Here's another example of "security through obscurity" being proposed by those in our government without Technology Clue One. While this may give such cluebots a warm-fuzzy feeling about keeping such information away from the public eye -- and "potential terrorists" -- it's a feel-good thumb-in-the-dike solution ... There are any number of other ways to get the same information or monitor our long-haul networks. 
At the very least, affected customers would complain and news would get out to the greater internet community in short order. (Or do they also plan to prohibit third-party network monitoring services and software because their use may "induce" such knowledge to facilitate 'bad' things, ala Sen Hatch's new copyright bill?) This goes back to the debate over disclosure of vulnerabilities, both in cyberspace and the physical world. Remember the post-0911 rush to remove public information about landmarks, utilities, and critical infrastructures that allegedly could be used to "assist" an "adversary"? At the time, those of us with a clue about real security shook our heads in disbelief at the government's unwavering belief this would be an effective countermeasure. Sure, it looked "security-like" to conduct such activities in the name of protecting the homeland, but looking beyond that spin and thinking objectively about the matter you quickly begin to see it did little if anything to really improve security. In his latest book "Beyond Fear", security expert Bruce Schneier calls this kind of thinking "security theater" -- the ongoing desire to present the reassuring illusion of security instead of providing the real thing that works effectively. I call it the Ostrich Security Solution -- the cyber equivalent of sticking one's collective head in the sand and hoping the problem/danger goes away before you look up again. And unfortunately, that's the approach Uncle Sam seems to be taking. Rick -infowarrior.org "But politicians like to panic -- it's their substitute for achievement." 
- Sir Humphrey Appleby From isn at c4i.org Fri Jun 25 09:09:32 2004 From: isn at c4i.org (InfoSec News) Date: Fri Jun 25 09:22:23 2004 Subject: [ISN] Book Review: Network Security Architectures by Sean Convery Message-ID: Forwarded from: Ido Dubrawsky On Wed, Jun 23, 2004 at 06:00:08AM -0500, InfoSec News wrote: > Forwarded from: Gary Hinson > > %T Network Security Architectures - expert guidance on designing secure networks > %A Sean Convery CCIE > %I Cisco Press, IN, USA > %D April 2004 > %G ISBN 158705115X > %P 739 pages > %O $55 from www.amazon.com/exec/obidos/ASIN/158705115X/wwwnoticeborc-20 > > > The book is liberally sprinkled with URLs to useful additional > resources although I fear some of them will be out of date before this > book is out of print (an accompanying reference website might have > been useful, Cisco!). Each chapter concludes with exam-style review > questions (with answers) and further questions intended to stimulate > the reader to think about the material in their local organizational > context. The topic almost inevitably involves loads of acronyms so > thankfully a succinct glossary is included. I wanted to forward this bit of information from Sean Convery (the author of the book) to the list regarding the request for an accompanying reference website for the book: : Thanks for sending the review along. I'm very glad folks are finding : the book useful. One small point of note: the reference website : requested does indeed exist. I reference it in the preface. All the : links in URL form are posted here: : : http://www.seanconvery.com/nsalinks.html : : There's also some other book related stuff off of the root, : including a sample chapter and a repository for errata as we find : it. 
: : Thanks again, : : Sean Ido -- =========================================================================== | Ido Dubrawsky, CISSP E-mail: idubraws@cisco.com | | | Network Security Architect :|: :|: | VSEC Technical Marketing, SAFE Architecture Team :|||: :|||: | Cisco Systems, Inc. .:|||||||:..:|||||||:. | Silver Spring, MD. 20902 =========================================================================== From isn at c4i.org Fri Jun 25 09:10:13 2004 From: isn at c4i.org (InfoSec News) Date: Fri Jun 25 09:22:25 2004 Subject: [ISN] Security UPDATE--Mobile Computing Security Through Obscurity--June 23, 2004 Message-ID: ==================== ==== This Issue Sponsored By ==== Windows & .NET Magazine http://list.winnetmag.com/cgi-bin3/DM/y/egR50CJgSH0CBw0BEuX0Au Implementing Client Security on Windows 2000/XP http://list.winnetmag.com/cgi-bin3/DM/y/egR50CJgSH0CBw0BHGO0A3 ==================== 1. In Focus: Mobile Computing Security Through Obscurity 2. Security News and Features - Recent Security Vulnerabilities - eBook: Preemptive Email Security and Management - News: Audit Reveals Spyware Infestation - News: Secure SMS and Your Passwords 3. Security Toolkit - FAQ - Featured Thread 4. New and Improved - Monitor Your System and Applications - Protect Your Privacy ==================== ==== Sponsor: Windows & .NET Magazine ==== Get 2 Sample Issues of Windows & .NET Magazine! Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Exchange, scripting, and much more. Our expert authors deliver how-to articles and product evaluations that will help you do your job better. Try two, no-risk sample issues today, and find out why 100,000 IT professionals rely on Windows & .NET Magazine each month! http://list.winnetmag.com/cgi-bin3/DM/y/egR50CJgSH0CBw0BEuX0Au ==================== ==== 1. 
In Focus: Mobile Computing Security Through Obscurity ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net I wonder if part of your job as security administrator or manager includes handling mobile phone security? Someone at your company should be tending to that responsibility, especially if employees are storing company information on their phones. Last week, Kaspersky Labs announced the discovery of the first virus to infect mobile phones. The virus, which Kaspersky named Cabir, affects mobile phones that use the Symbian OS. The virus is relatively harmless--its only purpose is to propagate itself, and it does so only to other phones that have Bluetooth enabled and are broadcasting their presence. However, Denis Zenkin, head of Corporate Communications at Kaspersky Labs, said that sooner or later, more malicious forms of mobile phone malware that will possibly destroy or steal data will begin to spread. http://www.viruslist.com/eng/viruslist.html?id=1689517 Since Cabir spreads to mobile phones that broadcast their presence via Bluetooth wireless technology, you might want to configure Symbian to use Bluetooth in an invisible mode that doesn't broadcast the phone's presence. Configure other mobile phone OSs too to prevent any future attacks against them. Using invisible mode is similar to configuring wireless Access Points (APs) to not broadcast their SSID. If an AP broadcasts its SSID, intruders can detect it and use it as a starting point for penetrating your network. Bluetooth invisible mode is also similar to using a firewall, which makes your internal networks invisible to connected networks. These security measures are probably common sense for you, but they might not be for mobile phone users in your organization. You could explain the security needs to users by comparing their Bluetooth-broadcasting mobile phone to a wallet or purse left lying on a car seat while they're out of the car. 
The wallet or purse is essentially begging somebody to break into the car and steal it. A little security through obscurity might save a lot of frustration sooner or later. Some people might disagree, but I think you can gain a fair amount of security by obscuring the presence of anything, whether it be a wallet, purse, or wireless network. Of course, you can gain plenty of security by adding device protection, such as antivirus software for mobile phones, which is available from many antivirus software vendors. And, as I mentioned earlier, you might also consider some configuration changes to your mobile phone OS, particularly disabling Bluetooth broadcasts to make the devices somewhat invisible. If you're interested in other problems with Bluetooth and mobile phones, you might want to read about a few other related vulnerabilities, which are mentioned in a recent Integralis press release. http://www.integralis.co.uk/about_us/press_releases/2004/150604PR.html ==================== ==== Sponsor: Implementing Client Security on Windows 2000/XP ==== Learn the requirements for securing client computers in environments where Windows Server 2003, Windows 2000 and Windows NT 4.0 servers are present. You will also learn how to implement best practices for clients in extreme high-security environments. The session will discuss the use of Group Policy and Administrative Templates to secure Windows 2000 and Windows XP installations and provide guidance on software restriction policies, anti-virus strategies, and distributed firewall technologies. This session also covers configuring Microsoft Office and Internet Explorer to help achieve a secure client environment. Register now! http://list.winnetmag.com/cgi-bin3/DM/y/egR50CJgSH0CBw0BHGO0A3 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. 
You can also find information about these discoveries at http://www.winnetmag.com/departments/departmentid/752/752.html eBook: Preemptive Email Security and Management In this free eBook, author Peter Bowyer details a preventive approach to eliminating spam and viruses, stopping directory harvest attacks, guarding content, and improving email performance. The first two chapters of the book are already online. You can download them in PDF format from our Windows IT Library. http://www.windowsitlibrary.com/ebooks/emailsecurity/index.cfm News: Audit Reveals Spyware Infestation An April audit conducted by EarthLink and Webroot Software scoured 420,761 computer systems. The audit discovered more than 11.3 million instances of spyware and Trojan horse programs installed on the computers. http://www.winnetmag.com/article/articleid/43016/43016.html News: Secure SMS and Your Passwords Microsoft released two new security-related articles that cover Systems Management Server (SMS) environments and user password management. The SMS article, "Scenarios and Procedures for Microsoft Systems Management Server 2003: Security," details security fundamentals, how to secure SMS, and how to maintain SMS security. The password article, "Mind Those Passwords!" addresses the problems many users face in managing numerous passwords. http://www.winnetmag.com/article/articleid/43021/43021.html ==================== ==== Announcements ==== (from Windows & .NET Magazine and its partners) Attend the Black Hat Briefings & Training USA Event - July 24-29, 2004 This is the world's premier technical IT security conference, hosting 2,000 delegates from 30 nations. Featuring 27 hands-on training courses and 10 conference tracks with presentations by security experts and "underground" security specialists. The early-bird registration deadline is July 1! 
http://list.winnetmag.com/cgi-bin3/DM/y/egR50CJgSH0CBw0pHV0Ak The Conference on Securing and Auditing Windows Technologies, July 20-21 New for 2004, The Conference on Securing and Auditing Windows Technologies will be held July 20-21, 2004, at the Fairmont Copley Plaza in Boston, MA. In vendor-neutral sessions on today's hottest topics, you'll get practical strategies for mitigating risk and safeguarding your systems. For more information, call 508-879-7999 or go to: http://list.winnetmag.com/cgi-bin3/DM/y/egR50CJgSH0CBw0BHtU0At Free eBook--"Preemptive Email Security and Management" Chapter 2 available now, "Evolving techniques for eliminating spam, email virus and worm threats." In this eBook, you'll discover a preventive approach to eliminating spam and viruses, stopping directory harvest attacks, guarding content, and improving email performance. Download this eBook today! http://list.winnetmag.com/cgi-bin3/DM/y/egR50CJgSH0CBw0BJJe0AV ==================== ==== 3. Security Toolkit ==== FAQ: How Can I Enable the Security Tab at the Exchange Organization Level? by John Savill, http://www.winnetmag.com/windowsnt20002003faq A. By default, the Security tab isn't displayed on an Exchange organization's properties page. To display the tab, perform these steps: 1. Start the registry editor (regedit.exe). 2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin subkey. 3. From the Edit menu, select New and click DWORD Value. 4. Enter the name ShowSecurityPage and press Enter. 5. Double-click the new value and set it to 1. Click OK. 6. Close the registry editor. The Security tab will now be displayed on the Exchange organization's properties page. On the Security tab, you can turn off the Send As and Receive As deny settings to grant Exchange administrators full access to all mailboxes in the organization. 
Using the Security tab to allow full access is a simpler way to grant administrators access to users' mailboxes than the technique described in the FAQ "How can I configure Microsoft Exchange Server 2003 administrators so that they can access all users' mailboxes?" at the URL below. However, keep in mind that the Security tab lets you grant access only to all mailboxes or none. http://www.winnetmag.com/articles/index.cfm?articleid=42867 Featured Thread: Port Filtering on Windows 2000 Server (One message in this thread) Jeff writes that he needs to tighten security on a Windows 2000 Advanced Server Web server. He wants to allow most UDP traffic, except through ports 161 and 445. He doesn't want to use the OS's IP filtering because it only lets you define allowed ports, not blocked ports, which means that he'd have to manually create a long list of allowed ports. Do you know an easy way to accomplish this task? Lend a hand or read the responses: http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=122412 ==================== ==== Events Central ==== (A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events ) We're Bringing the Experts Directly to You with 2 New IT Pro Workshop Series About Security And Exchange Don't miss two intense workshops designed to give you simple and free tools to better secure your networks and Exchange servers. Discover how to prevent hackers from attacking your network and how to perform a security checkup on your Exchange Server deployment. Get a free 12-month subscription to Windows & .NET Magazine and enter to win an Xbox. Register now! http://list.winnetmag.com/cgi-bin3/DM/y/egR50CJgSH0CBw0BJJg0AX ==================== ==== 4. New and Improved ==== by Jason Bovberg, products@winnetmag.com Monitor Your System and Applications Anfibia Software announced Watchman 6.0, an application-monitoring and system-protection tool. 
Watchman's new GUI offers file protection, application-usage logging, and access-control management. You can stop unwanted applications and protect documents from tampering. The software works on Windows 2003/XP/2000/Me/NT 4.0/98 systems, and single licenses start at $45. You can download a fully functional evaluation version from the company Web site. http://www.anfibia-soft.com Protect Your Privacy WinGuides released Privacy Guardian 3.0, a privacy protection tool that deletes Internet tracks and program history information stored on your computer. Information from the Web sites you visit is stored on your computer in hidden locations including temporary files, cookies, the registry, and the index.dat file. Privacy Guardian cleans out these hidden files. Privacy Guardian runs on Windows XP/2000/Me/9x, and prices begin at $29.95 for a single-user license. For more information, contact WinGuides at 877-576-2445 or info@winguides.com. You can download a free trial version of Privacy Guardian from the company's Web site. http://www.winguides.com/privacy Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com. ==================== ==== Sponsored Links ==== Argent Comparison Paper: The Argent Guardian Easily Beats Out MOM http://list.winnetmag.com/cgi-bin3/DM/y/egR50CJgSH0CBw0BDWV0AN CommVault CommVault - Free White Paper: Managing the Infinite Inbox http://list.winnetmag.com/cgi-bin3/DM/y/egR50CJgSH0CBw0BJKg0AY VERITAS Software VERITAS White Paper: Reclaim 30% of Your Windows Storage Space Now! 
http://list.winnetmag.com/cgi-bin3/DM/y/egR50CJgSH0CBw0BJJh0AY

====================

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@winnetmag.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Contact Us ====

About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

====================

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

View the Windows & .NET Magazine privacy policy at
http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All rights reserved.

From isn at c4i.org Mon Jun 28 05:45:02 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 28 06:07:54 2004
Subject: [ISN] Stephen Northcutt is sadly mistaken
Message-ID:

Forwarded from: hellNbak
Cc: stephen@sans.org

I am not a US citizen but seeing how this got spammed across multiple mailing lists and seeing how the Internet is indeed a global thing I thought I would respond.

> This note is intended for U.S. citizens and is a personal note from
> Stephen Northcutt.
> For the past few weeks CERT and SEI, DoD
> government funded organizations, have been purchasing google adwords
> so that when people search for "SANS Training" they see an
> advertisement for CERT/SEI's network manager course.

So the purchase of Google ads by a DoD funded organization is cause for a personal note from the great Stephen Northcutt? They have a service to sell so why is this an issue? Welcome to a capitalist society. You have to spend money to make money. Either that or you need to sucker a bunch of volunteers to work for free....

> I have a couple of concerns about this. The first is trademark or
> brand related, when you search for SANS training, you should get
> SANS training. Other competing commercial training companies have
> also engaged in this behavior and when I have written them and asked
> if this how they want to be remembered by the security community,
> they have discontinued this practice. I wrote cert@cert.org a
> couple weeks ago and they continue this practice.

So take the millions you have made on the backs of SANS volunteers and purchase your own Google ads or hell, purchase Google and fix search engines for all. Imagine the nerve of a search engine to give other results when someone searches for SANS training. Why doesn't SANS purchase their own ads? I mean isn't this how Internet marketing / Search engine placement is *supposed* to work?

> My second concern is that the government offering the course
> violates the spirit and letter of OMB A 76. "Two of the key
> principles of Circular A-76 has always been that "in the process of
> governing, the Government should not compete with its citizens" and
> that "a commercial activity is not a governmental function."

Commercial activity? Correct me if I am wrong but isn't SANS a non-profit? Has SANS not enjoyed years of government support via attendance and government targeted events? Did SANS not once receive government funding or support?
I read the PDFs you linked to and nowhere in those documents does it say that SANS should be the be-all and end-all of Security Training.

> My third concern is the amount of tax we pay as citizens. The
> government is in the process of authorizing about 481 billion
> dollars for DoD spending. The Department of Defense clearly has too
> much money if they can afford to create training that mirrors
> material widely available from SANS, MISTI, CSI, Intense School and
> other training organizations. I believe the money spent on CERT, SEI
> and the Office of the Under Secretary of Defense for Acquisition,
> Technology, and Logistics should each be reduced by at least 10%
> immediately.

Or perhaps SANS can help solve this problem by reducing the cost of their training courses. I mean being a non-profit and all and with all the volunteer work -- courses should be free.

> I would be honored if you would copy me, Stephen@sans.org.

Consider yourself honored.

> how you would feel if the government decided to compete in a
> disreputable manner with a course that took you months to write,
> SANS Security Leadership. After that, if you disagree with me, I
> would love to hear what you have to say. So please help me and
> write your congressman and tell them your home address, make sure
> they know you vote and you agree that the government has no business
> wasting taxpayer money competing with a course Stephen Northcutt
> does a better job of anyway.

Unless things have changed in the SANS world over the last year or so, many of the courses are the work of volunteers -- volunteers for a not for profit organization. So competition should not be an issue. In fact, even though I am not a US citizen, I support the government spending a little advertising money, perhaps they have noticed your paystubs and seen the potential of such courses as a very profitable business model. The government is doing nothing disreputable at all.
If something as simple as purchasing search engine ads is disreputable perhaps you should look at the history of SANS. Hmmm, Hi pot, this is kettle... ummmm black! If SANS cared one bit more about security than their business model this would be a non-issue. The more training courses, and the more knowledge that people can obtain on this subject benefits the community in general. So there is one more competitor to SANS, that is how business works.

I leave you with this definition of the word Sans from The American Heritage Dictionary of the English Language, Fourth Edition

\Sans\ (s[aum]n; E. s[a^]nz), prep. [F., from L. sine without.] Without; deprived or destitute of.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
hellNbak at NMRC.org
http://www.nmrc.org/~hellnbak
http://www.vulnwatch.org
"There are voices in my head and they don't like you"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

The standard this is my opinion and no one else's stuff applies to this and any email I send from this address.

From isn at c4i.org Mon Jun 28 05:45:19 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 28 06:07:57 2004
Subject: [ISN] S. Korea to create cyber terrorism unit
Message-ID:

http://washingtontimes.com/upi-breaking/20040626-050238-9016r.htm

June 26, 2004

Seoul, South Korea, Jun. 26 (UPI) -- South Korea's National Police Agency has announced plans to create an anti-cyber terror unit within the year, the Korea Times reported. The announcement follows recent government agency network hackings and the spread of images of beheaded Korean translator Kim Sun-il in Iraq. "The envisioned unit will consist of 110 people and will be headed by a high-ranking police officer," an NPA official said. A small division of the police agency has so far assumed full responsibility for coping with cyber terror.
From isn at c4i.org Mon Jun 28 05:45:40 2004 From: isn at c4i.org (InfoSec News) Date: Mon Jun 28 06:07:58 2004 Subject: [ISN] Gates fussy over security in Sydney Message-ID: http://www.theage.com.au/articles/2004/06/28/1088274658575.html By Nathan Cochrane June 28, 2004 Years spent battling Washington have left an impression on Bill Gates. The Microsoft co-founder and one of the world's richest men is in Sydney today for a press appearance so tightly scripted and controlled it could have been orchestrated by US President George W. Bush's media office. A tactic the Bush camp uses - and which Mr Gates will adopt - is to stifle discussion by accepting just one question from each reporter. Also like a visiting head of state, Mr Gates will share a podium with Prime Minister John Howard for a stage managed pre-election publicity photo opportunity. The two will join charity groups to launch a scheme that puts computers running the company's software within reach of the disadvantaged. Similar schemes running free software and donated recycled PCs have operated for the last decade without such high-profile backing or funding. Mr Gates borrows another play out of the US President's Secret Service manual, requiring all journalists to submit their passports for verification prior to entry, and then locking them inside a hotel meeting room where the conference will be held. At least the assembled do not have to submit their retinas or fingerprints for scanning - possibly because Microsoft can't come to grips with good security. Despite launching its "Trustworthy Computing" campaign two-and-a-half years ago, secure IT systems still elude the world's biggest software maker. Roundly criticised by computer security experts as little more than a marketing ploy, Microsoft's plan to secure every PC in the world that runs its software never got on the rails. 
Following years of almost weekly security stuff-ups, last month the company back-flipped on a promise to release critical security updates to those it alleges have pirated its PC operating system, the ubiquitous Windows. Microsoft was roundly condemned by security experts for what will, in effect, remove a software "condom" from the internet, laying at risk all users.

And then last Friday, websites running Microsoft's Internet Information Server - software that delivers usually corporate web pages to surfers - suffered what may be the company's most embarrassing glitch to date. A "trojan horse" program variously called "Download.Ject", "Scob" and "Toofer" that, like the warriors of Homer's epic who hid inside an innocuous outer shell only to wreak havoc once brought inside, hopped from one site to the next exploiting security lapses in Microsoft software that could lead to theft of confidential information such as credit card details. Anyone visiting a compromised website had everything they typed copied to a computer in Russia, researchers said. The exploit, which Microsoft and independent researchers gave the highest threat level of "critical", short-circuited most security precautions on both the infected corporate server and on the surfer's PC. The hacker's server was shut down at the weekend by Russian law enforcement, but the perpetrators remain at large.

Those running the market-leading open source Apache web server, who use desktop operating systems such as Mac OS X or GNU/Linux, or Windows web browsers other than Explorer (such as Opera or Mozilla) were inoculated from the virus.
From isn at c4i.org Mon Jun 28 05:45:58 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 28 06:08:00 2004
Subject: [ISN] DoS Attack May Tap Web Graphics Flaw
Message-ID:

http://www.eweek.com/article2/0,1759,1617046,00.asp

By Dennis Fisher
June 24, 2004

Security experts are tracking a new piece of malware that appears to be compromising large numbers of Windows PCs and may be laying the groundwork for the creation of a large spamming network or a major attack in the future.

Analysts at NetSec Inc., a managed security services provider, began seeing indications of the compromises early Thursday morning and have since seen a large number of identical attacks on their customers' networks. The attack uses a novel vector: embedded code hidden in graphics on Web pages. When visitors to a few particular Web sites, including popular auction, shopping and price-comparison sites, request pages that include the malicious graphics, the code automatically downloads itself onto their machines. Once installed, the code unpacks itself and loads a keystroke logger on the PC. NetSec officials said the attack seems to exploit a vulnerability in Internet Explorer.

The code then forces the machine to contact two IP addresses, one in Russia and one in the United States. The Russian site is hosted on a broadband connection and is part of a network known for spamming and other transgressions. After contacting these sites, the tool then downloads some other files to the compromised machine. NetSec officials said they are still analyzing the code and are unsure what the exact purpose of the new attack is.

"We think it's probably a staging activity for further attacks," said Brent Houlahan, chief technology officer at NetSec, based in Herndon, Va. "It may be setting up for a large DDoS [distributed denial of service] attack or setting these machines up as spam relays."

Compromised PCs often are used by attackers to launch large-scale DDoS attacks against one or more targets.
And they also are valued by spammers who like to install software that enables them to send large volumes of spam messages from the machines. Using dozens or hundreds of compromised PCs makes it virtually impossible for investigators to track attacks or spam back to the original source. Houlahan said he was unsure how many machines had been compromised at this point. From isn at c4i.org Mon Jun 28 05:48:17 2004 From: isn at c4i.org (InfoSec News) Date: Mon Jun 28 06:08:01 2004 Subject: [ISN] Wi-Fi hopper guilty of cyber-extortion Message-ID: http://www.theregister.co.uk/2004/06/26/wifi_hopper_extortion/ By Kevin Poulsen SecurityFocus 26th June 2004 A Maryland man with a grudge against a Connecticut-based patent firm used unsecured wireless networks at homes and businesses in the Washington DC area to penetrate the company's computers and deliver untraceable threats and extortion demands, until an FBI surveillance team caught him in the act. Myron Tereshchuk, 42, pleaded guilty this month to a single charge of "attempted extortion affecting commerce" for demanding a $17m ransom in exchange for not broadcasting proprietary information he obtained from MicroPatent, LLC, an intellectual property firm that packages patent and trademark information for law firms. Tereshchuk ran a small, competing patent document service that ran into trouble when he was allegedly caught removing files from the US Patent and Trademark Office, and was temporarily banned from the facility. Tereshchuk believed he was the victim of corruption at the patent office, and blamed MicroPatent, according to court records. He began penetrating the company's computers, going through its trash, and pseudonymously sending harassing e-mails to its customers and president. At one point, the company president tried to use a "Web bug" to trace his cyber tormenter, but Tereshchuk detected the ruse.
Meanwhile, FBI agents traced some of the emails and intrusions to two homes and a dentist's office in Arlington, Virginia. The residents, and the dentist, made poor suspects, and the agents learned that all three were running unsecured 802.11b networks. Though he went to some lengths to make himself untraceable technically, past altercations between Tereshchuk and the company made him the prime suspect from the start, according to court records. The clearest sign came when he issued the $17m extortion demand, and instructed the company to "make the check payable to Myron Tereshchuk." The FBI began following Tereshchuk, and in March a surveillance team watched as he drove to a computer lab at the University of Maryland, where he used a purloined student account to send more threatening email. "During this drive he was observed driving erratically and was paying a lot of attention to something in the front passenger side seat," an FBI affidavit notes. The Bureau got a search warrant for Tereshchuk's home, where they found evidence of his campaign against MicroPatent, as well as the components for hand grenades and the formula and ingredients necessary for making Ricin, according to prosecutors, who say the FBI is still investigating some aspects of the case. Tereshchuk is scheduled for sentencing on October 22nd. From clee at myhome.homeip.net Mon Jun 28 11:26:52 2004 From: clee at myhome.homeip.net (Christopher Lee) Date: Tue Jun 29 09:47:21 2004 Subject: [ISN] Stephen Northcutt is sadly mistaken In-Reply-To: Message-ID: <20040628152652.E83D26684E@wolverine.myhome.homeip.net> Interesting comments from hellNbak@nmrc.org... Just one response to his comment that SANS training should be free to all... Apart from the fact that nothing is free in this world, it does cost money to provide SANS training to a large audience.
It costs money to rent the venue (and all the equipment to go with it), to print the materials, and to pay the speaker and the proctors for those conferences. Yes, the volunteers play a large role in SANS' successes, but there are also some full-time staff dedicated to running the organization and planning the events. Just look around at the people wearing SANS staff badges at those conferences, and you will see only some of them are "volunteers". Granted, some of the folks on this list self-taught everything they knew about this craft, but many still rely on top-notch training to know how to identify and to defend their corporate/personal information assets. If one is to measure the value of any commercially available training, SANS Institute, in my opinion, provides the best bang for the buck by far. Oh, perhaps everyone on this list will also be interested to know about other options for receiving authentic SANS training: online self-study, online instructor-led, and locally mentored study sessions. All details are available at www.sans.org. P.S. I am not, in any way, defending Mr. Northcutt's statement, but simply want to clear up any misconception about SANS riding their success on the shoulders of an army of volunteers "suckered" into it. Cheers, Chris -----Original Message----- From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org] On Behalf Of InfoSec News Sent: June 28, 2004 5:45 AM To: isn@attrition.org Subject: [ISN] Stephen Northcutt is sadly mistaken Forwarded from: hellNbak Cc: stephen@sans.org I am not a US citizen but seeing how this got spammed across multiple mailing lists and seeing how the Internet is indeed a global thing I thought I would respond. > This note is intended for U.S. citizens and is a personal note from > Stephen Northcutt.
For the past few weeks CERT and SEI, DoD > government funded organizations, have been purchasing google adwords > so that when people search for "SANS Training" they see an > advertisement for CERT/SEI's network manager course. So the purchase of Google ads by a DoD funded organization is cause for a personal note from the great Stephen Northcutt? They have a service to sell so why is this an issue? Welcome to a capitalist society. You have to spend money to make money. Either that or you need to sucker a bunch of volunteers to work for free.... > I have a couple of concerns about this. The first is trademark or > brand related, when you search for SANS training, you should get > SANS training. Other competing commercial training companies have > also engaged in this behavior and when I have written them and asked > if this how they want to be remembered by the security community, > they have discontinued this practice. I wrote cert@cert.org a > couple weeks ago and they continue this practice. So take the millions you have made on the backs of SANS volunteers and purchase your own Google ads or hell, purchase Google and fix search engines for all. Imagine the nerve of a search engine to give other results when someone searches for SANS training. Why doesn't SANS purchase their own ads? I mean isn't this how Internet marketing / Search engine placement is *supposed* to work? > My second concern is that the government offering the course > violates the spirit and letter of OMB A 76. "Two of the key > principles of Circular A-76 has always been that "in the process of > governing, the Government should not compete with its citizens" and > that "a commercial activity is not a governmental function." Commercial activity? Correct me if I am wrong but isn't SANS a non-profit? Has SANS not enjoyed years of government support via attendance and government targeted events? Did SANS not once receive government funding or support?
I read the PDFs you linked to and nowhere in those documents does it say that SANS should be the be all and end all of Security Training. > My third concern is the amount of tax we pay as citizens. The > government is in the process of authorizing about 481 billion > dollars for DoD spending. The Department of Defense clearly has too > much money if they can afford to create training that mirrors > material widely available from SANS, MISTI, CSI, Intense School and > other training organizations. I believe the money spent on CERT, SEI > and the Office of the Under Secretary of Defense for Acquisition, > Technology, and Logistics should each be reduced by at least 10% > immediately. Or perhaps SANS can help solve this problem by reducing the cost of their training courses. I mean being a non-profit and all and with all the volunteer work -- courses should be free. > I would be honored if you would copy me, Stephen@sans.org. Consider yourself honored. > how you would feel if the government decided to compete in a > disreputable manner with a course that took you months to write, > SANS Security Leadership. After that, if you disagree with me, I > would love to hear what you have to say. So please help me and > write your congressman and tell them your home address, make sure > they know you vote and you agree that the government has no business > wasting taxpayer money competing with a course Stephen Northcutt > does a better job of anyway. Unless things have changed in the SANS world over the last year or so, many of the courses are the work of volunteers -- volunteers for a not for profit organization. So competition should not be an issue. In fact, even though I am not a US citizen, I support the government spending a little advertising money, perhaps they have noticed your paystubs and seen the potential of such courses as a very profitable business model. The government is doing nothing disreputable at all.
If something as simple as purchasing search engine ads is disreputable perhaps you should look at the history of SANS. Hmmm, Hi pot, this is kettle... ummmm black! If SANS cared one bit more about security than their business model this would be a non-issue. The more training courses, and the more knowledge that people can obtain on this subject benefits the community in general. So there is one more competitor to SANS, that is how business works. I leave you with this definition of the word Sans from The American Heritage Dictionary of the English Language, Fourth Edition \Sans\ (s[aum]n; E. s[a^]nz), prep. [F., from L. sine without.] Without; deprived or destitute of. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- hellNbak at NMRC.org http://www.nmrc.org/~hellnbak http://www.vulnwatch.org "There are voices in my head and they don't like you" -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- The standard this is my opinion and no one else's stuff applies to this and any email I send from this address. _________________________________________ ISN mailing list Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie! (Broke? Spend 15 minutes a day on the project!) From isn at c4i.org Tue Jun 29 09:24:01 2004 From: isn at c4i.org (InfoSec News) Date: Tue Jun 29 09:47:23 2004 Subject: [ISN] Microsoft Blames Hackers, Not Vulnerability, For Web Attack Message-ID: http://www.informationweek.com/story/showArticle.jhtml?articleID=22102487 By Gregg Keizer TechWeb News June 28, 2004 The Web attack that was stopped dead in its tracks on Friday when a Russian Web site was taken offline remained under investigation Monday by a host of security firms still puzzled over the method used to infect a number of Microsoft Internet Information Services servers. But the evidence now is leading them to accept Microsoft's explanation that the IIS 5.0 servers were hacked manually and that the server software doesn't have an unknown vulnerability.
"Nobody yet knows how these servers were infected," said Ken Dunham, director of malicious code research at iDefense. "But if it was a widespread vulnerability, how come there weren't more servers infected? If that was the case, we should have heard reports by now about lots of other computers" being infected with the malicious JavaScript code. Microsoft released a statement Saturday claiming that the attack--which infected an unknown number of IIS servers, which, in turn, delivered malicious code to any Internet Explorer user who surfed sites hosted by those servers--"is not a worm or virus. In other words, this attack is a targeted manual attack by individuals or entities towards a specific server." Symantec's Corp.'s research, said Oliver Friedrichs, a senior manager with the company's virus response team, also leans toward manual hacks. "That's what it looks like," he said. "It's certainly not a worm or an automated exploit." Microsoft said that all the compromised servers were running IIS 5.0 unpatched against a vulnerability disclosed in April. Some security firms last week theorized that even patched IIS systems were vulnerable, but that now seems to have been a false alarm. One security analyst who requested anonymity said that it was more likely that those reports originated with IT administrators trying to do damage control. "Perhaps they applied the patch but it didn't take, thought they had the patch in place but didn't, or they didn't apply the patch at all but now say they did. It's easier to say 'there are some clever hackers out there' than to admit you got caught with your pants down." An accounting of infected servers was provided Monday by Cyveillance, a vendor of online risk and management tools. As of Sunday, Cyveillance detected 641 sites that were infected by the malicious code. 
The company used its June audit of more than 50 million domains to pinpoint the 6.2 million sites known to run IIS 5.0, then collected and analyzed pages from those sites to test for infection. If Cyveillance's numbers are on the money, that means fewer than one hundredth of 1% of the IIS 5.0 servers in use remained compromised Sunday. The picture is clearer on the client side, where Internet Explorer 5.0 and 6.0 remain vulnerable to future iterations of this kind of malicious code delivery system. Last week's attack exploited two vulnerabilities in the browser, one known and patched, the other known but not yet fixed. "This is huge," argued Dunham, whose company has traced the attack to a well-known group of hackers dubbed HangUP, based in Russia. HangUP "has a new trick in their bag to attack Internet Explorer users at will." The group has accumulated hundreds of megabytes of stolen financial information, said Dunham, and sells it on the black market. Last week's attack was ultimately meant to deliver key loggers and Trojan horses to compromised users' machines to steal account information and credit-card numbers. Nor is the group going to stop. "Even if they sell a credit-card number for just $1 to $3 a pop--and they have hundreds of megabytes of data--you do the math," Dunham said. "A million dollars in Russia is a lot of money. And they're able to recruit new members because they have an illicit business model that works." In other words, expect more such attacks. "The potential for future attacks is real," Friedrichs said. "We could see them in a couple of days or a couple of weeks." Until the unpatched vulnerability is fixed by Microsoft, users can rely on a combination of safe surfing practices and some technical workarounds to make sure they're secure. Large, trusted commercial sites, said Symantec's Friedrichs, can be assumed to be patched against the IIS vulnerability, but smaller sites may not. "Use common sense when you surf," he advised. 
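The registry "kill bit" workaround that the article goes on to recommend, worked through as an added example (not the article's own text and not a Microsoft script): it creates the key for the CLSID the article gives, ORs the kill-bit flag into any Compatibility Flags value already present instead of overwriting it, and verifies the result. It assumes an elevated PowerShell session; the Wow6432Node path, which 32-bit Internet Explorer reads on 64-bit Windows, is an assumption beyond the 2004 article.

```powershell
# Added example (not from the article or from Microsoft): set the Internet Explorer
# ActiveX "kill bit" for the CLSID the article names, preserving any other
# Compatibility Flags bits already present, then verify it took effect.
# Assumptions: run from an elevated (Administrator) PowerShell session. The article's
# value "400" is the hexadecimal kill-bit flag 0x00000400. The Wow6432Node path
# (read by 32-bit IE on 64-bit Windows) is an addition beyond the article.

$Clsid   = '{00000566-0000-0010-8000-00AA006D2EA4}'   # CLSID from the article
$KillBit = 0x400                                       # Compatibility Flags kill bit

$KeyPaths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $KeyPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-CompatibilityFlags {
    # Returns the current Compatibility Flags DWORD for the key, or 0 if absent.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 0 }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.'Compatibility Flags') { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    # True when the kill bit is set in the key's Compatibility Flags.
    param([string]$Path)
    return (((Get-CompatibilityFlags -Path $Path) -band $KillBit) -ne 0)
}

function Set-KillBit {
    # Creates the key if needed and ORs the kill bit into the existing flags,
    # so other compatibility bits that may already be set are not clobbered.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    $new = (Get-CompatibilityFlags -Path $Path) -bor $KillBit
    New-ItemProperty -LiteralPath $Path -Name 'Compatibility Flags' `
        -PropertyType DWord -Value $new -Force | Out-Null
}

foreach ($path in $KeyPaths) {
    Set-KillBit -Path $path
    if (Test-KillBit -Path $path) {
        Write-Output "Kill bit set: $path"
    } else {
        Write-Warning "Kill bit NOT set (insufficient privileges?): $path"
    }
}
```

Re-running the script is idempotent, and a failed verification on a path usually means the session was not elevated.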
Other experts recommend that users execute the "kill bit" setting for IE within the Windows registry to disable ActiveX. Create a registry key called HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}, then create a DWORD value named "Compatibility Flags" and give it a value of 400. Microsoft recommends that users set the Internet zone's security level to "High," but that setting will interfere with normal surfing. Another option is to download and install the still-not-final release candidate of Windows XP Service Pack 2, which Microsoft says isn't susceptible to this type of attack. From isn at c4i.org Tue Jun 29 09:24:17 2004 From: isn at c4i.org (InfoSec News) Date: Tue Jun 29 09:47:24 2004 Subject: [ISN] Jail for Playboy blackmailer Message-ID: http://www.thisissouthampton.co.uk/hampshire/southampton/news/SOTON_NEWS_NEWS2.html 28 June 2004 By Echo reporter A SUPERMARKET shelf stacker woke up to find Hampshire detectives and the US Secret Service on his doorstep after he blackmailed Playboy for $100. Simon Jones, 25, used his computer knowledge to obtain user names and passwords for the private section of the American porn empire's website. From the bedroom of his Rownhams home, the science degree holder e-mailed Playboy, claiming he belonged to an elite band of hackers whose sole aim was to gain access to adult-based servers to retrieve account information. He told them: "Our current account listing runs to about 21,000 individual compromised accounts and is growing steadily. "While many hackers do this purely for the purpose of hacking and gaining control of Web servers, my motives are far simpler. I want to sell the accounts on to the owner or highest bidders." He told the shocked security staff: "There are currently ten accounts from playboy.com that you get first choice. I look forward to hearing from you," signing himself as Pastmaster 69.
Charles Thomas, prosecuting at Southampton Crown Court, described how Jones had obtained the user names and passwords through access to a different site which was an Internet channel. Armed with that information, he then approached Playboy for money. They indicated they were interested in buying the accounts for $50 each. Playboy bought two initially for which $100 was forwarded through an Internet-based payment system into his account. Mr Thomas said Playboy carried out their own review at a cost of $6,500 and found their database had not been compromised, otherwise it would have cost about $1m to set up again with the potential loss of subscribers fearful of their identity being compromised. Jones was arrested at home by police accompanied by the American Secret Service after the payment had been traced to his bank account. Jones, of Greenwood Avenue, pleaded guilty to blackmail and was jailed for two years. He was of previous good character, the court heard. In mitigation, James Leonard said Jones had got himself into considerable trouble through "a whim" and no subscribers had been compromised. He said: "There cannot be very many young people waking up one morning to find the police and the American Secret Service inquiring about their Internet use. "Jones only made one demand before he was arrested six months later. A more dedicated, sophisticated blackmailer would have carried on. On the face of it, he had this steady flow of income to be exploited, but it stopped." Mr Leonard added: "It shows how far he was prepared to go. It shows no criminal sophistication but naivety. "He is genuinely bewildered by the consequences and wants to apologise for all the trouble he has caused and didn't wish to compromise Playboy." Passing sentence, Judge John Boggis QC accepted neither the Playboy database nor its subscribers had been compromised, that Jones had received only $100 and that he was remorseful. 
He said: "You were bored and disappointed you didn't find employment in the computer world as you hoped for. But this was a planned invasion. Your e-mail to Playboy set out your motive to extract money." From isn at c4i.org Tue Jun 29 09:24:32 2004 From: isn at c4i.org (InfoSec News) Date: Tue Jun 29 09:47:25 2004 Subject: [ISN] Security: The root of the problem Message-ID: http://acmqueue.com/modules.php?name=Content&pa=showpage&pid=160 By Marcus J. Ranum ACM Queue vol. 2, no. 4 June 2004 Security bug? My programming language made me do it! Failing Miserably It doesn't seem that a day goes by without someone announcing a critical flaw in some crucial piece of software or other. Is software that bad? Are programmers so inept? What the heck is going on, and why is the problem getting worse instead of better? One distressing aspect of software security is that we fundamentally don't seem to "get it." In the 15 years I've been working the security beat, I have lost track of the number of times I've seen (and taught) tutorials on "how to write secure code" or read books on that topic. It's clear to me that we're: * Trying to teach programmers how to write more secure code * Failing miserably at the task We're stuck in an endless loop on the education concept. We've been trying to educate programmers about writing secure code for at least a decade and it flat-out hasn't worked. While I'm the first to agree that beating one's head against the wall shows dedication, I am starting to wonder if we've chosen the wrong wall. What's Plan B? Indeed, as I write this, I see that Microsoft, Intel, and AMD have jointly announced a new partnership to help prevent buffer overflows using hardware controls. In other words, the software quality problem has gotten so bad that the hardware guys are trying to solve it, too. 
Never mind that lots of processor memory-management units are capable of marking pages as nonexecutable; it just seems backward to me that we're trying to solve what is fundamentally a software problem using hardware. It's not even a generic software problem; it's a runtime environment issue that's specific to a particular programming language. Normally, when someone mentions programming languages in an article about software quality, it's an invitation for everyone to jump in with useful observations such as, "If we all programmed in [my favorite strongly hyped programming language], we wouldn't have this problem!" That might be true in some cases, but it's not reality. We tried legislating a change of programming languages with Ada back in the 1990s. Remember Ada? That was an expensive disaster. Then we tried getting everyone to switch to a "sandboxed" environment with Java in the late 1990s, and it worked better - except that everyone complained about wanting to bypass the "sandbox" to get file-level access to the local host. In fact, Java worked so well, Microsoft responded with ActiveX, which bypasses security entirely by making it easy to blame the user for authorizing bad code to execute. Please, let's not have any more alternative programming languages that will solve all our problems! What's Plan B? I think that Plan B is largely a matter of doing a lot more work on our compiler and runtime environments, with a focus on making them embed more support for code quality and error checking. We've got to put it "below the radar screen" of the programmer's awareness, just as we did with compiler optimization, the creation of object code, and linking. We've done a great job building programming environments that produce fast executables without a lot of hand-holding from the programmer. In fact, most programmers today take optimization completely for granted - why not software security analysis and runtime security, too?
For that matter, why are we still treating security as a separate problem from code quality? Insecure code is just buggy code! [...] From isn at c4i.org Tue Jun 29 09:25:20 2004 From: isn at c4i.org (InfoSec News) Date: Tue Jun 29 09:47:27 2004 Subject: [ISN] Linux Security Week - June 28, 2004 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | June 28, 2004 Volume 5, Number 26n | | | | Editorial Team: Dave Wreski dave@linuxsecurity.com | | Benjamin Thomas ben@linuxsecurity.com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "Linux users under threat", "Stealth wallpaper could keep WLANs secure" and "Secure Development Framework". ---- >> Bulletproof Virus Protection << Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04 ---- LINUX ADVISORY WATCH: This week, advisories were released for sup, super, rlpr, Multiple, kernel, libpng and Usermin. The distributors include Debian, EnGarde, Fedora, Gentoo, Openwall, RedHat, Trustix, and Turbolinux. http://www.linuxsecurity.com/articles/forums_article-9448.html ---- Open Source Leaving Microsoft Sitting on the Fence? The open source model, with special regard to Linux, has no doubt become a formidable competitor to the once sole giant of the software industry, Microsoft.
It is expected when the market share of an industry leader becomes threatened, retaliation with new product or service offerings and marketing campaigns refuting the claims of the new found competition are inevitable. However, in the case of Microsoft, it seems they have not taken a solid or plausible position on the use of open source applications as an alternative to Windows. http://www.linuxsecurity.com/feature_stories/feature_story-168.html -------------------------------------------------------------------- Interview with Brian Wotring, Lead Developer for the Osiris Project Brian Wotring is currently the lead developer for the Osiris project and president of Host Integrity, Inc. He is also the founder of knowngoods.org, an online database of known good file signatures. Brian is the co-author of Mac OS X Security and a long-standing member of the Shmoo Group, an organization of security and cryptography professionals. http://www.linuxsecurity.com/feature_stories/feature_story-164.html -------------------------------------------------------------------- Guardian Digital Launches Next Generation Secure Mail Suite Guardian Digital, the premier open source security company, announced the availability of the next generation Secure Mail Suite, the industry's most secure open source corporate email system. This latest edition has been optimized to support the changing needs of enterprise and small business customers while continually providing protection from the latest in email security threats. http://www.linuxsecurity.com/feature_stories/feature_story-166.html ---- --> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------+ | Host Security News: | <<-----[ Articles This Week ]---------- +---------------------+ * Linux users under threat June 24th, 2004 A newly discovered security hole in Linux, published on an open source website, has raised questions about how Linux security issues should be handled. The vulnerability could allow malicious users to bring down Linux machines with just 24 lines of code, which are available from several open source websites and internet news groups. http://www.linuxsecurity.com/articles/server_security_article-9444.html * Latest Web services spec tackles application flaws June 24th, 2004 OASIS addressed another layer of security concerns around Web services Wednesday when it ratified the Application Vulnerability Description Language (AVDL) 1.0 as a standard, the organization's highest level of ratification. AVDL is an XML schema that enables security products to communicate information about new and existing Web application vulnerabilities between themselves, according to AVDL Technical Committee co-chairman Kevin Heineman. http://www.linuxsecurity.com/articles/projects_article-9445.html * Secure Development Framework June 21st, 2004 This whitepaper deals with developing a secure framework, both for internal and outsourced development. Within this context, secure development is considered to be the process of producing reliable, stable, bug and vulnerability free software. http://www.linuxsecurity.com/articles/projects_article-9436.html +------------------------+ | Network Security News: | +------------------------+ * Wireless endpoint security: Tie up the loose ends June 28th, 2004 Endpoint security transcends the use of personal firewalls and antivirus software. Endpoint devices such as laptops, home-office and remote desktops, and Internet-enabled handhelds are some of the biggest headache sources for security managers. 
It's hard enough keeping your in-house workstations and servers secure with up-to-date antivirus software and the latest patches and updates. http://www.linuxsecurity.com/articles/network_security_article-9450.html * Building a Linux Router-Firewall June 25th, 2004 This site is an introduction to simple hardware routers for small networks built from old, obsolete hardware and free software. The intended audience for this site are Newbies to both Linux and to hardware routers and firewalls. Included are instructions for hardware assembly and software configuration. One page is a primer for Network security and discusses Firewalls, Anti-Virus and other security tools. http://www.linuxsecurity.com/articles/firewalls_article-9447.html * HNS Audio Learning Session: The Benefits of SSL VPNs June 23rd, 2004 Secure Sockets Layer (SSL) Virtual Private Networks are quickly gaining popularity as serious contenders in the remote-access marketplace. Analysts predict that products based on SSL VPN technology will rival - or even replace - IP Security Protocol (IPSec) VPNs as remote-access solutions. http://www.linuxsecurity.com/articles/network_security_article-9440.html * Stealth wallpaper could keep WLANs secure June 21st, 2004 UK defence contractor BAE Systems has developed a stealth wallpaper to beat electronic eavesdropping on company Wi-Fi networks. The company has produced panels using the technology to produce a screen that will prevent outsiders from listening in on companies' Wi-Fi traffic but let other radio and mobile phone traffic get through. http://www.linuxsecurity.com/articles/privacy_article-9435.html +------------------------+ | General Security News: | +------------------------+ * Book Review: HackNotes Network Security Portable Reference June 25th, 2004 The HackNotes series quickly became one of the best selling titles in the computer security publishing sector. 
With some great marketing, mostly derived from the famous Hacking Exposed titles, it wasn't a tough job for Foundstone staffers to create this series of successful portable reference publications. Today I'm taking a look at one of the HackNotes titles that is concentrated on Network Security. http://www.linuxsecurity.com/articles/documentation_article-9449.html * Security qualification makes the grade June 24th, 2004 IT departments looking to hire new staff will be interested to learn that one of the world's leading security qualifications, the CISSP (certified information systems security professional), has become the first in the industry to meet the new ISO/IEC 17024 standard. The 17024 benchmark was launched last year by the International Standards Organization as a way of assessing whether qualifications across a range of professions could demonstrate minimum standards. http://www.linuxsecurity.com/articles/general_article-9443.html * Secure Web Based Mail Services June 23rd, 2004 There used to be a time when secure e-mail management was simple. "Managing" meant sorting through your e-mail messages and putting them into appropriate folders. Secure e-mail back then meant using a simple password for e-mail access. However, today, with e-mail being a business-critical application, more threats against e-mail than ever before, and government regulatory concerns, secure e-mail management takes on a whole different meaning. http://www.linuxsecurity.com/articles/privacy_article-9441.html * City firms still failing to guard WLans June 22nd, 2004 Businesses in Europe's leading financial centres are failing to secure their wireless access points despite the risk of "drive-by" hacking. More than 33% of businesses surveyed in London, Milan, Paris and Frankfurt are still making fundamental security mistakes, research by RSA Security revealed.
http://www.linuxsecurity.com/articles/network_security_article-9439.html * Akamai Attack Reveals Increased Sophistication June 22nd, 2004 An attack last week against Akamai Technologies Inc. demonstrated the disruption of key Web site activity that a well-placed assault on the Internet's Domain Name System can cause. The incident also revealed a troubling capability on the part of hackers to target core Internet infrastructure technologies, security experts said. http://www.linuxsecurity.com/articles/network_security_article-9437.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Tue Jun 29 09:25:38 2004 From: isn at c4i.org (InfoSec News) Date: Tue Jun 29 09:47:28 2004 Subject: [ISN] ISO endorses key security certification Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,94169,00.html By Jaikumar Vijayan JUNE 28, 2004 COMPUTERWORLD The International Standards Organization last week gave its stamp of approval to the CISSP security certification for IT workers, and a half-dozen security managers said the endorsement should help enhance the certification's legitimacy and acceptance. They added that boosting CISSP's credibility would be a welcome development at a time when companies are increasingly being asked by their boards of directors and by auditors and regulators to prove that they have done due diligence on all matters related to IT security -- including the hiring of security managers and other IT staffers. The American National Standards Institute, the U.S. representative to the Geneva-based ISO, announced that the standards bodies are granting certificate accreditation to the Certified Information Systems Security Professional credential. 
Roy Swift, an ANSI program director, said CISSP is the first IT certification to be accredited under ISO/IEC 17024, a global benchmark for workers in various professions. The accreditation will hopefully give CISSP a shot in the arm, said Christofer Hoff, director of enterprise security services at Western Corporate Federal Credit Union, a San Dimas, Calif.-based company with $25 billion in assets. "While broadly accepted as a benchmark credential, it's still viewed in some circles as being somewhat soft in the certification process," he added. In fact, most IT certification programs "are often under fire for being too lenient and not reflecting the actual skills of the person," said Andrew Plato, president of Anitian Corp., a network security consulting firm and systems integrator in Beaverton, Ore. "The ISO accreditation will likely help dispel notions that the CISSP certification is meaningless." 'A Positive Step' The CISSP credential is awarded by International Information Systems Security Certification Consortium Inc., a nonprofit organization in Vienna, Va., known informally as (ISC)2. Although it's just one of several similar certifications, CISSP is considered the most popular. More than 27,000 IT security workers have earned the certification so far, according to (ISC)2. The ISO's accreditation of CISSP should lessen some of the uncertainty that now exists for IT managers because of the competing certification programs, said Kim Milford, information security manager in the IT department at the University of Wisconsin-Madison. "It's made hiring more confusing at times, as we need to weigh the strengths of different certifications against each other," Milford said. The university now plans to require security professionals to have CISSP credentials in order to qualify for senior positions, she added. David Stacey, global IT security director at St. Jude Medical Inc. in St. 
Paul, Minn., already requires a CISSP certificate for any senior security position at the $1.6 billion maker of cardiovascular equipment. Stacey said the ISO's official recognition of the certification program is a positive step, given the growing importance of IT security to companies like his. "Security is now a business enabler, and security leaders need to be better trained, more experienced and more business-savvy," Stacey said. "The CISSP is a good metric of that leadership ability." However, Swift said other organizations that offer IT security certifications have also applied to the ISO for accreditation. "There's a strong demand for third-party review of these certifications to reassure the consumer and the government that the people who have these certifications do have the knowledge and skills they say they have," he added. Alan Paller, director of research at the SANS Institute in Bethesda, Md., said his organization is seeking accreditation for its IT security certification program. The Information Systems Audit and Control Association in Rolling Meadows, Ill., has filed similar applications for separate certifications it offers to IT security managers and auditors. To qualify for CISSP certification, security professionals need to have either four years of work experience or a three-year college degree in a related field, said James Duffy, executive director of (ISC)2. They must also pass a six-hour exam designed to test their knowledge of technology and business issues related to information security. Swift said the accreditation was granted after a review of (ISC)2's policies and procedures, including those for testing, maintaining, reviewing and withdrawing certification. The test itself was also reviewed to ensure that the questions are relevant to the skills being assessed, he said. 
From isn at c4i.org Tue Jun 29 09:26:05 2004 From: isn at c4i.org (InfoSec News) Date: Tue Jun 29 09:47:29 2004 Subject: [ISN] REVIEW: "Exploiting Software", Greg Hoglund/Gary McGraw Message-ID: Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" BKEXPLSW.RVW 20040531 "Exploiting Software", Greg Hoglund/Gary McGraw, 2004, 0-201-78695-8, U$49.99/C$71.99 %A Greg Hoglund %A Gary McGraw %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8 %D 2004 %G 0-201-78695-8 %I Addison-Wesley Publishing Co. %O U$49.99/C$71.99 416-447-5101 fax: 416-443-0948 %O http://www.amazon.com/exec/obidos/ASIN/0201786958/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0201786958/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0201786958/robsladesin03-20 %P 471 p. %T "Exploiting Software: How to Break Code" I have learned to beware of books with titles like this, which generally indicate a hastily compiled set of old vulnerabilities, benefitting nobody save the author. This work, however, turns out to have a lot of value for those interested in security of software. Although it does not deal with the factors inherent in software that almost ensure problems, chapter one outlines the fact of bugs in software, the relative rate and increasing prevalence, and future developments that may exacerbate the issue. Chapter two provides taxonomies of general types of software problems (distinguishing, for example, between a bug and a flaw), patterns of attack activities (pointing out that most exploits are used in combination), and types of system scanning activities (used to determine specific attacks that might be effective). This material is very useful in structuring the debate about software exploits and attacks in general, but, ironically, the chapter (and book) itself could benefit from better organization. Reverse engineering, both via black box testing and through code analysis, is described in chapter three. 
The discussion is general, and presents the different activities that can be undertaken, usually at a fairly abstract level. (This is not true in all cases: there is a chunk of twelve pages of code for a plug-in module and eight pages of script for the IDA disassembler, which is of questionable utility, depending on the familiarity the reader may have with that particular program.) At this point in the book, the issue of the validity of the "learn to exploit in order to learn to protect" philosophy should be addressed. In general, the "hack to protect" books do not provide much that is of value for the defenders. That statement is not necessarily true of this work. Since most of the presentation is at a conceptual level, it is the ideas, and not particular exploits, that are being reviewed. The authors are explaining tools and techniques that, yes, can be used by attackers, but can equally be used by those who wish to probe a given system for weaknesses in order to determine vulnerabilities to be patched. (There appears to be only one exception in chapter three: the authors note that vendor patches tend to act as a roadmap for vulnerabilities, and it is difficult to say how this technique is useful for defence, other than to note that the probability of an exploit increases after a patch has been issued.) Chapter four lists types of attacks on server software, while five looks at clients, primarily web browsers. Indications pointing to patterns of malformed input that are likely to generate successful exploits are described in chapter six. The classic and ubiquitous buffer overflow gets a detailed explanation (supported with a number of examples) in chapter seven, which has a strangely extensive section on RISC (Reduced Instruction Set Computer) architectures. Chapter eight is rather disappointing in light of the tone of the rest of the book: it is primarily concerned with how to create and program rootkits, and the worth for defence is doubtful. 
While ultimately of greatest use to a rather select audience (those specifically concerned with finding and patching loopholes in software), this book does have a lot to say to most security professionals. The security aspects of software development tend to be glossed over too quickly in most general works on security. Specific examples of malformed input are used, in too many security texts, as evidence of the author's superior security erudition, rather than to explain the underlying concepts. Hoglund and McGraw have prepared solid tutorials and definitions of these important ideas (although one could wish that they had prepared the arrangement of the book with the same degree of care). copyright Robert M. Slade, 2004 BKEXPLSW.RVW 20040531 ====================== (quote inserted randomly by Pegasus Mailer) rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu Vah! Denuone Latine loquebar? Me ineptum. Interdum modo elabitur. Oh! Was I speaking Latin again? Silly me. Sometimes it just sort of slips out. http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade From isn at c4i.org Wed Jun 30 09:57:24 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jun 30 10:41:24 2004 Subject: [ISN] ISTS TAG R&D Agenda Release Message-ID: Forwarded from: Kevin O'Shea [With no attachments to the list allowed, please grab the report from their site listed below. - WK] INSTITUTE FOR SECURITY TECHNOLOGY STUDIES AT DARTMOUTH COLLEGE Technical Analysis Group Law Enforcement Tools and Technologies for Investigating Cyber Attacks: Research and Development Agenda June 29, 2004 Please find attached a new report, Law Enforcement Tools and Technologies for Investigating Cyber Attacks: A National Research and Development Agenda. This study is the culmination of a multi-year research effort by the Technical Analysis Group at the Institute for Security Technology Studies (ISTS). 
In this document we present the top band of critical problem areas encountered during cyber attack investigations that may be addressed through research and development. Solving the needs outlined in this work would significantly increase law enforcement's ability to investigate and prosecute cyber attack cases. We offer this agenda to serve as a resource for decision makers, developers, and researchers, in government, industry, and academic institutions across the country. Additional copies of the report are available at: < www.ists.dartmouth.edu/TAG/randd.htm > Previous authoritative reports called for further study of law enforcement needs; ISTS responded by conducting a series of three focused national studies to identify, analyze and prioritize the technology needs of cyber attack investigators and prosecutors. ISTS researchers worked in cooperation with federal, state, and local law enforcement organizations, private sector groups, academic institutions, and government sponsored research and development entities in the United States to produce the National Research and Development Agenda. The data in this report, third in the series, was collected and analyzed from September 2001 to December 2003. Readers wishing to learn more about all of the law enforcement needs discovered during this study may refer to the two reports that preceded the Research and Development Agenda titled Law Enforcement Tools and Technologies for Investigating Cyber Attacks: A National Needs Assessment and Law Enforcement Tools and Technologies for Investigating Cyber Attacks: Gap Analysis Report available from < http://www.ists.dartmouth.edu/TAG >. Sincerely, Kevin O'Shea Research Associate Technical Analysis Group Institute for Security Technology Studies Dartmouth College 45 Lyme Rd. 
Hanover, NH 03755 603-646-0700 tag@ists.dartmouth.edu From isn at c4i.org Wed Jun 30 10:23:29 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jun 30 10:41:25 2004 Subject: [ISN] Another big Apache hole found Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,94191,00.html By Matthew Broersma JUNE 28, 2004 TECHWORLD.COM LONDON - Linux and Unix vendors are releasing fixes for a critical bug in the popular Web server Apache that could allow attackers to crash the system or execute malicious code. The bug affects Apache 1.3.x installations configured to act as proxy servers, which relay requests between a Web browser and the Internet. When a vulnerable server connects to a malicious site, a specially crafted packet can be used to exploit the vulnerability, according to security researcher Georgi Guninski, who has publicly released exploit code. The bug is most serious on BSD installations, where it may allow code execution, while on other platforms the most likely effect is a system crash, researchers said. A reference in the Common Vulnerabilities and Exposures database can be found here. Guninski released information about the proxy-server bug earlier this month, and last month discovered a similar vulnerability in an Apache component offering Secure Sockets Layer encryption, but he said the bugs don't reflect on Apache's overall security relative to competitors such as Microsoft's Internet Information Services. "Still Apache is much better than Windows," he said in an advisory. Debian released a patch for the bug today, and Gentoo Linux released its own patch last week. Red Hat Inc., OpenBSD and OpenPKG have also released updates fixing the bug, while Novell Inc.'s Suse Linux said in an advisory last week it is testing a patch. Researchers said Apple's BSD-based Mac OS X is likely affected, but Apple has not yet released a patch. 
Apache versions 1.3.31, 1.3.29, 1.3.28, 1.3.27 and 1.3.26 are affected, while the bug has been fixed in 1.3.32-dev, according to security experts. System administrators can also get around the problem by switching off Apache's proxy-server module. "If I were running a BSD system, I would be very careful with this," said Thomas Kristensen, CTO of Secunia, which maintains a database tracking vulnerability advisories. "It's important to note that the potential for code execution has not been proven to be exploitable, but it pays to be safe." BSD is frequently used by Web hosting companies, he said. Kristensen said that despite the recent bugs, Apache's security is solid overall. Both Apache and IIS have been so thoroughly studied that few vulnerabilities are now discovered in their core components, he said - with both servers, problems are now mostly found in extensions such as mod_ssl and mod_proxy. "It's pretty solid as long as you remember to configure it correctly and to disable the extensions that are not necessary for your business," Kristensen said. The bug in Apache's mod_proxy module means that a negative user-specified length value may be used in a memory copy operation, leading to corruption of memory and a buffer overflow. The exploit can take effect when a remote server sends a negative Content-Length: HTTP header field to the proxy server. The proxy bug is the sixth vulnerability in Apache 1.3.x reported this year, according to Secunia, which has recorded 10 such advisories in 2003 and 2004. Half of these were moderately or highly critical, usually meaning they allowed remote access to the system or denial of service. For comparison, IIS 5.x also had 10 advisories in the same period, 40% of which were highly or extremely critical, Secunia said. In 2002, the Slapper worm took advantage of a month-old bug in Apache's mod_ssl component, causing widespread disruption. 
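The negative Content-Length pattern the article describes, shown as an added illustration that is not Apache's mod_proxy code and is not from the article: a flawed signed-length check that lets a negative header value through to a copy, beside a hardened parser that treats the value as the unsigned digit string the HTTP spec defines it to be. The buffer size PROXY_BUF, the function names and the sample body are assumptions made for this demo.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reassembly buffer size assumed for this illustration. */
#define PROXY_BUF 8192

/*
 * Flawed pattern (illustration, not Apache's code): the Content-Length
 * value is parsed with atoi() into a signed int and the bounds check is
 * done in signed arithmetic. A negative value passes "len > cap" and is
 * only converted to size_t at the copy, where -7 becomes 2^64-7 on a
 * 64-bit build.
 *
 * To keep the demo from crashing, this returns the byte count memcpy()
 * would have been handed instead of performing the copy. Returns 0 when
 * the (broken) check accepted the header and sets *n, -1 when it rejected.
 */
int unsafe_copy_len(const char *hdr, size_t cap, size_t *n)
{
    int len = atoi(hdr);      /* "-7" -> -7, "12abc" -> 12, out of range -> undefined */
    if (len > (int)cap)       /* signed compare: a negative len sails through */
        return -1;
    *n = (size_t)len;         /* implicit conversion: negative -> huge */
    return 0;
}

/*
 * Hardened parser: Content-Length is 1*DIGIT (RFC 2616 sec. 14.13), so a
 * sign or trailing junk is rejected, the accumulation refuses to overflow
 * size_t, and the capacity check is done as an unsigned compare.
 * Returns 0 and sets *n on success, -1 on any malformed or oversized value.
 */
int safe_content_length(const char *hdr, size_t cap, size_t *n)
{
    const char *p = hdr;
    size_t v = 0;

    while (*p == ' ' || *p == '\t')          /* optional leading whitespace */
        p++;
    if (!isdigit((unsigned char)*p))         /* empty, '-', '+', or junk */
        return -1;
    for (; isdigit((unsigned char)*p); p++) {
        unsigned d = (unsigned)(*p - '0');
        if (v > (SIZE_MAX - d) / 10)         /* v*10 + d would overflow */
            return -1;
        v = v * 10 + d;
    }
    while (*p == ' ' || *p == '\t')          /* optional trailing whitespace */
        p++;
    if (*p != '\0')                          /* trailing junk such as "12abc" */
        return -1;
    if (v > cap)                             /* unsigned compare, no sign to abuse */
        return -1;
    *n = v;
    return 0;
}

/*
 * Copy a response body into the proxy buffer only after the header has
 * been validated against both the buffer capacity and the bytes actually
 * received from the origin. Returns the number of bytes copied, or -1.
 */
long hardened_copy(const char *hdr, const char *body, size_t body_len,
                   char *dst, size_t cap)
{
    size_t n;
    if (safe_content_length(hdr, cap, &n) != 0)
        return -1;
    if (n > body_len)                        /* origin announced more than it sent */
        return -1;
    memcpy(dst, body, n);
    return (long)n;
}

int main(void)
{
    /* Constructed sample response body, as an origin server might send it. */
    const char *body = "Hello, proxy!";
    char buf[PROXY_BUF];
    size_t n;

    if (unsafe_copy_len("-7", sizeof buf, &n) == 0)
        printf("flawed check accepted -7; memcpy would be asked for %zu bytes\n", n);
    printf("hardened, header -7: %ld\n",
           hardened_copy("-7", body, strlen(body), buf, sizeof buf));
    printf("hardened, header 12: %ld\n",
           hardened_copy("12", body, strlen(body), buf, sizeof buf));
    return 0;
}
```

The point of the unsigned compare is that there is no value of the digit string that can pass it while exceeding the buffer; with the signed version the check is only as good as the assumption that the origin server is honest, which is exactly the assumption a proxy cannot make.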
From isn at c4i.org Wed Jun 30 10:24:02 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jun 30 10:41:27 2004 Subject: [ISN] NIST aims to ease XP security setup Message-ID: http://www.fcw.com/fcw/articles/2004/0628/web-nist-06-29-04.asp By Florence Olsen June 29, 2004 Officials at the National Institute of Standards and Technology hope their new publication will help simplify the process of setting security controls on Microsoft Corp.'s Windows XP Professional operating system. NIST officials, who released the draft of Special Publication 800-68 this week, said the recommendations and security configuration checklists will help federal agencies fulfill their responsibilities for computer and information security under the Federal Information Security Management Act of 2002. The document's authors acknowledge the difficulty of setting reasonable security controls on an operating system as complex as Windows XP Pro. A publication that guides systems administrators and technical users through the process should help other federal agencies avoid time-consuming and costly mistakes, NIST officials said. They worked with the Defense Information Systems Agency, the National Security Agency, Microsoft and the nonprofit Center for Internet Security to reach a consensus on security settings for Windows XP and for productivity applications, e-mail, Web browsers, personal firewalls and antivirus programs that run on XP. Next month, NIST officials will release a separate publication on the agency's new Security Configuration Checklists Program. Under that program, NIST will operate a Web portal that enables users to search for software products by name, product type and security level. Federal officials will be able to make purchasing decisions, for example, based on whether a security configuration checklist exists for a particular product. 
Software makers, businesses and government agencies are beginning to reach consensus on security controls that can be tolerated without breaking the programs that run on computers, said Clint Kreitner, president and chief executive officer of the Center for Internet Security. The center develops security configurations through a process based on consensus and testing. On the basis of those consensus configurations, Kreitner said, companies such as Dell Inc. have begun shipping computers with a secure configuration of Windows 2000. In a few months, Dell will sell computers with a similar security configuration for Windows XP. Microsoft also has shipped its Windows Server 2003 software with recommended security settings in place, Kreitner said. And the company is working with the configuration standards group to do the same with Exchange 2003, Microsoft's suite of collaboration software. From isn at c4i.org Wed Jun 30 10:24:20 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jun 30 10:41:28 2004 Subject: [ISN] US-CERT: Beware of IE Message-ID: http://www.internetnews.com/security/article.php/3374931 June 29, 2004 By Ryan Naraine The U.S. government's Computer Emergency Readiness Team (US-CERT) is warning Web surfers to stop using Microsoft's Internet Explorer (IE) browser. On the heels of last week's sophisticated malware attack that targeted a known IE flaw, US-CERT updated an earlier advisory to recommend the use of alternative browsers because of "significant vulnerabilities" in technologies embedded in IE. "There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME-type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites," US-CERT noted in a vulnerability note. 
The latest US-CERT position comes at a crucial time for Microsoft, which has invested heavily to add secure browsing technologies in the coming Windows XP Service Pack 2. The software giant has spent the last few months talking up the coming IE security improvements but the slow response to patching well-known -- and sometimes "critical" -- browser holes isn't sitting well with security experts.

On discussion lists and message boards, security researchers have spent a lot of time beating the "Dump IE" drum, and the US-CERT notice is sure to lend credibility to the movement away from the world's most popular browser.

US-CERT is a non-profit partnership between the Department of Homeland Security (DHS) and the public and private sectors. It was established in September 2003 to improve computer security preparedness and response to cyber attacks in the United States.

It has been more than two weeks since Microsoft confirmed the existence of an "extremely critical" IE bug, which was being used to load adware/spyware and malware on PCs without user intervention but, even though the company hinted it would go outside its monthly security update cycle to issue a fix, the flaw remains unpatched.

US-CERT researchers say the IE browser does not adequately validate the security context of a frame that has been redirected by a Web server. It opens the door for an attacker to exploit the flaw by executing script in different security domains.

"By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE," according to the advisory. "Functional exploit code is publicly available, and there are reports of incidents involving this vulnerability."

To protect against the flaw, IE users are urged to disable Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker).
Other temporary workarounds include the application of the Outlook e-mail security update; the use of plain-text e-mails and the use of anti-virus software. Surfers must also get into the habit of not clicking on unsolicited URLs from e-mail, instant messages, Web forums or internet relay chat (IRC) sessions. From isn at c4i.org Wed Jun 30 10:24:39 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jun 30 10:41:29 2004 Subject: [ISN] Seven habits of highly secure companies Message-ID: http://www.itbusiness.ca/index.asp?theaction=61&lid=1&sid=56003 By Sheldon Gordon 6/30/2004 Companies, like the humans who make them run, are creatures of habit. Some of those habits can make information systems more secure, rather than less. There's no such thing as absolute security, of course. But the seven best practices of highly secure companies are a standard against which CEOs can measure their organizations. "If you can't afford the security, you can't afford the project," says Rosaleen Citron, CEO of Toronto-based security firm WhiteHat Inc., citing a well-known axiom in the information security industry. On the other hand, "most businesses, big or small, can't afford to defend everything," says Mary Kirwan, an independent security expert in Toronto. Indeed, they would impede their productive business activity if they tried. An effective approach to information security involves making choices. Companies must compromise, deciding what are the most important assets that need to be protected and then deploying a proportionate level of security around them. 1. Assess and audit Have a risk assessment and a regular security audit performed by an outside pair of eyes. The risk assessment creates an inventory of assets and undertakes a detailed threat assessment. It assigns ratings to threats, and proposes a list of counter-measures. The security audit is designed to show whether those measures have been adequately implemented. 
How "regular" a security audit should be depends on the business and how much information is being exchanged with customers and suppliers. "We're seeing most companies have an audit three or four times a year if they have a lot of online interactions with their clients," says Victor Keong, a partner with Deloitte & Touche LLP in Toronto. Also, have a consultant rather than the internal I.T. staff perform the audits. "An independent set of eyes is necessary to probe and to test what was done inside," says Mary Kirwan, an independent security expert in Toronto. "It's a conflict issue. Think of the security audit as you would a financial audit."

2. Update your security software

Make sure your firewalls and anti-virus systems are up to date. Enterprises need to ensure that firewalls on the underlying operating systems are secure and that "edge-protection devices" such as anti-virus software, intrusion detection boxes and upstream routers from the ISP are up to date. "Ninety per cent of companies have these devices in place," says Keong, "so why are they still vulnerable to viruses? It's because of remote users. Their anti-virus signatures are not updated like those in the office environment." Personal firewalls must be installed on laptops and other remote computers. Keong also recommends event correlation software that will enable the IT department, when logging security-related events, to better discern when a genuine attack is occurring and then take action.

3. Put policy into place

Have an IT policy that is written and enforceable and covers all the critical systems as well as employees of the enterprise. "The baseline of any security architecture has got to be policy," says Ray Gazaway, vice-president of professional security services, Internet Security Systems Inc. (ISS) in Atlanta. From a legal perspective, the policy should prohibit pornography, conversing with competitors and circulating sexist, racist or defamatory e-mails.
Beyond the strictly legal implications, however, the policy should incorporate a digital disaster recovery plan. It should address the basic issue of whom to call in the event of an emergency. The enterprise's IT department should be an integral part of writing the policy relating to IT issues, says Gazaway, "but it should be the HR group that really owns the policy. It should make sure that employees sign off that they've read it, understand it, and are aware of the consequences of violations." 4. Backup plan Have a disaster recovery plan. Denial-of-service attacks have sensitized enterprises to the danger of being knocked offline. "If your livelihood is coming off e-commerce, you had better have that [Web site] backed up, just as you do your data," says Citron. "Back it up at least once a week so that you've always got the latest version." But digital disaster doesn't only take the form of deliberate attacks on IT assets, she cautions. The disaster recovery plan has to anticipate unintentional disruptions such as last August's power failure and the SARS crisis. "I've seen data centres burn down, and we go to the hot site, and away we go," says Citron. "But we'd never seen a situation where companies had to sequester work groups. Companies immediately had to layer security onto notebooks that hadn't been used before but now were needed to enable people to work from home." 5. Train and authenticate Minimize the internal threat by properly training and authenticating employees. Enterprises should have not only a policy but also an awareness program informing employees not to open e-mail attachments from unknown sources and not to bring in disks from home. In addition, firms need to have rigorous authentication and access policies. "We're still seeing a lot of very poor password procedures in place," says Gazaway. Companies should make employees change their passwords at least monthly -- and explain why. Role-based access to systems is another important safeguard. 
"There needs to be a concerted effort in a corporation to say, 'This employee is only working in this particular role and should only have access to this particular group.' It's amazing how often we see new employees come to a corporation and get access to everything. There's no reason for a person working in a mailroom to have access to financial records or HR records. It's a question of who needs to have access and why. And that needs to be reviewed on a regular basis." 6. Encrypt your data The use of encryption technology has become widespread in enterprises for e-commerce transactions and wireless communications, but not for stored data. "Encryption of the data at rest is just as important as encryption of the data in transit," says Mark Fabro, chief security scientist with AMS Information Security Services Group in Fairfax, Va. Not only has stored data become more susceptible to exposure due to open networking requirements, says Fabro. In addition, stored data tends to be in an aggregated format that, when considered together with other data, can have a much more harmful impact if compromised than data in transit. "The overall asset value of what is being encrypted will dictate the level of encryption that needs to be deployed to secure the data," says Fabro. "If the information is valuable for one week and it would take a dedicated attacker only half a week to decrypt it, then that encryption is not the right one to use." 7. Report to the CEO Appoint a chief information security officer (CISO) to be responsible for IT security. Ideally, the CISO shouldn't report directly to the chief information officer. A tangential relationship is necessary because the CISO's recommendations will be implemented through the activities of the CIO. "The direct reporting should be to the CEO, because it is the CISO who is ultimately going to be responsible for the crafting of information security policies," says Fabro. 
"And those policies will only be effective if they have top-level buy-in. It is not the CIO who is going to be pressing adherence to an information security policy. It is going to be the highest representation of the company." That should not be the board of directors, however, because employees may not fully grasp the importance of boards, Fabro says. From isn at c4i.org Wed Jun 30 10:24:59 2004 From: isn at c4i.org (InfoSec News) Date: Wed Jun 30 10:41:30 2004 Subject: [ISN] Campaign Sites Lack Security Message-ID: http://www.wired.com/news/infostructure/0,1377,64036,00.html By Michelle Delio June 30, 2004 George W. Bush and John Kerry may be tied in the polls, but Bush appears to be well ahead of Kerry in the number of security holes on his official campaign website. On Sunday, security analyst Richard Smith did a quick check of the Bush and Kerry campaign sites and found several security problems on each, all of which are common on many other websites. But after Smith posted a report of his findings to several security lists, others opted to do a deeper analysis and found some significant problems on Bush's website. One researcher used a commercial program called GFI LANguard to scan Bush's site. He said he found over 30 security faults. The researcher asked not to be identified because of concern that his scans could be construed as illegal under the Patriot Act. He submitted a digital copy of the results of the scan to Wired News. According to the scan, the security problems on the Bush site include potential vulnerabilities that could conceivably allow a malicious attacker to gain remote control over the server, crash it, tamper with information on Web pages and compromise stored information. "Several of the faults are critical; they can be easily exploited with serious repercussions," said the researcher. "And the fact I could run this scan remotely points to the complete lack and utter uselessness of their network security." 
The researcher said Kerry's site stopped the GFI LANguard scan before he could get any data. "From a network perspective, Kerry's site is not too bad as these things go. Most websites have nasty security issues. Few sites are written by professional programmers, and even fewer are written with security in mind."

Smith's analysis indicated that Kerry's campaign site shows signs of being vulnerable to SQL injection errors, which could put the site's server at risk. An SQL injection error can be used to break into a website's backend database, and could allow an attacker access to private information from the database.

Additionally, cross-site scripting errors (sometimes called XSS errors) exist on both sites, Smith said. These could allow malicious pranksters to create bogus Web pages that appear to originate from the Bush or Kerry websites. "A prankster could post fake news stories, slogans telling visitors to vote for the other candidate or doctored photos," said Smith.

Both sites contain firm statements assuring visitors that security is a primary concern.

The Bush site's privacy policy informs visitors, "Strict security measures are in place to protect the loss, misuse and alteration of any and all information pertaining to GeorgeWBush.com. In addition, GeorgeWBush.com is run on servers located in a secure server room and locked in a rack. Staff is onsite 24 hours a day, monitoring equipment and services."

Kerry's privacy policy states "JohnKerry.com has state of the art, extensive security measures in place to protect against the loss, misuse or alteration of the information under our control. Our server is located in a locked, secure environment, with a guard posted 24 hours a day. Access to your information is granted only to you and authorized Kerry Committee staff."

Neither campaign responded to phone calls and e-mails seeking comment.

Despite these guarantees, Smith and other security experts weren't surprised to see the security problems.
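The two bug classes Smith describes above, SQL injection and cross-site scripting, shown as an added example that is not part of the Wired article and is not code from either campaign site. It builds a constructed in-memory SQLite table of made-up donor records; the table name, its columns and the attacker inputs are all assumptions for the demo. The vulnerable lookup pastes the user-supplied e-mail address into the SQL text, so a crafted value rewrites the WHERE clause and returns every row in the table; the parameterised version hands the value to the driver separately and returns nothing for the same input. The vulnerable renderer reflects a search term into the page unescaped, which is exactly what lets a prankster inject markup that appears to come from the site; escaping it keeps the input as text.

```python
"""Added example: SQL injection and reflected XSS, vulnerable form beside the fix.

Not from the Wired article or either campaign's site.  The donors table, its
rows and the attacker inputs below are constructed for this demo.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a campaign site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE donors (email TEXT, name TEXT, amount INTEGER)")
    conn.executemany(
        "INSERT INTO donors VALUES (?, ?, ?)",
        [
            ("alice@example.com", "Alice Example", 250),
            ("bob@example.com", "Bob Example", 1000),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the query by string concatenation: the classic SQL injection bug.

    A value such as  ' OR '1'='1  turns the WHERE clause into a tautology and
    the query hands back every donor record.
    """
    sql = "SELECT email, name, amount FROM donors WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the value never becomes part of the SQL text, so the
    same injection string is just an e-mail address that matches nothing."""
    return conn.execute(
        "SELECT email, name, amount FROM donors WHERE email = ?", (email,)
    ).fetchall()


def render_vulnerable(search_term: str) -> str:
    """Reflects user input into the HTML unescaped: reflected XSS.  Whatever a
    crafted link carries in the search term is served as page markup."""
    return "<p>No results for <b>" + search_term + "</b></p>"


def render_fixed(search_term: str) -> str:
    """html.escape turns <, >, &, and both quote characters into entities, so
    the browser shows the attacker's markup as text instead of executing it."""
    return "<p>No results for <b>" + html.escape(search_term, quote=True) + "</b></p>"


# Constructed attacker inputs for the demo.
INJECTION = "' OR '1'='1"
XSS_PAYLOAD = '<script>document.title="Vote for the other candidate"</script>'

if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup:", lookup_vulnerable(db, INJECTION))  # every row
    print("fixed lookup:     ", lookup_fixed(db, INJECTION))       # []
    print("vulnerable page:  ", render_vulnerable(XSS_PAYLOAD))
    print("fixed page:       ", render_fixed(XSS_PAYLOAD))
```

Run it as a script to see both pairs side by side. The fix in each case is the same idea: keep data and code separate, either by letting the database driver bind the value or by encoding the value for the context it is written into, rather than by trying to filter bad strings.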
"These problems are typical," said security consultant Robert Ferrell. "They don't represent any significant issues you couldn't find on hundreds of other sites. Yeah, you could probably have fun with some of them, but it wouldn't be worth the fed attention you'd probably pull down on yourself." Smith also pointed out that both sites also have potential privacy problems. The Bush site has hired a company called Omniture to track visitors to the site. On its website, Omniture asks potential customers to imagine its service as "a device that could be placed by the front door of a department store to tell the store manager all kinds of detailed information about customers -- what store they came from, who they were referred by, if they have been to the store previously, what advertisement they were responding to and much more." Smith said his concern is that the Bush site's relationship with Omniture is not spelled out in the privacy policy. He discovered the presence of Omniture monitoring by looking at the HTML of the GeorgeWBush.com homepage, which contains these lines: "< ! - - SiteCatalyst code version: G.5. Copyright 1997-2003 Omniture, Inc. More info available at http://www.omniture.com - - >" "The use of Omniture Web bugs at the Bush site is a bit strange," said Smith. "It's one thing (for a commercial site) to track what kind of things people are interested in, but tracking political issues crosses the line for me." Both sites encourage visitors to add banner ads for the candidates to their own Web pages. The Bush banner ad uses JavaScript supplied from the Bush Web server. The Kerry banner ads use an embedded iframe. Smith said both methods allow the campaigns to track visitors to any Web pages where the banner ads appear. And for those who evaluate a candidate's choice of operating systems when choosing their president, Smith's check showed that the Kerry site is housed on an Apache Web server running on a Red Hat Linux box. 
The Bush website is hosted on a Microsoft IIS 5.0 server and uses Microsoft's ASP.net.

Smith said he attempted to contact Kerry and Bush representatives by e-mail regarding the problems he discovered, but has received no reply.

From isn at c4i.org Wed Jun 30 10:29:08 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 30 10:41:31 2004
Subject: [ISN] Re: Stephen Northcutt needs your help
Message-ID:

Forwarded from: security curmudgeon
To: InfoSec News, ip@v2.listbox.com
Cc: stephen@sans.org

[Editorial note: Due to a little technological error at this end, ISN is going out a little late, also I have about six pro and con mails about SANS I need to cut and paste, then I will kill this thread, any future mails can go directly to Stephen Northcutt. - WK]

SANS may be a non-profit but that doesn't mean the organization's employees work for free. Those who are full-time with SANS get paid for their work - and they are paid very well. While there may be some dispute regarding SANS and their reliance on "volunteer work", let's not forget they have chosen not to pay certain speakers in the past despite previously agreeing to do so.

Also interesting is the timing of Northcutt's email. It seems just as he wants CERT out of SANS' turf, the SANS diary gets updated with information about the latest and greatest threat received from a conference call full of government & military folks, including some from CERT. Despite their teeth-gnashing, they are certainly benefitting from their CERT relationship.

The course Northcutt is referring to is a Carnegie Mellon Software Engineering Institute course (CM SEI), that receives government funding. He argues that due to said government funding, CERT shouldn't be able to provide training if a commercial organization provides the same or similar service. Following this "logic", CERT advisories and bulletins should stop since several commercial outfits provide the same service.
The CERT VU/KB vulnerability database should go away since there are other free and commercial VDBs being maintained. I'm sure this wouldn't have any adverse effects on the security community at all.

Plain and simple, Northcutt's complaint is shallow & selfish. If a person wants general security training, what are they going to search for? "Security Training" - which brings up SANS as the first result. I don't know if things have changed since the post, but searching for "SANS Training" gets a link to giac.org first, sans.org second. Is this really an issue? And is the real complaint the supposed violation of OMB A-76? Or is this a concern over your next paycheck, Mr. Northcutt?

As it stands, SANS offers classes for as much as US$2,645 for five days of training. If you have only ten students in class, that is $26,450 incoming. Remove instructor fee, equipment cost and room rental and that is still a significant amount of money. If SANS isn't using a paid instructor (or they do, and opt not to pay them), SANS must make a killing on this training:

    SANS also offers a Volunteer Program through which, in return for acting as an important extension of SANS' conference staff, volunteers may attend classes at no cost. Volunteers are most definitely expected to pull their weight and the educational rewards for their doing so are substantial.

Add to the above general hypocrisy from SANS, and it's nearly impossible not to laugh at Northcutt's letter. Let's look at another letter from Northcutt in the wake of the "Code Red" worm:

http://www.attrition.org/errata/sec-co/sans02.html

    SANS Instructors, Jason Fossen and Eric Cole are available during the next few weeks to teach a special one-day course on Securing IIS. We haven't determined pricing yet, but it would be inappropriate to try to capitalize off of this attack.

This is blatant ambulance chasing, something that seems more reprehensible than anything CERT has done with a few google ad-words.

Jericho
Security Curmudgeon

ps: Does anyone else find the fact that "sans" in French means "without" or "lacking" - somewhat ironic?