From Yves.Roudier at eurecom.fr Tue Mar 23 14:35:34 2004
From: Yves.Roudier at eurecom.fr (Yves.Roudier@eurecom.fr)
Date: Wed Mar 24 07:09:54 2004
Subject: [ISN] ESORICS 2004 - Final Call for Papers
Message-ID: <200403231935.i2NJZYoq026078@zinnia.eurecom.fr>

[Apologies for multiple copies of this announcement]

CALL FOR PAPERS

ESORICS 2004
9th European Symposium on Research in Computer Security
Institut Eurécom, Sophia Antipolis, French Riviera, France
September 13-15, 2004
http://esorics04.eurecom.fr

ESORICS 2004 will be collocated with RAID 2004

Papers offering novel research contributions in any aspect of computer security are solicited for submission to the Ninth European Symposium on Research in Computer Security (ESORICS 2004). Organized in a series of European countries, ESORICS is confirmed as the European research event in computer security. The symposium started in 1990 and has been held on alternate years in different European countries and attracts an international audience from both the academic and industrial communities. From 2002 it will be held yearly. The Symposium has established itself as one of the premier international gatherings on Information Assurance.
Papers may present theory, technique, applications, or practical experience on topics including:

access control
accountability
anonymity
applied cryptography
authentication
covert channels
cryptographic protocols
cybercrime
data and application security
data integrity
denial of service attacks
dependability
digital right management
firewalls
formal methods in security
identity management
inference control
information dissemination control
information flow control
information warfare
intellectual property protection
intrusion tolerance
language-based security
network security
non-interference
peer-to-peer security
privacy-enhancing technology
pseudonymity
secure electronic commerce
security administration
security as quality of service
security evaluation
security management
security models
security requirements engineering
security verification
smartcards
steganography
subliminal channels
survivability
system security
transaction management
trust models and trust management policies
trustworthy user devices

The primary focus is on high-quality original unpublished research, case studies and implementation experiences. We encourage submissions of papers discussing industrial research and development. Proceedings will be published by Springer-Verlag in the Lecture Notes in Computer Science series.

PAPER SUBMISSIONS

Submitted papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. Papers should be at most 15 pages excluding the bibliography and well-marked appendices (using 11-point font), and at most 20 pages total. Committee members are not required to read the appendices, and so the paper should be intelligible without them.

To submit a paper, send to esorics04@dti.unimi.it a plain ASCII text email containing the title and abstract of your paper, the authors' names, email and postal addresses, phone and fax numbers, and identification of the contact author.
To the same message, attach your submission (as a MIME attachment) in PDF or portable postscript format. Do NOT send files formatted for word processing packages (e.g., Microsoft Word or WordPerfect files). Submissions not meeting these guidelines risk rejection without consideration of their merits.

Submissions must be received by March 26, 2004 in order to be considered. Notification of acceptance or rejection will be sent to authors by May 30, 2004. Authors of accepted papers must be prepared to sign a copyright statement and must guarantee that their paper will be presented at the conference. Authors of accepted papers must follow the Springer Information for Authors' guidelines for the preparation of the manuscript and use the templates provided there.

ORGANIZING COMMITTEE

General Chair
Refik Molva, Institut Eurécom
email: Refik.Molva@eurecom.fr

Program Chairs
Peter Ryan, University of Newcastle upon Tyne
email: Peter.Ryan@newcastle.ac.uk
Pierangela Samarati, University of Milan
email: samarati@dti.unimi.it

Publication Chair
Dieter Gollmann, TU Hamburg-Harburg
email: diego@tuhh.de

Publicity Chair
Yves Roudier, Institut Eurécom
email: roudier@eurecom.fr

Sponsoring Chair
Marc Dacier, Institut Eurécom
email: dacier@eurecom.fr

PROGRAM COMMITTEE

Vijay Atluri, Rutgers University, USA
Joachim Biskup, Universitaet Dortmund, Germany
Jan Camenisch, IBM Research, Switzerland
David Chadwick, University of Salford, UK
Ernesto Damiani, University of Milan, Italy
Sabrina De Capitani di Vimercati, University of Milan, Italy
Yves Deswarte, LAAS-CNRS, France
Alberto Escudero-Pascual, Royal Institute of Technology, Sweden
Simon Foley, University College Cork, Ireland
Dieter Gollmann, TU Hamburg-Harburg, Germany
Joshua D. Guttman, MITRE, USA
Sushil Jajodia, George Mason University, USA
Sokratis K. Katsikas, University of the Aegean, Greece
Peng Liu, Pennsylvania State University, USA
Javier Lopez, University of Malaga, Spain
Roy Maxion, Carnegie Mellon University, USA
Patrick McDaniel, AT&T Labs-Research, USA
John McHugh, CERT/CC, USA
Catherine A. Meadows, Naval Research Lab, USA
Refik Molva, Institut Eurécom, France
Peng Ning, NC State University, USA
LouAnna Notargiacomo, The MITRE Corporation, USA
Eiji Okamoto, University of Tsukuba, Japan
Stefano Paraboschi, University of Bergamo, Italy
Andreas Pfitzmann, TU Dresden, Germany
Jean-Jacques Quisquater, Microelectronic laboratory, Belgium
Steve Schneider, University of London, UK
Christoph Schuba, Sun Microsystems, Inc., USA
Michael Steiner, IBM T.J. Watson Research Laboratory, USA
Paul Syverson, Naval Research Laboratory, USA
Moti Yung, Columbia University, USA

IMPORTANT DATES

Paper Submission due: March 26, 2004
Acceptance notification: May 30, 2004
Final papers due: June 30, 2004

From Yves.Roudier at eurecom.fr Tue Mar 23 14:39:38 2004
From: Yves.Roudier at eurecom.fr (Yves.Roudier@eurecom.fr)
Date: Wed Mar 24 07:11:14 2004
Subject: [ISN] RAID 2004 - Final Call for Papers
Message-ID: <200403231939.i2NJdcaO026145@zinnia.eurecom.fr>

[Apologies for multiple copies of this announcement]

CALL FOR PAPERS

RAID 2004
"Intrusion Detection and Society"
Seventh International Symposium on Recent Advances in Intrusion Detection
Institut Eurécom, Sophia-Antipolis, French Riviera, France
September 15-17, 2004
http://raid04.eurecom.fr

This symposium, the seventh in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss intrusion detection technologies and issues from the research and commercial perspectives. The RAID International Symposium series is intended to further advances in intrusion detection by promoting the exchange of ideas in a broad range of topics.
For RAID 2004 there is a special theme: the interdependence between intrusion detection and society. Thus, we will also welcome papers that address issues that arise when studying intrusion detection, including information gathering and monitoring, as a part of a larger, not necessarily purely technical, perspective. For example, the implication of information gathering and detection technologies on enterprises, organisations and authorities, as well as legislative and governing bodies is within scope, but also the impact and restrictions from those bodies on the design and technology. This would include issues such as privacy, risk and emergency management, crisis management, security policies, standardisation and legal issues.

An increasingly important dynamic is the strategic importance of protecting national information infrastructures, which is in some tension with the fact that much of this infrastructure is in the private sector. Related to this is the potential strategic impact of attacks at the intersection of information and physical infrastructure.

The RAID 2004 program committee invites three types of submissions:

- Full papers presenting mature research results. Papers accepted for presentation at the Symposium will be included in the RAID 2004 proceedings published by Springer Verlag in its Lecture Notes in Computer Science (LNCS) series. Full papers are limited to 20 pages when formatted according to the instructions provided by Springer Verlag. Papers must include an abstract and a list of keywords.

- Practical experience reports describing a valuable experience or a case study, such as the design and deployment of a system or actual experience from intrusion detection or network monitoring. These reports are reviewed differently from full papers and do not necessarily include fundamental scientific contributions or new research ideas.
Practical experience reports are limited to 12 pages when formatted according to the instructions provided by Springer Verlag. They must include an abstract and a list of keywords.

- Panel proposals for presenting and discussing hot topics in the field of intrusion detection systems. The panel proposals should include both an outline of the format of the panel and a short rationale for the panel. Panels that include time for general discussion and questions/answers between the panelists and the Symposium attendees are preferred.

All topics related to Intrusion Detection Systems and Technologies are within scope, including their design, use and maintenance, integration, correlation and self-protection, just to mention a few. With reference to this year's theme and extended scope we also invite papers on the following topics, as they bear on intrusion detection and the general problem of information security:

Risk assessment and risk management
Intrusion tolerance
Deception systems and honeypots
Privacy aspects
Data mining techniques
Visualization techniques
Cognitive approaches
Biological approaches
Self-learning
Case studies
Legal issues
Critical infrastructure protection (CIP)

ORGANIZING COMMITTEE

General Chair: Refik Molva
Program Chairs: Erland Jonsson, Alfonso Valdes
Publication Chair: Magnus Almgren
Publicity Chair: Yves Roudier
Sponsor Chair: Marc Dacier

PROGRAM COMMITTEE

Tatsuya Baba (NTT Data, Japan)
Lee Badger (DARPA, USA)
Sungdeok Cha (KAIST, Korea)
Steven Cheung (SRI International, USA)
Hervé Debar (France Telecom R&D, France)
Simone Fischer-Hübner (Karlstad University, Sweden)
Steven Furnell (University of Plymouth, UK)
Bill Hutchinson (Edith Cowan University, Australia)
Dogan Kesdogan (RWTH Aachen, Germany)
Chris Kruegel (UCSB, USA)
Håkan Kvarnström (TeliaSonera R&D, Sweden)
Wenke Lee (Georgia Tech, USA)
Douglas Maughan (DHS HSARPA, USA)
Roy Maxion (Carnegie Mellon University, USA)
John McHugh (CMU/SEI CERT, USA)
Ludovic Mé (Supélec, France)
George Mohay (Queensland University of Technology, Australia)
Vern Paxson (ICSI and LBNL, USA)
Giovanni Vigna (UCSB, USA)
Andreas Wespi (IBM Research, Switzerland)
Felix Wu (UC Davis, USA)
Diego Zamboni (IBM Research, Switzerland)

IMPORTANT DATES

Deadline for paper submission: March 31, 2004
Deadline for panel submission: April 30, 2004
Deadline for poster submission: August 20, 2004
Notification of acceptance or rejection: June 4, 2004
Final paper camera ready copy: July 2, 2004
RAID conference dates: September 15-17, 2004

SUBMISSIONS

Submissions must not substantially duplicate work that any of the authors has published elsewhere or has submitted in parallel to any other conference or workshop with proceedings. The full papers must list all authors and their affiliations; in case of multiple authors, the contact author must be indicated (note that RAID does not require anonymized submissions).

Authors are invited to submit their papers electronically. A detailed description of the electronic submission procedure is available at http://raid04.eurecom.fr/submit.html. Submissions must conform to this procedure and be received within the submission deadline in order to be considered. Each submission will be acknowledged by e-mail. If acknowledgment is not received within seven days, please contact RAID 2004's PC Chair.

Poster submissions should be sent as a half-page abstract. For submission or practical details, please contact Marc Dacier.

All submissions and presentations must be in English.

CORPORATE SPONSORS

We solicit interested organizations to serve as sponsors for RAID 2004, particularly in sponsorship of student travel and other expenses for RAID. Please contact the Sponsor Chair, Marc Dacier, for information regarding corporate sponsorship of RAID 2004.

REGISTRATION

Detailed registration information (including fees, suggested hotels, and travel directions) will be provided at the RAID 2004 web site (http://raid04.eurecom.fr).
PROCEEDINGS

Accepted papers will be published by Springer Verlag in its Lecture Notes in Computer Science (LNCS) series. Instructions for authors will be provided at the RAID 2004 web site (http://raid04.eurecom.fr).

STEERING COMMITTEE

Chair: Marc Dacier (Eurecom, France)
Hervé Debar (France Telecom R&D, France)
Deborah Frincke (University of Idaho, USA)
Huang Ming-Yuh (The Boeing Company, USA)
Wenke Lee (Georgia Institute of Technology, USA)
Ludovic Mé (Supélec, France)
S. Felix Wu (UC Davis, USA)
Andreas Wespi (IBM Research, Switzerland)
Giovanni Vigna (UCSB, USA)

For further information, please contact the Program Chairs or the General Chair.

********************************************************************

From isn at c4i.org Wed Mar 24 07:01:33 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 24 07:11:14 2004
Subject: [ISN] Clarke book cites management, info-sharing problems at DHS
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,91561,00.html

[http://www.amazon.com/exec/obidos/ASIN/0743260244/c4iorg - WK]

News Story by Dan Verton
MARCH 23, 2004
COMPUTERWORLD

The Bush administration's homeland security strategy, including its new emphasis on cybersecurity, is poorly managed and being held hostage to decades-old cultural and turf battles, according to a new book out this week by former White House adviser Richard Clarke.

Clarke's book, Against All Enemies, hit stores yesterday and caused an immediate uproar in Washington. In it, Clarke accuses the Bush administration of politicizing the war on terror and forcing a virtual army of professional staffers to pull recalcitrant senior officials to the realization that national threats had changed and required new defenses.

Clarke ended a 30-year career in government last March as chairman of the President's Critical Infrastructure Protection Board and the de facto cybersecurity czar.
In 291 pages that describe detailed conversations and meetings with the president and many of his key cabinet members, Clarke paints a portrait of an administration so sidetracked by the idea of deposing Saddam Hussein that many officials charged with setting up the new Department of Homeland Security and improving information sharing across agencies quit in frustration.

Even on Sept. 11, 2001, the ability of Clarke and other members of the president's senior White House staff to communicate and direct a response to the terrorist attacks was severely hampered by poor communications, according to Clarke.

"The comms in this place are terrible," said Vice President Dick Cheney, according to Clarke. He was referring to the East Wing bomb shelter in the White House.

"Now you know why I wanted the money for a new bunker," replied Clarke. "I could not resist," he wrote later. "The President had canceled my plans for a replacement facility."

The FBI under former director Louis Freeh also falls squarely in Clarke's cross hairs for failing to take the issue of information sharing and IT infrastructure seriously.

"The lack of computer support was a failure of the bureau's leadership," wrote Clarke. "Local police departments throughout the country had far more advanced data systems than the FBI. In New York, I saw piles of terrorism files on the floor of the [FBI Joint Terrorism Task Force]. There was only one low-paid file clerk there, and he could not keep up with the volume of paper that was being generated. There was no way for one agent to know what information another agent had collected, even in the same office."

This was in "stark contrast to the CIA, NSA and the State Department," wrote Clarke, "which flooded my secure e-mail with over 100 detailed reports every day."
Eventually, the volume of intelligence reporting became so great after the terrorist attacks that Clarke established a threat subgroup charged with tracking intelligence leads in a program made famous by the television program Threat Matrix. Many people would be surprised to learn, however, that the infamous threat matrix is nothing more than an Excel spreadsheet, according to Clarke.

Clarke describes a conversation he had with a veteran FBI official who likened the agency to an aircraft carrier. "It takes a long time to stop going in one direction and turn around and go in another," the official told Clarke.

Senior officials at the Department of Homeland Security are also faulted for mishandling the massive merger of 22 federal agencies and 200,000 employees. Clarke calls Secretary of Homeland Security Tom Ridge "at root a politician, not a manager nor a security expert."

Clarke claims that the administration downgraded the importance of homeland security in favor of the war in Iraq, and in an interview with Computerworld last week, Clarke said cybersecurity and critical-infrastructure protection suffered the same fate.

"They've demoted the issue from a White House issue to being an issue four or five levels down in the Department of Homeland Security," said Clarke.

Asked about the charges that his office succumbed to industry pressure and at the last minute ripped the teeth out of the National Strategy to Secure Cyberspace, which Clarke released in February 2003 just before leaving government, Clarke called such claims "an urban legend." He doesn't address the national strategy in detail in his book but does say that he and deputy Roger Cressey worked on the issue of cybersecurity for a year "before quit[ting] the administration altogether."

The creation of the DHS was flawed from the start, according to Clarke. It should have been done in phases.
Instead, dozens of agencies were simultaneously merged into one in an effort that was the equivalent of the AOL/Time Warner merger "multip[lied] by several orders of magnitude."

Fixing the DHS will require the creation of a management cadre from the best and the brightest of the civil service, military and private sector, according to Clarke. The DHS must become a place where senior managers want to work, he wrote, saying that it must become "the GE of the government." Hiring bonuses may be needed, but creating a halo effect costs money.

"Regrettably, the administration sought to do homeland security on the cheap, telling Ridge that creating the new department has to be 'revenue neutral,' jargon for no new money to implement the largest government reorganization in history," Clarke wrote.

From isn at c4i.org Wed Mar 24 07:02:15 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 24 07:11:15 2004
Subject: [ISN] When Gaming is a Gamble
Message-ID:

http://www.securityfocus.com/columnists/229

By Mark Rasch
Mar 22 2004

As a computer security expert, you are hired by an offshore casino in the Cayman Islands to develop a security and authentication technology. Your client is a licensed Cayman casino that has been operating for over 30 years, and wants to make a foray into online gaming. You perform a standard penetration test, a security assessment, an architecture and code review, help establish the SSL and authentication protocols, and help with firewall implementation and monitoring -- you know: the full suite of security services. You test the beta site and its configuration, and give your stamp of approval. With check in hand, you return to America and days, weeks or months later, the site goes active.

A few weeks after that, you are visited by an FBI agent with a federal grand jury subpoena seeking records relating to your security work. Weeks after that, a knock on the door announces the arrival of deputy U.S.
Marshals with a warrant for your arrest for violation of 18 U.S.C. 1084 and 18 U.S.C. 2. Your computer security consulting may have earned you a one-way ticket to the hoosegow.

U.S. law generally makes it a crime if you are "engaged in the business of betting or wagering" and you "knowingly [use] a wire communication facility for the transmission in interstate or foreign commerce of bets or wagers or information assisting in the placing of bets or wagers on any sporting events, or contest..." This statute, 18 USC 1084, is called the "wire act" and has been applied for more than 70 years to go after offshore bookies who seek to evade U.S. law by locating overseas. However, Internet gambling is legalized in Liechtenstein, Gibraltar, Australia, New Zealand, Costa Rica, and a few Caribbean islands. So the first question is whether Internet gaming by a company in a country that permits it is a violation of U.S. law.

The U.S. Justice Department argues that it is -- and has the arrests and convictions (well, guilty pleas) to prove it. The theory is that entities that are in the business of betting or wagering (even where this is legal), who use international communications facilities like the Internet, and in some way "enter" or "affect" the United States or U.S. citizens, are violating the Wire Act.

What does this mean to you, the security professional? You aren't in the "business" of betting or wagering. You haven't taken any bets over international wires.

Living Vicariously

A recent New York Times article reports that U.S. prosecutors are beginning to use the federal aiding and abetting statute to investigate and potentially prosecute those who, through perfectly lawful activities, assist online gaming companies that flout U.S. law. This includes banks, broadcasters, ISPs and advertisers who help these casinos get their message out.
The same net could easily snare information security professionals who, either deliberately or inadvertently, assist the gamers in their activities.

This represents a potentially dangerous trend for information security professionals. Security, by its nature, is intended to facilitate concealment. It ensures that only those authorized to "enter" may do so. If properly implemented, it can protect the confidentiality of communications, prevent unwanted parties from accessing files, and even arrange for files to "self destruct" when improperly accessed. With this power comes some responsibility, and some duty to inquire about the use of the technology.

Clearly if a narco-trafficker in Bogota or a member of Al Qaeda in Afghanistan seeks assistance in concealing their activities, the moral as well as legal answer is a resounding, "no." In fact, in the case of the terrorist (or a group designated by the government as a terrorist organization), providing "material support" is a criminal offense, even without the aiding and abetting language.

But the U.S. government's assault on those who assist gamers presents a much more difficult issue. It essentially imposes responsibility on the security professional to inquire of his or her clients the reason they are seeking confidentiality, integrity or availability, and to make an independent judgment about whether these reasons may violate the laws of any nation that may touch the networks -- all under penalty of criminal prosecution. Thus, a network administrator for Arthur Andersen who provides copies of Norton utilities runs a risk (albeit a small one) of indictment when the software is used to wipe files relating to Enron.

The criminal conspiracy statute, 18 U.S.C. 371, is known as "the prosecutor's friend" because of its talent for incarcerating people even tangentially connected to criminal activity. Yet even this statute requires the government to show an agreement to commit a crime.
The aiding and abetting statute requires no such proof. It only requires the government to show that, with knowledge (express or implied) that a party intends to commit a crime, the defendant provided material support for that person. And the punishment for aiding and abetting is the same as for committing the underlying crime.

Applying this rationale to Internet crimes and information security professionals is a dangerous and inherently slippery slope. The information security professional who sets up a secure website for people to protest against Chinese occupation of Tibet runs the risk of criminal and capital punishment in China. The man who sets up the secure payment system for a Norwegian purveyor of dirty pictures may be prosecuted in the United States for a vicarious violation of U.S. "indecency" laws.

A line must be drawn -- clearly. If a person with intent to facilitate criminal activity deliberately does so, then it's fair game to prosecute. But we should not impose on the security professional a duty to know what the laws of the world are as applied to Internet activities. Hell, even us lawyers can't keep track.

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

From isn at c4i.org Wed Mar 24 07:02:45 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 24 07:11:16 2004
Subject: [ISN] Lieberman blasts Bush cybersecurity plan
Message-ID:

http://www.fcw.com/fcw/articles/2004/0322/web-dhs-03-23-04.asp

By Florence Olsen
March 23, 2004

Sen. Joseph Lieberman (D-Conn.) charged the Bush administration with "lassitude and lack of leadership" in securing the nation's critical computer systems infrastructure.
In a March 19 letter, Lieberman, the ranking Democrat on the Senate Governmental Affairs Committee and a frequent critic of the White House's homeland security efforts, characterized the administration's National Strategy to Secure Cyberspace as little more than vague generalities, without timeframes, deadlines or performance benchmarks. The strategy was originally announced February 2003.

"It appears that the administration has been running in place, leaving us little closer to having meaningful protections for the vital computer dependent systems on which the country depends each day," Lieberman wrote in the March 19 letter to Homeland Security Department Secretary Tom Ridge.

Some of the lack of progress, Lieberman argues, stems from a delay in finding someone to head DHS' National Cyber Security Division, a position now filled by Amit Yoran.

The 22-page letter criticized DHS officials' performance and asked 57 questions covering areas such as what DHS is doing about reducing software vulnerabilities, and plans for continuity and contingency planning.

From isn at c4i.org Wed Mar 24 07:03:21 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 24 07:11:18 2004
Subject: [ISN] Server breach likely to delay Gnome
Message-ID:

http://news.com.com/2100-7349_3-5178168.html

By Robert Lemos
Staff Writer, CNET News.com
March 23, 2004

The Gnome Project said Tuesday that its servers have apparently been breached, potentially delaying the latest release of its desktop system for Linux.

In an e-mail alert sent Tuesday, the managers of the project told developers that they had found evidence indicating that the server hosting Gnome.org had been breached. Gnome and its rival KDE provide the two major desktop systems used on computers running the Linux operating system.
"We are investigating further and will provide updates as we know more," Owen Taylor, a member of the Gnome system administration team and a software engineer for Red Hat's desktop group, stated in a two-paragraph advisory on the Gnome Announcements mailing list. "We hope to have the essential services hosted on the affected machine up and running again as soon as possible."

The short message also stated that the administrators believed the source code repository, which contains the current development work on Gnome software, was unaffected by the breach.

A member of the Gnome development team said that the next version of the software, Gnome 2.6, will likely be delayed a few days while the project members investigate the breach. The software was scheduled to be released on Wednesday.

"We don't expect any significant effect on Gnome development," the team member said on condition of anonymity. "Because it happened right before the 2.6 release, we'll probably have to push (the release) back a few days but that should be all."

The apparent trespass is the latest blow for the security of open-source development projects. In November, the servers for two Linux projects--Debian and Gentoo--were compromised. Earlier the same month, an attacker managed to gain access to a server that mirrored the latest version of the code for the Linux kernel. And in March and December separate attacks on servers hosting software under development by the GNU Project, the source of much of the free software used by Linux, successfully breached those systems.

Members of the Gnome Project noticed some "suspicious processes running on the Gnome.org" server, said the developer. An investigation revealed several files in a temporary directory that led the team to believe that someone was able to run commands and to search for vulnerabilities.
"As far as we know at this point no damage was done other than the loss of services while we clean up and get things back in place," said the team member. "We're, of course, investigating thoroughly to make sure that we know the full extent of the break-in and will provide a full update to the community when we finish that."

From Lists at RunyanRants.Net Wed Mar 24 14:45:02 2004
From: Lists at RunyanRants.Net (JD Runyan)
Date: Thu Mar 25 05:57:56 2004
Subject: [ISN] Lieberman blasts Bush cybersecurity plan
In-Reply-To:
References:
Message-ID: <200403241345.07670.Lists@RunyanRants.Net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 24 March 2004 06:02, InfoSec News wrote:
> http://www.fcw.com/fcw/articles/2004/0322/web-dhs-03-23-04.asp
>
> By Florence Olsen
> March 23, 2004
>
> The 22-page letter criticized DHS officials' performance and asked 57
> questions covering areas such as what DHS is doing about reducing
> software vulnerabilities, and plans for continuity and contingency
> planning.

Since when is the government in the business of writing software? How do they reduce software vulnerabilities? I don't understand how DHS can deal with these issues. The most they can do is increase the standards, and institute a reliable mechanism of enforcing the standards. There certainly have been more security auditing and expectations in a post 9/11 government. I don't know what it has bought us, but the government is more acutely aware of the issues.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFAYeVD5m+UfoWV2WURAue1AJ0cczSA2xCwSqqP9JmrT/a1SeTFMgCfarfW
H4akFDq18Dox9+9XX+mxVSU=
=lNqG
-----END PGP SIGNATURE-----

From isn at c4i.org Thu Mar 25 05:44:27 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 25 05:57:58 2004
Subject: [ISN] ITL Bulletin for March 2004
Message-ID:

Forwarded from: Elizabeth Lennon

ITL Bulletin, March 2004

FEDERAL INFORMATION PROCESSING STANDARD (FIPS) 199, STANDARDS FOR SECURITY CATEGORIZATION OF FEDERAL INFORMATION AND INFORMATION SYSTEMS

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

A new Federal Information Processing Standard (FIPS), recently approved by the Secretary of Commerce, will help federal agencies protect the information and information systems that support their operations and assets. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, is an important component of a suite of standards and guidelines that NIST is developing to improve the security in federal information systems, including those systems that are part of the nation's critical infrastructure. (See listing of these planned publications at the end of this bulletin.)

FIPS 199 will enable agencies to meet the requirements of the Federal Information Security Management Act (FISMA) and improve the security of federal information systems. The security standard will also make it possible for federal agencies to establish priorities for protecting their information systems, ranging from very sensitive, mission-critical operations to lower-priority systems performing less critical operations. Background information on NIST's efforts to provide the security standards, guidelines, and technical tools for implementing FISMA is available at: http://csrc.nist.gov/sec-cert/ca-background.html.
FIPS 199 was approved after an open public review and comment process that included notices published in the Federal Register and posted on the NIST website. Comments and recommendations were received from more than thirty individuals and groups. The new FIPS 199 is available electronically at: http://csrc.nist.gov/publications/fips.

Applicability of FIPS 199

FIPS 199 is effective immediately and applies to:

* All information within the federal government other than that information that has been determined pursuant to Executive Order 12958, as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status; and

* All federal information systems other than those information systems designated as national security systems as defined in 44 United States Code Section 3542(b)(2).

Why Security Categorization Standards Are Needed

FISMA, Title III of the E-Government Act of 2002 (Public Law 107-347), was passed by the one hundred and seventh Congress and signed into law by the President in December 2002. This legislation recognizes the importance of information security to the economic and national security interests of the United States, and tasked NIST with responsibilities for standards and guidelines, including the development of:

* Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;

* Guidelines recommending the types of information and information systems to be included in each category; and

* Minimum information security requirements (i.e., management, operational, and technical controls) for information and information systems in each such category.
By providing a common framework and method for categorizing information and information systems, FIPS 199 responds to the first task assigned to NIST. Use of this standard will enable agencies to identify and prioritize their most important information and information systems by defining the maximum impact a breach in confidentiality, integrity, or availability could have on the agency's operations, assets, and/or individuals. A FIPS 199 security categorization serves as the starting point for the selection of security controls for an agency's information system, controls that are commensurate with the importance of the information and information system to the agency. Additional NIST guidance will instruct agencies how to use FIPS 199 to select minimum security controls for an information system and subsequently assess the controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system. The standard also promotes more effective management, oversight, and expenditure of agency information security resources and more consistent reporting on the agency's security accomplishments to the Office of Management and Budget (OMB) and to the Congress. Future NIST standards and guidelines will focus on the second and third tasks above.

A Risk-Based Approach

FISMA and earlier legislation, the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), provide for a risk-based approach to information security.
OMB provides guidance in its Circular A-130, Appendix III, on carrying out the risk-based approach and requires agencies to:

* Plan for adequate security of each information system as part of the agency management and planning processes,

* Ensure that appropriate officials are assigned responsibilities for security,

* Periodically review the security controls in their information systems, and

* Authorize system processing prior to operations, and periodically thereafter.

The objective is to conduct agency operations and accomplish agency missions with adequate security or security commensurate with risk, considering threats, vulnerabilities, value of the information system or application, and the effectiveness of current or proposed security controls. The risk-based approach should be applied throughout the System Development Life Cycle (SDLC).

Security Objectives, Impact Levels, and Security Categorization

FIPS 199 is predicated on a simple and well-established concept: determining appropriate priorities for agency information systems and subsequently applying appropriate measures to adequately protect those systems. The security controls applied to a particular information system should be commensurate with the system's criticality and sensitivity. FIPS 199 assigns this level of criticality and sensitivity, called security categorization, to information and information systems based on potential impact on agency operations (mission, functions, image, or reputation), agency assets, or individuals should there be a breach in security due to the loss of confidentiality (i.e., unauthorized disclosure of information), integrity (i.e., unauthorized modification of information), or availability (i.e., denial of service).
In FIPS 199, confidentiality, integrity, and availability are defined as security objectives for information and information systems:

* Confidentiality: "Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information..." A loss of confidentiality is the unauthorized disclosure of information.

* Integrity: "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity..." A loss of integrity is the unauthorized modification or destruction of information.

* Availability: "Ensuring timely and reliable access to and use of information..." A loss of availability is the disruption of access to or use of information or an information system.

For each type of information that is processed, stored, or transmitted by an information system and for the information system itself, FIPS 199 requires assigning a security category to the information and information system. The security category consists of an impact level for each of the three security objectives of confidentiality, integrity, and availability. An impact level of low (L), moderate (M), or high (H) represents the impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals should there be a breach in security in the respective security objective areas (i.e., for each security objective area, the impact level could be L, M, or H). The assignment of security categories must take place within the context of each organization and the overall national interest.

Impact levels are defined in FIPS 199 as follows:

The potential impact is low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
A limited adverse effect could mean that the loss of confidentiality, integrity, or availability might:

* Cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced;

* Result in minor damage to organizational assets, minor financial loss, or minor harm to individuals.

The potential impact is moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect could mean that the loss of confidentiality, integrity, or availability might:

* Cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;

* Result in significant damage to organizational assets, significant financial loss, or significant harm to individuals, but not loss of life or serious life threatening injuries.

The potential impact is high if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect could mean that the loss of confidentiality, integrity, or availability might:

* Cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;

* Result in major damage to organizational assets, major financial loss, or severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.
Security Categorization Applied to Information Types and Information Systems

The security category of an information type that is processed, stored, or transmitted by an information system can be associated with both user information and system information, and can be applicable to information in either electronic or non-electronic form. System information such as network routing tables, password files, and cryptographic key management information must always be protected at a level that is appropriate for the most critical or sensitive user information.

In establishing the appropriate security category of an information type, organizations should determine the potential impact for each security objective associated with the particular information type. For example, an organization might determine that there is low potential impact from a loss of confidentiality of its public information, that there is a moderate potential impact from a loss of integrity, and that there is a moderate potential impact from a loss of availability. FIPS 199 provides examples of how to determine and to express the security categories of information types.

In establishing the appropriate security category of an information system, organizations should consider the security categories of all information types that are processed, stored, or transmitted on the information system. For a system, the potential impact values assigned to the respective security objectives of confidentiality, integrity, and availability should be the highest values from among those security categories that have been determined for each type of information processed. For example, an organization might determine the security category for sensitive contract information in a system used for acquisitions is moderate (for confidentiality), moderate (for integrity), and low (for availability).
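The per-objective high-water-mark rule just described, carried through in code for the bulletin's acquisition-system example (the contract information above plus the routine administrative information the bulletin goes on to describe). This is an added example, not code from the ITL Bulletin or NIST; it parses the "SC name = {(confidentiality, X), (integrity, Y), (availability, Z)}" notation FIPS 199 uses to express a category, and the inputs are constructed to match the bulletin's example.

```python
"""FIPS 199 security categorization: one impact level per security objective,
and the high-water-mark rule for a system holding several information types.

Added example, not NIST's code. The SC notation parsed here is the form
FIPS 199 uses to express a security category.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OBJECTIVES = ("confidentiality", "integrity", "availability")
# Impact levels in FIPS 199 order, so the tuple index is a comparable rank.
LEVELS = ("LOW", "MODERATE", "HIGH")


def max_level(a: str, b: str) -> str:
    """Return the more severe of two impact levels (the high-water mark)."""
    return LEVELS[max(LEVELS.index(a), LEVELS.index(b))]


@dataclass(frozen=True)
class SecurityCategory:
    """Impact level for each security objective, each one of LEVELS."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for obj in OBJECTIVES:
            level = getattr(self, obj)
            if level not in LEVELS:
                raise ValueError(f"{obj}: {level!r} is not one of {LEVELS}")

    @classmethod
    def parse(cls, text: str) -> "SecurityCategory":
        """Parse 'SC name = {(confidentiality, L), (integrity, L), (availability, L)}'."""
        pairs = {k.lower(): v.upper()
                 for k, v in re.findall(r"\(\s*(\w+)\s*,\s*(\w+)\s*\)", text)}
        missing = [o for o in OBJECTIVES if o not in pairs]
        if missing:
            raise ValueError(f"security category is missing objectives: {missing}")
        return cls(**{o: pairs[o] for o in OBJECTIVES})

    def merge(self, other: "SecurityCategory") -> "SecurityCategory":
        """Per-objective high-water mark of two categories."""
        return SecurityCategory(
            *(max_level(getattr(self, o), getattr(other, o)) for o in OBJECTIVES))

    def format(self, name: str) -> str:
        """Render the category in FIPS 199 notation."""
        inner = ", ".join(f"({o}, {getattr(self, o)})" for o in OBJECTIVES)
        return f"SC {name} = {{{inner}}}"


def system_category(info_types: dict[str, SecurityCategory]) -> SecurityCategory:
    """FIPS 199 rule for a system: for each objective, take the highest impact
    among all information types the system processes, stores or transmits."""
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    cats = iter(info_types.values())
    result = next(cats)
    for cat in cats:
        result = result.merge(cat)
    return result


def system_information_floor(system: SecurityCategory,
                             system_info: SecurityCategory) -> SecurityCategory:
    """System information (routing tables, password files, key material) must be
    protected at least at the level of the most critical user information, so its
    category is raised to the system's high-water mark wherever it falls below it."""
    return system_info.merge(system)


# Constructed inputs mirroring the bulletin's acquisition-system example.
ACQUISITION_SYSTEM = {
    "contract information": SecurityCategory.parse(
        "SC contract information = {(confidentiality, MODERATE), "
        "(integrity, MODERATE), (availability, LOW)}"),
    "administrative information": SecurityCategory.parse(
        "SC administrative information = {(confidentiality, LOW), "
        "(integrity, LOW), (availability, LOW)}"),
}

if __name__ == "__main__":
    sc = system_category(ACQUISITION_SYSTEM)
    print(sc.format("acquisition system"))
    # -> SC acquisition system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}
```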
The organization might also determine that the security category for routine administrative information processed on the same system is low (for confidentiality), low (for integrity), and low (for availability). The security category for the information system should be expressed in terms of the maximum potential impact values for each security objective from the various information types resident on the acquisition system. In this example, the system's security category would be moderate (for confidentiality), moderate (for integrity), and low (for availability).

System Development Life Cycle and Future Standards and Guidelines

Employed within the System Development Life Cycle (SDLC), FIPS 199 can be used as part of an agency's risk management program to help ensure that appropriate security controls are applied to each information system and that the controls are adequately assessed to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the system security requirements. The following activities, consistent with NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, can be applied to both new and legacy information systems within the SDLC:

* Categorize the information system (and the information resident within that system) based on a FIPS 199 impact analysis (See NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, for guidance in assigning security categories and refining the impact analysis).
* Select an initial set of security controls for the information system (as a starting point) based on the FIPS 199 security categorization (See NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, or FIPS 200, Security Controls for Federal Information Systems, which will replace NIST Special Publication 800-53 in December 2005 in fulfillment of the FISMA legislative requirement for mandatory minimum security requirements for federal information systems.)

* Refine the initial set of security controls selected for the information system based on local conditions including agency-specific security requirements, specific threat information, cost-benefit analyses, the availability of compensating controls, or other special circumstances.

* Document the agreed upon set of security controls in the security plan for the information system including the agency's rationale and justification for any refinements or adjustments to the initial set of controls (See NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems).

* Implement the security controls in the information system. For legacy systems, some or all of the security controls selected may already be in place.

* Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. (See NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, summer 2004).

* Determine the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the planned or continued operation of the information system (See NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems).
* Authorize system processing (or for legacy systems, authorize continued system processing) if the level of risk to the agency's operations, assets, or individuals is acceptable to the authorizing official (See NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems).

* Monitor selected security controls in the information system on a continuous basis including documenting changes to the system, conducting security impact analyses of the associated changes, and reporting the security status of the system to appropriate agency officials on a regular basis (See NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems).

Since some of the documents referenced above are either in development or planned at the time this bulletin was published, the reader should consult: http://www.csrc.nist.gov for up-to-the-minute progress reports on the FISMA program and related guidance documents.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

From isn at c4i.org Thu Mar 25 05:45:24 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 25 05:57:59 2004
Subject: [ISN] Windows & .NET Magazine Security UPDATE--Help Shape This Newsletter--March 24, 2004
Message-ID:

====================

==== This Issue Sponsored By ====

Symantec V2i Protector -
Real-time Backup/Recovery
http://list.winnetmag.com/cgi-bin3/DM/y/efBZ0CJgSH0CBw0BGbS0As

Symantec ON iPatch - Enterprise Patch Management Solution
http://list.winnetmag.com/cgi-bin3/DM/y/efBZ0CJgSH0CBw0BGbT0At

====================

* In Focus: Help Shape This Newsletter

* Security News and Features
- News: New RSS Feeds; Cisco Buys Twingo; Windows XP2; cPanel Problems; Storage Utilities
- Sneak Preview: SUS 2.0 Beta Is Now WUS
- News: Chat with Microsoft About WUS and More; New Shell-Coders Resource; eEye on Security; Phishing for Fargo
- News: VoIP Security; More Phishing; New Mac OS X Released

* New and Improved
- Ensure the Reliability of Your Network Security

====================

==== Sponsor: Symantec V2i Protector ====

In the event of a security event or disaster V2i Protector provides a real-time, disk-based backup and disaster recovery solution designed to capture a system's active state, including all server/desktop files and configurations. Using V2i Protector, you can quickly restore failed systems to a specified point-in-time without taking hours to manually reinstall and restore data from tape backup or rebuilding from scratch. Perform a full system restoration, a complete bare metal restoration or restore individual files and folders in minutes. V2i Protector also creates exact backups of volumes/partitions through the use of snapshot technology. This captures all files and system personalities and configurations. Backups are created without disrupting data access or application usage. Click here to download an evaluation version today:
http://list.winnetmag.com/cgi-bin3/DM/y/efBZ0CJgSH0CBw0BGbS0As

====================

==== In Focus: Help Shape This Newsletter ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

From time to time, we like to ask readers how we might improve our products. It's been a while since we've asked you--the readers of Security UPDATE--for your opinions.
So this week, we want to pose some general questions and request your input into how we can improve this newsletter.

One question we often contemplate is whether Security UPDATE is too long, too short, or just right. Knowing how busy you all are, we try to keep it as short as we can, but please tell us what you think about the length. For example, do you prefer to have the complete In Focus in the newsletter, or would you rather see a short summary of it with a link to the full text on our Web site? Are our News and Feature summaries long enough, or are they too short?

In each Security UPDATE, we typically include In Focus, news, an FAQ, a forum thread, and new products. We sometimes (although not each week) include feature-article summaries and Virus Alerts. Do you want to see more or less of any of the above? Are there other types of information you'd like to see covered?

You might have noticed that we've recently adjusted the format of Security UPDATE's table of contents (TOC). We wonder whether you like having a TOC, and if so, whether you prefer a complete TOC or an abbreviated one. Also, does a numbered TOC (with matching numbers in the body of the newsletter) help you navigate the newsletter, or do you prefer a simple bulleted TOC?

Those are some of the particular areas we'd like your opinion about, but we're also open to any other suggestions, critiques, and comments you might want to share with us. So please feel free to send any feedback to me at "mark at ntsecurity dot net." Please use a subject prefix of "SECUPD:" to help me more easily identify responses to this editorial.

One other content-related item I want to point out this week is our new Really Simple Syndication (RSS) feeds. We've recently added several such feeds to our Web site, and you can learn more about them in the "New RSS Feeds" news story below.
====================

==== Sponsor: Symantec ON iPatch ====

ON iPatch allows you to proactively patch and secure thousands of computers simultaneously - including remote and mobile computers, no matter where they are located or connected - and rapidly recover from virus corruption, without the significant cost and time delay by sending IT staff to remote locations. As a result, ON iPatch allows you to cost effectively protect all your business-critical systems and minimize the substantial risk of lost revenue and downtime caused by future viruses and worms. Click here for more information:
http://list.winnetmag.com/cgi-bin3/DM/y/efBZ0CJgSH0CBw0BGbT0At

====================

==== Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.winnetmag.com/departments/departmentid/752/752.html

News: New RSS Feeds; Cisco Buys Twingo; Windows XP2; cPanel Problems; Storage Utilities
Windows & .NET Magazine has numerous new Really Simple Syndication (RSS) feeds that you can use to stay abreast of our latest news and articles or to integrate our content into your own Web site. Cisco Systems bought desktop security company Twingo Systems for $5 million in cash. Windows XP Service Pack 2 (SP2) is on the way--you can learn more about it now. New bugs were discovered in cPanel. Making the storage utility a compelling service offering isn't easy. Jerry Cochran talks about how manageability--including Storage Resource Management (SRM), disaster recovery and business continuance, and security--is one key reason for the difficulty.
http://www.winnetmag.com/article/articleid/42046/42046.html

Sneak Preview: SUS 2.0 Beta Is Now WUS
Microsoft announced that Software Update Services (SUS) 2.0 is now renamed Windows Update Services (WUS).
The company released the new version of the product into public beta testing and evaluation on March 16. You can learn all about it in the documentation (in Microsoft Word format) on the Microsoft Web site and sign up for the beta or evaluation program.
http://www.winnetmag.com/article/articleid/42051/42051.html

News: Chat with Microsoft about WUS and More; New Shell Coders Resource; eEye on Security; Phishing for Fargo
If you missed the March 16 chat with Microsoft about Windows Update Services (WUS), you might find the chat archived for your review on the Microsoft chat Web page. Or chat with the company about other security topics and other Microsoft products. A new book is available from John Wiley & Sons that helps you learn shell-coding techniques to help you defend your network. eEye Digital Security's eEye Research discovered five new vulnerabilities in IBM, Apple Computer, and Microsoft products. A new phishing scam targets Wells Fargo customers, so watch out.
http://www.winnetmag.com/article/articleid/42075/42075.html

News: VoIP Security; More Phishing; New Mac OS X Released
Because Voice over IP (VoIP) technologies rely on computers, software, and networks, you must consider many potential threats when implementing them. Learn more about defending VoIP. Yet another phishing scam is under way, targeting users of the Regulations.gov Web site. The Federal Trade Commission (FTC) has issued a consumer alert. Apple Computer released Mac OS X 10.3.3, which includes--among other enhancements--all previous standalone security updates.
http://www.winnetmag.com/article/articleid/42050/42050.html

====================

==== Sponsor: Virus Update from Panda Software ====

Are your traditional antivirus solutions really protecting your network? Panda Antivirus GateDefender is a dedicated hardware device installed at the Internet gateway to block viruses before they contaminate your network.
It scans 7 different communication protocols, achieving optimum protection against external attacks. Panda Antivirus GateDefender 7100 (25-500 seats) & Panda Antivirus GateDefender 7200 (500 seats+) provide the highest scalability with native load balancing that transparently adapts to traffic volume. Visit "Panda's GateDefender Stands Guard!" at
http://list.winnetmag.com/cgi-bin3/DM/y/efBZ0CJgSH0CBw0BEGa0Ad
for more information.

====================

==== Announcements ====
(from Windows & .NET Magazine and its partners)

Free eBook--"The Expert's Guide for Exchange 2003: Preparing for, Moving to, and Supporting Exchange Server 2003"
This eBook will educate Exchange administrators and systems managers about how to best approach the migration and overall management of an Exchange 2003 environment. The book will concentrate on core issues such as configuration management, accounting, and monitoring performance with an eye toward migration, consolidation, security, and management.
http://list.winnetmag.com/cgi-bin3/DM/y/efBZ0CJgSH0CBw0BGSd0Au

Event Central--a Comprehensive Resource for the Latest Events in Your Field
Looking for one place to find the latest Web seminars, roadshows, and conferences? Event Central has every topic you're looking for. Stay current on the latest developments in your field. Visit Event Central and find answers now!
http://list.winnetmag.com/cgi-bin3/DM/y/efBZ0CJgSH0CBw0BEtb0AP

Get 2 Sample Issues of SQL Server Magazine!
SQL Server Magazine is a 360-degree resource loaded with must-read information covering database modeling, ADO.NET, XML, performance tuning, security, and the latest topics that SQL Server database developers, administrators, and business intelligence architects need to know. Try two (no-risk) sample issues today, and discover the timesaving qualities the magazine has to offer.
Click here:
http://list.winnetmag.com/cgi-bin3/DM/y/efBZ0CJgSH0CBw0BGbU0Au

====================

==== Hot Release ====

FREE DOWNLOAD: New Sitekeeper(R) 3.0
Find machines that are missing patches and service packs, distribute patches and updates, track licenses, and inventory hardware and software, all within an hour of installation! Sitekeeper makes automated systems management fast, affordable and easy. Start managing your systems RIGHT NOW. Download FREE Sitekeeper trialware!
http://list.winnetmag.com/cgi-bin3/DM/y/efBZ0CJgSH0CBw0BGbV0Av

====================

==== Instant Poll ====

Results of Previous Poll
The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "Does your company plan to implement a server-based mail-authentication solution?" Here are the results from the 187 votes.
- 53% Yes, Sender Policy Framework
- 3% Yes, DomainKeys
- 5% Yes, Caller ID for E-Mail
- 11% Yes, two or more of the above
- 27% No
(Deviations from 100 percent are due to rounding.)

New Instant Poll
The next Instant Poll question is, "Does your company use or intend to use Voice over IP (VoIP) technology?" Go to the Security Web page and submit your vote for
- Yes, we use it now
- Yes, we intend to use it
- No, we don't plan to use it
- Not sure
http://www.winnetmag.com/windowssecurity

==== Security Toolkit ====

Virus Center
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.winnetmag.com/windowssecurity/panda

FAQ: After I use the Microsoft Exchange Server 2003 Recovery Storage Group, do I need to delete its contents?
by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. Yes, after you finish a recovery operation, you should delete all databases in the Recovery Storage Group and delete the group itself.
If you fail to do so, you'll encounter problems when you try to perform a typical restore because Exchange might still store the data in the Recovery Storage Group instead of placing it in the usual storage group (SG) location. If you want to leave the Recovery Storage Group in place, you must tell the backup API to ignore the group by performing the following steps:

1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem registry subkey.
3. From the Edit menu, select New, DWORD Value.
4. Enter the name Recovery SG Override, double-click the new value, set it to 1, then click OK.

Be careful when you perform these steps. If you later delete the Recovery Storage Group but you neglect to delete (or set to 0) the registry value that you created in steps 3 and 4 and another administrator later recreates the Recovery Storage Group for a restore operation, that restore operation will overwrite the original database rather than use the Recovery Storage Group database. This behavior will result in serious production problems.

Featured Thread: How Do I Encrypt Everything?
(Two messages in this thread)
A reader writes that his or her company has decided to encrypt all the data on the company systems as well as data traveling to and from the systems. The company has a Windows 2000 and Active Directory (AD) environment and wants to know whether anyone can recommend one solution that handles data encryption for desktops, laptops, servers, TCP/IP networks, Web, and email. Lend a hand or read the responses:
http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=118325

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://list.winnetmag.com/cgi-bin3/DM/y/efBZ0CJgSH0CBw0BEtb0AP )

New--Microsoft Security Strategies Roadshow!
We've teamed with Microsoft, Avanade, and Network Associates to help you better protect your infrastructure and applications against security threats. Learn how to implement a patch-management strategy; lock down servers, workstations, and network infrastructure; and implement security policy management. Register now for this free event.
http://list.winnetmag.com/cgi-bin3/DM/y/efBZ0CJgSH0CBw0BELe0Am

==== New and Improved ====
by Jason Bovberg, products@winnetmag.com

Ensure the Reliability of Your Network Security
MetaInfo announced Meta IP NG Feature Pack 4, which extends the functionality of Meta IP DHCP through three separately deployable modules: the DHCP MAC Address Authentication module, the Check Point UserAuthority Authentication module, and the Authenex ASAS module. Each module ensures that only authenticated users can obtain leases to privileged IP addresses. Meta IP NG Feature Pack 4 also extends the software's reliability features. Users can create scheduled backups of Meta IP system configurations within the UI and from the command line, creating further layers of redundancy and failover consistency across networks. For more information about Meta IP NG Feature Pack 4, including pricing, contact MetaInfo at sales@metainfo.com, 206-674-3700, or on the Web.
http://www.metainfo.com

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com.

===================

==== Sponsored Links ====

Microsoft(TM)
Enter the Microsoft Windows Server 2003 Challenge. Win BIG prizes.
http://list.winnetmag.com/cgi-bin3/DM/y/efBZ0CJgSH0CBw0BGIT0AU

===================

==== Contact Us ====

About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

====================

==== Contact Our Sponsors ====

Primary/Secondary Sponsor: Symantec -- http://www.symantec.com
Hot Release Sponsor: Executive Software -- http://www.executive.com

====================

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

View the Windows & .NET Magazine privacy policy at
http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Mar 25 05:46:15 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 25 05:58:00 2004
Subject: [ISN] Are you interested in a local CISSP & GIAC Boot Camp?
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

I am conducting a survey to gauge the interest of local Maritime Information Technology Professionals. As you know one of the best ways to raise awareness of Information Security threats, risks and ways to protect ourselves including our businesses is by building a base of professionals who can bridge the gap between business and technology. These professionals share similar beliefs and concerns within the local and regional business community.

In conjunction with the NRC PST*Net research seminar scheduled for the week of October 10th - 16th 2004 we are considering the following.
We would like to host one or two boot camps for those who are interested in earning either the designation of Certified Information Systems Security Professional (CISSP) and/or Global Information Assurance Certification (GIAC).

* For more information about the CISSP follow this link;
https://www.isc2.org/cgi/content.cgi?category=19

* For more information about the GIAC follow this link;
http://www.giac.org/

What I would like to ask of you is to spread the word and have those who are interested email me A.S.A.P. so that we can begin to plan for this event. We will need to meet a minimum headcount requirement to make this a reality. I will compile a list and provide you with a summarized status update within two weeks' time.

Thanks in advance for your time and consideration!!

Please assist,
Mark.

Mark E. S. Bernard, CISM, PA,
e-mail: mbernard@nbnet.nb.ca
Phone: (506) 375-6368

"Someone's sitting in the shade today because someone planted a tree a long time ago.", Warren Buffett

From isn at c4i.org Thu Mar 25 05:46:28 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 25 05:58:01 2004
Subject: [ISN] Dutch Internet blackmailer gets 10 years
Message-ID:

http://www.theregister.co.uk/content/55/36485.html

By Jan Libbenga
Posted: 24/03/2004

A 46-year-old Dutch chip programmer who tried to blackmail dairy giant Campina using the most up-to-date Internet technologies has been jailed for 10 years by a Dutch court on blackmail charges and five counts of attempted murder.

The blackmailer put agricultural poison in Campina Stracciatella desserts in a bid to extort €200,000. To conceal his tracks he used a US anonymizer - a privacy service that allows users to visit web sites without leaving a trail. In this case, however, it didn't quite work out like that.

The man was convinced he was going to commit the perfect crime. He forced Campina to open a bank account and asked them to deposit €200,000.

Campina was issued with a credit card for the account, which the blackmailer intended to use to withdraw the cash. But not the original card. To avoid breaking cover, he asked Campina to buy a credit card reader and extract the information from the card's magnetic stripe. The output, together with the card's PIN code, was sent to him electronically via steganography - a technology for encoding information into pictures.

Campina received an envelope containing a floppy with a stego program and some instructions. The company then had to encode the credit card data into a picture of a VW Golf in an online advertisement for used cars. The blackmailer downloaded the picture, decoded the information it contained, created his own copy of the card, and finally went to withdraw the cash.

To download the online picture, he used the Anonymizer.com service, believing the company's privacy policy would protect him. Not so. Dutch police worked closely with the US company and the FBI to track him down. He was caught red-handed last year when he withdrew the money from a cash machine using his copy of the credit card.

Which just goes to show that even criminal masterminds can make simple mistakes. The error, experts say, could have been easily avoided if the blackmailer had visited an internet café to download the encoded picture, rather than using his own PC. What's more, he paid for the Anonymizer service through Paypal, giving his personal email address.

From isn at c4i.org Thu Mar 25 05:46:45 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 25 05:58:01 2004
Subject: [ISN] Is hacking ethical?
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,91549,00.html

Opinion by Marcia J. Wilson
MARCH 24, 2004
COMPUTERWORLD

The definition of hacker has changed radically over the years. With the aid of the mass media, the word has developed a negative connotation rather than the positive one it used to have.
Add ethical in front of hacker, and it's even more confusing. For the purposes of this article, I'll define those hackers with malicious intent as "crackers." Hackers can be categorized into the following three buckets:

1. Hacktivists: Those who hack as a form of political activism.

2. Hobbyist hackers: Those who hack to learn, for fun or to share with other hobbyists.

3. Research and security hackers: Those concerned with discovering security vulnerabilities and writing the code fixes.

Since The Hacker Manifesto was published in 1986, computer security has become a national concern, especially after the terrorist attacks of Sept. 11, 2001. The casual hacker no longer has the freedom to poke around public or private networks without raising the concerns of law enforcement agencies. Laws have been passed or refined that make it a crime to hack. Many hacktivists and hobbyists are more careful when pursuing their activities to avoid being arrested, fined or jailed for their activities. Many have legitimized their activities and hobbies by taking jobs in the computer security profession, starting their own security consulting companies, working in the open-source community or through other openly public and cooperative ways.

The Computer Security Act of 1987 has received more notice since the Sept. 11 attacks. The act is a declaration by Congress that improving the security and privacy of sensitive information in federal computer systems is in the public interest. The threat of cyberterrorism has increased focus on this piece of legislation, as well as the more recent USA Patriot Act. As a result of increased anxiety over terrorist threats, federal and state laws have changed to make it an offense to "break and enter" a private or public network without permission. Federal law has required companies to comply with privacy requirements, business controls and corporate governance standards.

These laws have brought pressure to bear on our increasing responsibility to secure the infrastructure and have made it more difficult for hackers to practice their hacktivism, hobbies or research.

Technology has also affected hacking activities. In response to legislation about privacy, business controls and terrorism, companies interested in capitalizing on the opportunities that exist have developed and manufactured sophisticated security hardware and software. The increased sophistication of these products has made the job of the hacker more difficult, and the casual hacker may stupidly get caught when attempting to circumvent a complex security system.

Education and awareness campaigns have also made an impact on hacking activities. Companies and government agencies have become more aware of security issues. Some train their employees on security-conscious use of their computers. The famous hacker Kevin Mitnick declared that social engineering was his primary tool.

Where have all the hackers gone? Have they gone more underground or taken "real" jobs? There is continuing debate over the ethics of hiring a former cracker, especially one with a criminal record, and placing him in a position of responsibility in a security capacity. I suspect that this is going to continue to be a difficult debate.

Since the laws have become stricter, hacktivists and hobbyists are at risk of being labeled crackers. What should our response be to crackers, who focus on hacking for personal gain and whose intent is to steal, threaten and destroy? Throw them in jail and throw away the key!

What should our response be to the three categories of hackers? Do the First and Fourth Amendments of the U.S. Constitution protect hacktivism? Is there a way that hobbyists can work with the community to serve their interests, maintain their integrity and gain the trust of the public and private sector? Can we embrace the hobbyists and separate the crackers from the mix and treat the two groups differently? Can we educate our children on the differences, emphasizing right from wrong while supporting and promoting passion, creativity and freedom?

Is hacking ethical? It is if viewed within the context of the three definitions offered: hacktivist, hobbyist and researcher. We have the right in this country to protest, and if our activism takes a digital or electronic form, we have the right to do so. But don't take my word for it, explore this excellent article by Dorothy E. Denning at Georgetown University, "Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy." It will make you think.

We have the right to peaceably assemble, and that may mean "sitting in" on a Web site or physically locking arms side by side with others in a large city's downtown intersection. We have the right to free speech. Researching vulnerabilities and reporting those vulnerabilities is also our right, even if big companies like Oracle Corp., Apache Digital Corp., Microsoft Corp. or Hewlett-Packard Co. get angry and threaten us with lawsuits. That's par for the course.

I would like to see citizens better protected against big business and government. I don't want a huge company with lots of money to snuff out the fire, passion or interests in my life, and I don't want the federal or state government telling me what I can and can't do by broadening their powers via the Patriot Act.

I believe hackers have a lot to offer. They provide a balance of power by virtue of their creativity and technical skills. I think we need to protect and recognize them and find ways of working together. Yes, I do believe that hacking -- when properly defined -- is an ethical activity. And yes, I do believe that understanding our freedoms and rights and protecting all that's good in our society while preventing all that's bad is the right approach.
From isn at c4i.org Thu Mar 25 05:47:30 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 25 05:58:02 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-13
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2004-03-18 - 2004-03-25

                       This week : 43 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The world doesn't patch - by Thomas Kristensen, Secunia.

How is it possible for the Bagle.Q worm to exploit a very well known 7 month old vulnerability?

In August 2003, Secunia warned about an extremely critical vulnerability in the popular browser Internet Explorer, which allowed web sites and emails to download and execute any code on a user's system.

Media all over the world wrote about the vulnerability, which got even more attention when scammers and adult sites started to exploit it to install back doors and dialer programs on innocent people's PCs by sending malicious SPAM emails.

More articles were published when Microsoft failed to plug the hole properly in the first attempt, effectively leaving hundreds of millions of people vulnerable from 7th September, when Microsoft's plug was publicly proven inadequate, until the final patch arrived on 4th October 2003.

One should have thought that by now everyone who is even the least concerned about IT security would have gotten the message and installed the patch - and the troubled days should be over.

Since sometime in October 2003, we haven't heard much about the Object Data vulnerability, despite the fact that it is very easy and simple to exploit; so simple that even the most impaired amateur hacker could do it blindfolded.

The worm breaks out...

Finally, on 18th March 2004 the Bagle.Q worm hit people's inboxes and we were all about to learn how many had really patched up. Based on the apparently rapid spread of Bagle.Q, it seemed that too many had failed, forgotten, or simply didn't care to patch up.

The Bagle.Q virus downloaded the malicious payload from a large number of infected or compromised hosts as soon as it was viewed in the preview pane using Outlook or Outlook Express. Fortunately, the Bagle.Q virus made the mistake of downloading the payload from a number of fixed hosts. This allowed anti-virus fighters and authorities to shut down or block access to the distribution servers, limiting the distribution rate.

Once again Secunia warned about the old flaw, and some Internet media warned about the new threat and asked their readers to take Secunia's online test to see if they were still vulnerable.

Secunia's online test allows everyone to check if they are vulnerable. From our statistics it appears that a shocking 29% are still vulnerable. It should also be taken into account that those who actually take such a test are the ones concerned about security. This raises a big question about the vast number of people who don't know or care about security.

One thing is certain: millions of Windows users are still vulnerable and have yet to feel the sting of a greedy adult web master breaking laws and all ethic rule-sets to earn a profit, or a malicious virus wiping the hard-drive or mass-mailing your love letters.

Secunia's MS03-032 Online Test:
http://secunia.com/ms03-032/?s

========================================================================
2) This Week in Brief:

Stefan Esser has discovered no less than 13 buffer overflow vulnerabilities in Ethereal, which potentially can be exploited to execute arbitrary code on a vulnerable system.

An updated version is reportedly available from the vendor.

Reference:
http://secunia.com/SA11185

--

Mark Litchfield of NGSSoftware has discovered vulnerabilities in Symantec Norton AntiSpam and Symantec Internet Security, which can be exploited to compromise a vulnerable system. For both products, this can be exploited through HTML documents, e.g. by visiting a website.

Symantec has reported that updates are available for both products via the "LiveUpdate" feature.

Reference:
http://secunia.com/SA11168
http://secunia.com/SA11169

--

eEye Digital Security discovered a vulnerability in the way multiple products from Internet Security Systems (ISS) handle ICQ Server Responses. The vulnerability could be exploited via a specially crafted packet with a source port of 4000/UDP.

Just one day after the disclosure from eEye and release of patches from ISS, a worm began exploiting this vulnerability.

Please refer to the Secunia Advisory below for more information about this vulnerability.

Reference:
http://secunia.com/SA11073

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1. [SA10395] Internet Explorer URL Spoofing Vulnerability
2. [SA9935] Microsoft Internet Explorer Update fixes the Object Data Vulnerability
3. [SA11139] OpenSSL SSL/TLS Handshake Denial of Service Vulnerabilities
4. [SA9580] Microsoft Internet Explorer Multiple Vulnerabilities
5. [SA11168] Symantec Internet Security ActiveX Component Arbitrary File Execution
6. [SA11073] ISS Multiple Products ICQ Server Response Processing Vulnerability
7. [SA11169] Symantec Norton AntiSpam ActiveX Component Buffer Overflow Vulnerability
8. [SA11170] Apache 2 Connection Denial of Service Vulnerability
9. [SA10736] Internet Explorer File Download Extension Spoofing
10. [SA9729] Eudora Multiple Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA11182] Terminator 3: War Of The Machines Broadcast Buffer Overflow
[SA11169] Symantec Norton AntiSpam ActiveX Component Buffer Overflow Vulnerability
[SA11168] Symantec Internet Security ActiveX Component Arbitrary File Execution
[SA11205] DameWare Mini Remote Control Weak Encryption Implementation
[SA11204] Kerio WinRoute HTTP Header Parser Denial of Service
[SA11201] VP-ASP Shopping Cart "catalogid" Parameter SQL Injection Vulnerability
[SA11180] News Manager Lite Multiple Vulnerabilities
[SA11179] Member Management System Multiple Vulnerabilities
[SA11206] WS_FTP Server Multiple Vulnerabilities
[SA11199] Microsoft Visual C++ Constructed ISAPI Extensions Denial of Service

UNIX/Linux:
[SA11198] Debian update for ecartis
[SA11183] Sun Cobalt update for Pine
[SA11195] PHP-Nuke Script Insertion Vulnerabilities
[SA11186] XWeb Directory Traversal Vulnerability
[SA11181] 4D WebSTAR update for OpenSSL
[SA11177] Clam AntiVirus RAR Archive Processing Denial of Service Vulnerability
[SA11175] LiteSpeed Web Server OpenSSL Vulnerabilities
[SA11171] Fedora update for OpenSSL
[SA11163] OpenPKG update for OpenSSL
[SA11161] Trustix update for OpenSSL
[SA11197] Red Hat update for mod_ssl
[SA11193] SSH Tectia Server ssh-passwd-plugin Private Host Key Exposure
[SA11190] Xine Insecure Temporary File Creation Vulnerability
[SA11172] Borland Interbase "admin.ib" Insecure Default File Permissions
[SA11162] Trustix update for systat

Other:
[SA11184] Blue Coat Products update for OpenSSL
[SA11167] NetScreen Instant Virtual Extranet update for OpenSSL
[SA11188] Novell NetWare Admin/Install Password Disclosure

Cross Platform:
[SA11196] Mod_Survey Script and SQL Insertion Vulnerability
[SA11194] Invision Gallery! SQL Injection Vulnerabilities
[SA11192] First Virtual Communications Products H.323 Implementation Vulnerabilities
[SA11187] Invision Power Top Site List SQL Injection Vulnerability
[SA11185] Ethereal Multiple Vulnerabilities
[SA11178] Stonesoft Multiple Products OpenSSL Vulnerability
[SA11174] Tarantella Enterprise OpenSSL Vulnerability
[SA11170] Apache 2 Connection Denial of Service Vulnerability
[SA11166] Jetty Unspecified Denial of Service Vulnerability
[SA11164] Error Manager Cross Site Scripting Vulnerabilities
[SA11203] MS-Analysis Multiple Vulnerabilities
[SA11191] FirstClass "TargetName" Parameter Cross Site Scripting Vulnerability
[SA11189] phpBB "profile.php" Cross Site Scripting Vulnerability
[SA11173] Tarantella Enterprise CGI Utilities Cross-Site Scripting Vulnerabilities
[SA11176] Apache 2 mod_disk_cache Stores Credentials

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA11182] Terminator 3: War Of The Machines Broadcast Buffer Overflow

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-03-22

Luigi Auriemma has reported a vulnerability in Terminator 3: War Of The Machines, allowing malicious people to cause a Denial of Service or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11182/

--
[SA11169] Symantec Norton AntiSpam ActiveX Component Buffer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-03-19

NGSSoftware has discovered a vulnerability in Norton AntiSpam 2004, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/11169/

--
[SA11168] Symantec Internet Security ActiveX Component Arbitrary File Execution

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-03-19

NGSSoftware has discovered a vulnerability in Norton Internet Security 2004, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/11168/

--
[SA11205] DameWare Mini Remote Control Weak Encryption Implementation

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-03-24

ax09001h has reported a design error in DameWare Mini Remote Control, possibly allowing malicious people to gain knowledge of the encryption key.

Full Advisory:
http://secunia.com/advisories/11205/

--
[SA11204] Kerio WinRoute HTTP Header Parser Denial of Service

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-24

The vendor has reported an unspecified vulnerability in the HTTP header parser, which may allow malicious people to cause a Denial of Service.

Full Advisory:
http://secunia.com/advisories/11204/

--
[SA11201] VP-ASP Shopping Cart "catalogid" Parameter SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-03-24

The vendor has reported a vulnerability in VP-ASP Shopping Cart, allowing malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/11201/

--
[SA11180] News Manager Lite Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2004-03-22

Manuel López has reported some vulnerabilities in News Manager Lite, allowing malicious people to gain administrative access, conduct Cross Site Scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/11180/

--
[SA11179] Member Management System Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-03-22

Manuel López has reported some vulnerabilities in Member Management System, allowing malicious people to conduct script insertion, Cross Site Scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/11179/

--
[SA11206] WS_FTP Server Multiple Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Privilege escalation, DoS, System access
Released: 2004-03-24

Hugh Mann has reported multiple vulnerabilities in WS_FTP Server, which can be exploited by malicious users to cause a DoS (Denial-of-Service), gain escalated privileges, or compromise the system.

Full Advisory:
http://secunia.com/advisories/11206/

--
[SA11199] Microsoft Visual C++ Constructed ISAPI Extensions Denial of Service

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-03-24

A vulnerability has been reported in Microsoft Visual C++, which potentially can be exploited by malicious people to cause a DoS (Denial-of-Service) on certain applications.

Full Advisory:
http://secunia.com/advisories/11199/

UNIX/Linux:
--
[SA11198] Debian update for ecartis

Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2004-03-24

Debian has issued updated packages for ecartis. These fix some vulnerabilities, which can be exploited by malicious people to expose mail addresses and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11198/

--
[SA11183] Sun Cobalt update for Pine

Critical: Highly critical
Where: From remote
Impact:
Released: 2004-03-23

Sun has issued updates for Pine, which fix some unspecified vulnerabilities.

Full Advisory:
http://secunia.com/advisories/11183/

--
[SA11195] PHP-Nuke Script Insertion Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-03-24

Janek Vind "waraxe" has reported some vulnerabilities in PHP-Nuke, allowing malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/11195/

--
[SA11186] XWeb Directory Traversal Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2004-03-23

Donato Ferrante has discovered a vulnerability in XWeb, allowing malicious people to read arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11186/

--
[SA11181] 4D WebSTAR update for OpenSSL

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-22

The vendor has acknowledged a vulnerability in the 4D WebSTAR OpenSSL implementation, which can be exploited by malicious people to cause a DoS (Denial-of-Service).

Full Advisory:
http://secunia.com/advisories/11181/

--
[SA11177] Clam AntiVirus RAR Archive Processing Denial of Service Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-22

A vulnerability has been discovered in Clam AntiVirus, which can be exploited by malicious people to cause a DoS (Denial-of-Service).

Full Advisory:
http://secunia.com/advisories/11177/

--
[SA11175] LiteSpeed Web Server OpenSSL Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-22

An updated version has been released of LiteSpeed Web Server. This fixes some vulnerabilities in the OpenSSL implementation, which can be exploited by malicious people to cause a DoS (Denial-of-Service).

Full Advisory:
http://secunia.com/advisories/11175/

--
[SA11171] Fedora update for OpenSSL

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-23

Fedora has issued updated packages for OpenSSL. These fix three vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial-of-Service).

Full Advisory:
http://secunia.com/advisories/11171/

--
[SA11163] OpenPKG update for OpenSSL

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-19

OpenPKG has issued an updated package for OpenSSL. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial-of-Service).

Full Advisory:
http://secunia.com/advisories/11163/

--
[SA11161] Trustix update for OpenSSL

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-19

Trustix has issued updated packages for OpenSSL. These fix three vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial-of-Service).

Full Advisory:
http://secunia.com/advisories/11161/

--
[SA11197] Red Hat update for mod_ssl

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-03-23

Red Hat has issued updated packages for mod_ssl. These fix a vulnerability allowing malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/11197/

--
[SA11193] SSH Tectia Server ssh-passwd-plugin Private Host Key Exposure

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-03-23

A vulnerability has been discovered in SSH Tectia Server, which can be exploited by malicious, authenticated users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/11193/

--
[SA11190] Xine Insecure Temporary File Creation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-03-24

Shaun Colley has reported a vulnerability in Xine, potentially allowing malicious users to escalate their privileges.

Full Advisory:
http://secunia.com/advisories/11190/

--
[SA11172] Borland Interbase "admin.ib" Insecure Default File Permissions

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-03-20

iDEFENSE has reported a vulnerability in Borland Interbase, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/11172/

--
[SA11162] Trustix update for systat

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-03-19

Trustix has issued updated packages for sysstat. These fix a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/11162/

Other:
--
[SA11184] Blue Coat Products update for OpenSSL

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-23

The vendor has acknowledged two vulnerabilities in the Blue Coat operating systems' OpenSSL implementation, which can be exploited by malicious people to cause a DoS (Denial-of-Service).

Full Advisory:
http://secunia.com/advisories/11184/

--
[SA11167] NetScreen Instant Virtual Extranet update for OpenSSL

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-19

NetScreen Technologies has issued an update for OpenSSL on the IVE platform. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial-of-Service).

Full Advisory:
http://secunia.com/advisories/11167/

--
[SA11188] Novell NetWare Admin/Install Password Disclosure

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-03-24

A security issue has been discovered in NetWare 6.5 Support Pack 1.1, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/11188/

Cross Platform:
--
[SA11196] Mod_Survey Script and SQL Insertion Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-03-24

Joel Palmius has reported a vulnerability in Mod_Survey, allowing malicious people to conduct code insertion attacks.

Full Advisory:
http://secunia.com/advisories/11196/

--
[SA11194] Invision Gallery! SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-03-23

JeiAr has reported some vulnerabilities in Invision Gallery!, allowing malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/11194/

--
[SA11192] First Virtual Communications Products H.323 Implementation Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-23

First Virtual Communications has acknowledged some vulnerabilities in various products' H.323 protocol implementation, which can be exploited by malicious people to cause a DoS (Denial-of-Service).

Full Advisory:
http://secunia.com/advisories/11192/

--
[SA11187] Invision Power Top Site List SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, Exposure of system information, Manipulation of data
Released: 2004-03-23

JeiAr has reported a vulnerability in Invision Power Top Site List, allowing malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/11187/

--
[SA11185] Ethereal Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-03-23

Multiple vulnerabilities have been discovered in Ethereal, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial-of-Service).

Full Advisory:
http://secunia.com/advisories/11185/

--
[SA11178] Stonesoft Multiple Products OpenSSL Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-22

Stonesoft has reported that some products may be affected by a vulnerability in the OpenSSL implementation. This can potentially be exploited by malicious people to cause a DoS (Denial-of-Service).

Full Advisory:
http://secunia.com/advisories/11178/

--
[SA11174] Tarantella Enterprise OpenSSL Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-22

The vendor has acknowledged a vulnerability in the Tarantella OpenSSL implementation, which can be exploited by malicious people to cause a DoS (Denial-of-Service).

Full Advisory:
http://secunia.com/advisories/11174/

--
[SA11170] Apache 2 Connection Denial of Service Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-20

The vendor has reported a vulnerability in Apache 2, which can be exploited by malicious people to cause a Denial of Service.

Full Advisory:
http://secunia.com/advisories/11170/

--
[SA11166] Jetty Unspecified Denial of Service Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-19

An unspecified vulnerability has been reported in Jetty, which can be exploited by malicious people to cause a DoS (Denial-of-Service).

Full Advisory:
http://secunia.com/advisories/11166/

--
[SA11164] Error Manager Cross Site Scripting Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of system information
Released: 2004-03-19

Janek Vind has reported some vulnerabilities in Error Manager for PHP-Nuke, allowing malicious people to see the installation path and conduct Cross Site Scripting and script insertion attacks.

Full Advisory:
http://secunia.com/advisories/11164/

--
[SA11203] MS-Analysis Multiple Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-03-24

Janek Vind has reported some vulnerabilities in MS-Analysis, allowing malicious people to conduct Cross Site Scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/11203/

--
[SA11191] FirstClass "TargetName" Parameter Cross Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-03-23

Richard Maudsley has reported a vulnerability in FirstClass, allowing malicious people to conduct Cross Site Scripting attacks.

Full Advisory:
http://secunia.com/advisories/11191/

--
[SA11189] phpBB "profile.php" Cross Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-03-23

Cheng Peng Su has reported a vulnerability in phpBB, allowing malicious people to conduct Cross Site Scripting attacks.

Full Advisory:
http://secunia.com/advisories/11189/

--
[SA11173] Tarantella Enterprise CGI Utilities Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-03-20

Sanjay Shah has discovered two vulnerabilities in Tarantella Enterprise, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/11173/

--
[SA11176] Apache 2 mod_disk_cache Stores Credentials

Critical: Not critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-03-22

Andreas Steinmetz has reported a weakness in Apache 2 mod_disk_cache, allowing a malicious, administrative user to see user credentials for remote web sites.

Full Advisory:
http://secunia.com/advisories/11176/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Mar 26 03:26:45 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 26 03:40:10 2004
Subject: [ISN] Ottawa to set up secure communication system safe from hackers
Message-ID:

http://money.canoe.ca/News/Other/2004/03/25/395748-cp.html

By JIM BRONSKILL
2004-03-25

OTTAWA (CP) - A government-wide secret communication system is in the works to ensure federal officials can talk to each other without hackers or terrorists snooping on them.

Public Safety Minister Anne McLellan said the project is part of a larger effort to help organizations with security responsibilities communicate more easily.

"Communications are absolutely key. Intelligence gathering is key," McLellan said after a speech to security and police officials Thursday. "If you're going to prevent various kinds of terrorist attacks, the better your intelligence, the better prepared you are.
And you also need to be secure around making sure that those communications are shared."

McLellan suggested existing systems in government departments are quite secure, but form a piecemeal network of different technologies that sometimes make communication a challenge.

The emphasis on better flow of intelligence was likely a pre-emptive move as Auditor General Sheila Fraser prepares to release a report Tuesday scrutinizing the technical barriers that hamper the exchange of messages between Canada's security information systems.

Fraser's report will examine overall federal handling of the $7.7 billion allotted to security initiatives following the Sept. 11, 2001, terrorist attacks on the United States. She will zero in on the co-ordination of intelligence among departments and agencies, their ability to provide information to police, the state of fingerprint identification systems, and the assessment of airport workers who require clearances to restricted areas.

McLellan, while acknowledging some security gaps remain, denied the private conversations of Canadian officials are falling into the wrong hands.

"I'm not saying there are problems. This is about a continuous improvement, if you like," she told reporters. "We know since Sept. 11 we live in a very unpredictable world."

The government announced $605 million in new money for security over five years in its budget this week. It will go toward shoring up weaknesses at marine ports, better analysis of potential threats and investments in technology.

The government will consult Canadians as it drafts a national security policy in coming months, McLellan promised. She also stressed ongoing co-operation with U.S. counterpart Tom Ridge on border security. Canada must refuse to be a weak link or a haven from which terrorists can attack others, she said.

McLellan pointed to the terrorist bombs that ripped through commuter trains in Madrid two weeks ago, killing 190 people and injuring many others.

"There are no direct or specific threats against Canada. But I think what Madrid tells us is a heightened state of vigilance and surveillance is absolutely key.

"We cannot overreact, but we cannot be complacent."

From isn at c4i.org Fri Mar 26 03:27:00 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 26 03:40:11 2004
Subject: [ISN] 'Piracy' extradition case rejected
Message-ID:

http://australianit.news.com.au/articles/0,7204,9071448%5E15331%5E%5Enbv%5E15306-15318,00.html

Simon Hayes
MARCH 25, 2004

A MAGISTRATE has rejected an application to extradite an Australian man US authorities alleged headed an internet piracy syndicate.

Hew Raymond Griffiths, 41, of Berkeley Vale on the NSW Central Coast, was indicted by a grand jury in the state of Virginia last year with one count of criminal copyright infringement and one count of conspiracy to commit criminal copyright infringement.

The US indictment alleged he was a member and later the leader of Drink or Die, a high-profile piracy ring founded in Russia in the 1990s, and later headquartered in the US.

The indictment alleged Mr Griffiths controlled access to a drop site for pirated software at the Massachusetts Institute of Technology computer network.

It was alleged the drop site often received software weeks ahead of a publisher's official release, and group members then cracked the copyright protection, testing the software and packing it.

Downing Centre Local Court Magistrate Daniel Reiss said he was not persuaded that the Commonwealth Director of Public Prosecutions, acting on behalf of US authorities, had made out a case for extradition.

He highlighted the unusual nature of the matter, including that the offences were alleged to have occurred in Australia, and that Mr Griffiths - who had never travelled to the US - had "never been a fugitive fleeing or hiding from the extradition country".
In his judgement, he said the case highlighted the need for Parliament to update extradition laws to take account of new technologies.

"It appears that it would be timely for the parliament to give consideration to addressing the difficulties that have arisen over a number of years in respect to the scope and application (of the laws)," he said.

"It also may be timely to give consideration to amending the Act to include provisions ... that can deal with the kind of factual circumstances that prevailed in respect to this application."

Outside the court Mr Griffiths' Legal Aid Commission solicitor Antony Townsden said his client was relieved at the decision in what he described as an "outrageous" case.

"A number of persons were charged in the UK and the US, but the only person where extradition was sought was Mr Griffiths," he said.

"He is a person of no means whatsoever, and it was never suggested that he had gained anything of a material nature."

"It would have been an impossible task for him to represent himself in the US, where he would have had no ties and no support in what would have been an extremely complex matter.

"One would have thought it should have been tried in his own country."

From isn at c4i.org Fri Mar 26 03:27:13 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 26 03:40:12 2004
Subject: [ISN] Interior Dept. back online as judge mulls site security
Message-ID:

http://news.com.com/2100-1028_3-5179563.html

March 25, 2004
By Reuters

The U.S. Interior Department was back online Thursday after an appeals court said it could connect to the Internet while the court considers whether payments owed to American Indians are vulnerable to hackers.

Interior Department employees had been unable to use e-mail, and most of the department's Web sites had been offline after a federal judge concluded on March 15 that the agency had not fixed security holes that threaten Indian trust-fund payments.

A U.S. appeals court in Washington said Wednesday that the department could restore Internet operations until it heard the case. The court could hear the case as early as next week.

"The department will continue to work aggressively with the U.S. Department of Justice in our appeal," Interior Secretary Gale Norton said in a statement on the agency's Web site.

The Interior Department oversees one-fifth of the nation's land, including national parks, and handles relations with American Indians. Internet operations have been shut down three times since 2001, when an investigator found that hackers could easily steal money from a system that allocates royalties to 300,000 Indians for the use of their land.

The blackouts stem from a class-action lawsuit between the agency and Indians who allege that it has mismanaged trust accounts set up in the late 19th century to handle proceeds from oil, gas and minerals extracted from their lands.

Lead plaintiff Elouise Cobell, a member of Montana's Blackfeet tribe, charges that the government has lost track of billions of dollars. She wants the judge to transfer control of the accounts to a court-ordered receiver.

The Interior Department regularly ranks at the bottom of computer security assessments conducted by congressional and government investigators.

An Interior spokesman said the agency had spent tens of millions of dollars to beef up the computer systems that handle the trust accounts, at the expense of other operations.

"If you had a teenager, a high school student who focused all their efforts on getting an 'A' in biology and let other subjects go by the wayside, you'd have a low GPA too," spokesman Dan DuBray said.

A lawyer for Cobell said the department could resolve the issue by simply getting independent certification that its trust-fund systems are secure, as the lower court has required.

"If it was once problematic, it is their obligation to show that it's no longer problematic," said attorney Keith Harper. "You have to allow for some type of process, some type of protocol to ensure that what you say is happening publicly has in fact happened."

From isn at c4i.org Fri Mar 26 03:27:28 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 26 03:40:12 2004
Subject: [ISN] Microsoft program: 'You patch, we pay'
Message-ID:

http://www.nwfusion.com/news/2004/0325mspatch.html

By Paul Roberts
IDG News Service
03/25/04

Under a new program, Microsoft is paying for security assessments of its customers' networks to help improve policies in areas such as software patch management and assuage fears about the security risks posed by Microsoft products.

The Microsoft Patch Assurance Security Service was started in late 2003. As part of the program, Microsoft is offering free security audits to all of its enterprise customers and paying for the services of third party security consultants, including Internet Security Systems Inc., to do the audits, according to interviews with those involved in the program.

In many cases, Microsoft's patch management products and services, including Systems Management Server (SMS) and Software Update Services (SUS), are recommended to customers as part of the audit, interviewees said.

Figures on the total cost of the Patch Assurance Security Service were not available, but it is an extensive program to reach out to Microsoft's entire enterprise customer base, defined as customers with 500 or more Windows desktops, said Peter Noelle, a partner account manager at Microsoft in Atlanta.

Microsoft has contacted around 75% of the 200 enterprise customers in the district that includes Atlanta regarding the program and the "vast majority," more than 90% of those companies, have signed up for the free service. The company hopes to contact all its enterprise customers by the end of its fiscal year in June 2004, he said.

Microsoft is offering the same service in each of 17 regional districts in the U.S., using local and national consulting partners to perform the assessments, he said.

In the southeast district, Microsoft is working through Blackstone & Cullen, an Atlanta IT consulting company and Microsoft Gold Certified Partner, said David Sie, security practice manager at Blackstone & Cullen.

"We're an extension of Microsoft. Microsoft lets us know which of their customers they'd like us to help them perform the services... then they decide what the priority (of the customer) and the scope (of the security assessment) is for the customer," he said.

In turn, Blackstone & Cullen has contracted with Internet Security Systems (ISS), also of Atlanta, to conduct vulnerability assessments for the Microsoft customers, Sie said.

Microsoft pays for the services of both companies on behalf of its customers, which are typically Microsoft-centric organizations using a "significant amount" of Microsoft technology, Sie said.

The purpose of the program is to reduce the number of Microsoft customers who do not apply software updates from the Redmond, Wash., company by promoting patch management best practices. Secondarily, Microsoft is hoping to boost its credibility in the enterprise space on issues of security, Noelle said.

Assessments can last from days to weeks and range from "best practices" cases where few recommendations are needed to "dark pictures" where a "very significant" amount of work is required, he said.

Typically, the assessment concludes with a set of recommendations and "actionable steps" that companies should take to improve their patch management processes, Noelle and Sie said. Microsoft's sales organization follows up on the recommendations with the customer. In addition, Microsoft's partner companies often land contract work stemming from the assessments they perform, Noelle said.

When patch management technology is needed, Blackstone & Cullen recommends Microsoft's SMS change and configuration management technology, Sie said.

"Naturally, Microsoft is recommending the use of their SMS, but it's up to the customer to decide," he said.

That limited product focus could be a problem for Microsoft customers, said John Pescatore, vice president at Gartner.

"The problem is that SMS is not a strong product... When people ask us about (patch management), we talk about SMS but we don't consider it a leader," he said.

Products from Novadigm, Altiris and others outperform SMS, and an independent assessment would mention such products in its findings, Pescatore said.

Microsoft is not the only company hoping to cash in on the recommendations that follow the assessments. ISS is planning on Monday to formally announce a range of security assessment, remediation and management services for Microsoft customers.

ISS will offer a program to perform "deep assessments" of Microsoft customer networks with the goal of improving software patching processes and systems, said Kerry Armistead, product manager for professional security services and education at ISS.

The ISS program will offer its customers three levels of assessment, "basic," "gold" and "platinum," that couple vulnerability assessments with patch management plans. The company will add services such as system policy design and best-practices recommendations for customers that select the higher-level offerings, Armistead said.

"The goal is to leave you with a system in place to keep up with patches -- give you change- and release-management processes so that as new patches roll out, you have a well-oiled machine to distribute them before malicious code is released," he said.

At CareGroup Healthcare System in Boston, consultants from Microsoft's Services group did a free security assessment at Beth Israel Deaconess Medical Center (BIDMC) in late 2003, said John Halamka, CareGroup's chief information officer. That followed a series of critical security alerts and Internet worms concerning Microsoft products at that time, he said.

"When Microsoft had all those security issues, we decided that we needed an enterprise view of things. It was getting too hard to deal with the daily patch routine," Halamka said.

Following the assessment, CareGroup launched a "hardening project" with Microsoft Services consultants to move the nonprofit health care organization to the latest generation of Redmond's products including Microsoft Exchange 2003 and the latest versions of Windows XP and Microsoft Office. CareGroup will use SMS 2003 to apply patches and remotely manage 4,500 Windows desktops, he said. That project will be done by the end of 2004 and is going "very well," he said.

However, not all customers have been receptive to the free offer, Noelle said.

"We get all kinds of responses, some do it. Some just don't like Microsoft. There's all kinds of feedback," he said.

Microsoft's free patch assessment program is similar to previous Redmond efforts to smooth over big technology shifts by giving away consulting services, Pescatore said, citing programs linked to the introduction of Active Directory and the Kerberos authentication protocol.

The program might succeed in improving patching procedures at some organizations. However, for most companies, faster patching will not solve the problem of insecure products, he said.

Most enterprises still need a month to fully test Microsoft patches, distribute them to their user desktops and servers, and troubleshoot following deployment. In the meantime, software exploit and virus writers have shortened the length of time between disclosure of a vulnerability and the release of malicious code that takes advantage of that hole to just a few days, he said.

"You can't just say 'Here's a new patch. Quick, push it out.' If it breaks an application, they're worse off than when they were unpatched," he said.

From isn at c4i.org Fri Mar 26 03:35:00 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 26 03:40:13 2004
Subject: [ISN] Lieberman blasts Bush cybersecurity plan
Message-ID:

Forwarded from: blitz

But it's the political season, and everyone is out from under their rock, bemoaning anything that will give their candidate an edge.

Obviously, the government shouldn't be in the software assurance business, that is unless you're for a complete micro-management of life as it exists on this planet by big brother. (Obviously, some like Lieberman are for this)

The government wasn't able to protect us 9.11, and today even in places where we have copious amounts of government troops, well armed and backed up by a large military contingent we still have random acts of attack and terror. Now post 9.11, the agencies who failed us are given promotions, and huge budget increases. So much for encouragement and rewarding competence.

And just WHO does Lieberman think would be qualified to "assure" that software? The NIST? The FCC? The department of Tree-hugging weirdness? No, obviously this is a call for another huge bureaucracy, the "Department of Software Assurance" perhaps?

Following current practice, once authorized, all the jobs will be offshored to India, where the people who break our software in the first place and steal our jobs will have a second go around at it, "assuring" the software will always be broke and the DSA (Department of Software Assurance) will have plenty of political jobs to hand out.
> > The 22-page letter criticized DHS officials' performance and asked
> > 57 questions covering areas such as what DHS is doing about
> > reducing software vulnerabilities, and plans for continuity and
> > contingency planning.
>
> Since when is the government in the business of writing software?
> How do they reduce software vulnerabilities? I don't understand how
> DHS can deal with these issues. The most they can do is increase the
> standards, and institute a reliable mechanism of enforcing the
> standards. There certainly have been more security auditing and
> expectations in a post 9/11 government. I don't know what it has
> bought us, but the government is more acutely aware of the issues.

From jericho at attrition.org Wed Mar 31 23:38:55 2004
From: jericho at attrition.org (security curmudgeon)
Date: Fri Apr 2 08:03:59 2004
Subject: [ISN] Open Source Vulnerability Database Opens for Public Access
Message-ID:

Open Source Vulnerability Database Releases Free Security Data to the Public

The Open Source Vulnerability Database, a project to catalog and describe the world's computer security vulnerabilities, opened for public use on 31 March 2004.

According to statistics gathered by CERT, a respected security resource at Carnegie Mellon University, the number of new computer security vulnerabilities found each year has risen over two thousand percent since 1995. Tracking these vulnerabilities and their remedies is critical for those who protect networked systems against accidental misuse and deliberate attack, whether at home, in small businesses, or across globe-spanning enterprises.

The Open Source Vulnerability Database (OSVDB) is an open project to collect and distribute vulnerability information freely to everyone. The project team contains skilled volunteers working together to document every security vulnerability that arises. Formed in 2002, the OSVDB project has now completed its development of an online system to store and deliver vulnerability data.

"The OSVDB's main goal is to be complete and without bias," says Jake Kouns, chief moderator of the OSVDB project team. "This database will serve as one-stop shopping for all vulnerability needs."

The OSVDB collects vulnerability data on every type of computer software and operating system. Like other open-source projects, the OSVDB depends on the wide expertise of its contributors to provide dependable information on many technologies and security problems. The project's open-source license makes the results freely available to users worldwide.

Warren Ward, in charge of research at Winterforce, an e-commerce and security consultancy, says "Other vulnerability databases do exist. But there are frequently restrictions on their use. The OSVDB's open license frees us to serve our clients."

In addition to its current capabilities, the OSVDB is planning the release of several new services and data products in the upcoming months. Some will make database access easier for end users, others will support the specialized tasks of software developers and security analysts.

The OSVDB online system can be found at www.OSVDB.org.

###

More Information:

Jake Kouns
Open Source Vulnerability Database Project
+1.804.306.8412
jkouns@osvdb.org

Warren Ward
Winterforce
+1.780.708.0099
vpresearch@winterforce.com