From isn at c4i.org Mon May 3 03:18:42 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 3 03:56:52 2004
Subject: [ISN] Hacker Hits License Plate Database
Message-ID:

Forwarded from: Kurt Seifried

> It was the first time a secretary of state computer system has been
> hacked during Jesse White's tenure, Druker said.

Shouldn't that be:

"It was the first time an electronic break-in to a secretary of state
computer system has been publicly reported."

or at least:

"It was the first time an electronic break-in to a secretary of state
computer system has been detected."

Somehow I doubt this is the first ever time that a break-in has occurred.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/


From isn at c4i.org Mon May 3 03:20:18 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 3 03:56:53 2004
Subject: [ISN] US defends cybercrime treaty - --- another proposal
Message-ID:

Forwarded from: VytautasB@pastas.kam.lt

Dear Colleagues,

Mr. Poulsen's article reminds me of a conference I attended recently. On
March 15-17 I participated at the George C. Marshall European Center for
Security Studies Conference on the Political-Military Dimensions of Cyber
Security
http://www.marshallcenter.org/site-graphic/lang-en/page-conf-summary-index/xdocs/conf/conference-summaries/0412/0412.htm
. It was a very interesting and thought provoking conference that was
co-sponsored by HQ EUCOM and the US DoD's Directorate of Information
Assurance. Speakers came from a wide range of US and European institutions
and included private industry as well. The sum of all the discussions
really brought out the vulnerability of national infrastructure to cyber
attack.
One German firm demonstrated a simulator that showed what happens to a
country's infrastructure when the electricity runs out (in 12 hours there
is no more water being pumped, after some time the transportation system
fails, etc.).

After each day's plenary session we broke up into work groups to discuss
responses to various cyber security scenarios. The work group which I was
appointed to lead came up with the idea of preparing a draft statement on
cyber security. Unfortunately we could not put the statement to a plenary
vote since by the end of the conference we were still waiting for German
and Russian translations of the text. The Marshall Center's administration
was also uncomfortable with the idea of committing the participants to
some sort of binding document. So the draft Statement was never adopted
and does not have the approval of the Marshall Center nor of the other
co-sponsors.

For your information I will enclose a draft copy of the text (see below).
Maybe you or your colleagues would care to comment on it? Is there a need
for an international body to deal with the cyber threat or is it enough to
just rely on regional organisations like the European Union's ENISA and
the proposed Convention mentioned in Mr. Poulsen's article or the G8's
High Tech Crime Sub-group? International cooperation in fighting air
piracy or hijacking has been successful.

Sincerely yours,

Vytautas Butrimas
Deputy Chief
Communications and Information Systems Service
Lithuanian Ministry of National Defense
Vilnius, Lithuania

****************************************************************

Draft version 1.7

STATEMENT ON CYBER SECURITY

We the information security officials from 31 countries participating at
the George C. Marshall European Center for Security Studies Conference on
The Political-Military Dimensions of Cyber Security held in Munich,
Germany on March 15-17, 2004, recognize:

 - that our Governments, industries, and public service sectors depend on
   information technology and telecommunications (ITT) to perform their
   functions,
 - that our ITT infrastructure is dangerously vulnerable to electronic or
   cyber attack from hostile states, terrorists, criminal activities, and
   computer hackers,
 - that the scale of the threat has both national and international
   dimensions,
 - that there is a lack of an international legal framework for the
   prevention and defense against cyber attack,
 - that a credible and effective defense requires international
   cooperation,

and have agreed to encourage the United Nations to initiate the creation
of an international body for the management of cyber security events,
risk and prevention. This body should take under consideration the
development of cyber security proposals based upon existing models that
have been successful in dealing with the problems of other sectors such
as the Stanford Agreement on air piracy and the World Health Organization
on health issues.

In addition, the participants at this conference agree to promote this
statement in their nations.

Adopted* in Munich, Germany on March 17, 2004

*N.B. "Adopted" Only mentioned in the draft text and was not put to an
actual vote. Meant for review and study only. (V. Butrimas)

****************************************************************

-----Original Message-----
From: InfoSec News [mailto:isn@c4i.org]
Sent: Monday, April 26, 2004 9:34 AM
To: isn@attrition.org
Subject: [ISN] US defends cybercrime treaty

http://www.theregister.co.uk/2004/04/24/us_defends_cybercrime_treaty/

By Kevin Poulsen, SecurityFocus
Published Saturday 24th April 2004

Critics took aim this week at a controversial international treaty
intended to facilitate cross-border computer crime probes, arguing that
it would oblige the US and other signatories to cooperate with repressive
regimes - a charge that the Justice Department denied.

The US is one of 38 nations that have signed onto the Council of Europe's
"Convention on Cybercrime," but the US Senate has not yet ratified the
measure. In a letter to the Senate last November, President Bush called
the pact "the only multilateral treaty to address the problems of
computer-related crime and electronic evidence gathering." The treaty,
"would remove or minimize legal obstacles to international cooperation
that delay or endanger U.S. investigations and prosecutions of
computer-related crime," he said.

Drafted under strong US influence, the treaty aims to harmonize computer
crime laws around the world by obliging participating countries to outlaw
computer intrusion, child pornography, commercial copyright infringement,
and online fraud.

Another portion of the treaty requires each country to pass laws that
permit the government to search and seize email and computer records,
perform Internet surveillance, and to order ISPs to preserve logs in
connection with an investigation. A "mutual assistance" provision then
obligates the country to use those tools to help out other signatory
countries in cross-border investigations: France, for example, could
request from the US the traffic logs for an anonymous Hushmail user
suspected of violating French law.
[...]


From isn at c4i.org Mon May 3 03:21:06 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 3 03:56:54 2004
Subject: [ISN] Linux Advisory Watch - April 30th 2004
Message-ID:

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  April 30th, 2004                         Volume 5, Number 18a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for eterm, mc, the Linux kernel,
ssmtp, LCDproc, xine, samba, and sysklogd. The distributors include
Debian, Guardian Digital's EnGarde Linux, Fedora, Gentoo, Mandrake, Red
Hat, and Slackware.

----

>> FREE GUIDE - 128-bit encryption <<

Thawte is one of the few companies that offers 128 bit supercerts. A
Supercert will allow you to extend the highest allowed 128 bit encryption
to all your clients even if they use browsers that are limited to 40 bit
encryption. Download a guide to learn more:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten05

----

Wireless Security

Over the years security and network administrators have been reluctant to
adopt wireless networking technologies in corporate environments. Will it
provide an easy path of entry into the LAN? Will internal servers be
accessible from the outside? Sometimes it is necessary to implement
wireless networks in an office building because of special circumstances,
or pressures from management to adopt the latest technology. Installing a
wireless network may be inevitable; if so, how should it be approached?

As with all security projects, a wireless security policy should be
created.
This should define the purpose and scope of the wireless network, who is
going to be using it, how it should be used, etc. Also, an analysis of
newly introduced threats should be formalized. This will enable the
network to be designed in a manner that minimizes risk.

The wireless network should be treated as an untrusted network.
Precautions such as placing a firewall between the wireless network and
the internal LAN, requiring strong authentication, and conducting regular
vulnerability assessments should be taken. When connecting to the trusted
LAN over a wireless network, a VPN should be used. If not, it is advisable
to stick to secure protocols such as SSH and SSL.

Wireless access points should be regularly audited and configured in the
most secure manner. Passwords and WEP keys should be as defined in the
Wireless Security Policy. Also, it is important to periodically check for
rogue wireless access points by warwalking. Access points are ideally
placed in the center of buildings; this reduces the signal strength
available to outsiders.

Because the wireless workstations are on an untrusted network, it is
imperative that they are kept secure. This can be done by using host-based
firewalls, IDS, keeping patches up-to-date, and configuration scanning.
Hosts should be regularly scanned and monitored.

By taking these precautions it is possible to implement wireless
networking without significantly increasing risks to an organization's
information security.

Until next time, cheers!
Benjamin D. Thomas
ben@linuxsecurity.com

----

Guardian Digital Launches Next Generation Internet Defense & Detection
System

Guardian Digital has announced the first fully open source system
designed to provide both intrusion detection and prevention functions.
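Returning to the Wireless Security column above: it recommends keeping passwords and WEP keys to policy, auditing access points regularly, and periodically sweeping for rogue access points. The following Python script is an added example, not code from the newsletter or from Guardian Digital, of the check that turns such a sweep into findings. It compares a scan listing against an access-point inventory and flags three things: unknown hardware advertising the corporate SSID (a rogue or impersonating AP that clients could associate with), inventoried APs whose channel or encryption has drifted from policy, and inventoried APs that were not seen at all. The inventory, the scan entries and the policy constants are constructed sample data; the encryption policy (WPA or WPA2 only) is an assumption of the example.

```python
"""Rogue and misconfigured access-point audit.

Added example for the Wireless Security column; not newsletter code.
The inventory, scan listing and policy values below are constructed.
"""
from dataclasses import dataclass

# Authorized access points from a hypothetical asset inventory:
# BSSID -> (SSID, channel). Constructed sample data.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CORP-WLAN", 1),
    "00:11:22:33:44:02": ("CORP-WLAN", 6),
    "00:11:22:33:44:03": ("CORP-WLAN", 11),
}

# Encryption modes the (assumed) Wireless Security Policy permits.
ALLOWED_ENCRYPTION = {"WPA", "WPA2"}

# Severity ranking used to order the findings.
SEVERITY_ORDER = {"critical": 0, "high": 1, "low": 2, "info": 3}


@dataclass(frozen=True)
class ObservedAP:
    """One access point as reported by a site survey / warwalk scan."""
    ssid: str
    bssid: str
    channel: int
    encryption: str  # "OPEN", "WEP", "WPA" or "WPA2"


def classify(ap, authorized=AUTHORIZED_APS, allowed=ALLOWED_ENCRYPTION):
    """Return (severity, description) for a single observed access point."""
    bssid = ap.bssid.lower()
    if bssid in authorized:
        exp_ssid, exp_channel = authorized[bssid]
        problems = []
        if ap.ssid != exp_ssid:
            problems.append(f"SSID {ap.ssid!r} differs from inventory {exp_ssid!r}")
        if ap.channel != exp_channel:
            problems.append(f"channel {ap.channel} differs from inventory {exp_channel}")
        if ap.encryption not in allowed:
            problems.append(f"encryption {ap.encryption} not permitted by policy")
        if problems:
            return "high", "misconfigured: " + "; ".join(problems)
        return "info", "authorized"
    # Unknown hardware broadcasting one of our SSIDs is the case the
    # periodic sweep exists to catch: clients may associate with it.
    if ap.ssid in {ssid for ssid, _ in authorized.values()}:
        return "critical", "rogue: unknown BSSID advertising our SSID"
    return "low", "unknown network (not ours; likely a neighbour)"


def audit(scan, authorized=AUTHORIZED_APS, allowed=ALLOWED_ENCRYPTION):
    """Audit a whole scan. Returns [(severity, bssid, description)] sorted
    by severity; inventoried APs that were not seen are reported too."""
    findings = []
    seen = set()
    for ap in scan:
        bssid = ap.bssid.lower()
        seen.add(bssid)
        severity, description = classify(ap, authorized, allowed)
        findings.append((severity, bssid, description))
    for bssid in authorized:
        if bssid not in seen:
            findings.append(("high", bssid, "authorized AP not observed"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])  # stable sort
    return findings


# Constructed scan listing, as a survey tool might report it.
SAMPLE_SCAN = [
    ObservedAP("CORP-WLAN", "00:11:22:33:44:01", 1, "WPA"),
    ObservedAP("CORP-WLAN", "00:11:22:33:44:02", 6, "WEP"),
    ObservedAP("CORP-WLAN", "AA:BB:CC:DD:EE:FF", 6, "OPEN"),
    ObservedAP("CoffeeShop", "66:77:88:99:aa:bb", 11, "OPEN"),
]

if __name__ == "__main__":
    for severity, bssid, description in audit(SAMPLE_SCAN):
        print(f"{severity:<8} {bssid}  {description}")
```

The sample run reports the unknown BSSID broadcasting CORP-WLAN as critical, the inventoried AP still running WEP as misconfigured, and the third inventoried AP as missing; a neighbouring network on a foreign SSID is only listed for reference. Feeding real scan output into `ObservedAP` is the part left to the reader's survey tool.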
Guardian Digital Internet Defense & Detection System (IDDS) leverages
best-in-class open source applications to protect networks and hosts
using a unique multi-layered approach coupled with the security expertise
and ongoing security vigilance provided by Guardian Digital.

http://www.linuxsecurity.com/feature_stories/feature_story-163.html

--------------------------------------------------------------------

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC)
project began, how the software works, why Siem chose to make it open
source, and information on future developments.

http://www.linuxsecurity.com/feature_stories/feature_story-162.html

--------------------------------------------------------------------

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you
the best security and productivity applications available. Collaborating
with thousands of developers, Guardian Digital security engineers
implement the most technologically advanced ideas and methods into their
design.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

  4/28/2004 - kernel 2.4.16
    Multiple vulnerabilities

    Several serious problems have been discovered in the Linux kernel.
    This update takes care of Linux 2.4.16 for the ARM (and a few other)
    architectures.
    http://www.linuxsecurity.com/advisories/debian_advisory-4280.html

  4/29/2004 - eterm
    Missing Input Sanitising

    H.D. Moore discovered several terminal emulator security issues.
    http://www.linuxsecurity.com/advisories/debian_advisory-4287.html

  4/29/2004 - mc
    Several Vulnerabilities

    Jakub Jelinek discovered several vulnerabilities in the Midnight
    Commander, a powerful file manager for GNU/Linux systems.
    http://www.linuxsecurity.com/advisories/debian_advisory-4288.html

+---------------------------------+
|  Distribution: EnGarde          | ----------------------------//
+---------------------------------+

  4/28/2004 - 'kernel'
    Several security and bug fixes

    Several Vulnerabilities. This update fixes numerous vulnerabilities
    in the Linux Kernel.
    http://www.linuxsecurity.com/advisories/engarde_advisory-4285.html

  4/28/2004 - kernel
    Multiple vulnerabilities

    This patch resolves a number of kernel vulnerabilities, including
    ones involving the various journaling filesystems.
    http://www.linuxsecurity.com/advisories/engarde_advisory-4286.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

  4/23/2004 - kernel
    Multiple vulnerabilities

    This patch fixes a large variety of vulnerabilities in the 2.4.22
    kernel, including some related to journaling filesystems.
    http://www.linuxsecurity.com/advisories/fedora_advisory-4278.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

  4/28/2004 - ipsec-tools and iputils
    Denial of service vulnerability / Multiple vulnerabilities

    Attackers may be able to craft an ISAKMP header of sufficient length
    to consume all available system resources, causing a Denial of
    Service. Further discussion of advisory at bottom.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4279.html

  4/28/2004 - ssmtp
    Multiple vulnerabilities

    Multiple format string vulnerabilities may allow an attacker to run
    arbitrary code with ssmtp's privileges.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4282.html

  4/28/2004 - LCDproc
    Multiple vulnerabilities

    Multiple remote vulnerabilities have been found in the LCDd server,
    allowing execution of arbitrary code with the rights of the LCDd
    user.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4283.html

  4/28/2004 - xine
    Multiple vulnerabilities

    Several vulnerabilities have been found in xine-ui and xine-lib,
    potentially allowing an attacker to overwrite files with the rights
    of the user.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4284.html

  4/29/2004 - samba
    Multiple Vulnerabilities

    There is a bug in smbfs which may allow local users to gain root via
    a setuid file on a mounted Samba share. Also, there is a tmpfile
    symlink vulnerability in the smbprint script distributed with Samba.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4289.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

  4/28/2004 - kernel
    Multiple vulnerabilities

    This patch resolves a large number of kernel vulnerabilities at
    various levels of seriousness.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4281.html

  4/29/2004 - sysklogd
    Vulnerability

    Steve Grubb discovered a bug in sysklogd where it allocates an
    insufficient amount of memory, which causes sysklogd to write to
    unallocated memory.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4290.html

+---------------------------------+
|  Distribution: Openwall         | ----------------------------//
+---------------------------------+

  4/23/2004 - kernel
    Privilege escalation vulnerability

    Upgrade to 2.4.26 to fix a local root vulnerability.
    http://www.linuxsecurity.com/advisories/openwall_advisory-4277.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

  4/23/2004 - kernel
    Privilege escalation vulnerabilities

    Updated kernel packages that fix two privilege escalation
    vulnerabilities are now available.
    http://www.linuxsecurity.com/advisories/redhat_advisory-4276.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

  4/28/2004 - kernel
    Security Issues

    New kernel packages are available for Slackware 9.1 and -current to
    fix security issues.
    http://www.linuxsecurity.com/advisories/slackware_advisory-4291.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


From isn at c4i.org Mon May 3 03:26:26 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 3 03:56:55 2004
Subject: [ISN] MI5 security advice goes online
Message-ID:

http://news.bbc.co.uk/2/hi/uk_news/3672221.stm

Friday, 30 April, 2004

The security service MI5 has published its terrorist threat assessment
and safety advice for the first time.

The details, available to the public on a new website, were previously
given only to a few organisations.

But MI5 director general Eliza Manningham-Buller said it was important
to help more people - especially businesses - protect themselves.

The current assessment is that "the threat from international terrorism
remains real and serious".

The warning comes as the US released figures which suggest terrorist
attacks are at an international 30-year low.

MI5 says the main terrorist danger to the UK and to British interests
overseas comes from al-Qaeda and associated groups.

"Osama bin Laden has in several statements publicly named Britain and
British interests as a target, and encouraged attacks to be carried out
against them," it says.

Al-Qaeda cells and supporters of affiliated groups are known to be active
in the UK, MI5 confirms on the site.

It also publishes a top 10 list of safety tips for businesses and other
organisations.

Bomb blast net curtains

These include advice to carry out risk assessments, look at mail-handling
procedures, and check that staff are who they say they are.

Another section advises organisations on protection against flying glass.

Experts recommend applying transparent polyester anti-shatter film (ASF)
to glass, to reduce fragments and splinters.

Timber-framed Georgian-style windows should also have bomb blast net
curtains, says MI5.

For new buildings blast resistant laminated glass or secondary glazing
should be included in the design.

The new site also lists the methods of attack most likely to be used by
international terrorists, with bombings most common for al-Qaeda.

Shootings, abductions and kidnappings have also been used and although no
such attacks have yet been unleashed on the UK "al-Qaeda may seek to use
chemical, biological or radiological material against the West," said
MI5.

Businesses are urged to protect information as terrorists are likely to
try to get access to details that would be useful to them, by
infiltrating organisations or getting help from an "insider".

Two sections of the website have been translated into Arabic to "build on
the co-operation of the Muslim community" said the security service.

'Long overdue'

Additional languages will be added later.

Ms Manningham-Buller said MI5 wanted to share some of its information
about the threats.

"For the most part details of our operations must and should remain
secret," she said in a statement published on the website.

"But stopping terrorists is only one part of our collective defences
against terrorism.

"Another part of our work is to use the knowledge we have about these
organisations to provide sensible and practical advice on how best to
protect yourself against these threats."

Dr James Hart, commissioner of police for the City of London, said the
website would be "an enormous advantage" to the counter-terrorism effort.

Conservative homeland security spokesman Patrick Mercer welcomed the
website, but said it was long overdue.

MI5 also lists Northern-Ireland related terrorism, espionage and the
proliferation of weapons of mass destruction as continuing threats to the
UK.

-=-

TEN TIPS FOR BUSINESSES

 1. Carry out a risk assessment and seek police advice
 2. For new premises plan security from the outset
 3. Make security awareness part of the culture
 4. Keep gardens free from dense shrubbery
 5. Make sure access points are kept to a minimum
 6. Locks on windows and doors, CCTV, alarms, lighting
 7. Set up mailroom away from main premises and train staff
 8. Ensure new recruits are who they say they are
 9. Use reputable IT people to help protect your information
10. Plan how you will function if something happens


From isn at c4i.org Mon May 3 03:33:06 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 3 03:56:55 2004
Subject: [ISN] Charges filed in 'Deceptive Duo' hacks
Message-ID:

http://www.securityfocus.com/news/8559

By Kevin Poulsen
SecurityFocus
May 3 2004

A Florida man has been charged in federal court in Washington DC for his
alleged role as one-half of the high-profile hacking team "The Deceptive
Duo," responsible for defacing dozens of governmental and private Web
sites with patriotically-themed messages exhorting the U.S. to shore up
cyber defenses.

Benjamin Stark, 22, faces a single count of breaking into and damaging
computers in concert with an "unnamed individual" in the spring of 2002.
A second unrelated count accuses him of trafficking in stolen credit card
numbers a year earlier.
The charges are in the form of an "information," rather than an
indictment, which legal experts say telegraphs that Stark has likely
entered into a plea agreement with prosecutors. A spokesman for the U.S.
Attorney's Office in Washington declined to comment on the case. Reached
by telephone, Stark referred inquiries to his mother, who also declined
comment.

The Deceptive Duo first drew public attention in April 2002 for cracking
government websites and defacing them with a patriotic "mission outline"
in which they described themselves as anonymous U.S. citizens determined
to save the country from cyberterrorists by exposing security holes in
critical infrastructures.

"Tighten the security before a foreign attack forces you to," the Duo's
defacements typically read. "At a time like this, we cannot risk the
possibility of compromise by a foreign enemy." Accompanying the text was
the group's logo: two handguns against the backdrop of a tattered
American flag.

Among their earliest hacks, the pair defaced a Federal Aviation
Administration (FAA) server and posted samples from an FAA database
detailing passenger screening activity at various U.S. airports in the
year 2000, with each screener's name, the number of passengers he or she
screened, and the number of guns, explosives or chemicals intercepted.

At the time, the FAA downplayed the sensitivity of the database, claiming
that it had been prepared for Congress, and was therefore public
information. But in the charges against Stark filed earlier this month,
prosecutors describe the list as a "sensitive database."

The Deceptive Duo's campaign came to an abrupt end in May 2002, less than
three weeks after it began, when FBI and Defense Department investigators
raided Stark's home, and searched the California home of then
18-year-old Robert Lyttle, who was already on juvenile probation for an
earlier Web site defacement spree.
Using the handle "Pimpshiz," Lyttle had replaced some 200 Web pages with
electronic graffiti supporting Napster.

In early March, Lyttle said he expected to face federal charges in
Northern California for some of the Deceptive Duo hacks, but that his
case had been delayed when his prosecutor was reassigned.

On Friday his attorney, Omar Figueroa, said he wasn't troubled by the
prospect of Stark making a plea deal, even if it turns out he's rolling
over on his former partner.

"What's Ben going to say, that they hacked into the systems? Sure. But
Robert has a great necessity defense," says Figueroa, who's argued that
the Deceptive Duo's hacking was aimed at preventing terrorist attacks on
the information infrastructure. "I'm confident that Robert would be
completely exonerated if charges were filed."

The Washington DC case charges Stark with a single felony for 10 of the
Deceptive Duo's alleged intrusions. The U.S. government agencies listed
as victims are the Federal Aviation Administration, the Department of
Transportation's Federal Highway Administration, the Defense Logistics
Agency, the Department of Defense's Health Affairs office, the Department
of Energy's Sandia National Lab, the Naval Air Systems Command, and the
Air Force Publishing Office. Two private companies are also listed:
Dynamic Systems Inc., and Wisconsin-based Midwest Express.

Bundled into the same offense is the 2001 defacement of a U.S. Army Corps
of Engineers website under Stark's pre-Deceptive Duo moniker, "The-Rev."
A second charge accuses Stark of another solo mission: allegedly selling
a bundle of 447 stolen credit card numbers in an IRC chat room for $250
in June 2001.

Each of the Deceptive Duo intrusions allegedly resulted in financial
damage ranging from about $1,000 to $15,000 each, except for the Midwest
Express hack, which cost the company $57,500, the government claims.
In some intrusions, the pair gained access to personally identifiable
information like passport and social security numbers.

Stark is scheduled to enter a plea on May 19th.


From wk at c4i.org Tue May 4 07:17:23 2004
From: wk at c4i.org (William Knowles)
Date: Tue May 4 07:34:57 2004
Subject: [ISN] Network Card Theft Causes Internet Outage
Message-ID:

http://www.eweek.com/article2/0,1759,1583347,00.asp

By Sean Gallagher
May 3, 2004

UPDATED: The theft of network cards from a Verizon central office in New
York has caused some customers there to lose their Internet access.

A handful of corporate customers were left without e-mail and Internet
access Monday after the theft of networking equipment from a New York
City office late Sunday.

Law enforcement officials said four DS-3 cards were reported missing from
a Manhattan co-location facility owned by Verizon Communications Inc. The
theft at 240 E. 38th St. occurred just after 10:30 p.m. on Sunday and is
being investigated by New York City Police and members of the joint
terrorism task force, according to NYPD spokesman Lt. Brian Burke.

The outage affected area customers of Sprint Corp., including Ziff Davis
Media Inc., the publisher of eWEEK.com. "We found backup cards in the
area," said Charles Fleckenstein, spokesman for Sprint in Overland Park,
Kan. "All of the cards are now on site in New York. [They] are being
installed at this moment." Service was being restored to customers as the
cards were being installed, he said.

Sprint officials said other ISPs were affected by the incident, but
declined to identify them. Verizon spokesman Dan Diaz would not identify
which providers were affected by the theft of the equipment. Diaz said no
Verizon Internet customers were affected by the outage.

Fleckenstein said that the outage was "not major," and not large enough
to require a report to the Federal Communications Commission. In
addition, no notice of the outage was posted to Sprint's Scheduled
Maintenance and Outage page.
Under FCC rules, phone carriers must report outages affecting more than
50,000 subscribers within two hours.

Editor's Note: This story was updated with later information from Sprint.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*


From isn at c4i.org Tue May 4 07:20:03 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 4 07:34:59 2004
Subject: [ISN] Linux Security Week - May 3rd 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  May 3rd, 2004                                Volume 5, Number 18n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "File and email
encryption with GnuPG," "Managing Security for Mobile Users," and
"Prelude IDS Framework: Open Source Security's Best Kept Secret."

----

>> FREE GUIDE - 128-bit encryption <<

Thawte is one of the few companies that offers 128 bit supercerts. A
Supercert will allow you to extend the highest allowed 128 bit encryption
to all your clients even if they use browsers that are limited to 40 bit
encryption.
Download a guide to learn more:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten05

----

LINUX ADVISORY WATCH:

This week, advisories were released for eterm, mc, the Linux kernel,
ssmtp, LCDproc, xine, samba, and sysklogd. The distributors include
Debian, Guardian Digital's EnGarde Linux, Fedora, Gentoo, Mandrake, Red
Hat, and Slackware.

http://www.linuxsecurity.com/articles/forums_article-9248.html

----

Guardian Digital Launches Next Generation Internet Defense & Detection
System

Guardian Digital has announced the first fully open source system
designed to provide both intrusion detection and prevention functions.
Guardian Digital Internet Defense & Detection System (IDDS) leverages
best-in-class open source applications to protect networks and hosts
using a unique multi-layered approach coupled with the security expertise
and ongoing security vigilance provided by Guardian Digital.

http://www.linuxsecurity.com/feature_stories/feature_story-163.html

----

>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian
Digital's multi-faceted security applications. More than just an email
firewall, on demand and scheduled scanning detects and disinfects viruses
found on the network.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04

--------------------------------------------------------------------

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC)
project began, how the software works, why Siem chose to make it open
source, and information on future developments.

http://www.linuxsecurity.com/feature_stories/feature_story-162.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Linux Vulnerable to Infiltration
  April 29th, 2004

  Linux source code could be infiltrated by dubious elements, including
  spies, according to a white paper released by Dan O'Dowd, chief
  executive officer of Green Hills Software Inc. This is his second white
  paper in a series that his company describes as being focused on "the
  urgent security threat posed by the use of the Linux operating system
  in U.S. defense systems, including the Future Combat System and Global
  Information Grid."

  http://www.linuxsecurity.com/articles/host_security_article-9243.html

* Management central to securing Linux
  April 29th, 2004

  After performing more security assessments than he can count, Gijo
  Mathew has seen every worst practice imaginable. He's even seen an IT
  shop replace virus-violated data with an unpatched backup that
  succumbed to the same virus. A security strategist for Computer
  Associates International Inc., Mathew has 10 years of experience in
  software development, computer technology, networks and security.

  http://www.linuxsecurity.com/articles/general_article-9247.html

* Open source databases climb corporate ladder
  April 28th, 2004

  Analysts are telling companies committed to open source software that
  the time is right to consider an open source database server. Vendors
  like MySQL and SleepyCat are adding more enterprise-class functionality
  to the software, and that could eventually threaten the hold Oracle,
  IBM and Microsoft have on the market.

  http://www.linuxsecurity.com/articles/general_article-9238.html

* File and email encryption with GnuPG (PGP) part six
  April 28th, 2004

  Last time I showed you how to exchange and verify public PGP keys with
  an individual. After you've verified a user's key (KeyID, bits, type,
  fingerprint, and user's actual identity) you should sign their key.
Signing a key tells the PGP software (GnuPG in most cases for us Linux heads) that you've acknowledged the key is legitimate when verifying the signature. Let's take a look at the different verification possibilities. http://www.linuxsecurity.com/articles/documentation_article-9241.html * What is gpgdir? April 26th, 2004 gpgdir is a perl script that uses the CPAN GnuPG module to encrypt and decrypt directories using a gpg key specified in ~/.gpgdirrc. gpgdir supports recursively descending through a directory in order to make sure it encrypts or decrypts every file in a directory and all of its subdirectories. In order to help save space all files are compressed using gzip before being encrypted and decompressed upon decryption. http://www.linuxsecurity.com/articles/projects_article-9231.html +------------------------+ | Network Security News: | +------------------------+ * Protecting Road Warriors: Managing Security for Mobile Users April 29th, 2004 Managing security within the confines of an organization or enterprise is a difficult job. Worms, viruses, spam, malware, port scans and perimeter defense probes are constant threats. Servers and desktop systems require regular patching and monitoring, and IDS signatures and firewall rules are under constant review and tweaking. http://www.linuxsecurity.com/articles/network_security_article-9246.html * Prelude IDS Framework: "Open Source Security's Best Kept Secret" April 28th, 2004 Everyone both involved in information security and many that are not have heard of Snort NIDS (Network Intrusion Detection System). But not many have heard of a little jewel by the name of Prelude. Prelude is an open source framework for building distributed Hybrid Intrusion Detection Systems (HIDS). The reason it is called 'Hybrid' is that it utilizes sensors which are network based (NIDS). 
http://www.linuxsecurity.com/articles/projects_article-9242.html * DOD decentralizes Wi-Fi April 27th, 2004 The Defense Department's new wireless fidelity policy seeks help from many of its agencies to ensure their employees and contractors use caution when operating wireless computer devices at military installations. http://www.linuxsecurity.com/articles/government_article-9235.html +------------------------+ | General Security News: | +------------------------+ * Quantum crypto coming to light April 30th, 2004 Quantum cryptography, a technology that uses photons to encrypt communications over fibre-optic lines and the air, is starting to come out of the laboratory and into commercial use. http://www.linuxsecurity.com/articles/cryptography_article-9251.html * Security has its privileges April 30th, 2004 Maybe an innocent bystander can be excused for not seeing and stopping a crime about to happen, but IT security administrators can't. They need to keep their eyes open, according to Gijo Mathew, a security strategist for Computer Associates International Inc. http://www.linuxsecurity.com/articles/general_article-9249.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Tue May 4 07:20:45 2004 From: isn at c4i.org (InfoSec News) Date: Tue May 4 07:35:00 2004 Subject: [ISN] Who Hacked the Voting System? The Teacher Message-ID: http://www.nytimes.com/2004/05/03/technology/03vote.html By JOHN SCHWARTZ Published: May 3, 2004 BALTIMORE, April 29 - The fix was in, and it was devilishly hard to detect. Software within electronic voting machines had been corrupted with malicious code squirreled away in images on the touch screen. 
When activated with a specific series of voting choices, the rogue program would tip the results of a precinct toward a certain candidate. Then the program would disappear without a trace. Luckily, the setting was not an election but a classroom exercise; the conspirators were students of Aviel D. Rubin, a professor at Johns Hopkins University. It might seem unusual to teach computer security through hacking, but a lot of what Professor Rubin does is unusual. He has become the face of a growing revolt against high-technology voting systems. His critiques have earned him a measure of fame, the enmity of the companies and their supporters among election officials, and laurels: in April, the Electronic Frontier Foundation gave him its Pioneer Award, one of the highest honors among the geekerati. The push has had an effect on a maker of electronic voting machines, Diebold Inc., as well. California has banned the use of more than 14,000 electronic voting machines made by Diebold in the November election because of security and reliability concerns. Also, the company has warned that sales of election systems this year are slowing. In April, the company said its first-quarter earnings rose 13 percent compared with the same quarter a year earlier. It also reported $29.2 million in revenue on nearly $500 million in sales in the latest period. But it lowered expectations for election systems sales for this year to a range of $80 million to $95 million from $100 million in sales a year earlier. Professor Rubin took center stage in the national voting scene last July, when he published the first in-depth security analysis of Diebold's touch-screen voting software. The software had been pulled off an unprotected Diebold Internet site by Bev Harris, a publicist-turned-muckraker who posted the software and other documents she found as part of her campaign against what she calls "black box voting." 
Professor Rubin and his colleagues at Hopkins and Rice University in Houston subjected the 49,000 lines of code to a deep review over a two-week period. Their report painted a grim picture: "Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts," they wrote. "We conclude that, as a society, we must carefully consider the risks inherent in electronic voting, as it places our very democracy at risk." That shot across the bow was met with outrage from the industry and from election officials who had spent tens of millions of dollars on Diebold machines. Mr. Rubin was denounced as irresponsible and uninformed. "I think when he's talking about computers, he's very good and knows what he's doing," said Britain J. Williams, a professor emeritus of computer science at Kennesaw State University in Georgia, and a consultant on voting systems. "When he's talking about elections, he doesn't know what he's talking about." Typically, Professor Rubin decided to confront the issue of whether he had experience with elections by taking part in one. During the March presidential primary, he signed up to become an election judge and found himself sitting all day at a precinct in a church at Lutherville, Md., helping voters use the same Diebold touch-screen machines that he had criticized so roundly. He then went home and wrote a full account and posted it to the Internet. Over the day, he wrote, "I started realizing that some of the attacks described in our initial paper were actually quite unrealistic, at least in a precinct with judges who worked as hard as ours did and who were as vigilant. At the same time, I found that I had underestimated some of the threats before." Ultimately, he said, "I continue to believe that the Diebold voting machines represent a huge threat to our democracy." When asked to comment on Professor Rubin's work, the company issued a statement that did not mention him by name. 
"Our collective goal should always be to provide voters with the assurance that their vote is important, voting systems are accurate and their individual vote counts," the company said. While the debate has largely been constructive, Diebold said: "A key consideration in this dialogue, though, should be that the debate be positive and productive. We must not frighten voters or inadvertently provide any type of disincentive to voting, because at that point the dialogue itself begins to disenfranchise voters - the very thing this beneficial discussion is trying to prevent." Professor Rubin is not the first person to take on the risks of high-tech voting. Since Professor Rubin's paper came out last year, other reports have broadened and deepened his conclusions. But Professor Rubin is in a class by himself, said David Jefferson, a computer scientist at Lawrence Livermore National Laboratory in California, who calls him "the most important figure in the United States in articulating the security problems with electronic and Internet voting." The only damage Professor Rubin has sustained along the way is largely self-inflicted. Last August, he resigned from an unpaid technical advisory position for a voting company, VoteHere Inc., and turned in stock options that he had received but never redeemed. Professor Rubin, 36, a child of two college professors, seems too soft-spoken to be a firebrand. But his quiet exterior conceals a deeply competitive streak: he has played soccer as a blood sport for most of his life, breaking both wrists and ankles repeatedly over the years. He still plays twice a week, he says, but now it is "a more social game, without slide tackles." Born in Kansas, he grew up in Birmingham, Ala., Haifa, Israel, and Nashville, and got his computer science training at the University of Michigan, where he earned bachelor's, master's and Ph.D. degrees by 1994.
In late 2002, he became the technical director of the Information Security Institute here at Hopkins. Because of his passionate advocacy for his views, many people expect Professor Rubin to be something of a "smart aleck" in person, said Gerald Masson, the head of the institute. Instead, he said, "He comes across as someone who sincerely believes that what he's doing is right, and he has the technological depth to support it." From isn at c4i.org Tue May 4 07:20:57 2004 From: isn at c4i.org (InfoSec News) Date: Tue May 4 07:35:01 2004 Subject: [ISN] Bank aims to link scanning and patching Message-ID: http://www.computerweekly.com/articles/article.asp?liArticleID=130309 By Bill Goodwin Tuesday 4 May 2004 Standard Chartered Bank is developing technology to speed up and prioritise its patching processes, as pressure grows to protect systems from new vulnerabilities before hackers can exploit them. The bank is concerned that the time between new vulnerabilities being discovered and hacking tools which exploit them appearing on the internet has fallen from weeks to hours, leaving IT systems more exposed than ever. Standard Chartered is developing a security system that will combine risk analysis of its networks and software with vulnerability scanning, allowing it to prioritise patching to the most business-critical systems. The system, which it hopes to have in place by the end of the year, will eventually model the behaviour of security threats, such as worms and denial of service attacks. It will automatically identify which systems are likely to be most vulnerable when a new threat appears. Standard Chartered has spent the past 12 months developing a risk database, dubbed "Riskwise", to build up a profile of the risks associated with each new software development. 
The database covers 50 of the bank's 450 applications and it will be extended to cover the remaining legacy systems by the middle of next year, said John Meakin, group head of information security at the bank. Standard Chartered plans to integrate the database with its Qualsys vulnerability scanning system to create a system capable of identifying vulnerabilities and prioritising repair work. "We want to have a comprehensive picture of risk. When a zero-day attack comes along, you need that kind of modelling," said Meakin. From isn at c4i.org Tue May 4 07:21:07 2004 From: isn at c4i.org (InfoSec News) Date: Tue May 4 07:35:01 2004 Subject: [ISN] Schools plan security test lab Message-ID: http://www.fcw.com/fcw/articles/2004/0503/web-mcafee-05-03-04.asp By Brian Robinson May 3, 2004 McAfee Research was selected last week as the industry partner for three universities to round out the team constructing a large-scale cybersecurity test bed that will help develop new defenses against computer worms and viruses. The three-year, $10.8 million project involves teams at the University of California at Berkeley, the University of Southern California's Information Sciences Institute and Pennsylvania State University. It's funded through grants from the National Science Foundation and the Homeland Security Department. Although worms and viruses increasingly pose a threat to the Internet and its systems, there is no test bed that can simulate how events unfold on such large-scale networks. The program was started to create such a test bed. McAfee, the research arm of security vendor Network Associates Technology Inc., will provide design help on two separate programs, the Cyber Defense Technology Experimental Research (DETER) network and Evaluation Methods for Internet Security. DETER will eventually consist of 1,000 computers with multiple network interface cards and simulate the entire Internet, from servers and hubs to the desktop, without an actual connection to the Internet.
It will serve as a shared laboratory in which researchers from government, industry and academia can put their security technologies to the test. In addition to the income from the contract award, McAfee officials expect the work they do with partners to help them develop new tools that the company can provide for future customers, said Erik Mettala, vice president of McAfee Research. Brian Robinson is a freelance journalist based in Portland, Ore. He can be reached at hullite @ mindspring.com. From isn at c4i.org Tue May 4 07:21:36 2004 From: isn at c4i.org (InfoSec News) Date: Tue May 4 07:35:02 2004 Subject: [ISN] Microsoft, law enforcement officials pursuing Sasser author Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,92870,00.html By Paul Roberts MAY 03, 2004 IDG NEWS SERVICE Microsoft Corp. is working with law enforcement to find the author of the Sasser worm, which first appeared on Friday and targets machines running the company's Windows operating system. Microsoft said it's working closely with authorities, including the Northwest CyberCrime Taskforce, to analyze Sasser's code and "identify those responsible for this malicious activity." The investigation is ongoing, according to Microsoft. Sasser exploits a recently disclosed hole in a component of Windows called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on April 13 that plugs the LSASS hole. Sasser is similar to an earlier worm, Blaster, in that users don't need to receive an e-mail message or open a file to be infected. Instead, just having a vulnerable Windows machine connected to the Internet with communications Port 445 is enough to get infected. Microsoft issued a statement yesterday saying that it is working with the task force to analyze malicious code in Sasser and in a Trojan program called Agobot, which was also modified to take advantage of the LSASS vulnerability. 
The task force is a joint effort of the FBI, the U.S. Secret Service and local law enforcement agencies in Washington state, where Microsoft is based. Microsoft referred questions about the investigation to the task force. Calls to the FBI, the Secret Service and the Seattle police weren't immediately returned. The company also announced other steps it's taking to lessen the damage caused by Sasser, which is estimated to have infected hundreds of thousands of Windows XP and Windows 2000 machines on the Internet. Microsoft released a free software program to clean Windows systems infected with Sasser. The company also published information on how to configure firewalls to stop the worm's spread and encouraged customers to enable their personal firewalls and install the Microsoft Windows patch that fixes the vulnerability Sasser exploits. Besides working with law enforcement, Microsoft also offers bounties for information leading to the arrest of those responsible for major viruses and worms. In November, the company announced that it was allocating $5 million to a reward fund for the arrest of virus authors. In January, it offered a $250,000 reward for information leading to the arrest and conviction of the author of the Mydoom.B worm. From isn at c4i.org Thu May 6 06:05:02 2004 From: isn at c4i.org (InfoSec News) Date: Thu May 6 06:23:36 2004 Subject: [ISN] Microsoft, law enforcement officials pursuing Sasser author Message-ID: Forwarded from: matthew patton when will it be that Visual C will datamark all its output so that we can know which license, which IP (granted could be a RFC1918 IP) it was compiled on or snarfing some kind of identifying information? Wasn't there a paper about what happens when you can't trust your compiler?
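The Computerworld article above makes the operational point plainly: a vulnerable Windows 2000/XP host that is reachable on TCP port 445 is enough for Sasser to get in, and Microsoft's guidance was to block that port at the firewall and patch with MS04-011. The following is an added example, not code from the article, from Microsoft or from any vendor: it reads firewall log lines (a hypothetical one-line-per-connection format, with constructed sample entries) and reports two things a responder would want during such an outbreak: external sources fanning out across many internal hosts on port 445, which is the worm's propagation pattern whether the connections were accepted or dropped, and internal hosts to which an external source was actually ACCEPTED on 445, i.e. the exposure the article warns about. The internal range 192.0.2.0/24 is an assumption standing in for a real address plan.

```python
"""Spot TCP/445 sweeps and exposed hosts in firewall logs.

Added example, not code from the article, Microsoft or any vendor.
Assumes a hypothetical one-line-per-connection log format:
  <timestamp> <src_ip>:<src_port> <dst_ip>:<dst_port> <proto> <ACCEPT|DROP>
"""
import ipaddress
import re
from collections import defaultdict

# Assumed internal range (a documentation prefix used as a stand-in).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
SMB_PORT = 445  # the port an unpatched LSASS is reached through

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2004-05-03T10:00:01 198.51.100.7:1234 192.0.2.10:445 TCP ACCEPT
2004-05-03T10:00:01 198.51.100.7:1235 192.0.2.11:445 TCP ACCEPT
2004-05-03T10:00:02 198.51.100.7:1236 192.0.2.12:445 TCP DROP
2004-05-03T10:00:02 198.51.100.7:1237 192.0.2.13:445 TCP DROP
2004-05-03T10:00:03 198.51.100.7:1238 192.0.2.14:445 TCP DROP
2004-05-03T10:00:03 203.0.113.9:40000 192.0.2.10:80 TCP ACCEPT
2004-05-03T10:00:04 192.0.2.20:3456 192.0.2.10:445 TCP ACCEPT
2004-05-03T10:00:05 203.0.113.9:40001 192.0.2.10:445 TCP ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def _external_to_smb(rec):
    """True for a TCP/445 attempt from outside the internal range to a host inside it."""
    return (rec["proto"] == "TCP" and rec["dport"] == SMB_PORT
            and not is_internal(rec["src"]) and is_internal(rec["dst"]))


def find_445_sweeps(text, min_targets=3):
    """External sources that touched TCP/445 on at least min_targets distinct
    internal hosts. Dropped attempts count too: the fan-out is the signature."""
    targets = defaultdict(set)
    for rec in parse_log(text):
        if _external_to_smb(rec):
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def exposed_445_hosts(text):
    """(src, dst) pairs where an external source was ACCEPTED to TCP/445.
    Each dst is an internal host the perimeter should not have exposed."""
    return [(rec["src"], rec["dst"]) for rec in parse_log(text)
            if _external_to_smb(rec) and rec["action"] == "ACCEPT"]


if __name__ == "__main__":
    for src, dsts in find_445_sweeps(SAMPLE_LOG).items():
        print(f"sweep from {src}: {len(dsts)} internal hosts probed on 445")
    for src, dst in exposed_445_hosts(SAMPLE_LOG):
        print(f"exposed: {dst}:445 accepted a connection from {src}")
```

Run against the constructed sample, 198.51.100.7 is flagged as a sweep (five hosts in three seconds, two of them accepted) while 203.0.113.9, which touched a single host, is not, but that host still shows up in the exposure list because the connection was accepted. The internal-to-internal attempt from 192.0.2.20 is deliberately ignored by both checks; lateral spread inside the network is a separate question that host-based data, not the perimeter log, answers.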
From isn at c4i.org Thu May 6 06:07:55 2004 From: isn at c4i.org (InfoSec News) Date: Thu May 6 06:23:37 2004 Subject: [ISN] [Vmyths.com ALERT] Hysteria over ''Sasser'' worm Message-ID: Forwarded from: Vmyths.com Virus Hysteria Alert Vmyths.com Virus Hysteria Alert {5 May 2004, 00:20 CT} ------- Want to unsubscribe from this mailing list? No sweat! You'll find easy instructions at the bottom of this email... ------- Headlines around the world warn of the spread of multiple variants of the "Sasser" worm. "Sasser's toll likely stands at 500,000 infections," a typical headline reads. Vmyths notes security experts have tended to make guesses in the same ballpark -- ranging from 200,000 to one million infected computers. News stories at first identified those who made guesstimates, but the current batch of stories no longer directly cites sources for these figures. "500,000 to one million infected PCs" is now widely accepted by the media as if it were a fact rather than a conjecture. A News.com story penned by Rob Lemos pointed out that "while [these] numbers sound overwhelming, the compromised PCs make up a fraction of a percent of the computers connected to the Internet." Vmyths agrees with Lemos' assessment. Security experts FAILED to predict the Sasser worm would focus more on home computers than business PCs. The reasons for it are obvious in hindsight to these experts, so Vmyths must ask a rhetorical question -- "why didn't security experts predict the obvious?" And speaking of predictions... Security experts didn't agree on what day they thought the Sasser worm would achieve "peak activity." American experts predicted it would peak on Monday "as millions of workers bring their laptops back to their offices, after using them over the weekend to access the Internet from relatively unsecured home locations." On the other hand, experts who live outside the U.S. predicted Sasser would peak on Tuesday due to long holiday weekends in some parts of the world. 
(Conflicting accounts of the worm's spread make it difficult to gauge the accuracy of these predictions.) Panicky firms have damaged themselves over the years in a trend known as "precautionary disconnects." (See http://Vmyths.com/rant.cfm?id=241&page=4 for details.) In the latest example, an AFP newswire revealed "Sampo, Finland's third largest bank, closed its 130 branch offices across the country to prevent the Sasser Internet worm from infecting its systems... 'We decided to close our offices as a precaution, since we knew that our virus protection hadn't been updated,' Sampo spokesman Hannu Vuola [said]." In other words, Finland's third-largest bank voluntarily made itself Finland's SMALLEST bank -- because they didn't trust their "antivirus solution" to protect them in a time of crisis. Contrary to widespread reports, Australia's "RailCorp" railway system may NOT have been hampered by the Sasser worm. CEO Vince Graham was quoted as saying their most recent woes "could very well be a matter related to a virus getting into [RailCorp's] system." Graham did NOT confirm anything, and this is an important distinction. Vmyths readers may recall security experts incorrectly blamed a computer worm for the U.S. electrical blackout of 2003. Vmyths has observed new buzz phrases in the media's coverage of the Sasser worm. For example, did you know there is now a "network telescope" which can peer into "the dark matter of the Internet"? See http://news.com.com/2100-7349_3-5205107.html for details. Normally, Vmyths would expect to see "global damage estimates" for the Sasser worm, courtesy of a company known as mi2g. (See http://Vmyths.com/resource.cfm?id=64&page=1 for details on this firm's antics.) However, mi2g has remained oddly silent since mid-April. Still, Vmyths will watch for mi2g to add Sasser's costs to their astronomical tally for virus damages. Stay calm. Stay reasoned. And stay tuned to Vmyths. 
Rob Rosenberger, editor http://Vmyths.com (319) 646-2800 --------------- Useful links ------------------ Remember this when virus hysteria strikes http://Vmyths.com/resource.cfm?id=31&page=1 Common clichés in the antivirus world http://Vmyths.com/resource.cfm?id=22&page=1 False Authority Syndrome http://Vmyths.com/fas/fas1.cfm From isn at c4i.org Thu May 6 06:08:36 2004 From: isn at c4i.org (InfoSec News) Date: Thu May 6 06:23:38 2004 Subject: [ISN] Windows & .NET Magazine Security UPDATE--New Worms Target Unpatched Web Servers--May 5, 2004 Message-ID: ==================== ==== This Issue Sponsored By ==== Ecora Software http://list.winnetmag.com/cgi-bin3/DM/y/efkS0CJgSH0CBw0BHtT0Am Exchange & Outlook Administrator http://list.winnetmag.com/cgi-bin3/DM/y/efkS0CJgSH0CBw0BEf10Au ==================== 1. In Focus: New Worms Target Unpatched Web Servers 2. Security News and Features - Recent Security Vulnerabilities - News: Problems with Microsoft's Patch MS04-011 - News: Need ISC Bind DNS Support? - News: Network Associates to Consolidate and Change Name - News: Microsoft Presents Antispyware Strategy 3. Instant Poll 4. Security Toolkit - FAQ - Featured Thread 5. New and Improved - All-in-One ADSL Modem, Firewall Router, and Switch ==================== ==== Sponsor: Ecora Software ==== Rely on our great reports to make your patch management headaches go away! Start automating your backlog of security patches today! Network Computing magazine has just named our previous version as the "Editor's Choice" tool for Patch Management. Our newest version is loaded with even more high-performance benefits such as 500% faster scanning and analysis loading, cross-platform support, enhanced user interfaces, policy compliance features, and our great admin and management reports. Go directly to our free trial page and see for yourself, first-hand, what our automated patch solution is all about.
Special Bonus: The first 100 people to trial Patch Manager 3.1 from the link below will receive a FREE T-Shirt. Try us now- http://list.winnetmag.com/cgi-bin3/DM/y/efkS0CJgSH0CBw0BHtT0Am ==================== ==== 1. In Focus: New Worms Target Unpatched Web Servers ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net Last week, I wrote about the most recent security patches from Microsoft as well as new exploits that take advantage of related problems. I also mentioned that if you haven't loaded the Microsoft Security Bulletin MS04-011 (Security Update for Microsoft Windows) patch, then your systems are sitting ducks. As it turns out, duck hunting season just opened. Several worms are now spreading and taking advantage of problems that can be remedied by the MS04-011 patch. According to the SANS Institute's Internet Storm Center, variants of the Gaobot worm target systems that don't have the MS04-011 patch. In addition, at least three variants of the Sasser worm target the same vulnerabilities. http://www.incidents.org/diary.php?date=2004-05-02 Of course, all the companies that provide preventive measures, including makers of antivirus software and Intrusion Detection Systems, are updating their tools to provide protection. Some have also provided removal tools in case your systems have become infected by the Sasser worm variants. If your systems have become infected and you need quick help removing worms, check with your antivirus vendor to determine whether it's released Sasser removal tools. Microsoft has released a bulletin regarding the Sasser worm as well as a tool that helps with worm removal. You can find it at the first URL below. If you need help with worm removal, remember that Microsoft provides free support for security matters. United States and Canadian residents can reach the company toll free at 866-727-2338, or anyone can go to the second URL below and click the "Send us an online request for support" link. 
http://www.microsoft.com/downloads/details.aspx?familyid=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17&displaylang=en http://www.microsoft.com/security/protect/support.asp If you've loaded the patch already and have experienced problems or if you're considering loading the patch soon, be aware that known problems with the patch might affect your network environment. For more information, see the first News item below. ==================== ==== Sponsor: Exchange & Outlook Administrator ==== Try a Sample Issue of Exchange & Outlook Administrator! If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, and secure Exchange and Outlook. Order now! http://list.winnetmag.com/cgi-bin3/DM/y/efkS0CJgSH0CBw0BEf10Au ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.winnetmag.com/departments/departmentid/752/752.html News: Problems with Microsoft's Patch MS04-011 The Microsoft article "Your computer stops responding, you cannot log on to Windows, or your CPU usage for the System process approaches 100 percent after you install the security update that is described in Microsoft Security Bulletin MS04-011," http://support.microsoft.com/?kbid=841382 , released on April 28, discusses problems that have been discovered in the recently released Microsoft Security Bulletin MS04-011 (Security Update for Microsoft Windows). According to the article, problems can arise on Windows 2000 OSs if any of three drivers (ipsecw2k.sys, imcide.sys, or dlttape.sys) are loaded. 
People might experience lockups at boot time, the inability to log on, or 100 percent CPU utilization. http://www.winnetmag.com/article/articleid/42505/42505.html News: Need ISC Bind DNS Support? Nonprofit company Internet Software Consortium (ISC), maker of ISC Bind DNS software, has announced the availability of support contracts. You can choose 24 x 7 support, 12 x 7 support (from 8 A.M. to 8 P.M., Eastern Standard Time--EST), or 9 x 5 support (from 9 A.M. to 6 P.M., EST, Monday through Friday). http://www.winnetmag.com/article/articleid/42459/42459.html News: Network Associates to Consolidate and Change Name Network Associates announced that the company will sell its Sniffer product line, focus exclusively on security solutions, and change its name to McAfee. Silver Lake Partners and Texas Pacific Group will buy the Sniffer technology for $275 million. http://www.winnetmag.com/article/articleid/42458/42458.html News: Microsoft Presents Antispyware Strategy Deceptive software, also known as spyware, now accounts for more than 50 percent of the Windows failures reported to Microsoft and is becoming an important industry concern. Microsoft's partners report that spyware is the number-one support problem and is costing the industry millions of dollars a year in support costs. Microsoft and other companies detailed to the US Federal Trade Commission (FTC) the steps they're taking to reduce the threat and problems spyware causes. http://www.winnetmag.com/article/articleid/42432/42432.html ==================== ==== Announcements ==== (from Windows & .NET Magazine and its partners) The Conference on Securing and Auditing Windows Technologies, July 20-21 New for 2004, The Conference on Securing and Auditing Windows Technologies will be held July 20-21, 2004, at the Fairmont Copley Plaza in Boston, MA. In vendor-neutral sessions on today's hottest topics, you'll get practical strategies for mitigating risk and safeguarding your systems.
For more information, call 508-879-7999 or go to: http://list.winnetmag.com/cgi-bin3/DM/y/efkS0CJgSH0CBw0BHtU0An Register Today for Microsoft Tech Ed 2004 Don't miss Tech Ed 2004 -- May 23-28, 2004 in San Diego, CA -- the definitive Microsoft conference for building, deploying, securing and managing connected solutions. You'll find 11 conference tracks and over 400 sessions. Get answers to your technical questions, meet industry experts, evaluate new products, and take advantage of extensive networking opportunities. Register today. http://list.winnetmag.com/cgi-bin3/DM/y/efkS0CJgSH0CBw0BGE40AS Small Servers for Small Businesses Web Seminar Today a small business can be as agile as a large business by understanding which technology can be leveraged to create a centralized server environment. In this free Web seminar, you'll learn the perils of peer-to-peer file sharing, backup and recovery, migration from desktop to servers, and Small Business Server basics. Register now! http://list.winnetmag.com/cgi-bin3/DM/y/efkS0CJgSH0CBw0BHpZ0Ao ==================== ==== 3. Instant Poll ==== Results of Previous Poll The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "As a security administrator, what's your most important task?" Here are the results from the 77 votes. - 43% Security monitoring and auditing - 13% Policy management and enforcement - 23% Patch management - 19% End-user education - 1% Other (Deviations from 100 percent are due to rounding.) New Instant Poll The next Instant Poll question is, "Has your company become infected by the Sasser or Gaobot worm?" Go to the Security Web page and submit your vote for - Yes - No - I'm not sure http://www.winnetmag.com/windowssecurity ==== 4. Security Toolkit ==== FAQ: Password-Change Web Page by John Savill, http://www.winnetmag.com/windowsnt20002003faq Q: How can I create a Web page at which users can change their passwords? A.
You can write an Active Server Pages (ASP) script that creates a password-change Web page. ASP gives you complete access to Microsoft Active Directory Service Interfaces (ADSI), which lets you perform a variety of functions, such as changing passwords or creating accounts. When you write such a script, you must consider factors such as the user account under which the script will run and the permissions you want to use when the script runs. To see a script and further explanation, go to this FAQ on our Web site. http://www.winnetmag.com/article/articleid/42425/42425.html Featured Thread: Group Membership Issue (findgrp error 234) (Three messages in this thread) A reader writes that he has a problem with the membership of user accounts in global groups. One symptom is that some applications are not aware of local or domain administrator rights and those applications don't allow installation or configuration. When the reader executes the findgrp command (from the Microsoft Windows 2000 Resource Kit) he receives error 234, "finding global groups: Unknown Error: 234." However, the local groups are listed correctly. The reader is using Windows XP Professional Service Pack 1 (SP1) and all patches in a Windows 2000 Server Active Directory (AD) environment. As far as he can determine, only XP systems have this problem. He thinks a particular patch might be causing the behavior and would like advice. 
Lend a hand or read the responses:
http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=120231

====================

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

Popular Web Seminar--The Spam Problem Solved: Hensel Phelps Construction Company Case Study
Find out how Hensel Phelps Construction, a multibillion-dollar national contractor, has implemented a multilayered antispam solution to increase user productivity and decrease the burden on IT staff resources, infrastructure, and budget. Sign up now for this free Web seminar!
http://list.winnetmag.com/cgi-bin3/DM/y/efkS0CJgSH0CBw0BGzb0A6

====================

==== 5. New and Improved ====
by Jason Bovberg, products@winnetmag.com

All-in-One ADSL Modem, Firewall Router, and Switch
TRENDware International announced TEW-435BRM and TW100-BRM504, all-in-one ADSL modem, firewall router, and four-port switch packages for the small office/home office (SOHO) environment. TW100-BRM504 is designed for wired networks, whereas TEW-435BRM supports both wired and 802.11g wireless networks. Advanced security features include Stateful Packet Inspection (SPI) and a Rules-Based Firewall. You can control users' Internet access by URL, time, and MAC address, and you can use the product's logs and reports to monitor intrusion attempts and traffic. For more information, contact TRENDware International at 310-891-1100 or on the Web.
http://www.trendnet.com

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com.
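Going back to the password-change FAQ in the Security Toolkit section above: the following classic ASP page is an added example written for this digest, not John Savill's script from the FAQ. It uses the ADSI IADsUser.ChangePassword method, which requires the user's current password and so lets the page run under the ordinary web identity with no administrative rights (the permission question the FAQ raises); the domain name EXAMPLEDOM, the page name changepw.asp and the form field names are assumptions.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example (not the FAQ's own script): a minimal ADSI password-change page.
' ChangePassword needs the user's *current* password, so the script needs no
' administrative identity; SetPassword (an admin reset) is deliberately not used.

Const DOMAIN_NAME = "EXAMPLEDOM"   ' placeholder, replace with the real NetBIOS domain name

' Accept only a conservative SAM-account-name character set so the submitted value
' cannot alter the ADsPath built below (no "/", ",", quotes or wildcards).
Function IsValidUserName(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]{1,20}$"
    IsValidUserName = re.Test(name)
End Function

' Returns "" on success, otherwise a user-safe message. The ADSI error text is not
' echoed to the browser, so directory details do not leak to the client.
Function ChangeUserPassword(userName, oldPassword, newPassword)
    Dim objUser
    On Error Resume Next
    Set objUser = GetObject("WinNT://" & DOMAIN_NAME & "/" & userName & ",user")
    If Err.Number <> 0 Then
        ChangeUserPassword = "Password change failed."
        Err.Clear
        Exit Function
    End If
    objUser.ChangePassword oldPassword, newPassword
    If Err.Number <> 0 Then
        ' wrong current password, password policy (complexity/history) or a locked account
        ChangeUserPassword = "Password change failed. Check the current password and the domain password policy."
        Err.Clear
    Else
        ChangeUserPassword = ""
    End If
    On Error GoTo 0
End Function

Dim msg, userName, oldPw, newPw, confirmPw
msg = ""

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    ' Passwords travel in the form body; refuse to handle them over plain HTTP.
    If LCase(Request.ServerVariables("HTTPS")) <> "on" Then
        msg = "This page must be used over HTTPS."
    Else
        userName  = Request.Form("username")
        oldPw     = Request.Form("oldpassword")
        newPw     = Request.Form("newpassword")
        confirmPw = Request.Form("confirmpassword")
        If Not IsValidUserName(userName) Then
            msg = "Invalid user name."
        ElseIf newPw <> confirmPw Then
            msg = "New passwords do not match."
        ElseIf Len(newPw) < 8 Then
            msg = "New password must be at least 8 characters."
        Else
            msg = ChangeUserPassword(userName, oldPw, newPw)
            If msg = "" Then msg = "Password changed."
        End If
    End If
End If
%>
<html>
<body>
<form method="post" action="changepw.asp" autocomplete="off">
  User name: <input type="text" name="username" value="<%= Server.HTMLEncode(userName & "") %>"><br>
  Current password: <input type="password" name="oldpassword"><br>
  New password: <input type="password" name="newpassword"><br>
  Confirm new password: <input type="password" name="confirmpassword"><br>
  <input type="submit" value="Change password">
</form>
<p><%= Server.HTMLEncode(msg) %></p>
</body>
</html>
```

Because every failed attempt counts against the domain lockout threshold, pair such a page with the account lockout policy you already run and keep the error message generic, as above.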
====================

==== Sponsored Links ====

Argent
Comparison Paper: The Argent Guardian Easily Beats Out MOM
http://list.winnetmag.com/cgi-bin3/DM/y/efkS0CJgSH0CBw0BDWV0AH

Microsoft(R) TechNet
Microsoft(R) TechNet Webcasts: essential guidance, industry experts
http://list.winnetmag.com/cgi-bin3/DM/y/efkS0CJgSH0CBw0BG360AC

====================

==== Contact Us ====
About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

====================

==== Contact Our Sponsors ====
Primary Sponsor: Ecora Software -- http://www.ecora.com -- 1-877-92-ECORA

====================

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you!

View the Windows & .NET Magazine privacy policy at http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu May 6 06:09:41 2004
From: isn at c4i.org (InfoSec News)
Date: Thu May 6 06:23:39 2004
Subject: [ISN] The Internet's Wilder Side
Message-ID:

http://www.nytimes.com/2004/05/06/technology/circuits/06chat.html

By SETH SCHIESEL
Published: May 6, 2004

IT was just another Wednesday on the sprawling Internet chat-room network known as I.R.C.
In a room called Prime-Tyme-Movies, users offered free pirated downloads of "The Passion of the Christ'' and "Kill Bill Vol. 2.'' In the DDO-Matrix channel, illegal copies of Microsoft's Windows software and "Prince of Persia: The Sands of Time,'' an Xbox game, were ripe for downloading. In other chat rooms yesterday, whole albums of free MP3's were hawked with blaring capital letters. And in a far less obtrusive channel, a hacker may well have been checking his progress of hacking into the computers of unsuspecting Internet users. Even as much of the Internet has come to resemble a pleasant, well-policed suburb, a little-known neighborhood known as Internet Relay Chat remains the Wild West. While copyright holders and law enforcement agencies take aim at their adversaries on Web sites and peer-to-peer file-sharing networks like Napster, I.R.C. remains the place where people with something to hide go to do business. Probably no more than 500,000 people are using I.R.C. worldwide at any time, and many of them are engaged in legitimate activities, network administrators say. Yet that pirated copy of Microsoft Office or Norton Utilities that turns up on a home-burned CD-ROM may well have originated on I.R.C. And the Internet viruses and "denial of service'' attacks that periodically make news generally get their start there, too. This week, the network's chat rooms were abuzz with what seemed like informed chatter about the Sasser worm, which infected hundreds of thousands of computers over the weekend. "I.R.C. is where you are going to find your 'elite' level pirates,'' said John R. Wolfe, director for enforcement at the Business Software Alliance, a trade group that fights software piracy. "If they were only associating with each other and inbreeding, maybe we could coexist alongside them. But it doesn't work that way. What they're doing on I.R.C. 
has a way of permeating into mainstream piracy.'' Two weeks ago, the F.B.I., in conjunction with law enforcement agencies in 10 foreign countries, announced an operation called Fastlink, aimed at shutting down the activities of almost 100 people suspected of helping operate illegal software vaults on the Internet. The pirated copies of music, films, games and other software were generally distributed using a separate Internet file-transfer system, said a Justice Department spokesman, but the actual pirates generally used I.R.C. to communicate and coordinate with one another. "The groups targeted as part of Fastlink are alleged to have used I.R.C. to have committed their crimes, like almost all other warez groups,'' the spokesman, Michael Kulstad, said in a telephone interview. Warez, pronounced like wares, is techie slang for illegally copied software. When I.R.C. started in the 1980's, it was best known as a way for serious computer professionals worldwide to communicate in real time. It is still possible - though sometimes a bit difficult - to find mature technical discussions among the tens of thousands of I.R.C. chat rooms, known as channels, operating at any one time. There are also respectable I.R.C. systems and channels - some operated by universities or Internet service providers - for gamers seeking opponents or those who want to talk about sports or hobbies. Still, I.R.C. perhaps most closely resembles the cantina scene in "Star Wars'': a louche hangout of digital smugglers, pirates, curiosity seekers and the people who love them (or hunt them). There seem to be I.R.C. channels dedicated to every sexual fetish, and I.R.C. users speculate that terrorists also use the networks to communicate in relative obscurity. Yet I.R.C. has its advocates, who point to its legitimate uses. "I.R.C. is where all of the kids come on and go nuts,'' William A. Bierman, a college student in Hawaii who helps develop I.R.C. 
server software and who is known online as billy-jon, said in a telephone interview. "All of the attention I.R.C. has gotten over the years has been because it's a haven for criminals, which is a very one-sided view. "The whole idea behind I.R.C. is freedom of speech. There is really no structure on the Internet for policing I.R.C., and there are intentionally no rules. Obviously you're not allowed to hack the Pentagon, but there are no rules like 'You can't say this' or 'You can't do that.' " It is almost impossible to determine exactly how many people use I.R.C. and what they use it for, because it takes only some basic technical know-how to run an I.R.C. server. Because it is generally a text-only medium, it does not require high-capacity Internet connections, making it relatively easy to run a private I.R.C. server from home. Some Internet experts believe that child pornography rings sometimes use their own private, password-protected I.R.C. servers. Particularly wary users can try to hide their identity by logging in to I.R.C. servers only through intermediary computers. There are, however, scores of public I.R.C. networks, like DALnet, EFNet and Undernet. Each typically ties together dozens of individual chat servers that may handle thousands of individual users each. "We're seeing progressively more and more people coming onto the network every year,'' said Rob Mosher, known online as nyt (for knight), who runs a server in the EFNet network. "As more and more people get broadband, they are moving away from AOL and they still want to have chat.'' For end users, using I.R.C. is relatively simple. First, the user downloads an I.R.C. client program (in the same way that Internet Explorer is a Web client program and Eudora is an e-mail client program). There are a number of I.R.C. clients available, but perhaps the most popular is a Windows shareware program known as mIRC (www.mirc.com). When users run the I.R.C. 
program, they can choose among dozens of public networks. Within a given network, it does not really matter which individual server one uses. Alternately, if users know the Internet address of a private server, they can type in that address. Once logged in to a public server, the user can generate a list of thousands of available channels. On an unmoderated network, the most popular channels are often dedicated to trading music, films and software. That is because in addition to supporting text-only chat rooms, I.R.C. allows a user to send a file directly to another user without clogging the main server. That capability has a lot of legitimate uses for transferring big files that would be rejected by an e-mail system. Want to send your brother across the country a digital copy of your home movie without burning a disc and putting it in the mailbox? The file-transfer capability in I.R.C. may be the most convenient way. Naturally, that file-transfer capability also has a lot of less legitimate uses. Advanced I.R.C. pirates automate the distribution of illegally copied material so that when a user sends a private message, the requested file is sent automatically. It is fairly common on I.R.C. for such a system to send out hundreds or even thousands of copies of the same file (like a music album or a pirated copy of Windows) over a few weeks. An official from the Recording Industry Association of America said that some hackers even obtain albums that have been recorded but not yet released. "Quite often, once they get their hands on a prerelease, they will use I.R.C. as the first distribution before it goes out into the wider Internet,'' Brad A. Buckles, the association's executive vice president for antipiracy efforts, said in a telephone interview. But perhaps the most disruptive use of I.R.C. is as a haven and communications medium for those who release viruses or try to disable Web sites and other Internet servers. 
In some ways, the biggest problem is Microsoft Windows itself. Windows has holes that can allow a hacker to install almost anything on a computer that lacks a protective program or device called a firewall. Users' vulnerability can be compounded if they have not installed the latest patches from Microsoft. Hackers scan through millions of possible Internet addresses looking for those unprotected computers and then use them to initiate coordinated "denial of service'' attacks, which flood the target machine (say, a Web site) with thousands or millions of spurious requests. In all of the noise, legitimate users find the target site unavailable. How can a hacker direct his army of compromised drones to the target of the day? Through I.R.C. "Each time it breaks into a new computer and turns it into a drone, the program copies itself and proceeds to keep scanning, and so very quickly you can have a very large number of drones,'' Mr. Bierman said, adding that a worm may well include a small custom-made I.R.C. client. "Then all of the drones connect to I.R.C. and go into one channel made especially for them. Then the runner can give commands to all of those drones.'' Chris Behrens, an I.R.C. software developer in Arizona known online as Comstud, said: "It's amazing how many machines at home are hacked or have been exploited in some way. We have seen 10,000 hacked machines connect to I.R.C. at one time, and they all go park themselves in a channel somewhere so someone can come along and tell them who to attack.'' Mr. Bierman and other I.R.C. developers and administrators said that they were contacted by federal law enforcement officials fairly often. Mr. Bierman said that he sometimes cooperated in helping the government track down specific people using I.R.C. to wage major attacks. He added, however, that he had refused government officials' requests to build a back door into his I.R.C. software that would allow agents to monitor I.R.C. more easily. "Basically the F.B.I. 
is interested in the best way to monitor the traffic,'' Mr. Bierman said. Mr. Kulstad of the Justice Department declined to comment on its specific contacts with the I.R.C. community.

Mr. Bierman and other I.R.C. administrators said that in addition to their free-speech concerns, they were also reluctant to confront hackers, because angry hackers often turn their drones against I.R.C. servers themselves.

Mr. Mosher echoed other I.R.C. administrators in saying that attempts to regulate the shady dealings online were doomed to failure. "Look, if we find one channel and close it, they move to another,'' he said. "It's been like this for years. You can't really stop it.''

From isn at c4i.org Thu May 6 06:09:59 2004
From: isn at c4i.org (InfoSec News)
Date: Thu May 6 06:23:40 2004
Subject: [ISN] Sasser infections hit Amex, others
Message-ID:

http://www.nwfusion.com/news/2004/0504sasseinfec.html

By Paul Roberts
IDG News Service
05/04/04

Security experts are continuing to issue warnings about the Sasser Internet worm as organizations struggle to clean up the damage caused by infected hosts. American Express joined a number of U.S. universities in reporting infections from the Sasser worm on Monday and the SANS Institute's Internet Storm Center (ISC) maintained a yellow warning Tuesday despite expectations earlier in the day that the Sasser outbreak would wind down Monday, according to interviews.

Sasser exploits a recently disclosed hole in a component of Microsoft's Windows operating system called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on April 13. The SANS Institute's Internet Storm Center said on Monday that it was maintaining its yellow alert, indicating a "significant new threat" on the Internet due to "the continuing spread of Sasser and other malicious code targeting the MS04-011 vulnerabilities," according to the ISC.
Among other things, modifications in new Sasser variants Sasser.C and Sasser.D, which appeared on Monday, prompted the ISC to maintain the yellow alert on Tuesday. Internet Storm Center chief technology officer Johannes Ullrich said he expected Sasser to die down Monday, prompting a return to the "green" status by the end of the day.

American Express experienced Sasser infections on employee desktops beginning Sunday that disrupted the company's internal networks, but did not have an impact on customer services according to Judy Tenzer, a company spokeswoman. American Express refused to reveal how many computers were affected, or how the worm penetrated the company's network, but the infections were limited to employee desktops and did not affect critical servers at the company, she said.

Reports surfaced Monday of unexplained computer problems at other companies, as well. Delta Airlines experienced technical difficulties on Saturday that forced the cancellations of some flights. The computer problems began at 2:50 P.M. local time on Saturday and were fixed by 9:30 Saturday evening, said Katie Connell, a Delta spokeswoman. Connell would not comment on the cause of the problems, or which systems were affected, citing a continuing investigation. Delta does use Microsoft products and the Windows operating system, she said.

In Boston, colleges and universities felt the effects of the worm, according to David Escalante, director of computer policy and security information technology at Boston College (BC), in Chestnut Hill, Mass. Around 200 machines on BC's campus network were infected with Sasser, most of them laptop and desktop computers owned by students, he said. BC blocked traffic on port 445, which is used by the Sasser worm to spread, before the outbreak. IT staff are analyzing the infections, which may have come from students who brought infected laptops back onto campus from home, Escalante said.
Staff are also struggling with complications caused by Sasser, which causes many Windows XP and Windows 2000 machines to crash repeatedly, preventing students from logging onto the desktop and installing the appropriate software patch. Making matters worse, BC students are approaching final exam period. The Sasser outbreak prompted a run on the student computer center Saturday, with panicked students worried about the welfare of term projects and other materials on Sasser-infected machines, he said. Other schools also faced large-scale outbreaks, including more than 1,000 machines at Boston University, according to a source. Among leading financial services companies, the impact of Sasser was generally light. Companies including Citibank and Lehman Brothers Holdings had around a dozen Sasser infections, rather than hundreds or thousands of systems infections, according to a source. Microsoft's recent decision to move from weekly to monthly software patches has raised the stakes for companies that ignore the security bulletins and updates, said Firas Raouf, COO of eEye Digital Security, which discovered the LSASS vulnerability. "Now you have a handful of vulnerabilities that are addressed by a single patch, so if you don't deploy a patch, you're opened four or five doors to your network," he said. Large companies are often reluctant to press software patches into service out of fear they will break critical applications used by employees or customers. However, waiting too long to apply a software patch exposes companies to infection by a worm or virus that takes advantage of the software hole fixed by the patch, Raouf said. The most important thing is for organizations to have a process in place to handle new vulnerabilities when they are revealed so that they can act quickly to scan for vulnerable machines, test patches, deploy patches or apply workarounds as needed, he said. 
From isn at c4i.org Fri May 7 09:49:35 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 7 10:19:57 2004
Subject: [ISN] [Vmyths.com ALERT] Hysteria over ''Sasser'' worm
Message-ID:

Forwarded from: T

Rob scribbled:

> http://Vmyths.com/rant.cfm?id=241&page=4 for details.) In the
> latest example, an AFP newswire revealed "Sampo, Finland's third
> largest bank, closed its 130 branch offices across the country to
> prevent the Sasser Internet worm from infecting its systems... 'We
> decided to close our offices as a precaution, since we knew that our
> virus protection hadn't been updated,' Sampo spokesman Hannu Vuola
> [said]." In other words, Finland's third-largest bank voluntarily
> made itself Finland's SMALLEST bank -- because they didn't trust
> their "antivirus solution" to protect them in a time of crisis.

I've not read the AFP newswire story, but MTV3 news (Finnish TV channel) reported that Sampo actually got infected. As we all know it can sometimes be difficult to find the piece of truth from news stories, but in this case I find it hard to believe that Sampo would have closed their branch offices as a "precautionary measure".
Peace,
--T

--
echo https://www.T72.org/pgp/tee.asc | perl -ne 'map{print STDERR;select$T,$7,$2,.072}split//'
27C9 469D 213F 5C18 7D60 8378 E64E 474A FE75 4614

From isn at c4i.org Fri May 7 09:50:23 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 7 10:19:58 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-19
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-04-29 - 2004-05-06

This week : 56 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

Secunia has launched a new service called Secunia Virus Information.

Secunia Virus Information is based on information automatically collected from seven different anti-virus vendors. The data will be parsed and indexed, resulting in a chronological list, a searchable index, and grouped profiles with information from the seven vendors. Furthermore, when certain criteria are triggered, virus alerts will be issued. You can sign-up for the alerts here:

Sign-up for Secunia Virus Alerts:
http://secunia.com/secunia_virus_alerts/

Secunia Virus Information:
http://secunia.com/virus_information/

========================================================================

2) This Week in Brief:

ADVISORIES:

Check Point has reported a vulnerability in various VPN-1 Products, which can be exploited to compromise a vulnerable system.

Check Point has a hotfix available for this vulnerability. Please refer to the referenced Secunia Advisory.
Reference:
http://secunia.com/SA11546

--

eEye Digital Security has found a vulnerability in Apple Quicktime, which can be exploited to compromise a vulnerable user's system.

eEye Digital Security writes in their advisory: "It is difficult to express just how textbook this vulnerability scenario really is". Moreover, they state that "exploitation of the vulnerability is self-evident".

However, Apple claims that this vulnerability can only be exploited to crash a vulnerable player.

Please also view the Secunia Advisory regarding the security update for Mac OS X described below.

Reference:
http://secunia.com/SA11071

--

Apple has issued a security update, which fixes several vulnerabilities in Mac OS X.

Special note from the Secunia Advisory:
-QUOTE-
NOTE: The severity has been set to "Highly critical" because the unspecified issues are likely to be more severe than claimed by the vendor. This conclusion is based on the fact that Apple merely describes vulnerability "3" as an attempt to "improve the handling of long passwords". However, according to @stake, the vulnerability can in fact be exploited to compromise a vulnerable system.
-END QUOTE-

All users of Mac OS X are advised to download the updates available from Apple.

Reference:
http://secunia.com/SA11539

VIRUS ALERTS:

During the last week, Secunia issued two MEDIUM RISK virus alerts and one HIGH RISK virus alert for three new Sasser worms. Please refer to the grouped virus profiles below for more information:

SASSER.C - MEDIUM RISK Virus Alert - 2004-05-03 12:58 GMT+1
http://secunia.com/virus_information/9155/sasser.c/

SASSER.B - HIGH RISK Virus Alert - 2004-05-03 08:51 GMT+1
http://secunia.com/virus_information/9147/sasser.b/

Sasser.a - MEDIUM RISK Virus Alert - 2004-05-01 13:28 GMT+1
http://secunia.com/virus_information/9142/sasser.a/

========================================================================

3) This Week's Top Ten Most Read Advisories:

1.
[SA11482] Windows Explorer / Internet Explorer Long Share Name Buffer Overflow
2. [SA11539] Mac OS X Security Update Fixes Multiple Vulnerabilities
3. [SA11064] Microsoft Windows 14 Vulnerabilities
4. [SA10395] Internet Explorer URL Spoofing Vulnerability
5. [SA11071] Apple QuickTime "QuickTime.qts" Heap Overflow Vulnerability
6. [SA11510] LHA Multiple Vulnerabilities
7. [SA11546] Check Point VPN-1 Products ISAKMP Buffer Overflow Vulnerability
8. [SA10736] Internet Explorer File Download Extension Spoofing
9. [SA11505] libpng Potential Denial of Service Vulnerability
10. [SA11492] Siemens S55 SMS Send Prompt Bypass Weakness

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA11547] Titan FTP Server Aborted LIST Denial of Service Vulnerability
[SA11542] Aweb Exposure of Sensitive Information
[SA11525] Web Wiz Forum SQL Injection and Security Bypass

UNIX/Linux:
[SA11539] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA11528] Pound "logmsg()" Format String Vulnerability
[SA11553] PHP-Nuke Multiple Vulnerabilities
[SA11548] OpenBSD update for cvs
[SA11544] Slackware update for LHA
[SA11538] Slackware update for xine-lib
[SA11527] ProFTPD CIDR Addressing ACL Security Issue
[SA11521] Red Hat update for OpenOffice
[SA11512] Red Hat update for xchat
[SA11510] LHA Multiple Vulnerabilities
[SA11500] MPlayer and xine-lib RTSP Handling Vulnerabilities
[SA11498] Debian update for eterm
[SA11552] FreeBSD update for kadmind
[SA11550] Heimdal kadmind Heap Overflow Vulnerability
[SA11545] Fedora update for mc
[SA11543] UnixWare / Open Unix update for Apache
[SA11540] Slackware update for libpng
[SA11537] Slackware update for rsync
[SA11531] SquirrelMail Folder Name Cross-Site Scripting Vulnerability
[SA11523] Debian update for rsync
[SA11520] Red Hat update for libpng
[SA11517] Debian update for libpng
[SA11515] Trustix update for rsync
[SA11514] rsync Allows Writing Files Outside the Intended Directory
[SA11509] OpenPKG update for png
[SA11507] Mandrake update for libpng
[SA11505] libpng Potential Denial of Service Vulnerability
[SA11551] FreeBSD update for heimdal
[SA11541] SuSE update for kernel
[SA11530] Debian update for flim
[SA11529] FLIM Insecure Temporary File Creation Vulnerability
[SA11526] ipmenu Insecure Temporary File Creation Vulnerability
[SA11522] Red Hat update for mc
[SA11519] Red Hat update for utempter
[SA11508] Debian update for mc
[SA11506] Mandrake update for mc
[SA11503] Gentoo update for samba
[SA11502] Midnight Commander Multiple Unspecified Vulnerabilities
[SA11501] Slackware update for kernel
[SA11518] PaX Denial of Service Vulnerability

Other:
[SA11499] Zonet ZSR1104WE Wireless Router NAT Implementation Weakness
[SA11516] Network Appliances Data ONTAP and NetCache Denial of Service Vulnerability
[SA11504] 3Com NBX 100 Communications System Denial of Service

Cross Platform:
[SA11546] Check Point VPN-1 Products ISAKMP Buffer Overflow Vulnerability
[SA11524] Coppermine Photo Gallery Multiple Vulnerabilities
[SA11554] PHPX Multiple Vulnerabilities
[SA11497] Sesame Unauthorised User Repository Access Vulnerability
[SA11536] HP Web Jetadmin Multiple Vulnerabilities
[SA11535] Moodle "help.php" Cross-Site Scripting Vulnerability
[SA11533] ReciPants Unspecified Input Validation Vulnerabilities
[SA11556] Verity Ultraseek Reserved DOS Device Name Path Disclosure

========================================================================

5) Vulnerabilities Content Listing

Windows:
--

[SA11547] Titan FTP Server Aborted LIST Denial of Service Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-05-05

STORM has reported a vulnerability in Titan FTP Server, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/11547/

--

[SA11542] Aweb Exposure of Sensitive Information

Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2004-05-05

Oliver Karow has reported some vulnerabilities in Aweb, allowing malicious people to see sensitive information and arbitrary files.

Full Advisory:
http://secunia.com/advisories/11542/

--

[SA11525] Web Wiz Forum SQL Injection and Security Bypass

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2004-05-03

Alexander has reported some vulnerabilities in Web Wiz Forum, allowing malicious people to conduct SQL injection attacks and perform certain administrative functions.

Full Advisory:
http://secunia.com/advisories/11525/

UNIX/Linux:
--

[SA11539] Mac OS X Security Update Fixes Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Hijacking, Security Bypass, Manipulation of data, Privilege escalation, DoS, System access
Released: 2004-05-04

Apple has issued a security update for Mac OS X, which fixes some older, known vulnerabilities along with some new unspecified issues.

Full Advisory:
http://secunia.com/advisories/11539/

--

[SA11528] Pound "logmsg()" Format String Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-05-03

Akira Higuchi has discovered a vulnerability in Pound, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11528/

--

[SA11553] PHP-Nuke Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-05-06

Janek Vind has reported some vulnerabilities in PHP-Nuke, allowing malicious people to conduct Cross Site Scripting and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/11553/

--

[SA11548] OpenBSD update for cvs

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2004-05-05

OpenBSD has issued patches for cvs. These fix two vulnerabilities, which can be exploited by malicious servers to compromise clients and by malicious users to retrieve arbitrary files from a vulnerable server.

Full Advisory:
http://secunia.com/advisories/11548/

--

[SA11544] Slackware update for LHA

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-05-05

Slackware has issued updated packages for LHA. These fix some vulnerabilities, potentially allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/11544/

--

[SA11538] Slackware update for xine-lib

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-05-04

Slackware has issued updates for xine-lib. These fix a vulnerability, which potentially can be exploited by malicious people to gain system access.

Full Advisory:
http://secunia.com/advisories/11538/

--

[SA11527] ProFTPD CIDR Addressing ACL Security Issue

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-05-03

Jindrich Makovicka has reported a security issue in ProFTPD, potentially allowing malicious people to bypass ACLs.

Full Advisory:
http://secunia.com/advisories/11527/

--

[SA11521] Red Hat update for OpenOffice

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-05-03

Red Hat has issued updated packages for OpenOffice. These fix a vulnerability allowing malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/11521/

--

[SA11512] Red Hat update for xchat

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-04-30

Red Hat has issued updated packages for xchat.
These fix a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11512/

--
[SA11510] LHA Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-04-30

Ulf Harnhammar has reported some vulnerabilities in LHA, potentially allowing malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11510/

--
[SA11500] MPlayer and xine-lib RTSP Handling Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-04-30

Some vulnerabilities have been reported in MPlayer and xine-lib, potentially allowing malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11500/

--
[SA11498] Debian update for eterm
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-04-29

Debian has issued updated packages for eterm. These fix a vulnerability, which potentially can be exploited by malicious people to manipulate actions taken by the system administrator and other users on a system.
Full Advisory: http://secunia.com/advisories/11498/

--
[SA11552] FreeBSD update for kadmind
Critical:    Moderately critical
Where:       From local network
Impact:      System access, DoS
Released:    2004-05-06

FreeBSD has addressed a vulnerability in kadmind, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11552/

--
[SA11550] Heimdal kadmind Heap Overflow Vulnerability
Critical:    Moderately critical
Where:       From local network
Impact:      System access, DoS
Released:    2004-05-06

Evgeny Demidov has discovered a vulnerability in Heimdal, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11550/

--
[SA11545] Fedora update for mc
Critical:    Less critical
Where:
Impact:
Released:    2004-05-05

Fedora has issued updates for mc. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11545/

--
[SA11543] UnixWare / Open Unix update for Apache
Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information, Privilege escalation
Released:    2004-05-05

SCO has issued updated packages, which fix some older vulnerabilities in Apache.
Full Advisory: http://secunia.com/advisories/11543/

--
[SA11540] Slackware update for libpng
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-05-04

Slackware has issued updates for libpng. These fix a vulnerability, potentially allowing malicious people to cause a Denial of Service against certain applications.
Full Advisory: http://secunia.com/advisories/11540/

--
[SA11537] Slackware update for rsync
Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, Security Bypass
Released:    2004-05-04

Slackware has issued updated packages for rsync. These fix a vulnerability, potentially allowing malicious people to write files outside the intended directory.
Full Advisory: http://secunia.com/advisories/11537/

--
[SA11531] SquirrelMail Folder Name Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-05-03

Alvin Alex has reported a vulnerability in SquirrelMail, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/11531/

--
[SA11523] Debian update for rsync
Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, Security Bypass
Released:    2004-05-03

Debian has issued updated packages for rsync.
These fix a vulnerability, potentially allowing malicious people to write files outside the intended directory.
Full Advisory: http://secunia.com/advisories/11523/

--
[SA11520] Red Hat update for libpng
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-05-03

Red Hat has issued updates for libpng. These fix a vulnerability, potentially allowing malicious people to cause a Denial of Service against certain applications.
Full Advisory: http://secunia.com/advisories/11520/

--
[SA11517] Debian update for libpng
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-04-30

Debian has issued updates for libpng. These fix a vulnerability, potentially allowing malicious people to cause a Denial of Service against certain applications.
Full Advisory: http://secunia.com/advisories/11517/

--
[SA11515] Trustix update for rsync
Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2004-04-30

Trustix has issued updated packages for rsync. These fix a vulnerability, potentially allowing malicious people to write files outside the intended directory.
Full Advisory: http://secunia.com/advisories/11515/

--
[SA11514] rsync Allows Writing Files Outside the Intended Directory
Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2004-04-30

A vulnerability has been reported in rsync, allowing malicious people to write files outside the intended directory.
Full Advisory: http://secunia.com/advisories/11514/

--
[SA11509] OpenPKG update for png
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-04-30

OpenPKG has issued updates for png (libpng). These fix a vulnerability, potentially allowing malicious people to cause a Denial of Service against certain applications.
Full Advisory: http://secunia.com/advisories/11509/

--
[SA11507] Mandrake update for libpng
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-04-30

MandrakeSoft has issued updates for libpng. These fix a vulnerability, potentially allowing malicious people to cause a Denial of Service against certain applications.
Full Advisory: http://secunia.com/advisories/11507/

--
[SA11505] libpng Potential Denial of Service Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-04-30

Steve Grubb has reported a vulnerability in libpng, potentially allowing malicious people to cause a Denial of Service against applications and services using libpng.
Full Advisory: http://secunia.com/advisories/11505/

--
[SA11551] FreeBSD update for heimdal
Critical:    Less critical
Where:       From local network
Impact:      ID Spoofing
Released:    2004-05-06

FreeBSD has addressed an older vulnerability in heimdal, which can allow certain people to impersonate others.
Full Advisory: http://secunia.com/advisories/11551/

--
[SA11541] SuSE update for kernel
Critical:    Less critical
Where:       Local system
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS
Released:    2004-05-04

SuSE has issued updated packages for the kernel. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges, gain knowledge of sensitive information, or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11541/

--
[SA11530] Debian update for flim
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-05-03

Debian has issued updated packages for flim. These fix a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/11530/

--
[SA11529] FLIM Insecure Temporary File Creation Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-05-03

Tatsuya Kinoshita has reported a vulnerability in FLIM, which can be exploited by malicious, local users to take certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/11529/

--
[SA11526] ipmenu Insecure Temporary File Creation Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-05-04

Akira Yoshiyama has discovered a vulnerability in ipmenu, which can be exploited by malicious, local users to perform certain actions on a system with escalated privileges.
Full Advisory: http://secunia.com/advisories/11526/

--
[SA11522] Red Hat update for mc
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-05-03

Red Hat has issued updates for mc. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11522/

--
[SA11519] Red Hat update for utempter
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-05-03

Red Hat has issued updated packages for utempter. These fix a security issue, which potentially can be exploited by malicious, local users to perform certain actions with higher privileges on a vulnerable system.
Full Advisory: http://secunia.com/advisories/11519/

--
[SA11508] Debian update for mc
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-04-30

Debian has issued updates for mc. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11508/

--
[SA11506] Mandrake update for mc
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-04-30

MandrakeSoft has issued updates for mc. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11506/

--
[SA11503] Gentoo update for samba
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-04-30

Gentoo has issued updated packages for Samba. These fix a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11503/

--
[SA11502] Midnight Commander Multiple Unspecified Vulnerabilities
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-04-30

Jakub Jelinek has reported some vulnerabilities in GNU Midnight Commander, allowing malicious users to escalate their privileges.
Full Advisory: http://secunia.com/advisories/11502/

--
[SA11501] Slackware update for kernel
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, Exposure of sensitive information, Exposure of system information
Released:    2004-04-30

Slackware has issued updated packages for the kernel. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges, or gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/11501/

--
[SA11518] PaX Denial of Service Vulnerability
Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2004-05-04

borg has discovered a vulnerability in PaX, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11518/

Other:
--
[SA11499] Zonet ZSR1104WE Wireless Router NAT Implementation Weakness
Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-04-29

Jason Wachtel has reported a weakness in the Zonet ZSR1104WE wireless router, which may prevent identification of remote attackers.
Full Advisory: http://secunia.com/advisories/11499/

--
[SA11516] Network Appliances Data ONTAP and NetCache Denial of Service Vulnerability
Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-04-30

An unspecified vulnerability has been reported in Data ONTAP and NetCache, allowing malicious people to cause a Denial of Service against vulnerable devices.
Full Advisory: http://secunia.com/advisories/11516/

--
[SA11504] 3Com NBX 100 Communications System Denial of Service
Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-04-30

Michael Scheidell has reported a vulnerability in 3Com NBX 100 Communications System, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11504/

Cross Platform:
--
[SA11546] Check Point VPN-1 Products ISAKMP Buffer Overflow Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-05-05

A vulnerability has been discovered in various Check Point VPN-1 products, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11546/

--
[SA11524] Coppermine Photo Gallery Multiple Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information, System access
Released:    2004-05-03

Janek Vind has reported multiple vulnerabilities in Coppermine Photo Gallery, allowing malicious people to compromise a vulnerable system or conduct Cross Site Scripting attacks.
Full Advisory: http://secunia.com/advisories/11524/

--
[SA11554] PHPX Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2004-05-06

JeiAr has reported some vulnerabilities in PHPX, allowing malicious people to conduct Cross Site Scripting and SQL injection attacks and potentially execute administrative functions.
Full Advisory: http://secunia.com/advisories/11554/

--
[SA11497] Sesame Unauthorised User Repository Access Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information
Released:    2004-04-29

A vulnerability has been discovered in Sesame, which can be exploited by malicious, anonymous users to access other users' repositories.
Full Advisory: http://secunia.com/advisories/11497/

--
[SA11536] HP Web Jetadmin Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From local network
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access
Released:    2004-05-04

FX has reported multiple vulnerabilities in HP Web Jetadmin, where the most serious issues can be combined to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11536/

--
[SA11535] Moodle "help.php" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-05-03

Bartek Nowotarski has discovered a vulnerability in Moodle, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/11535/

--
[SA11533] ReciPants Unspecified Input Validation Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2004-05-04

Jon McClintock has reported some vulnerabilities in ReciPants, potentially allowing malicious people to conduct Cross-Site Scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/11533/

--
[SA11556] Verity Ultraseek Reserved DOS Device Name Path Disclosure
Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2004-05-06

Martin O'Neal of Corsaire has discovered a security issue in Verity Ultraseek, which can be exploited by malicious people to disclose path information.
Full Advisory: http://secunia.com/advisories/11556/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri May 7 09:50:37 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 7 10:19:59 2004
Subject: [ISN] Security experts warn of nastier Sasser worm
Message-ID:

http://www.computerworld.com/securitytopics/security/virus/story/0,10801,92936,00.html

by Bernhard Warner and Spencer Swartz
MAY 06, 2004
REUTERS

Computer security experts warned yesterday that the Sasser worm could merge with earlier viruslike programs to wreak more havoc on the Internet, just as companies and PC users clean up from the last attack and authorities hunt for those responsible.

Since appearing over the weekend, the fast-moving Sasser computer worm has hit PC users around the world who run the ubiquitous Microsoft Windows 2000, NT and XP operating systems. It is expected to slow down as computer users download antivirus patches.
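The Secunia weekly summary reproduced earlier in this digest is a fixed text layout, and a reader of such a feed usually wants three things from it: the entries pulled into records, the "Highly critical / From remote" ones on top, and the distribution rebuilds of one upstream fix recognised as one issue. The following Python is an added example of doing that; it is not Secunia's code and not part of the digest. It assumes the one-field-per-line layout of Secunia's mail (header line `[SAnnnnn] Title`, then `Critical:`, `Where:`, `Impact:`, `Released:`, free text, `Full Advisory:` and the URL), and its sample input is a constructed excerpt of four entries from the summary above, including the Fedora mc entry whose `Where:` and `Impact:` fields are empty. It also applies Secunia's own advice to verify advisories via the link, in the minimal form of checking that the number in the URL is the SA number it is attached to.

```python
import re
from collections import namedtuple

# Secunia's criticality scale, highest first.
CRITICALITY_RANK = {"Extremely critical": 5, "Highly critical": 4,
                    "Moderately critical": 3, "Less critical": 2, "Not critical": 1}
HEADER_RE = re.compile(r"^\[SA(\d+)\]\s+(.+?)\s*$")
FIELD_RE = re.compile(r"^(Critical|Where|Impact|Released):\s*(.*?)\s*$")
URL_RE = re.compile(r"https?://secunia\.com/advisories/(\d+)/")
UPDATE_RE = re.compile(r"^(.+?) update for (.+)$")

# Constructed sample: four entries copied from the digest above, laid out as
# Secunia's weekly mail does (one field per line, "--" between entries).
# The Fedora mc entry keeps its empty Where/Impact fields on purpose.
SAMPLE = """\
--
[SA11528] Pound "logmsg()" Format String Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-05-03
Akira Higuchi has discovered a vulnerability in Pound, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/11528/
--
[SA11540] Slackware update for libpng
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-05-04
Slackware has issued updates for libpng.
Full Advisory: http://secunia.com/advisories/11540/
--
[SA11520] Red Hat update for libpng
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-05-03
Red Hat has issued updates for libpng.
Full Advisory: http://secunia.com/advisories/11520/
--
[SA11545] Fedora update for mc
Critical:    Less critical
Where:
Impact:
Released:    2004-05-05
Fedora has issued updates for mc.
Full Advisory: http://secunia.com/advisories/11545/
"""

Advisory = namedtuple("Advisory", "sa_id title criticality where impacts "
                                  "released description url")


def parse_summary(text):
    """One Advisory per "[SAnnnnn] Title" block: labelled fields, then free
    text up to "Full Advisory:", then the URL (same line or the next).
    Blank lines and "--" separators are skipped; empty fields parse as ""."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            cur = {"id": int(m.group(1)), "title": m.group(2), "f": {}, "body": []}
            blocks.append(cur)
        elif cur is None or line in ("", "--"):
            continue
        elif (m := FIELD_RE.match(line)):
            cur["f"][m.group(1)] = m.group(2)
        else:
            cur["body"].append(line)
    advs = []
    for b in blocks:
        desc, _, tail = " ".join(b["body"]).partition("Full Advisory:")
        u = URL_RE.search(tail)
        f = b["f"]
        advs.append(Advisory(
            b["id"], b["title"], f.get("Critical", ""), f.get("Where", ""),
            [i.strip() for i in f.get("Impact", "").split(",") if i.strip()],
            f.get("Released", ""), desc.strip(), u.group(0) if u else ""))
    return advs


def link_matches_id(adv):
    """The number in the advisory URL must be the SA number of the entry."""
    m = URL_RE.search(adv.url)
    return bool(m) and int(m.group(1)) == adv.sa_id


def triage(advs, min_rank=4, remote_only=True):
    """Entries at or above min_rank (default: Highly critical), optionally
    only those exploitable from remote, most urgent first."""
    keep = [a for a in advs if CRITICALITY_RANK.get(a.criticality, 0) >= min_rank
            and (not remote_only or a.where == "From remote")]
    return sorted(keep, key=lambda a: (-CRITICALITY_RANK.get(a.criticality, 0),
                                       a.released, a.sa_id))


def vendor_updates(advs):
    """Group "<Vendor> update for <package>" entries by package, so one
    upstream fix rebuilt by several distributions is tracked as one issue."""
    groups = {}
    for a in advs:
        if (m := UPDATE_RE.match(a.title)):
            groups.setdefault(m.group(2), []).append(m.group(1))
    return groups
```

Run on the sample, `triage()` returns only the Pound entry, `triage(min_rank=2)` adds the two libpng rebuilds ordered by release date, and `vendor_updates()` reports libpng as one issue with two vendor rebuilds. The parser treats a missing field as an empty string rather than failing, which is what you want from a feed reader: an entry with a blank `Where:` still gets listed, it just does not qualify as "From remote".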
But Sasser could mutate by combining with the 2-month-old Netsky worm and become a launching pad for further Web attacks, putting it on par with Blaster, the destructive worm that appeared last year and used infected computers to attack Microsoft Corp.'s Web site. For now, the more benign Sasser worm does its harm by duplicating itself and slowing down Internet connections.

"My expectation is that Netsky and Sasser variants will merge and become what we call one 'abundant threat' that attacks through e-mail and software vulnerabilities," said Jimmy Kuo, a research fellow at Network Associates Inc.'s McAfee antivirus unit.

The fast-moving Sasser worm, which has hit home users, corporations and government agencies throughout Europe, North America and Asia, doesn't appear to wipe out data on disk drives, but it may damage software applications, analysts said.

Estimates of how many users have been hit by the virus vary from 150,000 to 1 million, although analysts say the final tally could be in the millions by the time the four Sasser variants work their way through the Internet.

Analysts are unsure what economic damage Sasser has caused so far but said the costs associated with things such as installing new software on PCs and labor are likely to make it an expensive cleanup process. If infected computers aren't patched and protected by firewalls and antivirus software, they could be used by virus writers to launch future attacks, experts said.

Microsoft said yesterday that it's working with the Northwest Cybercrime Task Force, a joint effort by the FBI and U.S. Secret Service, to hunt down those responsible for the latest worm outbreak.

Microsoft created a page, http://www.microsoft.com/sasser, on its corporate Web site to deal with the Sasser threat and is offering a tool to rid infected computers of the worm, said Stephen Toulouse, security program manager at the company's Security Response Center.
The origin of Internet threats is notoriously difficult to track, but authorities managed to find teenagers allegedly responsible for creating a copycat version of the Blaster worm. Minnesota teen Jeffrey Lee Parson was arrested in August, followed by the arrest of an unidentified juvenile in Seattle in September.

Reed Stevenson contributed to this report.

From isn at c4i.org Fri May 7 09:50:50 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 7 10:20:00 2004
Subject: [ISN] WinHEC: Microsoft revisits NGSCB security plan
Message-ID:

http://www.nwfusion.com/news/2004/0505msngscb.html

By Joris Evers
IDG News Service
05/05/04

Microsoft is revisiting its Next-Generation Secure Computing Base (NGSCB) security plan because enterprise users and software makers don't want to be forced to rewrite their code to take advantage of the technology, the company said Wednesday.

In response to feedback from users and software makers, Microsoft is retooling NGSCB so that at least part of the security benefits will be available without the need to recode applications, Mario Juarez, a Microsoft product manager, said in an interview Wednesday at the vendor's Windows Hardware Engineering Conference (WinHEC).

"We're revisiting the way that the architecture needs to be built in order to accommodate the feedback that we have gotten and provide the broader value that we want the technology to provide," he said.

Microsoft is making changes to NGSCB, but is not discarding previous work or going back to the drawing board, Juarez stressed.

Microsoft announced NGSCB in 2002. The technology, formerly known by its Palladium code name, uses a combination of software and hardware that Microsoft says will boost PC security by providing the ability to isolate software so it can be protected against malicious code. The software maker plans to incorporate the technology in Longhorn, the successor to Windows XP expected out in 2006.

NGSCB was demonstrated for the first time a year ago at the 2003 WinHEC.
Attendees at Microsoft's Professional Developers Conference in Los Angeles last October received a developer preview of NGSCB. That preview was meant to give developers a feel for what it is like to develop an application that uses NGSCB security.

Meanwhile, Microsoft has been gathering feedback and is now working on incorporating that feedback, according to Juarez. As a result, NGSCB will change. Software makers and enterprise users will be able to take advantage of part of the technology out of the box, without the need to rewrite their applications, Juarez said.

Originally Microsoft had limited NGSCB to providing strong protection for very small amounts of data through protected agents. Applications would have to be rebuilt to include a protected agent that would run in a secured space on the system. Now Microsoft is working to revise the NGSCB technology so it is possible to secure more bits without having to rewrite applications, Juarez said.

"We can't provide the level of specifics that we provided last year because we're still in the process of sorting out the details," Juarez said. "We will have more specifics later this year about how the technology will be implemented based on the feedback."

NGSCB includes a new software component for Windows called a "nexus," and a chip that can perform cryptographic operations called the trusted platform module. NGSCB also requires changes to a PC's processor and chipset and the graphics card. The combination of hardware and software creates a second operating environment within a PC that is meant to protect the system from malicious code by providing secure connections between applications, peripheral hardware, memory and storage.

Microsoft has pitched NGSCB as a boon for its customers, though critics have argued that it will curtail users' ability to control their own PCs and could erode fair-use rights for digital music and movie files.
Corporate users will likely be first to buy in to the technology, Microsoft has said. Early applications will include secure messaging and other applications of particular interest to corporate PC users, the company has said.

From isn at c4i.org Fri May 7 09:51:04 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 7 10:20:01 2004
Subject: [ISN] Small Biz Puts Protection Before Continuity In Survey
Message-ID:

http://nwc.serverpipeline.com/showArticle.jhtml?articleID=19502258

By Tom Smith
Small Business Pipeline
May 05, 2004

Despite a recent history that includes terrorist attacks on American soil, the resulting war against terror, and a flurry of virus activity, most small businesses aren't concerned enough to develop specific plans to keep their businesses up and running in the event of a disaster. However, they do recognize the need to protect their data and computer systems from natural disasters and hacker attacks.

A survey of 237 small businesses conducted by Small Business Pipeline in April found that 73% have no written plan that defines a strategy for responding to disaster. Of the 27% that do have such a plan, about 80% actually review the plan on an annual basis with their employees.

Six in 10 have done no formal quantification of how much it would cost their business if it were interrupted for any extended period of time. Of the small percentage that have performed this financial analysis, 56% say they'd lose less than $10,000 per day. That result is perhaps not too surprising, given that more than half of the survey respondents have fewer than 10 employees. Another 27% have fewer than 50 employees and 16% have fewer than 100.

In a somewhat contradictory finding, the largest group of respondents, 35%, ranked disaster recovery as about equally important as other business functions such as customer service, technology operations, finance and accounting, and so on. A full 34% said disaster recovery is more important, while 31% said it's less important.
Despite these findings, there's no apparent sense of urgency to plan for disaster. There was some good news: 56% of survey respondents do have a defined sequence of steps to be followed if their physical location becomes unavailable.

Z Technology, a manufacturer of test and measurement equipment for the radio and television broadcast industry, appears to be fairly typical of the survey respondents. The 10-person company has no formal disaster-recovery plan, operations manager Dan Nicholas said. "I don't think it's ever been thought about a whole lot," Nicholas added. "It's not a conscious decision to not have one."

However, the survey found a strong, clear emphasis on data and systems protection among small businesses. Those businesses are acutely aware of the threat posed by viruses, hackers and system incursions. Of the 237 survey respondents, 88, or 37%, say technology-driven threats (viruses, hackers, security breaches) pose the greatest danger that could interrupt the functioning of their business. Other threats identified as the biggest concerns included disasters such as fires or explosions, selected by 27% of respondents; natural disasters such as weather and earthquakes, 26%; theft or loss of intellectual property, 7%; and other areas such as terrorism and a national emergency, 3%.

FMSI Actuarial Concepts and Systems Inc. is indicative of the focus on protecting data and systems among small businesses. The Deerfield, Ill., company's three employees hold themselves accountable for backing up data from their workstations on a regular basis. Data gets backed up to two separate Web-based systems maintained by different outsourcing firms for an additional layer of protection. "If one is down, the other is not down at the same time," explains Gerry Kopelman, a partner.

While these backup procedures aren't explicitly defined, they are a part of the company's way of doing business. "There are no formal policies. It's just become our habit to do that. It's common sense," Kopelman says.

Like FMSI, respondents to the Small Business Pipeline survey appear well-prepared to deal with threats that could impact their corporate data. Three quarters of respondents say they have a specific medium or plan for protecting data in the event of a business or technology interruption. In a related finding, 62% of respondents say they have defined policies to secure the data on individual employees' computers.

Asked to identify their primary means of protecting data, 43% said they back up data to an off-site facility they own or manage; 28% said they back up data to servers or systems in the same office as primary systems; 20% said they back up data to a third-party facility; and 9% use another means.

Asked to rank the technologies that are most important in preventing business interruptions, the most respondents, 40%, selected network security products such as firewalls. Another 34% selected data backup and management.

From isn at c4i.org Mon May 10 02:45:24 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 10 03:13:50 2004
Subject: [ISN] Arrest could crack open PC virus ring
Message-ID:

http://www.thecouriermail.news.com.au/common/story_page/0,5936,9514174%255E8362,00.html

Jennifer Dudley, technology reporter
10may04

A ring of virus writers responsible for at least 30 viruses and billions of dollars in damage could be exposed after German police arrested two men over the Sasser, Agobot and Phatbot viruses.

Anti-virus experts said the arrest of an 18-year-old German high school student who allegedly confessed to creating Sasser could be "one of the most significant cybercrime arrests of all time" and was made possible by a $US250,000 bounty from Microsoft.

The Sasser worm surfaced on April 30 and infected tens of millions of computers using Windows XP or 2000. It spread without any intervention from users.
Victims included Westpac Bank, the Northern Territory Government, British Airways, Delta Airlines and the UK Maritime and Coastguard Agency.

Police arrested a man over the virus in Rotenburg, North Germany, on Friday. His name has not been released, although it is believed the FBI and CIA were searching for a suspect called Sven J.

Lower Saxony police spokesman Frank Federau said the man had confessed to creating the worm virus and "Microsoft experts . . . confirmed our suspicions". Police seized several computers at the man's home and he was released pending charges. The man's computer reportedly contained the Sasser virus computer code.

Microsoft senior vice president Brad Smith said a breakthrough came on Wednesday last week when a group of fewer than five Germans approached the company with information about the alleged virus writer. He said the group inquired about the company's $5 million anti-virus reward program, and Microsoft agreed to pay the group $US250,000 "pending the successful conviction of this case". If the man is convicted, it would be the first successful prosecution under the Microsoft reward program, which was launched in November 2003.

Also on Friday, German police arrested a 21-year-old unemployed man in Loerrach who allegedly admitted creating the widespread Agobot and Phatbot viruses with other programmers.

Sophos senior technology consultant Graham Cluley said the breakthroughs could lead to further arrests of Skynet virus-writing group members, who recently claimed to have written Sasser in a message embedded in the Netsky-AC virus. "If this is the case, this could be one of the most significant cybercrime arrests of all time," he said. "We would not be surprised if more arrests follow in due course."

Mr Cluley said 29 "highly disruptive" variants of the Netsky virus were spreading and clues to their authors could be on computers seized during the arrests.
Both men face charges of computer sabotage, which in Germany carries up to five years' prison, but Computer Associates Australia senior security consultant Daniel Zatz said it was not illegal to write a computer virus, only to distribute it. The men might claim they did not mean to release the viruses.

From isn at c4i.org Mon May 10 02:45:45 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 10 03:13:51 2004
Subject: [ISN] Howard Schmidt opts out of bid for Congress
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,92974,00.html

News Story by Dan Verton
MAY 07, 2004
COMPUTERWORLD

WASHINGTON -- After months of consideration, Howard Schmidt, the chief security officer at eBay Inc. and the former chairman of the President's Critical Infrastructure Protection Board, announced today that he won't run for Congress from his home state of Washington.

In an exclusive interview with Computerworld, Schmidt said that the "financial timing is not right" to undertake a major political campaign and that he believes he can be a more effective advocate for critical-infrastructure protection and cybersecurity issues working from the private sector. However, he hasn't ruled out a political career in the future.

Schmidt had eyed a run for Washington's 8th District seat, currently held by Jennifer Dunn, who in January announced plans to retire. And while senior members of Dunn's staff have said publicly that Schmidt could carry on Dunn's homeland security agenda, Schmidt chose instead to take on more work with the Department of Homeland Security.

Starting next week, Schmidt will begin talks with senior DHS officials about a future role as either executive director or "ambassador at large" for the U.S. CERT Partnership Program, a new effort currently in the planning phase. Schmidt said he was approached about the program apparently because of his understanding of the interdependency of cyber and physical infrastructures.
Senior members of the DHS approached Schmidt in December during the inaugural National Cyber Security Summit and asked for his direct assistance in working with the private sector. Other senior DHS and private sector officials, who spoke on condition of anonymity, said Schmidt was approached amid concerns that the agency wasn't getting good advice on cybersecurity and critical-infrastructure protection from outside "industry experts."

A senior DHS official involved in luring Schmidt back into a consulting and advisory role acknowledged that some advice received by the DHS wasn't well grounded.

Schmidt, however, said he has been closely weighing his options, working to ensure he doesn't overextend himself -- something he has expressed to DHS officials. In addition to his current role at eBay, the former White House adviser recently co-founded the Global CSO Council and serves as co-chair of the awareness and education committee of the Cyber Security Task Force, which was formed at last year's National Cyber Security Summit.

From isn at c4i.org Mon May 10 02:46:15 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 10 03:13:52 2004
Subject: [ISN] Ministry to get police power to combat cyber crime
Message-ID:

http://www.koreaherald.co.kr/SITE/data/html_dir/2004/05/10/200405100014.asp

By Kim Tong-hyung (thkim@heraldm.com)
2004.05.10

Law enforcement agencies plan to grant the Ministry of Information and Communication police power to combat computer crimes such as network hacking, a move that is expected to generate controversy over individual rights and the limits of the state's authority.

"Basic agreements were reached with the Ministry of Justice and the Ministry of Government Administration and Home Affairs in March in extending juridical authority," said a ministry official on Friday.
"We think our trained personnel and technical infrastructure at the Korea Information Security Agency can cover the areas of computer crime in which the National Police Agency lacks efficiency," he said.

More than 600 cases of unsolicited e-mail distribution and personal information infringements were reported to the police last year, compared with none in 2002.

If the plan is approved, the ministry officials will have the authority to investigate such cases without a police warrant. Ministry officials hope related regulations will be revised by the National Assembly by the end of the year.

Legal experts criticized the plan as an unreasonable expansion of government authority.

"Government authority to control over individual freedom should be accessed by authorized and limited personnel only, since it harbors the possibility of violating civic rights," said lawyer Lee Eun-woo, a member of Lawyers for a Democratic Society. "If police needed help with computer crimes, they could always request technical assistance from the ministry or other telecom companies. There is no reason to expand the jurisdiction itself."

Under the tentative plan, the ministry will have a 24-person inspection team with two agents from the Korea Information Security Agency sent to each of the eight provincial police agencies across the nation.

The ministry official said talks were currently under way between the Justice Ministry and National Police Agency on jurisdiction matters.

The National Police Agency has balked at the plan since it was broached in March by justice officials. It says that it would be more reasonable to increase personnel and budgets of the police computer crime investigation units.

"The crimes in the information technology sector aren't disconnected from other types of crimes happening in other areas. It's not like technology experts could handle them alone," said a police agency spokesman.
Currently, the Information and Communication Ministry has jurisdiction over limited cases, including the violation of software copyrights and destruction or illegal use of electronic and radio communication equipment.

The ministry also runs branch organizations of Korea Information Security Agency and the Information and Communication Ethics Committee to oversee information security and inspection of Internet content.

From isn at c4i.org Mon May 10 02:46:34 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 10 03:13:53 2004
Subject: [ISN] Cry to beat iris scanners
Message-ID:

http://www.theregister.co.uk/2004/05/07/watery_eyes_iris_scan/

By Lucy Sherriff
7th May 2004

An MP who volunteered to take part in the UK ID card trials says the iris scanner used is uncomfortable and made his eyes water. Poor chap, you're probably thinking, but not exactly a tragedy.

However, this isn't just a whinge. The water in his eyes actually stopped the scanner from working, and it seems long eyelashes and hard contact lenses could fox it too. So we're going to have a system that is derailed by a few tears and fluttering eyelashes?

Roland Sables, the man in charge of the trial, said that he was expecting a failure rate of about seven per cent. Most of these failures, he argued, would be caused by problems with camera positioning, although others "are due to eye malformations, watery eyes and long eyelashes in a small percentage [of cases]".

Sables said that so far the iris scanner had failed to match people with their details in just four per cent of cases. Scale that up to the UK population and you've got nearly 2.5m people who won't be correctly identified.

Bob Russell, a member of the Home Affairs Select Committee, and the man with the rheumy eyes, speculated that the iris scanner could also cause problems for people who were particularly photosensitive, or suffered from epilepsy.
John Denham, the Home Affairs Select Committee chairman, who was also visiting the pilot registration centre, said that while the overall registration process was very simple, there were some technology issues that needed to be addressed. He pointed out that people with disabilities would have difficulty moving into the right position to be scanned.

"Some of the crucial issues about the technology will be better informed at the end of the trial," he added.

From isn at c4i.org Mon May 10 02:48:54 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 10 03:13:54 2004
Subject: [ISN] [Vmyths.com ALERT] Hysteria over ''Sasser'' worm
Message-ID:

Forwarded from: Rob Rosenberger

>> I've not read AFP newswire story
>> MTV3 news (Finnish TV channel) reported that Sampo
>> actually got infected.

Check out http://www.busrep.co.za/index.php?fArticleId=424286 when you get a chance. "'We decided to close our offices as a precaution, since we knew that our virus protection hadn't been updated,' Sampo spokesman Hannu Vuola told AFP. 'It is possible that we have some minor problems with this (worm) already, so this was the best decision to avoid any serious problems,' he added."

>> I find it hard to believe that Sampo would have closed
>> their branch offices as a "precautionary measure".

Believe it.

Hope this insight helps...

Rob Rosenberger
http://Vmyths.com

From isn at c4i.org Mon May 10 02:49:15 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 10 03:13:55 2004
Subject: [ISN] Linux Advisory Watch - May 7th 2004
Message-ID:

+----------------------------------------------------------------+
|  LinuxSecurity.com                         Linux Advisory Watch |
|  May 7th, 2004                            Volume 5, Number 19a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for mc, libpng, LHA, httpd, and rsync. The distributors include Debian, Mandrake, Red Hat, and Trustix.

----

>> Certify your Software Integrity <<

As a software developer you know that the product you make available on the Internet can be tampered with if it is not secured. Our Free Guide will show you how to securely distribute your code over the Internet and how these certificates operate with different software platforms:

Download a guide to learn more:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten06

----

Security Benefit

In today's business world, there is an ever-increasing reliance on information technology. With this, businesses are discovering new ways to produce products and offer services with greater efficiency. New business opportunities are created by the production of digital products and services. However, with every business opportunity comes increased risk. IT systems are now a huge target. If a business is not properly prepared, a single system failure could result in a catastrophic outcome. Security is greatly important and a necessary part of keeping IT systems in operation.

Traditionally, security has been viewed as a 'badge and gun' operation. The most important part is protecting the confidentiality, integrity, and availability of a system. In the process of improvement, security practitioners increase the number of firewall rules, increase password complexity, and impose additional limitations on each user's ability to access the information they need to conduct daily business. How do non-security types react to this? Of course, they don't like it! Security is not seen as a business benefit, but a hindrance. Rather than supporting business functions, it is making it more difficult to do even the simplest tasks.
Sadly, increasing a security budget may be viewed as increasing the difficulty of conducting daily business.

Today, security is changing. Managers are starting to realize that security only exists to support business. If the business did not exist, the security department protecting it wouldn't exist. As a security manager, it is important to deliver value to the business. This can be done a number of ways. First, create a security awareness program that educates others on the importance of protecting information. Next, only choose controls that are in line with and appropriate for the information they are protecting. For example, military-grade security may not be appropriate for internal employee manuals. However, financial documents may require the tightest security. Secure appropriately!

Finally, metrics are important. Report to superiors the effectiveness of current security controls. Report the number of incidents and types from least significant to most. Demonstrate with numbers how the current security is protecting the information assets. How many times was your network scanned in the last month? How many connections did the firewall reject/drop? How much spam did the filters keep out of inboxes? Good security goes unnoticed and ignored. It is important to remind management how well you are doing!

Until next time, cheers!
Benjamin D. Thomas
ben@linuxsecurity.com

----

Guardian Digital Launches Next Generation Internet Defense & Detection System

Guardian Digital has announced the first fully open source system designed to provide both intrusion detection and prevention functions. Guardian Digital Internet Defense & Detection System (IDDS) leverages best-in-class open source applications to protect networks and hosts using a unique multi-layered approach coupled with the security expertise and ongoing security vigilance provided by Guardian Digital.
http://www.linuxsecurity.com/feature_stories/feature_story-163.html

--------------------------------------------------------------------

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.

http://www.linuxsecurity.com/feature_stories/feature_story-162.html

--------------------------------------------------------------------

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

4/30/2004 - libpng, libpng3
  Out of bounds access vulnerability
  This problem could cause the program to crash if a defective or intentionally prepared PNG image file is handled by libpng.
  http://www.linuxsecurity.com/advisories/debian_advisory-4292.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

4/30/2004 - mc
  Multiple vulnerabilities
  Several vulnerabilities in Midnight Commander were found by Jakub Jelinek.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4296.html

4/30/2004 - libpng
  Out of bounds access vulnerability
  Bug could potentially lead to a DoS (Denial of Service) condition in a daemon that uses libpng to process PNG images.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4297.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

4/30/2004 - X-Chat
  Buffer overflow vulnerability
  Out of bounds access vulnerability
  An updated X-Chat package is now available that fixes a vulnerability which could be exploited by a malicious SOCKS-5 proxy.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4293.html

4/30/2004 - LHA
  Multiple vulnerabilities
  Ulf Harnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4294.html

4/30/2004 - httpd
  Denial of service vulnerability
  Updated httpd packages are now available that fix a denial of service vulnerability in mod_ssl and include various other bug fixes.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4295.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

4/30/2004 - rsync
  Path escape vulnerability
  Please either enable chroot or upgrade to 2.6.1.
  http://www.linuxsecurity.com/advisories/trustix_advisory-4298.html

4/30/2004 - libpng, proftpd
  Multiple vulnerabilities
  Path escape vulnerability
  Patches for a DoS using libpng and an ACL escape for proftpd.
  http://www.linuxsecurity.com/advisories/trustix_advisory-4299.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon May 10 02:52:06 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 10 03:13:56 2004
Subject: [ISN] [Vmyths.com ALERT] Will U.S. try to extradite Sasser's creator?
Message-ID:

Vmyths.com Virus Hysteria Alert
{8 May 2004, 13:10 CT}

-------

CATEGORY: Historical perspective on recent hysteria
http://Vmyths.com/hoax.cfm?id=280&page=3

A Reuters newswire says "German police have arrested an 18-year-old man suspected of creating the 'Sasser' computer worm, believed to be one of the Internet's most costly outbreaks of sabotage... [A police spokesman] said the suspect admitted to programming the worm." See http://www.msnbc.msn.com/id/4928653 for the full text of the newswire.

In our previous Hysteria Alert, we predicted the fearmongers at mi2g will soon slap an astronomical dollar value on the Sasser worm. The U.S. alone will account for a few billion of mi2g's guesstimate. This leads us to ponder an interesting question:

Will the Justice Department try to extradite the author of the Sasser worm? Will he stand trial on American soil for a multi-billion-dollar crime?

If history is a guide, Sasser's author will never appear before a U.S. judge. Consider the following:

1) U.S. feds never sought extradition for Jan de Wit (aka "OnTheFly"), who released the Kournikova virus in February 2001. A Dutch court convicted him for the crime but he remains free of a U.S. indictment.

2) U.S. feds never sought extradition for any of the suspects behind the ILoveYou virus in May 2000. Reonel Ramones, Onel de Guzman, and Irene de Guzman remain free of a U.S. indictment in the Philippines despite the successful completion of a much-publicized worldwide manhunt.

3) U.S. feds never sought extradition for Mike Calce (aka "Mafiaboy"), a then-14yr-old hacker who masterminded an e-commerce attack that (supposedly) very nearly destroyed Amazon.com, Yahoo!, eBay, CNN, and other U.S.-based firms in February 2000. Calce was found guilty in Canada for the crime but remains free of a U.S. indictment.

4) U.S. feds never sought extradition for acknowledged Chernobyl virus writer Chen Ing-Hau for "destroy[ing] thousands" of U.S.
government, military, corporate, academic, and personal PCs in April 1999. He remains free of a U.S. indictment in Taiwan.

FBI agents traditionally provide "evidence" to other countries to help them prosecute virus/worm authors ... but that's as far as it goes. Remember this when you read stories about the arrest of Sasser's creator. Vmyths predicts he won't be extradited to America.

Remember your history lessons. Stay calm. Stay reasoned. And stay tuned to Vmyths.

Rob Rosenberger, editor
http://Vmyths.com
(319) 646-2800

CATEGORY: Historical perspective on recent hysteria
http://Vmyths.com/hoax.cfm?id=280&page=3

--------------- Useful links ------------------

Remember this when virus hysteria strikes
http://Vmyths.com/resource.cfm?id=31&page=1

Common clichés in the antivirus world
http://Vmyths.com/resource.cfm?id=22&page=1

False Authority Syndrome
http://Vmyths.com/fas/fas1.cfm

From isn at c4i.org Tue May 11 01:48:56 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 11 02:07:35 2004
Subject: [ISN] Linux Security Week - May 10th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                               Weekly Newsletter  |
|  May 10th, 2004                                Volume 5, Number 19n |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Guarded Memory Move," "Scanning the Horizon," "DNS Troubleshooting: Everything Depends on It," and "Benefits of BCC."

----

>> Certify your Software Integrity <<

As a software developer you know that the product you make available on the Internet can be tampered with if it is not secured.
Our Free Guide will show you how to securely distribute your code over the Internet and how these certificates operate with different software platforms:

Download a guide to learn more:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten06

----

LINUX ADVISORY WATCH:

This week, advisories were released for mc, libpng, LHA, httpd, and rsync. The distributors include Debian, Mandrake, Red Hat, and Trustix.

http://www.linuxsecurity.com/articles/forums_article-9272.html

----

Guardian Digital Security Solutions Win Out At Real World Linux

Enterprise Email and Small Business Solutions Impress at Linux Exposition. Internet and network security was a consistent theme and Guardian Digital was on hand with innovative solutions to the most common security issues. Attending to the growing concern for cost-effective security, Guardian Digital's enterprise and small business applications were stand-out successes.

http://www.linuxsecurity.com/feature_stories/feature_story-164.html

----

>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on-demand and scheduled scanning detects and disinfects viruses found on the network.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04

--------------------------------------------------------------------

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.

http://www.linuxsecurity.com/feature_stories/feature_story-162.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Book Review: Computer Security
  May 8th, 2004

  Thomas Greene is well known within the computer and security world for his work as Associate Editor of The Register, a British tech newspaper. This book is a great contribution to the home and small office market.

  http://www.linuxsecurity.com/articles/documentation_article-9277.html

* "Every Principle of Security is Being Violated," Says O'Dowd
  May 7th, 2004

  "There is no way to fix Linux to bring it up to the level of security that is required for national defense systems, a level that is already available in proprietary operating systems," says Dan O'Dowd. He's just released his third white paper in a series focusing on what his company Green Hills Software terms "an urgent security threat posed by the use of the Linux operating system in U.S. defense systems."

  http://www.linuxsecurity.com/articles/general_article-9274.html

* Benefits of BCC
  May 7th, 2004

  Although in many situations it may be appropriate to list email recipients in the To: or CC: fields, sometimes using the BCC: field may be the most desirable option. What is BCC?

  http://www.linuxsecurity.com/articles/privacy_article-9275.html

* Guarded Memory Move (GMM)
  May 5th, 2004

  The Guarded Memory Move tool comes in handy when you have to study buffer overflows and you need to catch them together with a "good" stack image. When a stack overflow has been exploited, the back trace is already gone, together with good information about parameters and local variables that is of vital importance when trying to understand how the attacker is trying to work out the exploit.
  http://www.linuxsecurity.com/articles/host_security_article-9266.html

* SELinux Boosts Server Security
  May 4th, 2004

  Security-Enhanced Linux, a set of kernel modifications and utilities initially developed by the National Security Agency, bolsters the security of Linux systems by enabling administrators to more finely tune data and process permissions. SELinux enforces mandatory access control policies, which limit user and application privileges to the minimum required to do the job.

  http://www.linuxsecurity.com/articles/server_security_article-9261.html

+------------------------+
| Network Security News: |
+------------------------+

* SecurityTalk with K Rudolph, CISSP
  May 6th, 2004

  Dancho: Hi Kaie, nice to have you in our first SecurityTalk discussing the importance of Security Awareness programmes and the problems related to the education of end users.

  http://www.linuxsecurity.com/articles/general_article-9270.html

* Scanning the Horizon
  May 5th, 2004

  How secure is your enterprise network? Today that's a harder question to answer than ever, especially as enterprise networks continue to grow in size and complexity.

  http://www.linuxsecurity.com/articles/network_security_article-9268.html

* HNS Learning Session: DDoS Threats
  May 4th, 2004

  For the second learning session on Help Net Security, they've got Steve Woo, Riverhead Networks Vice President of Marketing and Business Development, discussing the threats of Distributed Denial of Service attacks. Since the making of this audio session, Riverhead Networks was acquired by Cisco Systems.

  http://www.linuxsecurity.com/articles/network_security_article-9265.html

* DNS Troubleshooting: Everything Depends on It
  May 4th, 2004

  The Domain Name System (DNS) service is required to access e-mail, browse Web sites and use hostnames in general. DNS resolves hostnames to IP addresses and back (e.g. www.cyberguard.com translates to 64.94.50.88).
  This article details how DNS works under normal circumstances and provides troubleshooting tips.

  http://www.linuxsecurity.com/articles/network_security_article-9262.html

+------------------------+
| General Security News: |
+------------------------+

* The Internet's Wilder Side
  May 6th, 2004

  It was just another Wednesday on the sprawling Internet chat-room network known as I.R.C. In a room called Prime-Tyme-Movies, users offered free pirated downloads of "The Passion of the Christ" and "Kill Bill Vol. 2." In the DDO-Matrix channel, illegal copies of Microsoft's Windows software and "Prince of Persia: The Sands of Time," an Xbox game, were ripe for downloading.

  http://www.linuxsecurity.com/articles/network_security_article-9269.html

* Mitnick busts bomb hoaxer
  May 4th, 2004

  Ex-hacker Kevin Mitnick is a hero to the small town of River Rouge, Michigan, after using his tech skills to help officials nab the culprit behind a harrowing series of bomb threats.

  http://www.linuxsecurity.com/articles/general_article-9263.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue May 11 01:48:37 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 11 02:07:36 2004
Subject: [ISN] [Vmyths.com ALERT] Will U.S. try to extradite Sasser's creator?
Message-ID:

Forwarded from: Pete Simpson

Extradition not desirable, Rob? Why not? Could it be that the culprits fit the profile of some geeky teenage kid?
If these had been extradited to stand trial in the US for a 'multi-billion' dollar crime:

1 - would these outrageous damage estimates stand scrutiny?

2 - would the repeated images of geeky kids conflict with the preferred image of crazed terrorists hell-bent on destroying the national infrastructure?

Or am I just a cynic seeing propaganda angles where they don't even exist?

> -----Original Message-----
> From: InfoSec News [mailto:isn@c4i.org]
> Sent: 10 May 2004 07:52
> To: isn@attrition.org
> Subject: [ISN] [Vmyths.com ALERT] Will U.S. try to extradite Sasser's
> creator?
>
>
> Vmyths.com Virus Hysteria Alert
> {8 May 2004, 13:10 CT}
>
> -------
>
> CATEGORY: Historical perspective on recent hysteria
> http://Vmyths.com/hoax.cfm?id=280&page=3
>
> A Reuters newswire says "German police have arrested an 18-year-old
> man suspected of creating the 'Sasser' computer worm, believed to be
> one of the Internet's most costly outbreaks of sabotage... [A
> police spokesman] said the suspect admitted to programming the
> worm." See http://www.msnbc.msn.com/id/4928653 for the full text of
> the newswire.
>
> In our previous Hysteria Alert, we predicted the fearmongers at mi2g
> will soon slap an astronomical dollar value on the Sasser worm.
> The U.S. alone will account for a few billion of mi2g's guesstimate.
> This leads us to ponder an interesting question:
>
> Will the Justice Department try to extradite the author of the
> Sasser worm? Will he stand trial on American soil for a
> multi-billion-dollar crime?

[...]

From isn at c4i.org Tue May 11 01:49:22 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 11 02:07:38 2004
Subject: [ISN] The Google Terrorist
Message-ID:

http://www.usnews.com/usnews/issue/040517/whispers/17whisplead_2.htm

[I have to wonder what shock waves this InfoSec News story sent out on November 19th 2002...
http://archives.neohapsis.com/archives/isn/2003-q1/0031.html  :) - WK]

Washington Whispers
5/17/04

It was the lead item on the government's daily threat matrix one day last April. Don Emilio Fulci, described by an FBI tipster as a reclusive but evil millionaire, had formed a terrorist group that was planning chemical attacks against London and Washington, D.C. That day even FBI director Robert Mueller was briefed on the Fulci matter. But as the day went on without incident, a White House staffer had a brainstorm: He Googled Fulci. His findings: Fulci is the crime boss in the popular video game Headhunter. "Stand down," came the order from embarrassed national security types.

From isn at c4i.org Tue May 11 01:49:43 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 11 02:07:38 2004
Subject: [ISN] Hacker gives Kuomintang Web site pro-Chinese look with PRC photos
Message-ID:

http://www.etaiwannews.com/Taiwan/2004/05/10/1084154781.htm

2004-05-10
Agence France-Presse

A person claiming to be a Chinese military veteran has hacked into the Web site of the opposition Kuomintang and replaced its homepage with pro-China photos, a party official said yesterday.

One photo shows a soldier with the People's Liberation Army aiming a rifle at a target while the other shows two men raising the national flag of the People's Republic of China, KMT spokesman Justin Chou told AFP.

The hacker has also written "I'm proud of being a Chinese and a Chinese veteran" in Chinese, and China's national anthem now plays as the Web site's background music, Chou said.

The KMT has closed the Web site and filed a complaint with the police, he said.

"We strongly condemned the move," Chou said.

Taiwan split with China in 1949 at the end of a civil war and tensions have remained between the two neighbors. Beijing still considers Taiwan a province of China awaiting reunification, by force if necessary, and has threatened to invade if the island declares its independence.
The KMT maintained a 51-year-long grip on power until being ousted by President Chen Shui-bian's Democratic Progressive Party in 2000.

From isn at c4i.org Tue May 11 01:49:58 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 11 02:07:39 2004
Subject: [ISN] Experts: Timing of new Sasser worm raises questions
Message-ID:

http://www.nwfusion.com/news/2004/0510expertimin.html

By Paul Roberts
IDG News Service
05/10/04

The release of a new version of the Sasser worm calls into question claims by some German authorities that they have the sole author of the worm in custody, according to anti-virus experts.

A new version of the Sasser worm, dubbed Sasser-E, appeared late Friday, around the time police arrested an 18-year-old man they said was the author of all the Sasser variants and of the Netsky worm. While it is possible that the teenager released the worm just before being captured, the close timing and clues from earlier Sasser variants may point to a larger network of virus writers outside of Germany, said Mikko Hyppönen, anti-virus research manager at F-Secure in Finland.

On Friday, German police in Lower Saxony arrested the man and charged him with creating Sasser, which appeared on May 1, and three variants that appeared in subsequent days.

The arrest of the man, who has not officially been identified, followed a tip to Microsoft Deutschland from individuals who asked about the possibility of receiving a reward in exchange for information about the creator of the Sasser worm, said Brad Smith, senior vice president and general counsel at Microsoft, in a statement.

On Monday, the Associated Press quoted Frank Federau, a spokesman for the state criminal office in Hanover, Germany, saying the teenager likely programmed Sasser-E "immediately before his discovery."

Microsoft believes that the man arrested made Sasser-E, like the other variants, and released it almost simultaneously with his arrest, according to Smith.
"It's our understanding that the police have arrested the individual responsible for Sasser-E and the four previous variants," he said. Microsoft is basing that position on statements from German authorities and from the ongoing investigation of Sasser and Netsky, he said.

Anti-virus experts say that scenario is possible, but not likely. "It's... possible it was released by the guy they arrested... but he would have to have released it just before he got arrested, 15 minutes before the police knocked on his door," Hyppönen said.

However, the timing of the release and tidbits of information gleaned from earlier Sasser worms suggest that others may be involved with the Sasser and Netsky worms, Hyppönen said. F-Secure learned of Sasser-E 10 hours after the arrest of the suspect, but knows of earlier reports that put the first appearance of the worm around three hours and forty-five minutes after his arrest, according to information on the F-Secure Web site. Three hours is still a long time for a worm to circulate on the Internet without being spotted. Unless even earlier reports of the worm turn up, that time lag could cast doubt on claims that the man arrested Friday is the sole author of Sasser, Hyppönen said.

"It's... possible that somebody else released (Sasser-E) as proof that (the German man) is not the only guy, or that this guy has written some versions of Sasser but not all, or that he's admitting guilt to protect someone else," he said.

Symantec didn't receive a copy of Sasser-E until 1 a.m. Pacific Time on Sunday morning, almost two days after the arrest. The company is still analyzing data from its worldwide DeepSight Alert network of sensors to spot the first appearance of the worm, said Oliver Friedrichs, senior manager of Symantec Security Response. The company doesn't have enough information to say whether there are multiple authors behind the Sasser worms.
However, prior to the arrest Friday, the sheer number of variants produced of both worms led Symantec to suspect a virus writing group was behind Sasser and Netsky, he said. F-Secure researchers also assumed there was a group at work, probably based in Russia, Hyppönen said. "We were surprised that it was one guy and that it was not in Russia," he said.

Comments hidden in previous versions of Netsky and Sasser included references to the Czech Republic and Russia, as well as a "crew" of authors. Some parts of the Netsky worm code also contain comments in Russian, Hyppönen said. "If they didn't speak Russian, they at least took some lessons before inserting the comments in there," he said.

The evolution of the Netsky worm from version to version also suggests the work of more than one author, he said. "The way the secondary functions of the virus changed. In the beginning it just killed installations of Mydoom and Bagle, then it slowly changed to launch DDOS (distributed denial of service attacks) against peer-to-peer and (software) cracking sites," he said.

The changes could reflect the input and interests of different contributors, just as the Blaster worm was modified by others, neither of them the original author, resulting in the arrests of two men: Jeffrey Parsons, a teenager from Hopkins, Minn., in August 2003 for Blaster-B and Dan Dumitru Ciobanu, a 24-year-old from Romania who was charged with releasing the Blaster-F worm in September, he said.

The German man's confession to police and reports that police found the Sasser source code on his computer are certainly persuasive that the man was involved with the worm's creation and release, but not conclusive that he was the only person responsible for Netsky and Sasser, Hyppönen said. "I wouldn't be surprised at all if there turns out to be someone else -- a third party," he said.

Microsoft is continuing its investigation of Sasser, and doesn't discount the possibility of others being involved, Smith said.
"Obviously, information is shared all the time among individuals on the Internet," he said. "We're not in a position to comment who had access to (the Sasser) information or participated in the spread of it," he said.

Despite the arrests, questions remain, Smith said. "There are things we don't know, such as who put the comments in -- was it a single individual or someone else? What was that person's motivation?"

More arrests are possible, but Microsoft believes that the German police got their man on Friday, he said. "It's always possible that (the investigation) will lead to other individuals, but I don't believe those will be individuals who authored the variants or launched the initial (worm) distribution," he said.

If the man arrested on Friday really is the only author, it will be a huge relief to anti-virus experts like Hyppönen, who have been working overtime in recent months to keep up with the barrage of new worm variants. "If the guy really confessed to writing Netsky and Sasser and that's true, then the worm releases should stop right there, and that's excellent," he said.

From isn at c4i.org Tue May 11 01:50:23 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 11 02:07:40 2004
Subject: [ISN] Book review: Security Warrior by Cyrus Peikari & Anton Chuvakin
Message-ID:

Forwarded from: security curmudgeon

http://www.powells.com/cgi-bin/partner?partner_id=28327&cgi=product&isbn=0-596-00545-8

Security Warrior
Cyrus Peikari & Anton Chuvakin
Paperback - 581 pages (January, 2004)
$44.95 - O'Reilly
ISBN: 0-596-00545-8

Security Warrior is one of the latest books that attempts to cover hacking and security information in a way that appeals to all levels of the field. Most books of this nature will present a wide variety of concepts and technologies that fall under the "security" blanket. These topics usually include an introduction to security, networking, reconnaissance, social engineering, attack and defense.
As with most professions, attempting to disclose the ins and outs in a comprehensive manner would take volumes of information and could never be summed up in a single book.

Breaking away from the mold, Security Warrior stands out in a crowd of security books by delving into the world of software cracking through reverse engineering. While this is not a skillset many security personnel use or know, it can be a very handy skill to have. Peikari and Chuvakin spend almost one third of the book on reverse engineering by providing detailed explanations, real world examples and even exercises to test your ability to break past software that restricts your access to a program on your own computer. While the skill of reverse engineering is useful, it is also fairly intensive and requires a solid programming knowledge. The extensive use of program source code in the book can get a bit overdone, as most people reading the book will either already understand it and find no use for it typed out in a book, or find themselves lost after the second line.

The next major section covers the basics of networking and reconnaissance as they relate to security testing. After a brief outline of TCP/IP and other protocols that make this big Internet thingy work, they immediately dive into the art of Social Engineering before going back to network recon, OS fingerprinting and hiding your attacks. While this information is all valuable, the sudden turn to Social Engineering in the middle of technical network attacks is disjointed to say the least.

Once you have identified your targets via network recon, the next step is to figure out what specific platform attacks may work for you. Unfortunately, you need to read the chapter on Unix defense before Unix attacks in this book. While the order of the chapters is a minor nuisance, the authors' consistency is a tad annoying. After learning about Unix defense and attack, you then get treated to Windows Client Attacks and Windows Server Attacks.
Apparently, the chapter on Windows defense got left on the cutting room floor. Even more odd is the next chapter on SOAP XML Web Services Security followed by the SQL Injection attack chapter. While these are all well written chapters that convey the information very cleanly, the order and choice of topics is very messy.

The last section covers Advanced Defense and goes into audit trails, intrusion detection, honeypots, incident response and forensics. Each chapter receives a good share of attention and falls back into an orderly fashion for dispensing the details of each technology. This material is a solid conclusion to a book that has a place in the security professional's library. For someone just entering the security circle, this book will be a rough start.

From isn at c4i.org Tue May 11 01:50:11 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 11 02:07:41 2004
Subject: [ISN] Spec in Works to Secure Wireless Networks
Message-ID:

http://www.eweek.com/article2/0,1759,1590243,00.asp

By Mark Hachman
May 10, 2004

The Trusted Computing Group said Monday that it is working on a specification to ensure that wireless clients connecting to a network won't serve as a back door to worms and crackers.

Officials within the TCG, based in Portland, Ore., said the industry standards body is developing a "Trusted Network Connect" specification, designed to audit wireless-enabled PCs when they first make contact with an enterprise's wireless network. The specification will be finalized later this year, said officials from the group, which comprises computer and device manufacturers, software vendors and others.

Although a client or customer connecting to an enterprise network may not overtly be seeking to do harm, the laptop may in fact hide an unpatched system that could serve as an unexpected back door into an otherwise secure system.
Likewise, a network administrator cannot be sure whether a laptop hides a worm that might otherwise have been blocked by a wired firewall.

When completed, the specification will serve as a means by which network security and network infrastructure vendors can ensure a level of compliance with the best practices of network security, executives said. The spec will improve AAA (authentication, authorization and accounting) software's ability to make a decision before allowing admission to the system, said Ned Smith, the TCG infrastructure working groups' co-chairman and an architect at Intel Corp. in Santa Clara, Calif.

"It's a proactive approach to security," Smith said. The specification was designed with wireless clients in mind, although it also may be applied to wired networks, he said.

The specification will specify a level of trust for network endpoints, characterized by the version number of specific applications; whether those applications have been patched; and whether those OSes and applications are free from viruses, as defined by the revision numbers of the signature libraries used within antivirus applications. If a client fails to meet those specifications, the Trusted Network Connect specification will define a process by which the client is quarantined until the appropriate patches and antivirus tools have been applied.

The TCG is more commonly known for its Trusted Platform Module (TPM) specification, which defines the parameters for a security chip that can be embedded onto a PC's motherboard. The TPM is designed to work with the upcoming Next-Generation Secure Computing Base (NGSCB) technology in Microsoft Corp.'s Longhorn OS and other trusted operating systems to ensure that data is viewed only by the appropriate users.

"Part of what's interesting to the TCG is linking identity-based platform authorization to the network connect decision," Smith said.
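The admission decision the article describes, reduced to code: an endpoint reports application versions, installed patches and its antivirus signature revision, and the policy admits it or quarantines it with a remediation list. This is an added illustration, not TCG code or the specification itself; the policy, the version numbers, the signature revisions and the posture values are constructed (MS04-011 is the patch discussed elsewhere in this digest).

```python
"""
Admission decision on reported endpoint posture, modelled on the Trusted Network
Connect idea described above. Added example, not TCG code or the real spec; the
policy, version numbers, signature revisions and postures are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.1.1' -> (5, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Policy:
    min_app_versions: Dict[str, str]   # application -> lowest acceptable version
    required_patches: List[str]        # patches that must be installed
    min_av_signature: str              # lowest acceptable AV signature revision


@dataclass
class Posture:
    """What the endpoint reports about itself at connect time."""
    app_versions: Dict[str, str]
    installed_patches: List[str]
    av_signature: str


@dataclass
class Decision:
    action: str                        # "admit" or "quarantine"
    findings: List[str] = field(default_factory=list)


def evaluate(posture: Posture, policy: Policy) -> Decision:
    """Admit only when every policy item is satisfied; otherwise quarantine and
    list what needs fixing. Anything the endpoint fails to report counts as a
    failure (fail closed). The posture is self-reported unless the platform
    attests it; the article's note on tying platform identity to the connect
    decision is about closing that gap."""
    findings: List[str] = []
    for app, minimum in policy.min_app_versions.items():
        have = posture.app_versions.get(app)
        if have is None:
            findings.append(f"{app}: version not reported")
        elif parse_version(have) < parse_version(minimum):
            findings.append(f"{app}: {have} is below required {minimum}")
    for patch in policy.required_patches:
        if patch not in posture.installed_patches:
            findings.append(f"missing patch {patch}")
    if parse_version(posture.av_signature) < parse_version(policy.min_av_signature):
        findings.append(
            f"antivirus signatures {posture.av_signature} older than "
            f"{policy.min_av_signature}")
    return Decision("admit" if not findings else "quarantine", findings)


# Constructed policy and postures for the example run.
POLICY = Policy(
    min_app_versions={"antivirus": "8.0", "firewall": "5.1.1"},
    required_patches=["MS04-011"],
    min_av_signature="2004.05.10",
)

CLEAN_LAPTOP = Posture(
    app_versions={"antivirus": "8.1", "firewall": "5.1.1"},
    installed_patches=["MS04-011"],
    av_signature="2004.05.12",
)

STALE_LAPTOP = Posture(
    app_versions={"antivirus": "8.1"},    # firewall version not reported
    installed_patches=[],                 # MS04-011 missing
    av_signature="2004.04.30",            # signatures out of date
)

if __name__ == "__main__":
    for name, posture in (("clean", CLEAN_LAPTOP), ("stale", STALE_LAPTOP)):
        decision = evaluate(posture, POLICY)
        print(name, "->", decision.action, decision.findings)
```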
Extreme Networks, Foundry Networks Inc., Funk Software Inc., InfoExpress Inc., Juniper Networks Inc., Meetinghouse Data Communications, Network Associates Inc., Sygate Inc., Symantec Corp., Trend Micro Inc. and Zone Labs Inc. have joined TCG to participate in this effort. TCG members Hewlett-Packard Co., Intel Corp., Verisign Inc. and others are also participating.

From isn at c4i.org Thu May 13 05:47:52 2004
From: isn at c4i.org (InfoSec News)
Date: Thu May 13 06:01:35 2004
Subject: [ISN] FBI Investigating Cyber-extortion
Message-ID:

http://thewhir.com/marketwatch/fbi051004.cfm

May 10, 2004
WEB HOST INDUSTRY REVIEW

The FBI is investigating the claims of a Kentucky business owner who appears to have been the target of a cyber-extortion, according to the Associated Press.

Jay Broder, the owner of CSI Mid-South, also known as Card Solutions International, claimed his company's Web site (authorizeit.com) went down for about a week after he refused to pay $10,000 to the sender of the email extortion threat. The email threatened to cripple the site if the money was not sent. Broder said in the report that he thought the threats were idle and believed the emails to be spam. He said he is not aware of any reason why he would be targeted.

The alleged attack, unleashed a few hours after Broder received a second threatening email, was a distributed denial of service attack (DDoS), an assault that overloads a system with a flood of incoming messages forcing it to shut down.

According to the Courier-Journal, CSI Mid-South's Web site is hosted with Boston-based Web hosting provider Hosting.com (hosting.com), who did not return requests for comment. Broder said the attacks stopped when he switched Web hosting providers and got a new IP address.

Card Solutions International processes credit card payments online.
From isn at c4i.org Thu May 13 05:48:35 2004
From: isn at c4i.org (InfoSec News)
Date: Thu May 13 06:01:37 2004
Subject: [ISN] Security UPDATE--Patrolling Wireless Networks--May 12, 2004
Message-ID:

====================

==== This Issue Sponsored By ====

CipherTrust
http://list.winnetmag.com/cgi-bin3/DM/y/efqP0CJgSH0CBw0BHFc0AK

Exchange & Outlook Administrator
http://list.winnetmag.com/cgi-bin3/DM/y/efqP0CJgSH0CBw0BEf10Ax

====================

1. In Focus: Patrolling Wireless Networks

2. Security News and Features
- Recent Security Vulnerabilities
- News: Time to Patch Quicktime, iTunes, Mac OS X, and Panther
- Update: Problems with Microsoft's Patch MS04-011

3. Security Toolkit
- FAQ
- Featured Thread

4. New and Improved
- Firewall Gets Faster and Easier

====================

==== Sponsor: CipherTrust ====

Corporations are experiencing spam levels in excess of 60% of their total email volume. The effect of this volume on productivity, bandwidth and storage is significant and costly. But these are not the only effects. Spam now presents a serious threat to security with implications for network integrity and legal liability. In this white paper, you'll learn about the security threat presented by spam, as well as valuable insight into spammer methods and techniques, all from the experts in anti-spam and email security at CipherTrust. Take action now to secure your networks against spam!
http://list.winnetmag.com/cgi-bin3/DM/y/efqP0CJgSH0CBw0BHFc0AK

====================

==== 1. In Focus: Patrolling Wireless Networks ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

The Sasser worm basically fizzled, and I think that so far, its variants are little more than a nuisance. But that could change in the future. We'll have to wait and see. In any event, it's a certainty that someone with misconnected neurons will unleash yet another worm on the unsuspecting public before people have had time to install the most recent patches and fix any problems with them.
Gee, I can hardly wait.

In the meantime, other matters need attending to. For example, what's the state of your wireless security? If you subscribe to "Windows & .NET Magazine," you've probably received the May issue, which includes "A Secure Wireless Network Is Possible," an informative article by Randy Franklin Smith. Subscribers can also read the article at the URL below.

In the article, Smith points out that, "Wireless networks can be secure if you use the right technologies. To add a secure wireless network to an existing Windows network, all you need to do is install one or more 802.1x-compliant wireless Access Points (APs) and one computer running Windows Server 2003. The Windows 2003 server will facilitate 802.1x authentication between your wireless clients and your existing Windows network. Your users will be able to gain access to your wireless network simply by using their existing Windows user accounts."
http://www.winnetmag.com/windows/article/articleid/42273/42273.html

If you have wireless equipment and Windows Server 2003, consider implementing the suggestions in the article. Also consider what might happen if someone plugs in a wireless AP without your knowledge or someone (inadvertently or not) configures his or her wireless network card to operate in ad-hoc mode. In either case, your network would suddenly gain a security hole that you might not want to leave open. Another problem arises when unwanted wireless clients come within broadcast range of your wireless gear.

Solutions are available to monitor the airwaves against unwanted access points and unknown wireless clients, a few of which are AirDefense, AirMagnet, and Red-M's Red-Detect. These are hardware-based solutions that can quickly identify broadcasting APs and clients, help prevent unwanted wireless connectivity, detect various types of wireless network attacks, and more. I'm in the process of reviewing these three products for an upcoming edition of "Windows & .NET Magazine."
I wonder if you use one of these solutions or maybe another solution? If so, I'm interested in learning what you think about it and what your experiences have been to date. Please send me an email with your detailed thoughts about these products or whichever solution you might use. And please prefix your message subject with "WIFI:" so that I can more easily find your responses among the junk mail.

====================

==== Sponsor: Exchange & Outlook Administrator ====

Try a Sample Issue of Exchange & Outlook Administrator!
If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, and secure Exchange and Outlook. Order now!
http://list.winnetmag.com/cgi-bin3/DM/y/efqP0CJgSH0CBw0BEf10Ax

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.winnetmag.com/departments/departmentid/752/752.html

News: Time to Patch Quicktime, iTunes, Mac OS X, and Panther
If you use Quicktime or iTunes software on Windows or Apple systems or manage Apple desktops or servers, you might want to load the latest patches.
http://www.winnetmag.com/article/articleid/42586/42586.html

Update: Problems with Microsoft's Patch MS04-011
Last week, I wrote about the Microsoft article "Your computer stops responding, you cannot log on to Windows, or your CPU usage for the System process approaches 100 percent after you install the security update that is described in Microsoft Security Bulletin MS04-011," http://support.microsoft.com/?kbid=841382 , released April 28.
Another Microsoft article, "MS04-011: Security Update for Microsoft Windows," http://support.microsoft.com/?kbid=835732 , was also released on April 28 and provides links to six articles (including article 841382) that pertain to problems administrators might encounter while trying to implement the MS04-011 patch.
http://www.winnetmag.com/article/articleid/42505/42505.html

====================

==== Announcements ====
(from Windows & .NET Magazine and its partners)

New--Small Servers for Small Businesses Web Seminar
Today a small business can be as agile as a large business by understanding which technology can be leveraged to create a centralized server environment. In this free Web seminar, you'll learn about the perils of peer-to-peer file sharing, backup and recovery, migration from desktop to servers, and Small Business Server basics. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/efqP0CJgSH0CBw0BH1G0AV

Get 2 Free Sample Issues of SQL Server Magazine!
SQL Server Magazine is a useful resource loaded with relevant information covering database modeling and design, performance tuning, security, ADO.NET, ASP.NET, XML, and the latest topics that SQL Server developers, administrators, and business-intelligence architects need to know. Try two (no-risk) sample issues today, and discover the timesaving qualities the magazine has to offer. Order now:
http://list.winnetmag.com/cgi-bin3/DM/y/efqP0CJgSH0CBw0BH6l0AD

Get Your Free Email Security Toolkit--Includes a Free Web Seminar, eBook, and White Paper!
You'll learn how to eliminate the top 5 email security threats including spam and viruses. Plus, get an inside look at how Enterprise Rent-A-Car reduced spam and viruses, improved its email security, and increased productivity. Don't miss your chance to get a free eBook, Web seminar, and white paper. Get your Email Security Toolkit now!
http://list.winnetmag.com/cgi-bin3/DM/y/efqP0CJgSH0CBw0BH1H0AW

==== 3. Security Toolkit ====

FAQ: Granting Necessary Permissions to AD for SMS 2003 Advanced Security Mode
by John Savill, http://www.winnetmag.com/windowsnt20002003faq

Q: How can I avoid errors when I create Active Directory (AD) containers on a server that runs Microsoft Systems Management Server (SMS) 2003 in Advanced Security Mode?

A. SMS 2003's Advanced Security Mode removes the requirement for multiple accounts and instead relies on the Local System and Computer accounts for all security-related actions (such as interacting with the file system and updating AD). The Computer account therefore needs permission to parts of AD when AD integration is enabled--specifically the System partition of the domain namespace. To grant this permission, perform the following steps:

1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in (click Start, Programs, Administrative Tools, Active Directory Users and Computers).
2. Click View, Advanced Features.
3. Select the System branch from the treeview pane.
4. Right-click the system container and select Properties.
5. On the Security tab, click Advanced.
6. Click Add.
7. Click Object Types and ensure that only the Computers check box is selected. Click OK.
8. In the "Enter the object name to select" text box, enter the name of the SMS site server. (Alternatively, you can click Advanced, then click Find Now and select the computer.) Click OK.
9. The set of permissions is displayed. Ensure that in the "Apply onto:" list box, only "This object and all child objects" is selected.
10. Under Permissions, select the "Full Control" check box under the Allow column. Click OK.
11. Click OK to close the main System Properties dialog box.

You must also ensure that the computer account of the SMS site server that uses Advanced Security Mode is a member of the local Administrators group. To add the account, run the command:

    net localgroup Administrators \$ /add

Featured Thread: Exchange--Outbound SMTP Fails
(One message in this thread)

A reader writes that his company's Microsoft Exchange 2000 Server is directly connected to the firewall; however, the company wants to route all Internet traffic through the Microsoft ISA Server system, which is configured to allow outbound and inbound SMTP traffic. The Exchange server is a Network Address Translation (NAT) secure client. The company has no problems with DNS resolution or inbound SMTP, but outbound SMTP doesn't work at all. Email messages sit queued in the Exchange SMTP connector. The reader looked at the ISA log files and saw that outbound SMTP sessions have a status of 13301, which means that the firewall policy denied the connection requests. He then installed the firewall client on his Exchange server and could send messages through the firewall. But as far as he knows, a firewall client can only function when a user is logged on to the system on which the client is installed, and he wants to know if that's true or if there's a way around that. Lend a hand or read the responses:
http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=120712

====================

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

New--From Chaos to Control: Using Service Management to Reclaim Your Life
Take control of your workday! If you're supporting 24 x 7 operations by working around the clock instead of 9 to 5, learn how you can benefit from a sound service management strategy. In this free Web seminar, you'll learn practical steps for implementing service management for your key Windows systems and applications. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/efqP0CJgSH0CBw0BH1I0AX

====================

==== 4. New and Improved ====
by Jason Bovberg, products@winnetmag.com

Firewall Gets Faster and Easier
Agnitum announced Outpost Firewall Pro 2.1, a new version of the company's firewall software that boasts enhanced speed and ease of use. Users now have increased control over filtering rules and can more easily customize the product. Agnitum has also simplified the upgrade process and hidden advanced features to ease operation for novice users. Visual alerts inform you about events that need your immediate attention; automatic news and plug-in announcements keep you up-to-date about the latest security news and updates from Agnitum. Outpost Firewall Pro 2.1 costs $39.95. For more information, or to download an evaluation copy, contact Agnitum at info@agnitum.com or on the Web.
http://www.agnitum.com

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com.
====================

==== Sponsored Links ====

Argent
Comparison Paper: The Argent Guardian Easily Beats Out MOM
http://list.winnetmag.com/cgi-bin3/DM/y/efqP0CJgSH0CBw0BDWV0AK

Microsoft(R) TechNet
Microsoft(R) TechNet Webcasts: essential guidance, industry experts
http://list.winnetmag.com/cgi-bin3/DM/y/efqP0CJgSH0CBw0BG360AF

====================

==== Contact Us ====

About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

====================

==== Contact Our Sponsors ====

Primary Sponsor:
CipherTrust -- http://www.ciphertrust.com -- 1-877-448-8625

====================

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you!

View the Windows & .NET Magazine privacy policy at
http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.
From isn at c4i.org Thu May 13 05:48:47 2004
From: isn at c4i.org (InfoSec News)
Date: Thu May 13 06:01:37 2004
Subject: [ISN] Crackers declare cyberwar on USA
Message-ID:

http://www.zone-h.org/en/news/read/id=4225/

Siegfried
www.zone-h.org admin
05/12/2004

Famous Brazilian newspapers have been informed that a new hacking group composed of worldwide individuals (from Brazil, China, Hong Kong and Russia) has declared cyberwar on the United States of America. Its name is Hackers Against America (HAA) and their web site is hosted on a Russian server.

According to what is written on the main page, they plan to integrate new members and launch attacks against computers based in the US (cracking some of them but also using worms and viruses) in order to steal private documents. Some samples of documents and codes are available on the web site, although they don't seem to be secret at all and are possible to find by using search engines.

Even if this threat appears to be tiny now, it is probably not a hoax and it could grow in the future; just keep an eye on it.

Siegfried
www.zone-h.org admin

João Magalhães from www.estadao.com.br contributed to this article

From isn at c4i.org Thu May 13 05:49:38 2004
From: isn at c4i.org (InfoSec News)
Date: Thu May 13 06:01:38 2004
Subject: [ISN] Phatbot arrest throws open trade in zombie PCs
Message-ID:

http://www.theregister.co.uk/2004/05/12/phatbot_zombie_trade/

By John Leyden
Published 12th May 2004

The arrest of the suspected author of the Phatbot Trojan could lead to valuable clues about the illicit trade in zombie PCs.

The arrest of the alleged Phatbot perp was overshadowed by the unmasking of the admitted Sasser author, Sven Jaschan. But the Phatbot case may shed the most light into the dark recesses of the computer underground. Phatbot is much less common than NetSky but is linked much more closely with the trade in compromised PCs to send spam or for other nefarious purposes.
Viruses such as My-Doom and Bagle (and Trojans such as Phatbot) surrender the control of infected PCs to hackers. This expanding network of infected, zombie PCs can be used either for spam distribution or as platforms for DDoS attacks, such as those that many online bookies have suffered in recent months. By using compromised machines - instead of open mail relays or unscrupulous hosts - spammers can bypass IP address blacklists.

Phatbot has been used to spam, steal information or perform DDoS attacks, according to Mikko Hyppönen, director of anti-virus research at F-Secure. "You could do anything you wanted with it," he said.

Phatbot is a variant of Agobot, a big family of IRC bots. Hyppönen said people were selling tailor-made versions of the bot for various illegal purposes.

NetSky also contains a backdoor component but this was designed only to upgrade malicious code: it is not a conscious attempt by its designer to turn compromised PCs into spam zombies, Hyppönen says.

Alex Shipp of MessageLabs said hackers were still able to seize machines compromised by NetSky but he agreed with Hyppönen that worms such as Bagle and MyDoom, and Trojans like Phatbot, are far more commonly used in zombie spam networks.

As reported last month, networks of compromised hosts (BotNets) are commonly traded between virus writers, spammers and middlemen over IRC networks. The price of these BotNets (DoSNets) was roughly $500 for 10,000 hosts last Summer when MyDoom and Blaster (the RPC exploit worm) first appeared on the scene. "I have no doubt it's doubled since then as hosts are cleaned and secured," Andrew Kirch, a security admin at the Abusive Hosts Blocking List told El Reg. By his reckoning, non-exclusive access to compromised PCs sells for about 10 cents a throw.

An unnamed 21 year-old man from the southern German state of Baden-Wuerttemberg was arrested last Friday on suspicion of creating the Agobot and Phatbot Trojans. He is yet to be formally charged.
From isn at c4i.org Thu May 13 05:49:49 2004
From: isn at c4i.org (InfoSec News)
Date: Thu May 13 06:01:39 2004
Subject: [ISN] Multiple Vulnerabilities Found in Symantec Client Products
Message-ID:

http://www.eweek.com/article2/0,1759,1591504,00.asp

By Larry Seltzer
May 12, 2004

Symantec has acknowledged several serious bugs in several of its client security products in both corporate and consumer editions. The problems, reported to Symantec Corp. by eEye Digital Security, involve several functions of the products but one specific file, SYMDNS.SYS. Symantec has provided a brief description, stating that fixes for all of the problems are available through its LiveUpdate and technical-support channels.

Products affected include Symantec Client Firewall versions 5.0.0 through 5.1.1; Symantec Client Security 1.0.0, 1.1.0 and 2.0.0; Norton AntiSpam 2004; Norton Internet Security 2002 through 2004; and Norton Internet Security Professional Edition 2002 through 2004.

DNS response is one of the functions listed as having such an error. A malicious response to a DNS request could cause the program to fail or alter the flow of the program. There are also errors in the processing of NetBIOS Name Service responses that could allow remote code execution or denial of service. Since NetBIOS is not a routable protocol, such attacks would have to come from within a network segment.

From isn at c4i.org Fri May 14 04:40:37 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 14 05:04:07 2004
Subject: [ISN] The ease of (ab)using X11, Part 1
Message-ID:

+------------------------------------------------------------------+
| Linux Security: Tips, Tricks, and Hackery               13-May-2004 |
| Published by Onsight, Inc.                                  Edition |
|                                                                     |
| http://www.hackinglinuxexposed.com/articles/20040513.html           |
+------------------------------------------------------------------+

This issue sponsored by ... you. Interested in sponsoring the Linux Security: Tips, Tricks, and Hackery newsletter? Just drop us a line.
Special low low rates ($0) are available for worthy Open Source projects and companies that stand up to the DMCA, IP abuses, and fight for our online freedoms.

--------------------------------------------------------------------

The ease of (ab)using X11, Part 1
By Brian Hatch

Summary:
X11 is the protocol that underlies your graphical desktop environment, and you need to be aware of its security model.

------

A friend of mine decided to finally get a computer recently. He's one of those people who is very bright, he just didn't have the need for one before.[1] Being a very intelligent and worldly guy, he naturally wanted a Linux box. After a few months of hardware problems[2] we installed Knoppix to the hard drive. Knoppix is a bootable CD distribution based on Debian and has the best hardware auto configuration out there. Plus, it's based on Debian, a huge plus in my book.

After getting everything set up for him, configuring Mozilla, twiddling his desktop, etc., he took it home. Naturally, being a new user, some mistakes were made, and the technical support desk (read: me) was called in.

So here's the first problem: they turn their computer off at night, making it much harder for me to troubleshoot it at 3am. I wanted a quick way to leave them a note to tell them I'm planning on working on it that evening. Since email was the thing that was broken, I didn't want to send email, and I didn't want to wake up their kid by calling. Seemed the easiest thing to do would be to just plop a message up on their screen.

Here's where we get into the X11 security model.[3]

X11 is the engine of whatever graphical user environment you have. For example, Gnome, KDE, IceWM, fluxbox, sawfish, are all window managers that live on top of X11, and help decide what the borders of windows look like, how they're iconified, and the like.
Your applications, like Mozilla, terminals, the Gimp, are all X11 applications - they create windows and get input from user keys and mouse movements by interacting with the underlying X11 library routines.

The X11 server has an amazingly simplistic and abusable security model. In modern installations, there are only two things you need to know to be able to connect to the X11 server:

DISPLAY

The Display number is typically something like :0 or :1, which mean "the first X11 display on the local machine" and "the second X11 display on the local machine" respectively. The display is stored in the environment variable DISPLAY, and any X11 application uses this variable to determine how to contact the X11 server and show its windows when it starts up.

If your X11 server is listening on the network, then people can contact it from outside your computer. The first display :0 lives on port 6000, the second on 6001, etc:

  $ netstat -natp |grep :600
  tcp   0   0 0.0.0.0:6000   0.0.0.0:*   LISTEN   1029/X11

Here we see that X11 (process 1029) is listening on port 6000. A remote machine can attempt to connect and use this server. Not all X11 servers listen on the network by default any more -- this is a very good thing.

The server also will listen on a unix socket, which is equivalent to a TCP port except it's available via a file on the local machine. Processes can connect to it only if they are on this machine, which makes this avenue unavailable from outside machines. If my DISPLAY variable is set to :0, then the underlying X11 calls in my applications will find the appropriate socket on their own. For example on this Knoppix box, it keeps the socket in the /tmp directory:

  $ ls -l /tmp/.X11-unix/
  srwxrwxrwx  1 root  root  0 Jan 21 11:51 /tmp/.X11-unix/X0

X11 Magic Cookie

Once a client (be it local or remote) is able to connect to an X11 server, any modern X11 server will require that the client application prove it's authorized to connect.
When the server is started, it has a list of xauth(1) cookies (random strings) that are authorized -- if the client can provide one of them, then the connection is allowed, else it's dropped. These cookies are stored in your home directory, and can be viewed using the xauth(1) program:

  $ cd $HOME
  $ ls -l .Xauthority
  -rw-------  1 fernando  twins  152 Jan 21 11:52 /home/fernando/.Xauthority
  $ xauth list
  dingo/unix:10  MIT-MAGIC-COOKIE-1  566e1128ce92a0126587cf30f4e19815
  dingo/unix:0  MIT-MAGIC-COOKIE-1  d506c80eb23511a2c28ce9242810c132
  dingo:0  MIT-MAGIC-COOKIE-1  d506c80eb23511a2c28ce9242810c132

So remember, the goal is to put something on his screen, even though I'm sitting across the city connected via SSH. After logging in and becoming root (I'll need that later), let's set my DISPLAY variable. Using ls in /tmp/.X11-unix, or netstat I can easily determine that he's running on screen #0, which is not a surprise at all.

  # DISPLAY=:0
  # export DISPLAY

Now I need to get access to his magic cookies. Since I'm root, I can read all files on the filesystem, so I just need to let the underlying X11 calls know where "my" .Xauthority file lives:

  # xauth list
  xauth:  creating new authority file /root/.Xauthority
  # XAUTHORITY=/home/fernando/.Xauthority
  # export XAUTHORITY
  # xauth list
  dingo/unix:10  MIT-MAGIC-COOKIE-1  566e1128ce92a0126587cf30f4e19815
  dingo/unix:0  MIT-MAGIC-COOKIE-1  d506c80eb23511a2c28ce9242810c132
  dingo:0  MIT-MAGIC-COOKIE-1  d506c80eb23511a2c28ce9242810c132

Bingo! Now xauth, and by extension all X11 applications, will use that .Xauthority file. I should now have access to his X11 server. Indeed, if I run xclock from the command line, it just sits there, rather than complaining about being unable to connect to the screen and exiting, so I assume it's working.

So, I whip up a quick shell script to let me show a file to him on an xterm so I can leave him notes on the screen.
I'm sure there's a good program for this sort of thing already, so if anyone knows what it is let me know. Here's my terribly boring shell script.

  # cat shownote
  #!/bin/sh
  # shownote: display a text file in a new xterm on the current DISPLAY.
  # Run with one argument it detaches an xterm that runs this same script
  # again; the extra argument "blah" just marks that inner run.
  if [ "$#" -gt 2 ] || [ -z "$1" ] ; then
      echo "Usage: $0 filename" >&2
      exit 1
  fi
  if [ -z "$2" ] ; then
      # Outer run: hand off to an xterm and return to the caller
      nohup xterm -e "$0" "$1" blah >/dev/null 2>&1 &
      exit
  fi
  # Inner run (inside the xterm): show the note, keep the window up for a day
  cat "$1"
  sleep 1d

  # shownote /tmp/dont_turn_machine_off.txt &

It takes a filename, and then opens an xterm that shows that file in it via cat. Simplistic but easy.

The key here is that I should not be allowed to show things on his X11 server -- if I can, I can do other nastier things. Next time, we'll see some of the more interesting things that are possible. If you have favourites in your arsenal, let me know and I'll try to include them!

NOTES:

[1] To some of us, having a computer is a need, just like breathing. Sometimes breathing is run at a higher nice(1)ness level, for that matter.

[2] Damned be to Microtel!

[3] You didn't think I was going to just ramble on the whole time, did you?

-------------

Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He looks back on his college days of playing xtank at 3am and wonders "Did anyone steal my passwords when we all ran 'xhost +'?" Brian can be reached at brian@hackinglinuxexposed.com.

--------------------------------------------------------------------

This newsletter is distributed by Onsight, Inc.

The list is managed with MailMan (http://www.list.org). You can subscribe, unsubscribe, or change your password by visiting http://lists.onsight.com/ or by sending email to linux_security-request@lists.onsight.com.

Archives of this and previous newsletters are available at http://www.hackinglinuxexposed.com/articles/

--------------------------------------------------------------------

Copyright 2004, Brian Hatch.
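The two things the article says a client needs, a DISPLAY and a cookie from ~/.Xauthority, can be inspected without xauth. The following Python is an added example, not part of Brian's newsletter: it maps a DISPLAY value to the endpoint a client contacts (the /tmp/.X11-unix/X0 socket and port 6000+N from the article), parses the binary .Xauthority format that `xauth list` prints (a uint16 family plus four length-prefixed fields, the libXau layout), and checks that the cookie file is not readable by other users. The sample .Xauthority bytes are constructed here from the cookies shown in the article.

```python
"""Added example (not from the newsletter): inspect DISPLAY and ~/.Xauthority."""
import os
import stat
import struct
from typing import List, NamedTuple, Tuple

# Address families used in .Xauthority entries (values from Xauth.h)
FAMILY_INTERNET = 0
FAMILY_LOCAL = 256      # shown by `xauth list` as host/unix:N
FAMILY_WILD = 65535     # shown as *, matches any host


class XauthEntry(NamedTuple):
    family: int
    address: bytes
    number: str
    name: str
    data: bytes


def display_endpoint(display: str) -> Tuple[str, str, int]:
    """Map a DISPLAY value to the endpoint an X client would contact:
    ':0' or 'unix:0' -> ('unix', '/tmp/.X11-unix/X0', 0)   (socket path)
    'dingo:1'        -> ('tcp', 'dingo', 6001)              (6000 + display)
    A trailing '.screen' is ignored, as X clients do."""
    host, sep, rest = display.rpartition(":")
    if not sep or not rest:
        raise ValueError("DISPLAY must look like [host]:number[.screen]")
    number = int(rest.split(".")[0])
    if host in ("", "unix"):
        return ("unix", "/tmp/.X11-unix/X%d" % number, 0)
    return ("tcp", host, 6000 + number)


def _read_field(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one length-prefixed field (uint16 big-endian length + bytes)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated .Xauthority entry")
    (length,) = struct.unpack(">H", buf[pos:pos + 2])
    pos += 2
    if pos + length > len(buf):
        raise ValueError("truncated .Xauthority entry")
    return buf[pos:pos + length], pos + length


def parse_xauthority(buf: bytes) -> List[XauthEntry]:
    """Parse the binary ~/.Xauthority format: each entry is a uint16 family
    followed by address, display number, auth name and auth data fields."""
    entries = []
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated .Xauthority entry")
        (family,) = struct.unpack(">H", buf[pos:pos + 2])
        pos += 2
        address, pos = _read_field(buf, pos)
        number, pos = _read_field(buf, pos)
        name, pos = _read_field(buf, pos)
        data, pos = _read_field(buf, pos)
        entries.append(XauthEntry(family, address, number.decode(),
                                  name.decode(), data))
    return entries


def format_entry(e: XauthEntry) -> str:
    """Render an entry the way `xauth list` prints it."""
    if e.family == FAMILY_LOCAL:
        host = e.address.decode() + "/unix"
    elif e.family == FAMILY_WILD:
        host = "*"
    elif e.family == FAMILY_INTERNET and len(e.address) == 4:
        host = ".".join(str(b) for b in e.address)
    else:
        host = e.address.decode(errors="replace")
    return "%s:%s  %s  %s" % (host, e.number, e.name, e.data.hex())


def build_entry(family: int, address: bytes, number: str,
                name: str, data: bytes) -> bytes:
    """Serialise one entry; used below only to construct sample input."""
    out = struct.pack(">H", family)
    for field in (address, number.encode(), name.encode(), data):
        out += struct.pack(">H", len(field)) + field
    return out


def permissions_ok(path: str) -> bool:
    """The cookie file must not be group/world readable: anyone who can read
    it can present the cookie, which is exactly what the article relies on."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Constructed sample that mirrors the `xauth list` output in the article.
COOKIE_0 = bytes.fromhex("d506c80eb23511a2c28ce9242810c132")
COOKIE_10 = bytes.fromhex("566e1128ce92a0126587cf30f4e19815")
SAMPLE_XAUTHORITY = (
    build_entry(FAMILY_LOCAL, b"dingo", "10", "MIT-MAGIC-COOKIE-1", COOKIE_10)
    + build_entry(FAMILY_LOCAL, b"dingo", "0", "MIT-MAGIC-COOKIE-1", COOKIE_0)
)
```

To audit a real account, read `os.path.expanduser("~/.Xauthority")` into `parse_xauthority` and pass the same path to `permissions_ok`; a `tcp` result from `display_endpoint` means the client will go over the network, which is the listening case the article warns about.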
From isn at c4i.org Fri May 14 04:40:53 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 14 05:04:08 2004
Subject: [ISN] Worm feeds on Sasser-infected computers
Message-ID:

http://news.com.com/2100-7349_3-5212284.html

By Robert Lemos
Staff Writer
CNET News.com
May 13, 2004

Computers compromised by the Sasser worm may be vulnerable to a scavenging program that exploits a flaw in the software left behind by the worm, a security researcher said Thursday.

The worm--dubbed Dabber--has started spreading to Microsoft Windows systems, but likely won't have a large impact, said Joe Stewart, senior security researcher with network protection firm Lurhq. "It is not going to be a big problem for anyone that is paying any attention at all to computer security," he said. "If somebody does get it, they probably already have Sasser and, most likely, Agobot as well."

Dabber is not the first worm to exploit back doors into compromised systems left behind by previous attackers. Two worms, Doomjuice and Deadhat, infected systems already compromised with the MyDoom virus. However, Dabber may be the first worm to attack systems using a flaw in a previous malicious program.

In this case, the file transfer protocol (FTP) server installed by Sasser to enable the worm to transfer itself to new hosts has a buffer-overflow vulnerability. Dabber uses that security flaw to spread to the new machine.

Once it copies itself to a new host, the worm will change the system settings so that the operating system runs the malicious program every time it starts up. Dabber will also attempt to block other worms, which may have infected the machine, from running. Finally, the worm will establish a back door into the software to allow knowledgeable attackers to take control of the system.

The scavenging worm arrives as German police are investigating more leads in the Sasser case.
Already, the suspected author has been arrested in that country, based on information leaked to Microsoft by informants interested in reward money.

From isn at c4i.org Fri May 14 04:41:08 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 14 05:04:09 2004
Subject: [ISN] Students warn of hacking threat
Message-ID:

http://www.thecouriermail.news.com.au/common/story_page/0,5936,9553516%255E8362,00.html

Tess Livingstone
higher education editor
14th May 2004

THREE Brisbane university students have discovered a major flaw in wireless network technology that means hackers can bring down critical infrastructure in as little as five seconds [1].

The finding, which is likely to have worldwide ramifications, was identified by the Queensland University of Technology's Information Security Research Centre.

Wireless technology is booming in popularity because it allows for access to the Internet without the need for cables and it is also used in some countries - but not Australia - to control infrastructure such as railways and electricity.

Associate Professor Mark Looi, the deputy head of QUT's School of Software Engineering and Data Communications, said the discovery should send a warning to government and industry worldwide.

"Any organisation that continues to use the standard wireless technology (IEEE 802.11b) to operate critical infrastructure could be considered negligent," Professor Looi said. "This wireless technology should not be used for any critical applications, as the results could potentially be very serious."

Professor Looi's PhD students Christian Wullems, Kevin Tham and Jason Smith discovered the flaw while investigating mechanisms for defending wireless devices against hackers.

Mr Wullems will present the findings to the Institute of Electrical and Electronic Engineers Wireless Telecommunication Symposium in California today.
Potential attackers only need a common wireless adaptor, which retails for about $50, and instead of using it to enable their computer to access a network, they can change its coding to interfere with transmission.

"With this adaptor you can basically totally disrupt any wireless network that uses this technology within a kilometre of its operation in anywhere between five and eight seconds," Professor Looi said.

The Information Security Research Centre at QUT has been working with AusCERT - Australia's national computer emergency response team - to alert manufacturers about vulnerable wireless networking equipment since the discovery was made in November last year. A solution is yet to be found.

In Brisbane, about 12 public access networks and many corporate intranet systems, including those in large department stores, could be affected, Professor Looi said. "QUT confirmed their findings with other leading independent researchers in Australia," he said.

Professor Looi said that while the process to bring down a wireless network was very simple, it did not compromise the data on the network. Tools were currently being developed so wireless networks could be tested to see how vulnerable they were to disruption.

[1] http://www.auscert.org.au/render.html?it=4091

From isn at c4i.org Fri May 14 04:41:20 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 14 05:04:10 2004
Subject: [ISN] Voice Over IP Can Be Vulnerable To Hackers, Too
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=20300851

By W. David Gardner
TechWeb News
May 13, 2004

As voice over IP sweeps across the high-tech landscape, many IT managers are being lulled into a dangerous complacency because they look upon Internet phoning as a relatively secure technology--not as an IP service susceptible to the same worms, viruses, and other pestilence that threatens all networked systems.
"With VoIP," security specialist Mark Nagiel said Thursday in an interview, "we're inserting a new technology into an unsecured and unprotected environment. VoIP is essentially availability driven, not security driven, and that's the problem." But Nagiel, manager of security consulting at NEC Unified Solutions, said that there are measures that can be taken to protect voice over IP from the threats that confront Web telephoning. The first step--an obvious one, he says--is to secure existing TCP/IP networks. Nagiel is finding that the new government-required regulations--such as Sarbanes-Oxley, which stipulates improved accounting record-keeping, and HIPAA in health care--are helping IT managers because they impose security discipline across-the-board. "The financial and health-care fields are getting secured very quickly," Nagiel said. Even so, there can be difficulties. He noted that although hospitals' protection of patient records generally has been excellent, they often neglect to completely secure physicians' conversations. Security managers can overlook the fact that voice over IP conversations can reside on servers that can be hacked. The traditional voice model utilized PBXs, which were stable and secure, Nagiel noted. If the voice over IP infrastructure isn't properly protected, it can easily be hacked and recorded calls can be eavesdropped. He says the networks utilized to transmit voice over IP--routers, servers, and even switches--are more susceptible to hacking than traditional telephony equipment. It's also relatively easy to launch an attack against a voice over IP network because the software tools available to hackers and others bent on invading a network are more available and easier to use. "And the exposure levels have gone up because there are so many nets," he said. What's the solution? "You need strong encryption over VoIP servers and VoIP client devices," Nagiel said. 
He observed that extensive encryption can slow down the efficiency of networks, but encryption is a small price to pay to avoid denial-of-service attacks and invasions of networks.

Another useful defense tactic is to use virtual LANs "whenever possible to separate traffic," according to Nagiel. In this way, transmitted data can be segregated into unique virtual LANs for data and voice transmission. However, Nagiel cautioned that security managers should resist using shared Ethernet network segments for voice.

From isn at c4i.org Fri May 14 04:41:35 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 14 05:04:11 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-20
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2004-05-06 - 2004-05-13

                       This week : 42 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

Secunia has launched a new service called Secunia Virus Information. Secunia Virus Information is based on information automatically collected from seven different anti-virus vendors. The data will be parsed and indexed, resulting in a chronological list, a searchable index, and grouped profiles with information from the seven vendors.

Furthermore, when certain criteria are triggered, virus alerts will be issued.
You can sign up for the alerts here:

Sign-up for Secunia Virus Alerts:
http://secunia.com/secunia_virus_alerts/

Secunia Virus Information:
http://secunia.com/virus_information/

========================================================================

2) This Week in Brief:

ADVISORIES:

Two vulnerabilities have been reported in the Eudora mail client. The first vulnerability was discovered by Paul Szabo and can be triggered by embedding an overly long link in an e-mail. Successful exploitation may allow execution of arbitrary code. The second vulnerability was discovered by Brett Glass and can be exploited to obfuscate the actual link contained in an e-mail.

Reference:
http://secunia.com/SA11581
http://secunia.com/SA11568

--

Microsoft has reported a vulnerability in Windows Help and Support Center, which can be exploited to compromise a user's system. However, this will require some user interaction. Patches have been issued for this. Please refer to the Secunia advisory below.

Reference:
http://secunia.com/SA11590

VIRUS ALERTS:

During the last week, Secunia issued two MEDIUM RISK virus alerts. Please refer to the grouped virus profiles below for more information:

Wallon.A - MEDIUM RISK Virus Alert - 2004-05-11 18:49 GMT+1
http://secunia.com/virus_information/9320/wallon.a/

Sasser.E - MEDIUM RISK Virus Alert - 2004-05-11 06:46 GMT+1
http://secunia.com/virus_information/9263/sasser.e/

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA11539] Mac OS X Security Update Fixes Multiple Vulnerabilities
2. [SA11568] Eudora URL Handling Buffer Overflow Vulnerability
3. [SA11582] Microsoft Internet Explorer and Outlook URL Obfuscation Issue
4. [SA10395] Internet Explorer URL Spoofing Vulnerability
5. [SA11482] Windows Explorer / Internet Explorer Long Share Name Buffer Overflow
6. [SA11590] Microsoft Windows Help and Support Center URL Validation Vulnerability
7. [SA10328] Linux Kernel "do_brk()" Privilege Escalation Vulnerability
8. [SA11558] Exim Buffer Overflow Vulnerabilities
9. [SA11064] Microsoft Windows 14 Vulnerabilities
10. [SA11553] PHP-Nuke Multiple Vulnerabilities

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA11590] Microsoft Windows Help and Support Center URL Validation Vulnerability
[SA11588] MailEnable Professional HTTPMail Service Buffer Overflow Vulnerabilities
[SA11568] Eudora URL Handling Buffer Overflow Vulnerability
[SA11566] MyWeb HTTP GET Request Buffer Overflow Vulnerability
[SA11589] eMule Web Interface Negative Content Length Denial of Service
[SA11578] Icecast Basic Authorization Denial of Service Vulnerability
[SA11573] efFingerD Denial of Service Vulnerabilities
[SA11572] Microsoft Outlook Predictable File Location Weakness
[SA11595] Microsoft Outlook External Reference Vulnerability
[SA11576] TrendMicro OfficeScan Weak Permissions
[SA11582] Microsoft Internet Explorer and Outlook URL Obfuscation Issue
[SA11581] Eudora URL Obfuscation Issue
[SA11563] Microsoft IIS Inappropriate Cookie Handling Error

UNIX/Linux:
[SA11597] Debian update for exim-tls
[SA11571] OpenPKG update for ssmtp
[SA11562] Debian update for exim
[SA11559] P4DB Input Validation Vulnerabilities
[SA11558] Exim Buffer Overflow Vulnerabilities
[SA11599] Red Hat update for ipsec-tools
[SA11598] OpenPKG update for apache
[SA11592] Gentoo update for OpenOffice
[SA11575] Gentoo update for neon
[SA11574] Gentoo update for LHA
[SA11565] HP WBEM Services OpenSSL Handshake Denial of Service Vulnerabilities
[SA11564] Conectiva update for lha
[SA11584] Mandrake update for apache2
[SA11583] Mandrake update for rsync
[SA11600] Red Hat update for kernel
[SA11586] SCO OpenServer Insecure Default XHost Access Controls
[SA11585] NetBSD Systrace Privilege Escalation Vulnerability
[SA11580] IBM Parallel Environment Sample Code Privilege Escalation Vulnerability
[SA11561] OpenPKG update for kolab
[SA11560] Kolab Server OpenLDAP Root Password Disclosure
[SA11591] Gentoo update for ClamAV
[SA11577] Linux Kernel IO Bitmap Access Permissions Inheritance Vulnerability

Other:

Cross Platform:
[SA11587] phpShop Arbitrary File Inclusion Vulnerability
[SA11569] DeleGate SSLway Filter Buffer Overflow Vulnerability
[SA11579] NukeJokes SQL Injection Vulnerabilities
[SA11570] Sun Java Runtime Environment Unspecified Denial of Service Vulnerability
[SA11567] e107 "Login Name/Author" Script Insertion Vulnerability
[SA11593] BEA WebLogic "weblogic.xml" May Reset to Default Permissions
[SA11594] BEA WebLogic Admins and Operators May be Able to Stop the Service

========================================================================

5) Vulnerabilities Content Listing

Windows:
--
[SA11590] Microsoft Windows Help and Support Center URL Validation Vulnerability
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2004-05-11
Microsoft has issued patches for Microsoft Windows to fix a vulnerability in the Help and Support Center.
Full Advisory: http://secunia.com/advisories/11590/

--
[SA11588] MailEnable Professional HTTPMail Service Buffer Overflow Vulnerabilities
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2004-05-11
Behrang Fouladi has discovered two vulnerabilities in MailEnable Professional, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11588/

--
[SA11568] Eudora URL Handling Buffer Overflow Vulnerability
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2004-05-07
Paul Szabo has reported a vulnerability in Eudora, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11568/

--
[SA11566] MyWeb HTTP GET Request Buffer Overflow Vulnerability
Critical: Highly critical   Where: From remote   Impact: DoS, System access   Released: 2004-05-08
badpack3t has reported a vulnerability in MyWeb, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11566/

--
[SA11589] eMule Web Interface Negative Content Length Denial of Service
Critical: Moderately critical   Where: From remote   Impact: DoS   Released: 2004-05-11
A vulnerability has been discovered in eMule, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11589/

--
[SA11578] Icecast Basic Authorization Denial of Service Vulnerability
Critical: Moderately critical   Where: From remote   Impact: DoS   Released: 2004-05-12
ned has discovered a vulnerability in Icecast, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11578/

--
[SA11573] efFingerD Denial of Service Vulnerabilities
Critical: Moderately critical   Where: From remote   Impact: DoS   Released: 2004-05-10
Dr_insane has reported a vulnerability in efFingerD, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11573/

--
[SA11572] Microsoft Outlook Predictable File Location Weakness
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2004-05-10
http-equiv has reported a security issue in Microsoft Outlook, potentially allowing malicious people to place a file in a predictable location.
Full Advisory: http://secunia.com/advisories/11572/

--
[SA11595] Microsoft Outlook External Reference Vulnerability
Critical: Less critical   Where: From remote   Impact: Security Bypass   Released: 2004-05-12
http-equiv has reported a security issue in Microsoft Outlook, potentially allowing malicious people (spammers) to verify if a recipient has read an email.
Full Advisory: http://secunia.com/advisories/11595/

--
[SA11576] TrendMicro OfficeScan Weak Permissions
Critical: Less critical   Where: Local system   Impact: Security Bypass   Released: 2004-05-10
Matt has reported a vulnerability in TrendMicro OfficeScan, allowing local users to stop the virus scanning.
Full Advisory: http://secunia.com/advisories/11576/

--
[SA11582] Microsoft Internet Explorer and Outlook URL Obfuscation Issue
Critical: Not critical   Where: From remote   Impact: ID Spoofing   Released: 2004-05-10
http-equiv has discovered an issue in Microsoft Internet Explorer, Outlook and Outlook Express, allowing malicious people to obfuscate URLs.
Full Advisory: http://secunia.com/advisories/11582/

--
[SA11581] Eudora URL Obfuscation Issue
Critical: Not critical   Where: From remote   Impact: ID Spoofing   Released: 2004-05-10
Brett Glass has reported an issue in Eudora, allowing malicious people to obfuscate URLs.
Full Advisory: http://secunia.com/advisories/11581/

--
[SA11563] Microsoft IIS Inappropriate Cookie Handling Error
Critical: Not critical   Where: From remote   Impact: Exposure of system information   Released: 2004-05-10
Cesar Cerrudo has reported a security issue in Microsoft Internet Information Services (IIS), potentially allowing malicious people to gain knowledge of certain details about server side scripts.
Full Advisory: http://secunia.com/advisories/11563/

UNIX/Linux:
--
[SA11597] Debian update for exim-tls
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2004-05-12
Debian has issued updated packages for exim.
These fix two vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11597/

--
[SA11571] OpenPKG update for ssmtp
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2004-05-08
OpenPKG has issued an update for sSMTP. This fixes two vulnerabilities, allowing malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11571/

--
[SA11562] Debian update for exim
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2004-05-07
Debian has issued updated packages for exim. These fix two vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11562/

--
[SA11559] P4DB Input Validation Vulnerabilities
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2004-05-06
Jon McClintock has reported some vulnerabilities in P4DB, potentially allowing malicious people to execute system commands.
Full Advisory: http://secunia.com/advisories/11559/

--
[SA11558] Exim Buffer Overflow Vulnerabilities
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2004-05-06
Georgi Guninski has reported two vulnerabilities in exim, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11558/

--
[SA11599] Red Hat update for ipsec-tools
Critical: Moderately critical   Where: From remote   Impact: Hijacking, Security Bypass, Manipulation of data, DoS   Released: 2004-05-12
Red Hat has issued updated packages for ipsec-tools. These fix various vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), establish unauthorised connections, and conduct MitM (Man-in-the-Middle) attacks.
Full Advisory: http://secunia.com/advisories/11599/

--
[SA11598] OpenPKG update for apache
Critical: Moderately critical   Where: From remote   Impact: DoS, Manipulation of data, ID Spoofing, Security Bypass   Released: 2004-05-12
OpenPKG has issued updates for apache. These fix various vulnerabilities, which can be exploited to inject potentially malicious characters into error logfiles, bypass certain restrictions, gain unauthorised access, or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11598/

--
[SA11592] Gentoo update for OpenOffice
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2004-05-12
Gentoo has issued updates for OpenOffice. These fix a vulnerability allowing malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11592/

--
[SA11575] Gentoo update for neon
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2004-05-10
Gentoo has issued updated packages for neon. These fix multiple vulnerabilities, allowing malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11575/

--
[SA11574] Gentoo update for LHA
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2004-05-10
Gentoo has issued an update for lha. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11574/

--
[SA11565] HP WBEM Services OpenSSL Handshake Denial of Service Vulnerabilities
Critical: Moderately critical   Where: From remote   Impact: DoS   Released: 2004-05-07
HP has reported that WBEM Services is affected by the OpenSSL handshake vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11565/

--
[SA11564] Conectiva update for lha
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2004-05-07
Conectiva has issued updated packages for lha. These fix multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11564/

--
[SA11584] Mandrake update for apache2
Critical: Less critical   Where: From remote   Impact: DoS   Released: 2004-05-11
MandrakeSoft has issued updated packages for Apache 2. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11584/

--
[SA11583] Mandrake update for rsync
Critical: Less critical   Where: From remote   Impact: Security Bypass, Manipulation of data   Released: 2004-05-11
MandrakeSoft has issued updated packages for rsync. These fix a vulnerability, potentially allowing malicious people to write files outside the intended directory.
Full Advisory: http://secunia.com/advisories/11583/

--
[SA11600] Red Hat update for kernel
Critical: Less critical   Where: Local system   Impact: Privilege escalation, Exposure of sensitive information, Exposure of system information   Released: 2004-05-12
Red Hat has issued updated packages for the kernel. These fix various vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information or gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11600/

--
[SA11586] SCO OpenServer Insecure Default XHost Access Controls
Critical: Less critical   Where: Local system   Impact: Privilege escalation   Released: 2004-05-12
SCO has fixed an old security issue, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11586/

--
[SA11585] NetBSD Systrace Privilege Escalation Vulnerability
Critical: Less critical   Where: Local system   Impact: Privilege escalation   Released: 2004-05-11
Stefan Esser has reported a vulnerability in the NetBSD -current implementation of the systrace utility and in a FreeBSD port by Vladimir Kotal, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11585/

--
[SA11580] IBM Parallel Environment Sample Code Privilege Escalation Vulnerability
Critical: Less critical   Where: Local system   Impact: Privilege escalation   Released: 2004-05-10
A vulnerability has been discovered in IBM Parallel Environment (PE), which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11580/

--
[SA11561] OpenPKG update for kolab
Critical: Less critical   Where: Local system   Impact: Exposure of system information, Exposure of sensitive information   Released: 2004-05-06
OpenPKG has issued an updated version of kolab. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of the OpenLDAP root password.
Full Advisory: http://secunia.com/advisories/11561/

--
[SA11560] Kolab Server OpenLDAP Root Password Disclosure
Critical: Less critical   Where: Local system   Impact: Exposure of system information, Exposure of sensitive information   Released: 2004-05-06
Luca Villani has discovered a vulnerability in Kolab Server, which can be exploited by malicious, local users to gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/11560/

--
[SA11591] Gentoo update for ClamAV
Critical: Not critical   Where: Local system   Impact: Privilege escalation   Released: 2004-05-12
Gentoo has issued an update for clamav. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11591/ -- [SA11577] Linux Kernel IO Bitmap Access Permissions Inheritance Vulnerability Critical: Not critical Where: Local system Impact: DoS Released: 2004-05-10 Stas Sergeev has reported a vulnerability in the Linux kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11577/ Other: Cross Platform:-- [SA11587] phpShop Arbitrary File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2004-05-11 Calum Power has reported a vulnerability in phpShop, potentially allowing malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11587/ -- [SA11569] DeleGate SSLway Filter Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2004-05-07 Joel Eriksson has reported a vulnerability in DeleGate, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/11569/ -- [SA11579] NukeJokes SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2004-05-10 Janek Vind has reported multiple vulnerabilities in NukeJokes, allowing malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/11579/ -- [SA11570] Sun Java Runtime Environment Unspecified Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-05-08 An unspecified vulnerability has been discovered in the Java Runtime Environment, which can be exploited by malicious people to cause the Java Virtual Machine to become unresponsive. 
Full Advisory:
http://secunia.com/advisories/11570/

--

[SA11567] e107 "Login Name/Author" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-05-08

SmOk3 has reported a vulnerability in e107, which can be exploited to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/11567/

--

[SA11593] BEA WebLogic "weblogic.xml" May Reset to Default Permissions

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-05-12

BEA has issued updates for WebLogic Server and WebLogic Express. These fix a security issue, which potentially could grant inappropriate privileges.

Full Advisory:
http://secunia.com/advisories/11593/

--

[SA11594] BEA WebLogic Admins and Operators May be Able to Stop the Service

Critical:    Not critical
Where:       From local network
Impact:      DoS
Released:    2004-05-12

BEA has issued updates for WebLogic Server and WebLogic Express. These fix a weakness allowing certain administrative users to stop the service.

Full Advisory:
http://secunia.com/advisories/11594/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web     : http://secunia.com/
E-mail  : support@secunia.com
Tel     : +45 70 20 51 44
Fax     : +45 70 20 51 45

========================================================================

From isn at c4i.org Mon May 17 04:41:25 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 17 05:01:20 2004
Subject: [ISN] Crackers declare cyberwar on USA
Message-ID:

Forwarded from: blitz

This was tried before, and they ran afoul of the US hackers who rallied to our defense. Remember the incident where the US spy plane landed in China? That was about the time this happened.

At 05:48 5/13/2004, you wrote:

> http://www.zone-h.org/en/news/read/id=4225/
>
> Siegfried www.zone-h.org admin 05/12/2004
>
> Famous Brazilian newspapers have been informed that a new hacking
> group composed of worldwide individuals (from Brazil, China, Hong
> Kong and Russia) has declared cyberwar on the United States of
> America.
>
> Its name is Hackers Against America (HAA) and their web site is
> hosted on a Russian server. According to what is written on the main
> page, they plan to integrate new members and launch attacks against
> computers based in the US (cracking some of them but also use worms,
> viruses) in order to steal private documents. Some samples of
> documents and codes are available on the web site, although they
> don't seem to be secret at all and possible to find by using search
> engines.
>
> Even if this threat appears to be tiny now, it is probably not a
> hoax and it could grow in the future, just keep an eye on it.
>
> Siegfried www.zone-h.org admin
>
> João Magalhães from www.estadao.com.br contributed to this article

From isn at c4i.org Mon May 17 04:41:52 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 17 05:01:22 2004
Subject: [ISN] Linux Advisory Watch - May 14th 2004
Message-ID:

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  May 14th, 2004                           Volume 5, Number 20a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for lha, rsync, flim, exim, mc, OpenSSL, heimdal, libneon, clamav, utempter, proftpd, apache2, systrace, cvs, procfs, libpng, openoffice, kernel, sysklogd, and live. The distributors include Conectiva, Debian, Fedora, FreeBSD, Gentoo, Mandrake, NetBSD, OpenBSD, Red Hat, Slackware, and SuSE.

----

>> Need to Secure Multiple Domain or Host Names? <<

Securing multiple domain or host names need not burden you with unwanted administrative hassles. Learn more about how the cost-effective Thawte Starter PKI program can streamline management of your digital certificates. Download a guide to learn more:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten06

----

Why Security

As security professionals and systems administrators we often forget exactly why we're adding additional security. In the daily grime of configuring firewalls, intrusion detection systems, and other controls, we tend to lose sight of the real objective. In any organization the purpose of information security is to support long-term growth and stability, and to ensure confidentiality, integrity, and availability.
In a business environment, information security is critical. A typical business objective is to maximize profit, while having a high and sustainable rate of growth. Today, businesses are increasingly dependent on IT to support the automation of tasks, and e-Business functions. Email and Web access are no longer just a 'nice thing to have,' they are a necessity. With this come increased risks.

Information is an essential resource for all businesses, and is often a key factor for achieving business goals. Having the right information in the hands of the right people, at the right time is a critical success factor. It could be the difference between success and failure. Today, businesses are so dependent on IT that if any event interrupted service, productivity would grind to a halt. In many cases, doing a task manually is no longer an option or even possible.

We have information security initiatives in business to help prevent those catastrophic occurrences. We must also realize it is impossible to prevent every incident. With that in mind, it is important to have a plan to appropriately deal with situations as they occur, possibly limiting any consequential damage.

Information security is about maintaining confidentiality, integrity, and availability with appropriate controls. It is not about having the latest-and-greatest experimental technology. Although fun to play with, it is important to keep the real objectives in mind.

Until next time, cheers!
Benjamin D. Thomas
ben@linuxsecurity.com

----

Guardian Digital Security Solutions Win Out At Real World Linux

Enterprise Email and Small Business Solutions Impress at Linux Exposition. Internet and network security was a consistent theme and Guardian Digital was on hand with innovative solutions to the most common security issues. Attending to the growing concern for cost-effective security, Guardian Digital's enterprise and small business applications were stand-out successes.
http://www.linuxsecurity.com/feature_stories/feature_story-164.html

--------------------------------------------------------------------

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.
http://www.linuxsecurity.com/feature_stories/feature_story-162.html

--------------------------------------------------------------------

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

  5/10/2004 - lha
    Multiple vulnerabilities

    Specially crafted LHarc archives, when processed by lha, may execute arbitrary code or overwrite arbitrary files.
    http://www.linuxsecurity.com/advisories/conectiva_advisory-4322.html

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

  5/10/2004 - rsync
    Directory traversal vulnerability

    Patch fixes issue where a remote user could cause an rsync daemon to write files outside of the intended directory tree unless 'chroot' option is on.
    http://www.linuxsecurity.com/advisories/debian_advisory-4319.html

  5/10/2004 - flim
    Insecure temporary file vulnerability

    This vulnerability could be exploited by a local user to overwrite files with the privileges of the user running emacs.
    http://www.linuxsecurity.com/advisories/debian_advisory-4320.html

  5/10/2004 - exim
    Buffer overflow vulnerabilities

    Neither of these stack-based buffer overflows is exploitable with the default Debian configuration.
    http://www.linuxsecurity.com/advisories/debian_advisory-4321.html

  5/12/2004 - exim-tls
    Buffer overflow vulnerabilities

    These cannot be exploited with the default configuration from the Debian system.
    http://www.linuxsecurity.com/advisories/debian_advisory-4330.html

  5/13/2004 - mah-jong
    Denial of service vulnerability
    Buffer overflow vulnerabilities

    A problem has been discovered in mah-jong that can be utilised to crash the game server after dereferencing a NULL pointer.
    http://www.linuxsecurity.com/advisories/debian_advisory-4336.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

  5/10/2004 - mc
    Multiple vulnerabilities

    Several buffer overflows, several temporary file creation vulnerabilities, and one format string vulnerability have been discovered in Midnight Commander.
    http://www.linuxsecurity.com/advisories/fedora_advisory-4317.html

  5/10/2004 - OpenSSL
    Denial of service vulnerability

    Testing uncovered a bug in older versions of OpenSSL 0.9.6 prior to 0.9.6d that can lead to a denial of service attack (infinite loop).
    http://www.linuxsecurity.com/advisories/fedora_advisory-4318.html

+---------------------------------+
|  Distribution: FreeBSD          | ----------------------------//
+---------------------------------+

  5/10/2004 - heimdal
    Cross-realm trust vulnerability

    It is possible for the Key Distribution Center (KDC) of a realm to forge part or all of the `transited' field to fake zone trustedness.
    http://www.linuxsecurity.com/advisories/freebsd_advisory-4315.html

  5/10/2004 - crypto_heimdal
    Heap overflow vulnerability

    A remote attacker may send a specially formatted message to k5admind, causing it to crash or possibly resulting in arbitrary code execution.
    http://www.linuxsecurity.com/advisories/freebsd_advisory-4316.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

  5/10/2004 - LHa
    Multiple vulnerabilities

    Patch corrects two stack-based buffer overflows and two directory traversal problems in LHa.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4313.html

  5/10/2004 - libneon
    Format string vulnerabilities

    Allows malicious WebDAV server to execute arbitrary code.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4314.html

  5/12/2004 - ClamAV
    Privilege escalation vulnerability

    With a specific configuration Clam AntiVirus is vulnerable to an attack allowing execution of arbitrary commands.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4328.html

  5/12/2004 - OpenOffice.org
    Format string vulnerabilities
    Privilege escalation vulnerability

    Several format string vulnerabilities are present in the Neon library allowing remote execution of arbitrary code when connected to an untrusted WebDAV server.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4329.html

  5/13/2004 - utempter
    Insecure temporary file vulnerability

    Utempter contains a vulnerability that may allow local users to overwrite arbitrary files via a symlink attack.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4335.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

  5/10/2004 - proftpd
    Access control escape vulnerability

    CIDR ACLs in version 1.2.9 allow access even to files and directories that are otherwise specifically denied.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4312.html

  5/12/2004 - rsync
    Directory traversal vulnerability

    Rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4326.html

  5/12/2004 - apache2
    Denial of service vulnerability

    A memory leak in mod_ssl in the Apache HTTP Server prior to version 2.0.49 allows a remote denial of service attack against an SSL-enabled server.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4327.html

+---------------------------------+
|  Distribution: NetBSD           | ----------------------------//
+---------------------------------+

  5/13/2004 - systrace
    Privilege escalation vulnerability

    A local user that is allowed to use /dev/systrace can obtain root access.
    http://www.linuxsecurity.com/advisories/netbsd_advisory-4334.html

+---------------------------------+
|  Distribution: OpenBSD          | ----------------------------//
+---------------------------------+

  5/10/2004 - cvs
    Pathname validation vulnerabilities

    Patches for both client and server prevent file creation and modification outside of allowed directories.
    http://www.linuxsecurity.com/advisories/openbsd_advisory-4311.html

  5/13/2004 - procfs
    Incorrect bounds checking vulnerability

    Incorrect bounds checking in several procfs functions could allow an unprivileged malicious user to read arbitrary kernel memory.
    http://www.linuxsecurity.com/advisories/openbsd_advisory-4332.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

  5/10/2004 - utempter
    Temporary file vulnerability

    Utempter can be used to overwrite privileged files with a symlink.
    http://www.linuxsecurity.com/advisories/redhat_advisory-4300.html

  5/10/2004 - libpng
    Denial of service vulnerability

    An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash when opened by a victim.
    http://www.linuxsecurity.com/advisories/redhat_advisory-4301.html

  5/10/2004 - OpenOffice
    Format string vulnerability

    An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client should a user connect to it using OpenOffice.
    http://www.linuxsecurity.com/advisories/redhat_advisory-4302.html

  5/10/2004 - mc
    Multiple vulnerabilities

    This patch corrects many vulnerabilities of Midnight Commander.
    http://www.linuxsecurity.com/advisories/redhat_advisory-4303.html

  5/12/2004 - kernel
    Multiple vulnerabilities

    This patches the 2.4.x kernel for a wide variety of platforms to fix a large number of bugs, including several with security implications.
    http://www.linuxsecurity.com/advisories/redhat_advisory-4324.html

  5/12/2004 - ipsec-tools
    Multiple vulnerabilities

    This patch fixes three separate vulnerabilities in IPSec under Red Hat.
    http://www.linuxsecurity.com/advisories/redhat_advisory-4325.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

  5/10/2004 - rsync
    Improper write access vulnerability

    When running an rsync server without the chroot option it is possible for an attacker to write outside of the allowed directory.
    http://www.linuxsecurity.com/advisories/slackware_advisory-4306.html

  5/10/2004 - sysklogd
    Denial of service vulnerability

    New sysklogd packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a security issue where a user could cause syslogd to crash.
    http://www.linuxsecurity.com/advisories/slackware_advisory-4307.html

  5/10/2004 - xine-lib
    Arbitrary code execution vulnerability
    Denial of service vulnerability

    Playing a specially crafted Real RTSP stream could run malicious code as the user playing the stream.
    http://www.linuxsecurity.com/advisories/slackware_advisory-4308.html

  5/10/2004 - libpng
    Denial of service vulnerability

    libpng could be caused to crash, creating a denial of service issue if network services are linked with it.
    http://www.linuxsecurity.com/advisories/slackware_advisory-4309.html

  5/10/2004 - lha
    Multiple vulnerabilities

    Fixes buffer overflows and directory traversal vulnerabilities.
    http://www.linuxsecurity.com/advisories/slackware_advisory-4310.html

  5/13/2004 - apache
    Multiple vulnerabilities

    Patch corrects denial of service and shell escape vulnerabilities.
    http://www.linuxsecurity.com/advisories/slackware_advisory-4333.html

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

  5/10/2004 - kernel
    Multiple vulnerabilities

    This patch fixes a large number of minor vulnerabilities and bugs related to the SuSE 8.1 and SuSE 9.0 kernels.
    http://www.linuxsecurity.com/advisories/suse_advisory-4304.html

  5/10/2004 - Live CD 9.1
    Passwordless superuser

    A configuration error on the Live CD allows for a passwordless, remote root login to the system via ssh, if the computer has booted from the Live CD and if it is connected to a network.
    http://www.linuxsecurity.com/advisories/suse_advisory-4305.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon May 17 04:44:45 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 17 05:01:22 2004
Subject: [ISN] Cisco Source Code Reportedly Stolen
Message-ID:

http://www.eweek.com/article2/0,1759,1593870,00.asp

By Steven J. Vaughan-Nichols
May 16, 2004

Russian security Web site SecurityLab is reporting that the source code for Cisco Systems Inc.'s main networking device operating system was stolen on Thursday.

According to the report, criminal hackers broke into Cisco's corporate network and stole 800MB of source code for IOS 12.3 and 12.3t (an early deployment version containing features not found in the vanilla 12.3 version). In addition, a 2.5MB sample of what is supposedly IOS code was released on an Internet Relay Chat channel as proof of the alleged theft.

IOS 12.3 is the newest main version of San Jose, Calif.-based Cisco's popular operating system. It's used across the company's networking line, including in home office routers (the 800 Series); those for branch offices (the 3700 Series); and those that comprise the Internet backbone (the 7000 Series). Other routers that use the operating system include the 1700, 2500, 2600 and 3600 Series.

eWEEK.com was unable to reach Cisco to confirm the break-in and code theft.

If the report is accurate, this represents a major security threat not just for Cisco users, but for the entire Internet. According to the Dell'Oro Group, a market research firm that specializes in the networking and telecommunications industries, Cisco owns 62 percent of the core router market.

With the proprietary source code in hand, criminal hackers could, in theory, create programs that could cause denial-of-service attacks in Cisco-based networks.

A previous major source code theft of parts of Microsoft's NT 4.0 and Windows 2000 has not led to any security violations.
However, the alleged theft of the Cisco source code, since it's both the most current edition and all of the code, has the potential to be more damaging.

From isn at c4i.org Mon May 17 04:44:57 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 17 05:01:23 2004
Subject: [ISN] No WLAN? You still need wireless security
Message-ID:

http://techupdate.zdnet.com/techupdate/stories/main/need_wireless_security.html

By David Berlind
May 16, 2004

It was nearly impossible to traverse a significant part of the show floor at this year's Networld+Interop without encountering solutions that dealt with the thorny issue of wireless security. Indeed, when it comes to the threat matrix associated with wireless security, there are many issues demanding attention: everything from keeping unauthorized wireless users off wireless local area networks (WLANs) to making sure that the traffic flowing through a WLAN is encrypted in a way that keeps the payloads safe from prying eyes.

Although most wireless security solutions target organizations that have deployed wireless networks, there is a class of solutions that target all companies--even those that haven't deployed wireless networks. These solutions detect the existence of rogue access points. (An access point is a transceiver that connects devices on a wireless LAN to the wired infrastructure. A rogue access point is not authorized by an organization's IT department for operation.)

Setting up an access point is child's play. In addition to plugging the access point into a power source, all one has to do is connect one end of an Ethernet cable to an available Ethernet port, connect the other end to an access point and voila! A new Wi-Fi WLAN is born.

Not all rogue access points are malicious. Until my IT department found out about it and asked me to shut it down, I ran a rogue access point for almost two years (long before Wi-Fi was popular).
So early was it in the history of Wi-Fi, that the software for setting up, managing, and securing my Lucent-based 802.11b WLAN was both proprietary and not very user friendly. Knowing that hardly anyone was using Wi-Fi at the time, I didn't bother securing it. Eventually, the company standardized on a single vendor's technology for deploying and securing WLANs and, knowing about my access point through the grapevine, the IT department saw my rogue WLAN for what it was: a back door that bypassed all of the hard work and planning that went into building a secure Wi-Fi network.

Nick Miller, CEO of wireless management solution provider Cirond, put the problem in simple terms. "Companies spend thousands upon thousands of dollars and man-hours on network security," said Miller, "and all it takes is a $30 access point to render that investment useless."

Why set up a rogue access point in the first place? I can imagine at least three scenarios that could result in rogue access points. The first of these is where people with wireless networks at home and at work are having difficulty with home-work interoperability. Though software is making it easier to move back and forth between the two, I've had this problem and I also know that the easiest solution is to have the same kind of access point in both locations.

In the second scenario, people have a wireless network at home, but none at work. Once people catch wireless fever at home, they want it at work, too. If, for security or budgetary reasons, their company's IT department is unwilling to provide it, many overzealous workers are willing to install one for themselves.

In the third scenario, someone outside the organization--usually someone with malicious intent--gains access to a physical Ethernet port on the company's network and surreptitiously connects an access point to it. Depending on where that port is (for example, underneath a desk in an unused cubicle), such "deployments" can easily escape physical detection.
The last two scenarios are particularly noteworthy since they could introduce wireless security problems to companies that have, for whatever reasons, no deployments of wireless technology.

[...]

From isn at c4i.org Mon May 17 04:45:09 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 17 05:01:24 2004
Subject: [ISN] Student uncovers US military secrets
Message-ID:

http://www.theregister.com/2004/05/13/student_unlocks_military_secrets/

By Lucy Sherriff
13th May 2004

An Irish graduate student has uncovered words blacked-out of declassified US military documents using nothing more than a dictionary and text analysis software.

Claire Whelan, a computer science student at Dublin City University, was given the problems by her PhD supervisor as a diversion. David Naccache, a cryptographer with Gemplus, challenged her to discover the words missing from two documents: one was a memo to George Bush, and another concerned military modifications to civilian helicopters.

The process is quite straightforward, and according to Naccache, Whelan's success proves that merely blotting words out of declassified documents will not keep the contents secret.

The first task is to identify the font and font size the missing word was written in. Once that is done, the dictionary search begins for words that fit the space, plus or minus three pixels, Naccache explained. This process yielded 1,530 possibilities for a word blanked out of a sentence in the Bush memo.

Then, the text analysis routine checks for words that would make sense in English. The sentence was: "An Egyptian Islamic Jihad (EIJ) operative told an XXXXXXXX service at the same time that Bin Ladin was planning to exploit the operative's access to the US to mount a terrorist strike." Just 346 words remained on the list at this stage.

The next stage is to involve the brain of the researcher. This eliminated all but seven words: Ugandan, Ukrainian, Egyptian, uninvited, incursive, indebted and unofficial.
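The width-matching step described above is easy to quantify, and the quantification is the argument for retyping a redacted document rather than blotting words out and re-scanning. The Python below is an added illustration, not code from the article or from Naccache or Whelan. GLYPH_WIDTH is a constructed toy font with a few pixel-width classes (a real font has one advance width per glyph plus kerning, which is why identifying the font is the first step), WORDLIST is a constructed sample containing the article's seven surviving words plus filler, and the 3-pixel tolerance is the one the article quotes. `blot_out` models a black box painted over the original word on the page, `retype_redacted` models removing the word and re-typesetting with a fixed-width marker, and `is_width_independent` is the check a reviewer can run against either procedure.

```python
"""Why blotting out a word and re-scanning leaks its identity.

Added illustration; not the method or code of Naccache or Whelan.
GLYPH_WIDTH (a toy proportional font, in pixels) and WORDLIST are
constructed sample data; the 3-pixel tolerance follows the article.
"""
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed glyph advance widths: narrow, normal (default 7 px) and wide
# classes only. A real font has a distinct width per glyph plus kerning.
GLYPH_WIDTH: Dict[str, int] = {}
GLYPH_WIDTH.update({c: 3 for c in "fijlt"})
GLYPH_WIDTH.update({c: 10 for c in "mw"})
GLYPH_WIDTH.update({c: 4 for c in "IJ"})
GLYPH_WIDTH.update({c: 12 for c in "MW"})
GLYPH_WIDTH.update({c: 9 for c in "ABCDEFGHKLNOPQRSTUVXYZ"})


def rendered_width(word: str) -> int:
    """Pixel width of `word` in the toy font; unlisted glyphs are 7 px wide."""
    return sum(GLYPH_WIDTH.get(ch, 7) for ch in word)


# Constructed word list: the article's seven survivors plus filler words.
WORDLIST: List[str] = [
    "Ugandan", "Ukrainian", "Egyptian", "uninvited", "incursive",
    "indebted", "unofficial", "font", "pixel", "memo", "network",
    "analysis", "document", "dictionary", "declassified",
]


def width_candidates(gap_px: int, wordlist: Iterable[str],
                     tolerance: int = 3) -> List[str]:
    """Dictionary words whose rendered width fits the gap within ±tolerance px.

    This is the first filter the article describes; the gap width is the leak.
    """
    return sorted(w for w in wordlist
                  if abs(rendered_width(w) - gap_px) <= tolerance)


def leak_ratio(gap_px: int, wordlist: List[str], tolerance: int = 3) -> float:
    """Share of the dictionary still consistent with the gap (1.0 = no narrowing)."""
    return len(width_candidates(gap_px, wordlist, tolerance)) / len(wordlist)


Redacted = Tuple[str, int]  # (visible text, pixel width of the black box)


def blot_out(sentence: str, secret: str) -> Redacted:
    """The weak practice: a black box painted over the original word, so the
    box is exactly as wide as the word it hides."""
    return sentence.replace(secret, "[REDACTED]", 1), rendered_width(secret)


def retype_redacted(sentence: str, secret: str, box_px: int = 60) -> Redacted:
    """Safer practice: remove the word and re-typeset with a constant-width
    marker, so the box width carries no information about the original."""
    return sentence.replace(secret, "[REDACTED]", 1), box_px


def is_width_independent(redact: Callable[[str, str], Redacted],
                         template: str, secrets: Iterable[str]) -> bool:
    """Reviewer's check: every choice of secret must yield the same rendered
    result; otherwise the box width is an oracle on the hidden word."""
    outputs = {redact(template.format(secret=s), s) for s in secrets}
    return len(outputs) == 1


if __name__ == "__main__":
    template = "The report cites {secret} sources."  # constructed sentence
    gap = blot_out(template.format(secret="Egyptian"), "Egyptian")[1]
    print(f"box of {gap}px leaves candidates: {width_candidates(gap, WORDLIST)}")
    print(f"leak ratio: {leak_ratio(gap, WORDLIST):.2f}")
    print("blot_out width-independent?", is_width_independent(blot_out, template, WORDLIST[:7]))
    print("retype   width-independent?", is_width_independent(retype_redacted, template, WORDLIST[:7]))
```

On the toy data the box painted over "Egyptian" is 50 px wide and leaves 7 of the 15 words in play; a real font and a real dictionary are what produce the 1,530-candidate figure the article reports. The retyped version gives identical output for every secret, so width tells an adversary nothing. The article's second filter, sentence-level plausibility, is not addressed by the width fix and has to be considered separately when deciding how much surrounding text to remove.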
Naccache plumped for Egyptian, in this case.

Whelan subjected the helicopter memo to the same scrutiny, and the results suggested South Korea was the most likely anonymous supplier of helicopter knowledge to Iraq.

Although the technique is no good for tackling larger sections of text, it does show that officials need to be more careful with their sensitive documents. Naccache argues that the most important conclusion of this work "is that censoring text by blotting out words and re-scanning is not a secure practice".

According to the original report in Nature (http://www.nature.com/nature), intelligence experts may consider changing procedures.

From isn at c4i.org Tue May 18 06:13:47 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 18 06:24:05 2004
Subject: [ISN] Linux Security Week - May 17th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  May 17th, 2004                               Volume 5, Number 20n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Voice Over IP Can Be Vulnerable To Hackers," "Spec in Works to Secure Wireless Networks," and "Understanding TCP Reset Attacks."

----

>> Need to Secure Multiple Domain or Host Names? <<

Securing multiple domain or host names need not burden you with unwanted administrative hassles. Learn more about how the cost-effective Thawte Starter PKI program can streamline management of your digital certificates.
Download a guide to learn more:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten06

----

LINUX ADVISORY WATCH:

This week, advisories were released for lha, rsync, flim, exim, mc, OpenSSL, heimdal, libneon, clamav, utempter, proftpd, apache2, systrace, cvs, procfs, libpng, openoffice, kernel, sysklogd, and live. The distributors include Conectiva, Debian, Fedora, FreeBSD, Gentoo, Mandrake, NetBSD, OpenBSD, Red Hat, Slackware, and SuSE.
http://www.linuxsecurity.com/articles/forums_article-9301.html

----

Guardian Digital Security Solutions Win Out At Real World Linux

Enterprise Email and Small Business Solutions Impress at Linux Exposition. Internet and network security was a consistent theme and Guardian Digital was on hand with innovative solutions to the most common security issues. Attending to the growing concern for cost-effective security, Guardian Digital's enterprise and small business applications were stand-out successes.
http://www.linuxsecurity.com/feature_stories/feature_story-164.html

----

>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04

--------------------------------------------------------------------

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.
http://www.linuxsecurity.com/feature_stories/feature_story-162.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* The ease of (ab)using X11, Part 1
May 14th, 2004

A friend of mine decided to finally get a computer recently. He's one of those people who is very bright, he just didn't have the need for one before.[1] Being a very intelligent and worldly guy, he naturally wanted a Linux box.

http://www.linuxsecurity.com/articles/documentation_article-9302.html

* HNS Learning Session: Introduction to Computer Forensics
May 13th, 2004

For this learning session on Help Net Security, we've got Michael J. Staggs, Senior Security Engineer at Guidance Software, discussing the basics of computer forensics.

http://www.linuxsecurity.com/articles/government_article-9300.html

* Fundamentals: Password Madness
May 12th, 2004

While senior technology editor Curt Franklin was hard at work testing authentication tokens for this issue's cover story, I coincidentally ran into some questionable authentication policies and practices as a user.

http://www.linuxsecurity.com/articles/privacy_article-9293.html

* Net(Free)BSD Systrace Local Root Vulnerability
May 12th, 2004

At the end of March Brad Spengler from grsecurity informed the world about a silently patched systrace bypass vulnerability within the linux port of systrace. He also revealed that he found two more holes within systrace, which he did not disclose further. His mail was reason enough to have a look into systrace on nearly all of its supported platforms.
http://www.linuxsecurity.com/articles/host_security_article-9291.html

+------------------------+
| Network Security News: |
+------------------------+

* Voice Over IP Can Be Vulnerable To Hackers, Too
May 14th, 2004

As voice over IP sweeps across the high-tech landscape, many IT managers are being lulled into a dangerous complacency because they look upon Internet phoning as a relatively secure technology--not as an IP service susceptible to the same worms, viruses, and other pestilence that threatens all networked systems.
http://www.linuxsecurity.com/articles/network_security_article-9303.html

* BlueTooth Hacking For Fun and Profit
May 13th, 2004

WiFi wardriving tools have now advanced to the point where it is less a sign of techno-machismo and more a sign of social maladjustment to actually go out and wardrive in your neighborhood. So what's a young wireless data enthusiast to do?
http://www.linuxsecurity.com/articles/hackscracks_article-9296.html

* Spec in Works to Secure Wireless Networks
May 13th, 2004

The Trusted Computing Group said Monday that it is working on a specification to ensure that wireless clients connecting to a network won't serve as a back door to worms and crackers.
http://www.linuxsecurity.com/articles/network_security_article-9294.html

* Web worm tests network security
May 12th, 2004

Using vulnerabilities revealed at the same time as those exploited by the web worm, security firm IRM has demonstrated how they can be used to gain control of a Windows web server.
http://www.linuxsecurity.com/articles/network_security_article-9292.html

* Understanding TCP Reset Attacks, Part I
May 11th, 2004

A vulnerability in TCP, the transmission control protocol, recently received some exposure in the media. Paul Watson released a white paper titled "Slipping in the Window: TCP Reset Attacks" at the 2004 CanSecWest conference, providing a much better understanding of the real-world risks of TCP reset attacks.
http://www.linuxsecurity.com/articles/network_security_article-9289.html

* Network Security Basics
May 11th, 2004

A solid network foundation is the key to business agility, process efficiency, productivity, and competitiveness. It provides intelligent services such as security, availability, reliability, and quality of service (QoS).
http://www.linuxsecurity.com/articles/network_security_article-9285.html

+------------------------+
| General Security News: |
+------------------------+

* Students warn of hacking threat
May 14th, 2004

Three Brisbane university students have discovered a major flaw in wireless network technology that means hackers can bring down critical infrastructure in as little as five seconds.
http://www.linuxsecurity.com/articles/network_security_article-9305.html

* Book Review: Malicious Cryptography
May 10th, 2004

Most people are familiar with malware - viruses, worms, Trojans, etc. - and most people are familiar, at least with the concept, of cryptography. However there are far fewer people that truly understand either of these technologies, and even fewer still who understand how the two can be combined to create the next generation of malicious code.
http://www.linuxsecurity.com/articles/cryptography_article-9279.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue May 18 06:14:06 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 18 06:24:07 2004
Subject: [ISN] DefCon 12 WarDriving Contest Registration Now Open
Message-ID:

Forwarded from: chris

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Registration for the DefCon 12 WarDriving Contest is now open. For the first time ever the Def Con WarDriving contest will be divided into two parts.
A "Main Drive" that will run for the entire three days and four "Mini-Games" that allow contestants that would like to participate but do not want to invest the entire Con in WarDriving.

Registration takes place in the WarDriving Contest Section of the DefCon Forums (http://forum.defcon.org/forumdisplay.php?f=42). Registration for the DefCon 12 WarDriving Contest requires forum registration.

For more information about the DefCon 12 WarDriving Contest (Main Drive and/or Mini-Games) please visit the official contest page at http://www.worldwidewardrive.org/dc12wd/DC12WD.html

The DefCon 12 WarDriving Contest is sponsored by:

FAB-Corp (www.fab-corp.com)
NetStumbler (www.netstumbler.org)
Blackthorn Systems (www.blackthornsystems.com)
Michigan Wireless (www.michiganwireless.org)

Good luck and have fun.

Chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAqRGHOyWtx0MtxawRAsA2AJ4rqDPiotuHpwJeo7IuuHZMr4KlzwCfbmyz
tkhuXA77GTgR28AtuC4E7uk=
=1nXz
-----END PGP SIGNATURE-----

From isn at c4i.org Tue May 18 06:14:24 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 18 06:24:08 2004
Subject: [ISN] Regulation Compliance Tops Companies' Security Concerns
Message-ID:

http://channelzone.ziffdavis.com/article2/0,1759,1594080,00.asp

May 17, 2004
By Karen D. Schwartz

Just a few short years ago, the primary security-related concern for most IT executives was how to prevent hackers from infiltrating their companies' systems. Although that issue still is quite relevant, it's no longer the top concern of many organizations. Today, that honor goes to how to comply with the increasing number of regulatory and compliance mandates required by the U.S. government. Some of these requirements, such as Gramm-Leach-Bliley and Sarbanes-Oxley, apply to virtually all corporations, while others, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Basel II Accord, affect specific industries.
The unifying thread among all of these mandates is the need to adequately protect personal information - an issue that can cause significant challenge and confusion for IT managers who are unfamiliar with the available tools and methods for satisfying these requirements.

Helping organizations comply with this panoply of regulations, however, has created significant opportunity for resellers, says Ed Smith, director of security solutions at Forsythe Technology Inc., a technology infrastructure solution provider based in Skokie, Ill.

"These regulations don't require specific technology, which makes them confusing and vague. Some say you have to provide access control, for example, but they don't specify how to do it," Smith says.

To solve the problem, many organizations are turning to resellers who specialize in building compliance-ready environments and stand ready to map those environments to the organization's framework, best practices and standards.

Resellers and systems integrators fulfill a real need in the compliance arena, agrees Michael Rasmussen, director of information security at Forrester Research Inc., a Cambridge, Mass., IT consultancy. Not only is there no off-the-shelf product to deal with compliance and security issues, but creativity and ingenuity tend to be key to success, Rasmussen says.

"It's about building a culture of security and governance within the organization, as well as selecting the right products and assigning the appropriate management and staffing to them."

Although not yet a requirement, the government's recent push to address cyber-security is beginning to rank nearly as high as regulatory compliance for companies trying to stay on the cutting edge of security requirements. Spearheaded by the National Cyber Security Partnership Task Force, a public-private partnership led by a variety of trade groups and the U.S. Chamber of Commerce, the goal is to develop strategies to better secure critical information infrastructure.
Slowly but surely, the push to implement better cyber-security is trickling down from government to private industry, encouraging resellers to develop solutions and methodologies for implementing these practices within their client base.

"We're encouraging the private sector to adopt what's happening in the public sector because cyber-security cuts across everything and should be part of the overall business model," says Jeff Tye, founder of GMP Networks, a Tucson, Ariz., security integrator.

But at least for now, compliance and cyber-security issues remain more relevant to larger companies than smaller ones. These issues, generally grouped under the term "information security," include financial integrity, regulatory compliance, privacy, intellectual property and industrial espionage. Smaller companies, on the other hand, tend to remain focused on IT security - technology that includes firewalls, disaster recovery, patch management, intrusion-detection systems, and encryption and anti-virus software.

That's changing, but slowly, Smith notes. "You have to become a trusted adviser beyond just offering the latest technology. It's about understanding their problems and then developing an appropriate solution - whatever the need."

GLOSSARY OF TERMS

Sarbanes-Oxley Act of 2002: Mandates a comprehensive accounting framework for all public companies doing business in the United States. Companies must disclose all relevant financial performance information publicly, creating the need for more stringent digital data integrity and accountability controls.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): One part of this act deals with the standardization of health care-related information systems, establishing standardized mechanisms for electronic data interchange, security and confidentiality of all health care-related data.

Gramm-Leach-Bliley Act of 1999: To protect consumers' private financial information.
It put processes in place to control the use of consumers' private information and included requirements to secure and protect the data from unauthorized use or access.

Basel II: The Basel II Accord is a regulatory framework governing risk management practices, developed by the Bank for International Settlements. Companies have until the end of 2006 to comply with it. The accord consists of minimum capital requirement, supervisory review of capital adequacy and public disclosure. And new guidelines on operational risk may cause banks to need to implement more comprehensive business continuity solutions. Once finalized, it will give banks a more standard way of evaluating risk.

Cyber-security: Simply put, cyber-security is the act of protecting all corporate information from potential harm through identification, protection and defense. The U.S. government is doing its best to encourage organizations to deal with cyber-security. The National Cyber Security Partnership Task Force, for example, recently issued a report recommending ways of reducing security vulnerabilities by adopting existing standards and best practices, using common software security configurations, developing guidelines for secure equipment deployment and network architectures, and improving the processes commonly used to develop security specifications and conduct security evaluations.

From isn at c4i.org Tue May 18 06:14:36 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 18 06:24:09 2004
Subject: [ISN] Ex-cybersecurity czar blasts Bush's efforts
Message-ID:

http://www.govexec.com/dailyfed/0504/051704tdpm1.htm

[ http://www.amazon.com/exec/obidos/ASIN/0743260244/c4iorg - WK]

By William New
National Journal's Technology Daily
May 17, 2004

Richard Clarke became a national celebrity in recent months for his criticisms of the Bush administration's handling of the 2001 terrorist attacks.
Now the former White House official is extending that criticism to the administration's handling of cybersecurity.

Clarke, who moved in spring 2001 from his job as White House counter-terrorism chief to head a new White House cybersecurity office created on his recommendation, said the administration has made cybersecurity too low a priority.

Clarke shared his criticisms about administration anti-terrorism policy with the independent panel investigating intelligence activities before the Sept. 11, 2001, terrorist attacks. Administration witnesses -- including National Security Adviser Condoleezza Rice -- also testified to rebut those charges and defend administration policy, although cybersecurity issues were not a major focus of those discussions.

In his best-selling book Against All Enemies, Clarke said cybersecurity needs more attention. In an interview last week with National Journal's Technology Daily, he detailed what he thinks has gone wrong since his office completed a national cybersecurity plan early in 2003.

"I think the national strategy fell essentially on deaf ears," he said. "The president signed it, the president issued it, there was the usual amount of lip service to it, but then nothing ever happened for the better part of a year."

Under criticism from him and people outside government, the administration agreed to create the national cybersecurity division in the Homeland Security Department, he said. "They bought some time from criticism by announcing they were going to do it, but then they didn't appoint anyone to run it for the longest period of time."

When the administration did name someone, he said, it was too low-level a position to have governmentwide impact. That might change, however, Clarke said, as House Republicans are interested in elevating the position to the assistant-secretary level and legislatively giving that person authority over cybersecurity in other departments.
He also criticized the administration for cutting overall funding for cybersecurity research and for not creating a federal government that is a model of how to do cybersecurity. "Most of the departments are still in bad shape," he said.

Clarke said that in January 2001, Rice and her deputy, Steve Hadley, asked him to look for ways to spin off portions of his portfolio. He proposed a separate White House cybersecurity office.

"I surprised them by proposing myself to run it, since they thought I was obsessed with terrorism and would never want to leave that issue," Clarke said. "But at the time, I thought they were not obsessed with terrorism, and if they were not going to treat terrorism with the importance it deserved I didn't want to work on it for them."

He also saw cybersecurity as "a future area of threat" that was unappreciated. "One of the things I've been able to do in my career is to find emerging issues and help them emerge," he said.

Clarke left for the private sector shortly after the release of the National Strategy to Secure Cyberspace, following 30 years of federal service.

From isn at c4i.org Tue May 18 06:14:55 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 18 06:24:10 2004
Subject: [ISN] Mac browsers vulnerable to hackers
Message-ID:

http://www.macworld.co.uk/news/main_news.cfm?NewsID=8696

By Macworld staff
May 18, 2004

Computer security firm Secunia is warning of a new security vulnerability affecting Mac Internet browsers Safari 1.x and Internet Explorer 5.x. The report claims the weakness "potentially allows malicious Web sites to compromise a vulnerable system".

"The problem is that the 'help' URI handler allows execution of arbitrary local scripts (.scpt) via the classic directory traversal character sequence using 'help:runscript'," the warning explains.
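The pattern Secunia describes has two observable parts in page content: a link whose scheme is "help:" and invokes runscript, and a path that climbs directories with ".." (possibly percent-encoded). The following Python, added to this digest and not code from Secunia, Apple or Microsoft, pulls every URL-bearing attribute out of an HTML document and flags links that match both parts. The advisory does not give the exact argument syntax of help:runscript, so the check assumes only the scheme, the word "runscript" and a ".." path step; the sample page, hostnames and script paths are constructed for illustration.

```python
"""Flag 'help:runscript' URIs whose path uses directory traversal, the
pattern the Secunia advisory above describes for Safari 1.x and IE 5.x on
Mac OS X. Added example for this digest, not Secunia's, Apple's or
Microsoft's code. Assumption: the exact help:runscript argument format is
not in the advisory, so only scheme + 'runscript' + a '..' step is checked."""
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import unquote

# Tag attributes a browser follows or loads without a click; 'content'
# covers <meta http-equiv="refresh" content="0;url=...">.
_URL_ATTRS = {"href", "src", "action", "data", "content"}

# A '..' path component delimited by '/' or '\' (or string start/end).
_TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def is_help_runscript_traversal(url: str) -> bool:
    """True when url is a help: URI that invokes runscript with a '..' step."""
    # Decode twice: a %25-encoded layer would otherwise hide %2e%2e from us.
    decoded = unquote(unquote(url.strip()))
    if not decoded.lower().startswith("help:"):
        return False
    rest = decoded[len("help:"):].lstrip("/")
    if "runscript" not in rest.lower():
        return False
    return _TRAVERSAL.search(rest) is not None


class _LinkCollector(HTMLParser):
    """Collect every URL-bearing attribute value, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in _URL_ATTRS or not value:
                continue
            if name == "content":  # meta refresh: keep only the url= part
                m = re.search(r"url\s*=\s*(.+)", value, re.I)
                if not m:
                    continue
                value = m.group(1).strip("'\" ")
            self.urls.append(value)


def find_help_traversal_links(html: str) -> List[str]:
    """Return the offending URLs found in an HTML document, as written."""
    collector = _LinkCollector()
    collector.feed(html)
    return [u for u in collector.urls if is_help_runscript_traversal(u)]


# Constructed sample page; host and script paths are made up for illustration.
SAMPLE_HTML = r"""
<html><body>
<meta http-equiv="refresh" content="0;url=help:runscript/%2e%2e/%2e%2e/tmp/dropped.scpt">
<a href="http://example.invalid/docs/../index.html">traversal, but wrong scheme</a>
<a href="help:runscript/../../../../Users/victim/Downloads/dropped.scpt">click me</a>
<iframe src="HELP:runscript\..\..\tmp\dropped.scpt"></iframe>
<a href="help:runscript/Library/Scripts/hello.scpt">no traversal</a>
</body></html>
"""

if __name__ == "__main__":
    for u in find_help_traversal_links(SAMPLE_HTML):
        print("suspicious help: URI ->", u)
```

Run against the constructed page it reports the meta refresh, the anchor and the iframe and ignores the http: link and the help: link without a ".." step. Decoding twice matters: a single unquote would pass "%252e%252e" through as "%2e%2e" and miss it.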
This makes it possible for malicious computer users to place "arbitrary" files (including script files) in a known location on a user's system - but only if either browser has been set up to open safe files after they are downloaded. This is the default browser setting.

Secunia recommends users switch off the latter capability in Safari's preferences folder; that they do not go online as a "privileged user" and that they rename the help handler, though no instructions related to the latter are available.

From isn at c4i.org Wed May 19 08:17:07 2004
From: isn at c4i.org (InfoSec News)
Date: Wed May 19 08:29:41 2004
Subject: [ISN] New evidence points to Cisco network hack
Message-ID:

http://www.nwfusion.com/news/2004/0518moredetai.html

By Paul Roberts
IDG News Service
05/18/04

More details about the computer code stolen from Cisco surfaced on Tuesday, including new samples of the source code and information on how the code was distributed, four days after a Russian Web site reported news of the theft and posted sample code files to support the claim.

Additional copies of Cisco code files for the Internetwork Operating System (IOS) may be circulating on the Internet, after the thief compromised a Sun server on Cisco's network, then briefly posted a link to the source code files on a file server belonging to the University of Utrecht in the Netherlands, according to Alexander Antipov, a security expert at Positive Technologies, a security consulting company in Moscow, who was interviewed by e-mail and instant messaging service.

A Cisco spokesman declined to comment on the new information, citing the ongoing investigation, but the company is working with the FBI, according to Robert Barlow, a company spokesman.

"Cisco will continue to take every measure to protect our intellectual property, employee and customer information. In this case, Cisco is working with the FBI on this matter," the company said in a statement.
Antipov downloaded more than 15M bytes of the stolen code, which is estimated to be around 800M bytes, after an individual using the online name "Franz" briefly posted a link to a 3M-byte compressed version of the files in a private Internet Relay Chat (IRC) forum on Friday, he said. Antipov denied knowing Franz and said he wants to return the code to Cisco and has been communicating with a Cisco employee about the leaked source code.

The link provided was only available around ten minutes and pointed to a file on an FTP (File Transfer Protocol) server, ftp://ftp.phys.uu.nl, which belongs to the University of Utrecht in the Netherlands. That server is open to the public for hosting files smaller than 5M bytes, according to the University's Web page.

Examples of the additional source code files viewed by IDG News Service are different from the two code files posted on www.securitylab.ru, and appear to be written in the C programming language. One, named snmp_chain.c, dates to 1993 and is credited to Robert Widmer. Another, named http_auth.c and containing a module for HTTP authentication routines, is dated March, 2002 and credited to Saravanan Agasaveeran. Another source code file, also credited to Agasaveeran, contains code for a public API for HTTP client and server applications, and Antipov said the source code he obtained also includes IOS modules covering IPv6.

A Cisco source confirmed that Agasaveeran is a Cisco employee in San Jose, Calif. No information was immediately available on Widmer.

A computer directory listing purported to be of the stolen IOS modules was also shown to IDG News Service. The listing identifies a Sun Sparc server named iwan-view3.cisco.com and a list of directories, but no specific information on the contents of those directories. Still, the listing of directories does give some indication of when the leak may have occurred. Most of the directories were last updated in 2002 and 2003, with one changed as late as November 2003.
That information could be vital in determining the "when" of the crime, said Mark Rasch, senior vice president and chief security counsel of Solutionary. "By going up the (revision) dates, you know which versions they got and have a good idea of when they obtained the code," he said.

The apparent theft from a Sun server also supports the idea that the code was stolen directly from Cisco's corporate network, rather than from a developer's laptop or a worker connecting to Cisco over a remote connection, he said. "People aren't typically [using VPN connections] into Sun boxes. The Solaris stations tend to be on site, that's where you'd use them," he said.

Regardless, Cisco is facing a "huge" forensic investigation, and should assume that other parts of its network and all of its source code have been compromised, he said.

The stolen code could be a bonanza for malicious hackers looking to compromise Cisco devices, even if the stolen code isn't from critical IOS modules, Rasch said. Unlike open source software products, the security of Cisco's systems, like those of other proprietary software vendors, depends on the source code being kept out of public view, he said. "When your security depends, in large measure, on keeping source code private, a breach can be significant," he said.

From isn at c4i.org Wed May 19 08:20:05 2004
From: isn at c4i.org (InfoSec News)
Date: Wed May 19 08:29:42 2004
Subject: [ISN] Embracing the Art of Hacking
Message-ID:

http://www.wired.com/news/infostructure/0,1377,63506,00.html

[ http://www.amazon.com/exec/obidos/ASIN/0596006624/c4iorg - WK]

By Michelle Delio
May. 19, 2004

The idea that every hacker is an artist and every artist is a hacker isn't groundbreaking -- recent gallery and museum shows have focused on the link between art and coding -- but a new book by programmer Paul Graham gives the concept a fresh twist by advising hackers to improve their skills by borrowing creative techniques from other artists.
Billed as a guide into the minds and motivations of hackers, Hackers & Painters, due to be released by O'Reilly Media later this month, is a mixed bag of essays on topics ranging from aesthetics to high school hazing, spam to startups, Microsoft to money.

It doesn't quite live up to the promotional promise that "if you want to understand what hackers are up to, this book will tell you," since it's unlikely that the mildly hacker-curious will wade through four chapters on the pros and cons of programming languages. But, on the whole, the book does provide some fascinating reading for anyone who cares about making great things.

Graham certainly knows hacking: Currently working on a new programming language called Arc, he developed the first Web-based application (Viaweb, which was acquired by Yahoo in 1998) and created a simple but effective Bayesian spam filter that inspired most of the current spam busters. He also knows art; Graham studied painting at Rhode Island School of Design and the Accademia di Belle Arti in Florence, Italy.

Unfortunately, Hackers and Painters gets off to a slow start with a dull chapter on why geeks aren't popular in high school, a subject that's been exhaustively covered elsewhere. Graham breaks no new ground here -- we already know that young geeks care more about learning than being popular, which can lead to social awkwardness, and we also know that other kids are often mean to them.

It's a shame that Graham didn't offer some solutions to the problem of keeping geek kids sane in school. He does mention some possibilities in a one-paragraph addendum in the back of the book -- suggesting home schooling and making high school more like college. Had these ideas been the focus of the "Why Nerds are Unpopular" chapter the book might have provided real options to suffering young school-bound hackers.

The chapters on general rules of good design as they apply to programming, painting and any creative endeavor are by far the best in the book.
Graham slams the artistic conceit that all art is good and taste is purely subjective, pointing out that if you aren't willing to say that some creations aren't beautiful then you'll never develop the aesthetic muscles necessary to define and develop good work.

Graham steers programmers, writers and other artists toward simplicity, making the point that ornate stylistic embellishments often cover up lack of substance, whether you are writing a computer application or a novel. He urges anyone who is involved in creative work not to get pretentious and to retain her or his sense of humor, noting that "good design may not have to be funny, but it's hard to imagine something that could be called humorless also being good design."

Graham also shares ideas on how to produce work from other creative fields and advises hackers to apply these tools to their own endeavors. Writers and painters know that good work is the result of an enormous amount of reworking or rewriting and are taught to be patient with the process of figuring out what they are trying to create. But programmers, Graham writes, are taught that they should "figure out a program completely on paper before even going near a computer."

"I found that I did not program this way.... Instead of patiently writing out a complete program and assuring myself it was correct, I tended to just spew out code that was hopelessly broken, and gradually beat it into shape. Debugging, I was taught, was a kind of final pass where you caught typos and oversights. The way I worked, it seemed like programming consisted of debugging.

"For a long time I felt bad about this, just as I once felt bad that I didn't hold my pencil the way they taught me to in elementary school. If I had only looked over at the other makers, the painters or the architects, I would have realized that there was a name for what I was doing: sketching. As far as I can tell, the way they taught me to program in college was all wrong.
You should figure out programs as you're writing them, just as writers and painters and architects do."

Encouraging programmers to make what writers sometimes refer to as sloppy first copies also has implications for programming languages, Graham writes. "It means that a programming language should, above all, be malleable. A programming language is for thinking of programs, not for expressing programs you've already thought of.

"We need a language that lets us scribble and smudge and smear, not a language where you have to sit with a teacup balanced on your knee and make polite conversation with a strict old aunt of a compiler."

Taking inspiration from artists working in other media will also improve software, Graham writes, comparing open-source development to painting with oils, a flexible medium that allows for reworking and overpainting, as opposed to the more fixed and rigid nature of tempera paints. "Open source software has fewer bugs because it admits to the possibility of bugs ... and it helps to have a medium that makes change easy," Graham writes.

Graham rounds out the book with chapters on programming language politics (essentially: "yay" for Lisp and "boo" to Java), and an excellent chapter on spam-filter technology. He predicts applications will vanish from desktops shortly and will instead run via browsers over the Web, says Microsoft is all but doomed and also provides some hints to those who'd like to be the next Bill Gates.

The chapters on free speech and free thought contain little that's new, but these subjects are so central to hacking philosophy that an overview has to be included in any book on hackers.

Graham wraps up the book with a final excellent chapter on good design, offering up more tools used by artists and writers that would work equally well for programmers. "Design must be for users, but I don't mean to imply that good design aims at some kind of lowest common denominator," Graham writes in his last chapter.
"If you think you're designing something for idiots, odds are you're not designing something good."

Hackers and Painters is not a masterpiece, but it's far from bland match-your-couch art, either. It's a very personal, often illuminating, rather jumbled and only occasionally tedious look at one man's ideas about how to create good things.

From isn at c4i.org Wed May 19 08:20:18 2004
From: isn at c4i.org (InfoSec News)
Date: Wed May 19 08:29:44 2004
Subject: [ISN] Conference Wireless LAN is Hacker Heaven
Message-ID:

http://wifi.weblogsinc.com/entry/5607251948314673/

Mike Outmesguine
May 18, 2004

AirDefense is one of the more respected companies producing wireless LAN security software. AirDefense performed a research experiment at the recent Networld+Interop conference in Las Vegas. Their monitoring software scanned for vulnerabilities and network attacks during the conference producing some astonishing results:

AirDefense noted an increase in unsecured connections to Hotspots, up three percent from 18 percent yesterday. The majority of connections continued to be created for email, file transfer protocol, instant messaging and Telnet. "The increase in malicious activity was likely due to more free time by the attendees and the frustration of attendees not being able to get out to the Internet," said [chief security officer of AirDefense Richard] Rushing.

Additional AirDefense research discovered the following wireless LAN and Bluetooth risks and threats on day two:

- 189 separate attacks on different devices
- 112 separate MAC spoofing attacks
- 89 Denial of Service attacks
- 42 authentication attacks, likely due to brute force attacks or misconfigured clients
- 20 separate AirSnarf attacks
- 4 separate Hotspotter attacks
- 3 large Ad-Hoc mesh networks were re-established on day two with an average of 10 stations connected.
- Another association was made with the Sear Service Toolbox (SST-PR-1) and the network was attacked twice
- One Virtual Routing Redundancy Protocol (VRRP) attack, a routing tool attack to redirect traffic
- 165 BlueJack attacks
- 12 Blue Snarf attacks

Jeez. That's a lot of free time.

From isn at c4i.org Wed May 19 08:20:30 2004
From: isn at c4i.org (InfoSec News)
Date: Wed May 19 08:29:46 2004
Subject: [ISN] Safe and insecure
Message-ID:

http://www.salon.com/tech/feature/2004/05/18/safe_and_insecure/index.html

By Micah Joel
May 18, 2004

Last week, I turned off all the security features of my wireless router. I removed WEP encryption, disabled MAC address filtering and made sure the SSID was being broadcast loud and clear. Now, anyone with a wireless card and a sniffer who happens by can use my connection to access the Internet. And with DHCP logging turned off, there's really no way to know who's using it.

What's wrong with me? Haven't I heard about how malicious wardrivers can use my connection from across the street to stage their hacking operations? How my neighbors can steal my bandwidth so they don't have to pay for their own? How I'm exposing my home network to attacks from the inside?

Yup. So why am I doing this? In a word, privacy.

By making my Internet connection available to any and all who happen upon it, I have no way to be certain what kinds of songs, movies and pictures will be downloaded by other people using my IP address. And more important, my ISP has no way to be certain if it's me.

In mid-April, Comcast sent letters to some of its subscribers claiming that their IP addresses had been used to download copyrighted movies. Since Comcast is not likely to improve customer satisfaction and retention with this strategy, it's probable the letter was a result of pressure from the Motion Picture Association of America or one of its members. And to Comcast's credit, it stopped short of direct accusation; instead it gives users an out.
Says the letter, "If you believe in good faith that the allegedly infringing works have been removed or blocked by mistake or misidentification, then you may send a counter notification to Comcast."

That's good enough for me. I've already composed my reply in case I receive one of these letters someday. "Dear Comcast, I am so sorry. I had no idea that copyrighted works were being downloaded via my IP address; I have a wireless router at home and it's possible that someone may have been using my connection at the time. I will do my best to secure this notoriously vulnerable technology, but I can make no guarantee that hackers will not exploit my network in the future."

If it ever comes down to a lawsuit, who can be certain that I was the offender? And can the victim of hacking be held responsible for the hacker's crimes? If that were the case, we'd all be liable for the Blaster worm's denial of service attacks against Microsoft last year.

Don't get me wrong. I'm not deliberately opening my network to hackers and miscreants bent on downloading copyrighted material. I'm simply choosing not to secure it. That's no different from the millions of people who haven't installed anti-virus software and the millions more who don't keep theirs up to date. Yes, their vulnerabilities allow viruses to spread more quickly, but that's their choice, right?

What about the security of my home network? A determined hacker may be able to crack my passwords or exploit weaknesses in the operating system that I never even thought of, but how is that different from before? There's no system that's completely secure, so whether hackers are inside or outside my firewall will make little difference. I'm willing to trade a little security for privacy.

It feels strange to be opening up my network after years of vigorously protecting it, and it's not without a tinge of anxiety that I do so.
But there's also a sense of liberation, of sticking it to the Man, that's undeniable, as well as an odd sense of community. It seems there's safety in numbers after all, even among strangers. - - - - - - - - - - - - About the writer Micah Joel is a systems engineer for a software company, an award-winning tech presenter and an early adopter of home wireless. From isn at c4i.org Wed May 19 08:20:41 2004 From: isn at c4i.org (InfoSec News) Date: Wed May 19 08:29:46 2004 Subject: [ISN] Police probe Sasser informant Message-ID: http://www.theregister.co.uk/2004/05/18/sasser_informant_turns_suspect/ By John Leyden 18th May 2004 The informant who led police to the self-confessed author of the infamous Sasser worm is himself under investigation. Marle B. - the man who provided the tip-off to Microsoft that led to the arrest of Sven Jaschan, 18 - has become a suspect in the German police's computer sabotage inquiry. Munich-based weekly Focus reports that a criminal investigation would blight Marle B's chances of a share in the $250,000 reward money from Microsoft's Anti-Virus Reward Program that caused him to come forward in the first place. "If he was involved in Sasser, then he will go away empty-handed," Microsoft spokesman, Thomas Baumgaertner, told Focus. 18-year-old Jaschan was arrested in the village of Waffensen near Rotenburg, in northern Germany, on 7 May in connection with writing and distributing the Sasser worm. He later confessed to police that he was both the author of Sasser and the original author of the NetSky worm. Police are expected to lay computer sabotage charges against Jaschan, who has been released on bail pending further proceedings. Last week German police raided five homes and questioned five further suspects as the inquiry into the release of the NetSky worm widened. The five new suspects are all school-friends of Jaschan, according to local reports. 
Two of the suspects questioned have admitted receiving the source code of NetSky from Jaschan and one has admitted distributing a version of the noxious NetSky worm. Suspects were questioned but no further arrests were made. Public prosecutor Helmut Trentmann told German news agency DPA that Jaschan's confession has expedited the 18-year-old's trial, which could begin in a juvenile court in a matter of weeks.

From isn at c4i.org Fri May 21 10:52:46 2004 From: isn at c4i.org (InfoSec News) Date: Fri May 21 11:16:52 2004 Subject: [ISN] Third Country Hacker Uses Korean Computers to Hack U.S Air Force Space Command Message-ID: http://english.chosun.com/w21data/html/news/200405/200405210043.html Updated May 21, 2004 Korean police and their U.S. counterpart began a joint investigation as several computers of an army unit under the U.S. Air Force Space Command (SPACECOM) were hacked by an individual in a third country via Korean firms' computers in mid-February. The U.S. concluded that it was a serious case and hurriedly dispatched its investigators to Korea. The two countries began to establish a closely cooperative investigation system and have shared information to identify the hacker. The U.S. Air Force Space Command is one of nine major joint forces commands under the Department of Defense and the core part that directs, controls and operates U.S. state-of-the-art military sections, such as intercontinental ballistic missiles, satellites and radar equipment. The Cyber Terror Response Center of the Korea Police Agency said Friday that it launched an investigation, as the U.S. had notified that a third country's person had hacked into several computers of an army unit under the U.S. Air Force Space Command. It was revealed that the hacker used computer servers of two Korean companies, the center said. The third country is another Asian nation, but the police agency has not revealed the name of the country, giving consideration to international relations.
The hacker hacked into the computers of the U.S. Air Force Space Command via two Korean private firms located in Inchon and Daegu. The hacker used Korean computers by remote control in the third country to penetrate into the U.S. computers. The hacking was possible because Korea's Internet network is the most highly developed in the world and has a close connection with the U.S., and Korean companies' computer networks are poorly managed due to firms' low security awareness. A police investigator said that the two Korean firms did not realize their computers were hacked. The third country hacker showed high technical prowess by using two computers simultaneously to dodge police. This person hacked into computers of 12 countries like Taiwan and Japan, except the U.S., by using Korean computers. The hacker explored target computers prior to hacking them 120,000 times alone, the police officer said. Korea and the U.S. have almost identified who the hacker is and are to ask the third country to cooperate in arresting the culprit. The US Army Criminal Investigation Command (CID) and the Computer Crime Investigation Unit (CCIU) sent two army and navy investigators to Korea. They are sharing information and discussing the future direction of the investigation with Korean police. (Jang Il-hyun, ihjang@chosun.com )

From isn at c4i.org Fri May 21 10:54:14 2004 From: isn at c4i.org (InfoSec News) Date: Fri May 21 11:16:53 2004 Subject: [ISN] Security UPDATE--Honeywall CD-ROM--May 19, 2004 Message-ID: ==================== ==== This Issue Sponsored By ==== Postini Preemptive Email Protection http://list.winnetmag.com/cgi-bin3/DM/y/efxW0CJgSH0CBw0BHea0A2 Sybari Software http://list.winnetmag.com/cgi-bin3/DM/y/efxW0CJgSH0CBw0BIQk0As ==================== 1. In Focus: Honeywall CD-ROM: A Honeynet on a Bootable Disk 2.
Security News and Features - Recent Security Vulnerabilities - News: Serious Vulnerability in 802.11b and 802.11g Networks - News: You've Been Hacked, Now Rebuild Your System 3. Instant Poll 4. Security Toolkit - FAQ - Featured Thread 5. New and Improved - Extranet, Intranet, and Remote Access Policy Enforcement ==================== ==== Sponsor: Postini Preemptive Email Protection ==== Free Whitepaper: Top 10 Reports for Email Admins This paper will show you the top ten reports every email administrator really shouldn't live without including, dashboard views of inbound email activity, SMTP connection, and delivery monitoring, as well as outbound email and content. Assuring comprehensive email security and management for your enterprise requires real-time monitoring and detailed, flexible reporting. Postini provides an award-winning web console "dashboard" that helps email administrators manage their email protection more effectively and efficiently with a host of monitoring and trending reports. Reports show inbound spam by domain and recipient, as well as viruses by name and overall traffic by domain and recipient. http://list.winnetmag.com/cgi-bin3/DM/y/efxW0CJgSH0CBw0BHea0A2 ==================== ==== 1. In Focus: Honeywall CD-ROM: A Honeynet on a Bootable Disk ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net In the April 28 edition of this newsletter, I mentioned the new version of Network Security Toolkit (NST), which is the creation of Paul Blankenbaker and Ron Henderson. NST is loaded with security tools and is available as a bootable CD-ROM. The toolkit is based on Red Hat Linux 9.0, and you can download it as an International Organization for Standardization (ISO) image and make the CD-ROM yourself. http://www.networksecuritytoolkit.org/nst/index.html This week, I learned about another free security-related tool that you might want to try. 
The Honeynet Project has released a new beta version of Honeywall CD-ROM, which, as you might suspect, lets you create a bootable disk that offers the tools necessary to run a honeypot network. Honeywall CD-ROM is based on a trimmed-down version of Linux and is configurable both before and after bootup. You can add items you might need or make configuration changes that suit your environment. For example, you could add Secure Shell (SSH) keys, set your IP address preferences, and so on, then burn a CD-ROM so that when you boot to the CD-ROM your system is already configured and ready for use. To use Honeywall CD-ROM, you need a system with 256MB of RAM or more, an IDE hard drive, at least two network cards, and of course a CD-ROM drive to boot from. A Pentium III processor (or equivalent) is also recommended. The Honeywall CD-ROM ISO image is a little over 50MB, and you can download a copy by visiting the Honeynet Project's Honeywall CD-ROM Web site. http://www.honeynet.org/tools/cdrom/ If you're wondering what honeypots and honeynets are all about, we've published numerous articles about them--most recently, "Honeypots for Windows" by Roger Grimes in March. Grimes explains some basics about honeypots and offers an inside peek into four commercial products that let you build honeypots on Windows platforms. http://www.winnetmag.com/article/articleid/41976/41976.html We have many other articles related to honeypots available online, including news and commentary. You can locate them quickly by using our search engine. I've included a couple of shortcuts below that list the most recent articles first. http://search.winnetmag.com/query.html?qt=honeypot&st=1&rf=1 http://search.winnetmag.com/query.html?qt=honeynet&st=1&rf=1 ==================== ==== Sponsor: Sybari Software ==== Get on the Road to Secure Computing with Sybari and you could find yourself in the driver's seat of a new 2004 MINI Cooper!
Get your key to enter our giveaway by looking inside your TechEd attendee bag or visit Sybari booth #417 and register to win! Not attending TechEd? Enter to win a MINI Cooper remote control car. Click here to enter: http://list.winnetmag.com/cgi-bin3/DM/y/efxW0CJgSH0CBw0BIQk0As ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.winnetmag.com/departments/departmentid/752/752.html News: Serious Vulnerability in 802.11b and 802.11g Networks The Australian Computer Emergency Response Team (AusCERT) released an advisory about a newly discovered Denial of Service (DoS) vulnerability in 802.11 wireless networks. As you know, Access Points (APs) broadcast on a given channel and frequency. An attacker can exploit the Clear Channel Assessment (CCA) procedure used by 802.11 equipment, making the channel appear to be busy. Under such conditions, all APs and client stations defer their transmissions while they wait for the channel to become idle. However, an idle condition won't ensue until the DoS attack ceases. http://www.winnetmag.com/article/articleid/42673/42673.html News: You've Been Hacked, Now Rebuild Your System Microsoft Security Program Manager Jesper Johansson has published another article, "Help: I Got Hacked. Now What Do I Do?" The article raises that question, outlines more than half a dozen things that you can't do to correct the problem, and concludes that you must rebuild your system. http://www.winnetmag.com/article/articleid/42678/42678.html ==================== ==== Announcements ==== (from Windows & .NET Magazine and its partners) Windows Connections October 24-27, Orlando, Florida.
Save these dates for the Fall 2004 Windows Connections conference, which will run concurrently with Microsoft Exchange Connections. Register early and receive admission to both conferences for one low price. Learn firsthand from Microsoft product architects and the best third-party experts. Go online or call 800-505-1201 for more information. http://list.winnetmag.com/cgi-bin3/DM/y/efxW0CJgSH0CBw0KXQ0AV New Web Seminar: Preemptive Email Security Works for Chick-fil-A--It Can Work for You Become the company hero! Save your company time and money by preventing unwanted and lost email. In this free Web seminar, hear from an email expert--and learn from a real-world Chick-fil-A case study--about how you can reduce spam and viruses and improve email security and employee productivity. Register now! http://list.winnetmag.com/cgi-bin3/DM/y/efxW0CJgSH0CBw0BILr0Au Windows & .NET Magazine Announces Best of Show Finalists Windows & .NET Magazine and SQL Server Magazine announced the finalists for the Best of TechEd 2004 Awards. The field included more than 260 entries in 10 categories. Winners will be announced at a private awards ceremony on Wednesday, May 26. The winners will also be announced at TechEd on Thursday, May 27 at 12:30 p.m. at the Windows & .NET Magazine booth #625. Click here to find out this year's finalists: http://list.winnetmag.com/cgi-bin3/DM/y/efxW0CJgSH0CBw0BIPH0AI ==================== ==== Hot Release Access the expert's white paper library ==== Get expert advice on Active Directory and Exchange from Quest, now including the people and products of Aelita Software. Quest's library of white papers details topics that simplify, automate, and secure your Microsoft infrastructure. The authoritative leader on Active Directory and Exchange, Quest Software is your single source for Windows management solutions and expert industry information. Access the white paper library today. 
http://list.winnetmag.com/cgi-bin3/DM/y/efxW0CJgSH0CBw0BIBB0Aw ==================== ==== 3. Instant Poll ==== Results of Previous Poll The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "Has your company become infected by the Sasser or Gaobot worm?" Here are the results from the 138 votes. - 31% Yes - 57% No - 12% I'm not sure New Instant Poll The next Instant Poll question is, "Which wireless intrusion prevention system do you use?" Go to the Security Web page and submit your vote for - AirDefense products - AirMagnet products - Red-M products - Aruba Wireless Networks products - Other products http://www.winnetmag.com/windowssecurity ==== 4. Security Toolkit ==== FAQ: What's acctinfo.dll? by John Savill, http://www.winnetmag.com/windowsnt20002003faq A. Acctinfo.dll is a DLL that extends the functionality of the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Acctinfo.dll is included in the Windows Server 2003 Resource Kit tools. Installing acctinfo.dll adds the Additional Account Info tab to the user object's Properties page. This tab contains a variety of information, including * the last time the password was set * domain password policies * password expiration date * lockout status * last good and bad logons To install acctinfo.dll, run the command: regsvr32 acctinfo.dll If the command doesn't work (i.e., if Regsvr32 can't locate acctinfo.dll), specify the full path to acctinfo.dll on the command. Acctinfo.dll is typically located in C:\program files\windows resource kits\tools. Featured Thread: Risk Assessment--Lack of Physical Protection Over Client Machines (Two messages in this thread) Paul writes that his server rooms have a high level of physical protection; however, client machines could easily be accessed by a member of the public. He can't do anything about the exposure because of the nature of his organization. 
He's trying to assess the risks to files stored locally and to overall network security. He's made some relevant observations about how people might gain control over a machine if they have physical access and he's come up with some solutions to help guard client machines, but he wonders if anyone has any other recommendations about how to protect machines against physical access. Lend a hand or read the responses: http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=120760 ==================== ==== Events Central ==== (A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events ) The Exchange Server Seminar Series--Coming to Your City Soon! Simplify your life and others' lives with Windows Server 2003 and Exchange Server 2003. Learn the advantages of migrating to an integrated communications environment, consolidating and simplifying implementation of technology, and accelerating worker productivity. Register now for this free event! http://list.winnetmag.com/cgi-bin3/DM/y/efxW0CJgSH0CBw0BG6C0Aj ==================== ==== 5. New and Improved ==== by Jason Bovberg, products@winnetmag.com Extranet, Intranet, and Remote Access Policy Enforcement NetScreen Technologies announced the next-generation release of its Secure Access product family, built on the new Neoteris Instant Virtual Extranet (IVE) 4.0 platform, which includes sophisticated enterprise-class access-management capabilities. NetScreen Secure Access appliances running on the IVE 4.0 platform address the advanced security needs of customers deploying partner extranets and intranets with dynamic access privilege management, rich user self-service, granular role-based delegation, and centralized management. Available IVE 4.0 functionality and feature sets vary based on purchase and deployment options. For more information about IVE 4.0, contact NetScreen Technologies at 800-638-8296 or on the Web. 
http://www.netscreen.com Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com. ==================== ==== Sponsored Links ==== Argent Comparison Paper: The Argent Guardian Easily Beats Out MOM http://list.winnetmag.com/cgi-bin3/DM/y/efxW0CJgSH0CBw0BDWV0AY Microsoft(R) TechNet Microsoft(R) TechNet Webcasts: essential guidance, industry experts http://list.winnetmag.com/cgi-bin3/DM/y/efxW0CJgSH0CBw0BG360AT ==================== ==== Contact Us ==== About the newsletter -- letters@winnetmag.com About technical questions -- http://www.winnetmag.com/forums About product news -- products@winnetmag.com About your subscription -- securityupdate@winnetmag.com About sponsoring Security UPDATE -- emedia_opps@winnetmag.com ==================== ==== Contact Our Sponsors ==== Primary Sponsor: Postini -- http://www.postini.com --1-888-584-3150 Secondary Sponsor: Sybari Software -- http://www.sybari.com -- 1-631-630-8500 Hot Release Sponsor: Quest Software -- http://www.quest.com -- 1-949-754-8000 ==================== This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today. http://www.winnetmag.com/sub.cfm?code=wswi201x1z Windows & .NET Magazine, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2004, Penton Media, Inc. All rights reserved. 
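The acctinfo.dll FAQ in the newsletter above registers the DLL by hand and then reads password age, expiry, lockout status and logon facts off the Additional Account Info tab. The PowerShell script below is an added example, not part of the newsletter or of John Savill's FAQ: it registers the DLL by its full path (the failure the FAQ warns about when Regsvr32 can't locate the file), then pulls the same facts for one account through the ActiveDirectory module so the check can be scripted. It assumes the Resource Kit tools directory the FAQ names, an installed RSAT ActiveDirectory module, and a sample account name 'jdoe'; all three are assumptions, not taken from the page.

```powershell
# Added example (not from the newsletter): register acctinfo.dll by full path,
# then retrieve the facts the "Additional Account Info" tab shows via the
# ActiveDirectory module (RSAT), which this script assumes is installed.
param(
    [string]$SamAccountName = 'jdoe',   # assumed sample account
    # Default location named in the FAQ; adjust if the Resource Kit was installed elsewhere.
    [string]$ResKitDir = 'C:\Program Files\Windows Resource Kits\Tools'
)

function Register-AcctInfo {
    param([string]$ToolsDir)
    $dll = Join-Path $ToolsDir 'acctinfo.dll'
    if (-not (Test-Path -LiteralPath $dll)) {
        throw "acctinfo.dll not found at '$dll'; pass the directory the Resource Kit was installed to."
    }
    # Passing the full, quoted path avoids Regsvr32 failing to locate the DLL;
    # /s suppresses the success dialog so the script can run unattended.
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList @('/s', "`"$dll`"") -Wait -PassThru
    if ($p.ExitCode -ne 0) {
        throw "regsvr32 failed with exit code $($p.ExitCode); run from an elevated prompt."
    }
    return $dll
}

function Get-AccountInfoSummary {
    param([string]$Sam)
    Import-Module ActiveDirectory -ErrorAction Stop
    $props = @('PasswordLastSet', 'LockedOut', 'AccountLockoutTime', 'LastLogonDate',
               'LastBadPasswordAttempt', 'BadLogonCount', 'msDS-UserPasswordExpiryTimeComputed')
    $u = Get-ADUser -Identity $Sam -Properties $props

    # Constructed attribute; Int64.MaxValue means the password never expires.
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expiry = if ($raw -and $raw -lt [Int64]::MaxValue) { [DateTime]::FromFileTime($raw) } else { $null }

    [PSCustomObject]@{
        Account                = $u.SamAccountName
        PasswordLastSet        = $u.PasswordLastSet
        PasswordExpires        = $expiry          # $null => never expires
        LockedOut              = $u.LockedOut
        LockoutTime            = $u.AccountLockoutTime
        # LastLogonDate is derived from lastLogonTimestamp, which replicates but can
        # lag by up to 14 days. The tab's "last good logon" reads lastLogon on the DC
        # you are connected to, which is never replicated; query each DC for accuracy.
        LastLogonReplicated    = $u.LastLogonDate
        LastBadPasswordAttempt = $u.LastBadPasswordAttempt   # also per-DC, not replicated
        BadLogonCount          = $u.BadLogonCount
        DomainPasswordPolicy   = Get-ADDefaultDomainPasswordPolicy
    }
}

Register-AcctInfo -ToolsDir $ResKitDir
Get-AccountInfoSummary -Sam $SamAccountName | Format-List
```

The per-DC caveat is the one worth remembering: lockout status and the replicated last-logon date are safe to read from any domain controller, but last good and bad logon times are only exact on the DC that recorded them, which is why incident responders query every DC (or the PDC emulator, which receives bad-password notifications) before trusting those two fields.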
From isn at c4i.org Fri May 21 10:54:31 2004 From: isn at c4i.org (InfoSec News) Date: Fri May 21 11:16:54 2004 Subject: [ISN] ITL Bulletin for May 2004 Message-ID: Forwarded from: Elizabeth Lennon ITL Bulletin for May 2004 GUIDE FOR THE SECURITY CERTIFICATION AND ACCREDITATION OF FEDERAL INFORMATION SYSTEMS Elizabeth B. Lennon, Editor Information Technology Laboratory National Institute of Standards and Technology Technology Administration U.S. Department of Commerce Introduction In response to the requirements of the E-Government Act (Public Law 107-347), Title III, Federal Information Security Management Act (FISMA) of December 2002, ITL recently published NIST Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. Developed through an extensive public review process, the document represents a significant contribution to federal agency security management by providing specific recommendations on how to certify and accredit information systems. State, local, and tribal governments, as well as private sector organizations, are encouraged to use the guidelines, as appropriate. This ITL Bulletin summarizes the document, which is available at http://csrc.nist.gov/sec-cert/. NIST SP 800-37 provides guidelines for the security certification and accreditation of information systems supporting the executive agencies of the federal government. The guidelines have been developed to help achieve more secure information systems within the federal government by: * Enabling more consistent, comparable, and repeatable assessments of security controls in federal information systems; * Promoting a better understanding of agency-related mission risks resulting from the operation of information systems; and * Creating more complete, reliable, and trustworthy information for authorizing officials, to facilitate more informed security accreditation decisions.
Security Certification and Accreditation Security certification and accreditation are important activities that support a risk management process and are an integral part of an agency's information security program. Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Required by OMB Circular A-130, Appendix III, security accreditation provides a form of quality control and challenges managers and technical staffs at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. Thus, responsibility and accountability are core principles that characterize security accreditation. It is essential that agency officials have the most complete, accurate, and trustworthy information possible on the security status of their information systems in order to make timely, credible, risk-based decisions on whether to authorize operation of those systems. The information and supporting evidence needed for security accreditation is often developed during a detailed security review of an information system, typically referred to as security certification.
Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision. Roles and Responsibilities NIST SP 800-37 describes the roles and responsibilities of key participants, summarized below, involved in an agency's security certification and accreditation process: * The Chief Information Officer is the agency official responsible for: (i) designating a senior agency information security officer; (ii) developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements; (iii) training and overseeing personnel with significant responsibilities for information security; (iv) assisting senior agency officials concerning their security responsibilities; and (v) in coordination with other senior agency officials, reporting annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions. * The authorizing official (or designated approving/accrediting authority as referred to by some agencies) is a senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals. 
* The authorizing official's designated representative is an individual acting on the authorizing official's behalf in coordinating and carrying out the necessary activities required during the security certification and accreditation of an information system. * The senior agency information security officer is the agency official responsible for: (i) carrying out the Chief Information Officer responsibilities under FISMA; (ii) possessing professional qualifications, including training and experience, required to administer the information security program functions; (iii) having information security duties as that official's primary duty; and (iv) heading an office with the mission and resources to assist in ensuring agency compliance with FISMA. * The information system owner is an agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system. * The information owner is an agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. * The information system security officer is the individual responsible to the authorizing official, information system owner, or the senior agency information security officer for ensuring the appropriate operational security posture is maintained for an information system or program. * The certification agent is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. 
* User representatives are individuals that represent the operational interests of the user community and serve as liaisons for that community throughout the system development life cycle of the information system. At the discretion of senior agency officials, certain security certification and accreditation roles may be delegated, and if so, appropriately documented. Individuals serving in delegated roles are able to operate with the authority of agency officials within the limits defined for the specific certification and accreditation activities. Agency officials retain ultimate responsibility, however, for the results of actions performed by individuals serving in delegated roles. The Process The security certification and accreditation process consists of four distinct phases: * Initiation Phase; * Security Certification Phase; * Security Accreditation Phase; and * Continuous Monitoring Phase. Each phase in the security certification and accreditation process consists of a set of well-defined tasks and subtasks that are to be carried out, as indicated, by responsible individuals (e.g., the Chief Information Officer, authorizing official, authorizing official's designated representative, senior agency information security officer, information system owner, information owner, information system security officer, certification agent, and user representatives). The Initiation Phase consists of three tasks: (i) preparation; (ii) notification and resource identification; and (iii) system security plan review, analysis, and acceptance. The purpose of this phase is to ensure that the authorizing official and senior agency information security officer are in agreement with the contents of the system security plan before the certification agent begins the assessment of the security controls in the information system. The Security Certification Phase consists of two tasks: (i) security control assessment; and (ii) security certification documentation. 
The purpose of this phase is to determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. This phase also addresses specific actions taken or planned to correct deficiencies in the security controls and to reduce or eliminate known vulnerabilities in the information system. Upon successful completion of this phase, the authorizing official will have the information needed from the security certification to determine the risk to agency operations, agency assets, or individuals, and thus will be able to render an appropriate security accreditation decision for the information system. The Security Accreditation Phase consists of two tasks: (i) security accreditation decision; and (ii) security accreditation documentation. The purpose of this phase is to determine if the remaining known vulnerabilities in the information system (after the implementation of an agreed-upon set of security controls) pose an acceptable level of risk to agency operations, agency assets, or individuals. Upon successful completion of this phase, the information system owner will have: (i) authorization to operate the information system; (ii) an interim authorization to operate the information system under specific terms and conditions; or (iii) denial of authorization to operate the information system. The Continuous Monitoring Phase consists of three tasks: (i) configuration management and control; (ii) security control monitoring; and (iii) status reporting and documentation. The purpose of this phase is to provide oversight and monitoring of the security controls in the information system on an ongoing basis and to inform the authorizing official when changes occur that may impact on the security of the system. The activities in this phase are performed continuously throughout the life cycle of the information system. 
Accreditation Decisions The security accreditation package documents the results of the security certification and provides the authorizing official with the essential information needed to make a credible, risk-based decision on whether to authorize operation of the information system. Security accreditation decisions resulting from security certification and accreditation processes should be conveyed to information system owners. To ensure the agency's business and operational needs are fully considered, the authorizing official should meet with the information system owner prior to issuing the security accreditation decision to discuss the security certification findings and the terms and conditions of the authorization. There are three types of accreditation decisions that can be rendered by authorizing officials: * Authorization to operate; * Interim authorization to operate; or * Denial of authorization to operate. Examples of security accreditation decision letters appear in Appendix E. Continuous Monitoring A critical aspect of the security certification and accreditation process is the post-accreditation period involving the continuous monitoring of security controls in the information system over time. An effective continuous monitoring program requires: * Configuration management and configuration control processes; * Security impact analyses on changes to the information system; and * Assessment of selected security controls in the information system and security status reporting to appropriate agency officials. Conclusion Completing a security accreditation ensures that an information system will be operated with appropriate management review, that there is ongoing monitoring of security controls, and that re-accreditation occurs periodically in accordance with federal or agency policy and whenever there is a significant change to the system or its operational environment. 
Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357

From isn at c4i.org Fri May 21 10:54:47 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 21 11:16:55 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-21
Message-ID:

========================================================================
The Secunia Weekly Advisory Summary
2004-05-13 - 2004-05-20
This week : 68 advisories
========================================================================

Table of Contents:
1) Word From Secunia
2) This Week In Brief
3) This Weeks Top Ten Most Read Advisories
4) Vulnerabilities Summary Listing
5) Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Secunia has launched a new service called Secunia Virus Information. Secunia Virus Information is based on information automatically collected from seven different anti-virus vendors. The data will be parsed and indexed, resulting in a chronological list, a searchable index, and grouped profiles with information from the seven vendors. Furthermore, when certain criteria are triggered, virus alerts will be issued.

You can sign up for the alerts here:
Sign-up for Secunia Virus Alerts: http://secunia.com/secunia_virus_alerts/
Secunia Virus Information: http://secunia.com/virus_information/

========================================================================
2) This Week in Brief:

ADVISORIES:

On Monday Secunia issued a "Highly Critical" advisory for Mac OS X, as it was reported that it was possible to silently deliver and execute arbitrary code on a vulnerable system. During the day, however, more details were revealed and more advanced exploits were published by various sources, demonstrating exactly how easily this vulnerability could be exploited. For that reason, and because no patch was available from Apple, Secunia raised the severity of this vulnerability to the rare "Extremely Critical" rating. Please refer to the Secunia advisory below for full details.
Reference: http://secunia.com/SA11622

--

http-equiv found a vulnerability in Outlook Express which can be exploited to include arbitrary web content from remote sites in emails. It could be exploited by e.g. spammers to "ping" an email address to see if anyone is reading emails sent to it. http-equiv also reported a vulnerability in Microsoft Outlook which could be exploited to bypass certain security restrictions. Please refer to the Secunia advisories below for in-depth information about the vulnerabilities.
Reference: http://secunia.com/SA11607
Reference: http://secunia.com/SA11629

--

A vulnerability in CVS was reported by Stefan Esser, which can be exploited to compromise a vulnerable system. Many vendors have issued patches for this issue, and many more are likely to follow in the next few days. Please refer to http://secunia.com for information about vendor patches.
Reference: http://secunia.com/SA11641

VIRUS ALERTS:

Secunia has not issued any virus alerts during the last week.

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1. [SA11622] Mac OS X URI Handler Arbitrary Code Execution
2. [SA11066] Symantec Client Firewall Products Multiple Vulnerabilities
3. [SA11539] Mac OS X Security Update Fixes Multiple Vulnerabilities
4. [SA11629] Microsoft Outlook RTF Embedded OLE Object Security Bypass
5. [SA11012] Apple Filing Protocol Insecure Implementation
6. [SA11303] Mac OS X Security Update Fixes Multiple Vulnerabilities
7. [SA10959] Mac OS X Security Update Fixes Multiple Vulnerabilities
8. [SA10440] Mac OS X cd9660.util Privilege Escalation Vulnerability
9. [SA10524] Mac OS X Local Denial of Service Vulnerability
10. [SA10723] Mac OS X Security Update Fixes Multiple Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA11629] Microsoft Outlook RTF Embedded OLE Object Security Bypass
[SA11637] NetChat HTTP Service GET Request Buffer Overflow Vulnerability
[SA11607] Microsoft Outlook Express Loading of Arbitrary Web Content
[SA11633] Microsoft Windows "desktop.ini" Arbitrary File Execution Vulnerability

UNIX/Linux:
[SA11622] Mac OS X URI Handler Arbitrary Code Execution
[SA11662] Slackware update for cvs
[SA11661] Fedora update for cvs
[SA11659] Fedora update for subversion
[SA11658] Mandrake update for cvs
[SA11653] SuSE update for cvs
[SA11652] FreeBSD update for cvs
[SA11651] Debian update for cvs
[SA11647] Red Hat update for cvs
[SA11646] Gentoo update for pound
[SA11642] Subversion Date Parsing Buffer Overflow Vulnerability
[SA11641] CVS Entry Line Heap Overflow Vulnerability
[SA11620] Gentoo update for exim
[SA11604] Zoneminder Query String Buffer Overflow Vulnerability
[SA11671] Gentoo update for icecast
[SA11670] Fedora update for ipsec-tools
[SA11660] Fedora update for libneon
[SA11657] Mandrake update for libneon
[SA11655] Gentoo update for proftpd
[SA11654] Debian update for cadaver
[SA11650] Debian update for libneon
[SA11648] Red Hat update for cadaver
[SA11643] cadaver libneon Date Parsing Heap Overflow Vulnerability
[SA11638] Neon Date Parsing Heap Overflow Vulnerability
[SA11630] Mandrake update for apache
[SA11617] Trustix update for apache
[SA11613] HP-UX update for Mozilla
[SA11610] Fedora update for LHA
[SA11636] Debian update for heimdal
[SA11614] HP-UX dtlogin XDMCP Parsing Vulnerability
[SA11669] Red Hat update for rsync
[SA11667] Red Hat update for libpng
[SA11663] Fedora update for tcpdump
[SA11656] Gentoo update for kdelibs
[SA11645] Mandrake update for kdelibs
[SA11644] Fedora update for kdelibs
[SA11635] Slackware update for kdelibs
[SA11631] Red Hat update for kdelibs
[SA11623] TTT-C Multiple Vulnerabilities
[SA11619] Gentoo update for libpng
[SA11612] Fedora update for libpng
[SA11628] SGI IRIX rpc.mountd Denial of Service Vulnerability
[SA11668] Red Hat update for mc
[SA11621] Slackware update for mc
[SA11618] SuSE update for mc
[SA11615] HP-UX B6848AB GTK+ Support Libraries Insecure Directory Permissions
[SA11609] Gentoo update for utempter
[SA11605] OpenBSD procfs Integer Overflow Vulnerability
[SA11616] Sun Solaris SMC Web Server File Enumeration Security Issue
[SA11611] Fedora update for iproute

Other:
[SA11632] Sidewinder G2 Firewall Multiple Denial of Service Vulnerabilities
[SA11603] Sweex Wireless Broadband Router Exposure of Configuration
[SA11627] Blue Coat Security Gateway OS Private Key Disclosure
[SA11606] Linksys BEF Series Routers DHCP Vulnerability

Cross Platform:
[SA11649] Zen Cart SQL Injection Vulnerability
[SA11640] phpMyFAQ Arbitrary File Inclusion Vulnerability
[SA11639] Java Secure Socket Extension Unspecified Server Certificate Validation Vulnerability
[SA11625] PHP-Nuke Multiple Vulnerabilities
[SA11608] Ethereal Multiple Vulnerabilities
[SA11602] Multiple Browsers Telnet URI Handler File Manipulation Vulnerability
[SA11624] osCommerce Directory Traversal Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:

-- [SA11629] Microsoft Outlook RTF Embedded OLE Object Security Bypass
Critical: Moderately critical | Where: From remote | Impact: Security Bypass | Released: 2004-05-18
http-equiv has reported a vulnerability in Microsoft Outlook 2003, allowing malicious people to perform illegal actions through emails.
Full Advisory: http://secunia.com/advisories/11629/

-- [SA11637] NetChat HTTP Service GET Request Buffer Overflow Vulnerability
Critical: Moderately critical | Where: From local network | Impact: System access | Released: 2004-05-19
Marius Huse Jacobsen has reported a vulnerability in NetChat, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11637/

-- [SA11607] Microsoft Outlook Express Loading of Arbitrary Web Content
Critical: Less critical | Where: From remote | Impact: Security Bypass | Released: 2004-05-14
http-equiv has reported a vulnerability in Microsoft Outlook Express, allowing malicious people (e.g. spammers and phishers) to load arbitrary content into the email client.
Full Advisory: http://secunia.com/advisories/11607/

-- [SA11633] Microsoft Windows "desktop.ini" Arbitrary File Execution Vulnerability
Critical: Less critical | Where: Local system | Impact: Privilege escalation | Released: 2004-05-18
Roozbeh Afrasiabi has reported a vulnerability in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11633/

UNIX/Linux:

-- [SA11622] Mac OS X URI Handler Arbitrary Code Execution
Critical: Extremely critical | Where: From remote | Impact: System access | Released: 2004-05-17
Two vulnerabilities have been reported in Mac OS X, allowing malicious web sites to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11622/

-- [SA11662] Slackware update for cvs
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2004-05-20
Slackware has issued updated packages for cvs. These fix a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11662/

-- [SA11661] Fedora update for cvs
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2004-05-19
Fedora has issued updated packages for cvs. These fix a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11661/

-- [SA11659] Fedora update for subversion
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2004-05-19
Fedora has issued updated packages for subversion. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11659/

-- [SA11658] Mandrake update for cvs
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2004-05-19
MandrakeSoft has issued updated packages for cvs. These fix a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11658/

-- [SA11653] SuSE update for cvs
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2004-05-19
SuSE has issued updated packages for cvs. These fix a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11653/

-- [SA11652] FreeBSD update for cvs
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2004-05-19
FreeBSD has issued updates for cvs. These fix a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11652/

-- [SA11651] Debian update for cvs
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2004-05-19
Debian has issued updated packages for cvs. These fix a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11651/

-- [SA11647] Red Hat update for cvs
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2004-05-19
Red Hat has issued updated packages for cvs. These fix a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11647/

-- [SA11646] Gentoo update for pound
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2004-05-19
Gentoo has issued an update for pound. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11646/

-- [SA11642] Subversion Date Parsing Buffer Overflow Vulnerability
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2004-05-19
Stefan Esser has discovered a vulnerability in Subversion, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11642/

-- [SA11641] CVS Entry Line Heap Overflow Vulnerability
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2004-05-19
Stefan Esser has reported a vulnerability in CVS, allowing malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11641/

-- [SA11620] Gentoo update for exim
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2004-05-17
Gentoo has issued updated packages for exim. These fix two vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11620/

-- [SA11604] Zoneminder Query String Buffer Overflow Vulnerability
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2004-05-13
Mark Cox has reported a vulnerability in ZoneMinder, potentially allowing malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11604/

-- [SA11671] Gentoo update for icecast
Critical: Moderately critical | Where: From remote | Impact: DoS | Released: 2004-05-20
Gentoo has issued an update for icecast. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11671/

-- [SA11670] Fedora update for ipsec-tools
Critical: Moderately critical | Where: From remote | Impact: DoS | Released: 2004-05-20
Fedora has issued updates for ipsec-tools. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11670/

-- [SA11660] Fedora update for libneon
Critical: Moderately critical | Where: From remote | Impact: System access | Released: 2004-05-19
Fedora has issued updated packages for libneon. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11660/

-- [SA11657] Mandrake update for libneon
Critical: Moderately critical | Where: From remote | Impact: System access | Released: 2004-05-19
MandrakeSoft has issued updated packages for libneon. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11657/

-- [SA11655] Gentoo update for proftpd
Critical: Moderately critical | Where: From remote | Impact: Security Bypass | Released: 2004-05-19
Gentoo has issued an update for proftpd. This fixes a security issue, which potentially allows malicious people to bypass ACLs.
Full Advisory: http://secunia.com/advisories/11655/

-- [SA11654] Debian update for cadaver
Critical: Moderately critical | Where: From remote | Impact: System access | Released: 2004-05-19
Debian has issued updated packages for cadaver. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11654/

-- [SA11650] Debian update for libneon
Critical: Moderately critical | Where: From remote | Impact: System access | Released: 2004-05-19
Debian has issued updated packages for libneon. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11650/

-- [SA11648] Red Hat update for cadaver
Critical: Moderately critical | Where: From remote | Impact: System access | Released: 2004-05-19
Red Hat has issued updated packages for cadaver. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11648/

-- [SA11643] cadaver libneon Date Parsing Heap Overflow Vulnerability
Critical: Moderately critical | Where: From remote | Impact: System access | Released: 2004-05-19
cadaver is affected by a vulnerability in the libneon date parsing code, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11643/

-- [SA11638] Neon Date Parsing Heap Overflow Vulnerability
Critical: Moderately critical | Where: From remote | Impact: System access | Released: 2004-05-19
Stefan Esser has discovered a vulnerability in neon, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11638/

-- [SA11630] Mandrake update for apache
Critical: Moderately critical | Where: From remote | Impact: Security Bypass, Spoofing, Manipulation of data, DoS | Released: 2004-05-18
MandrakeSoft has issued updated packages for apache. These fix various vulnerabilities, which can be exploited to inject potentially malicious characters into error logfiles, bypass certain restrictions, gain unauthorised access, or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11630/

-- [SA11617] Trustix update for apache
Critical: Moderately critical | Where: From remote | Impact: Security Bypass, Spoofing, Manipulation of data, DoS | Released: 2004-05-14
Trustix has issued updated packages for apache. These fix various vulnerabilities, which can be exploited to inject potentially malicious characters into error logfiles, bypass certain restrictions, gain unauthorised access, or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11617/

-- [SA11613] HP-UX update for Mozilla
Critical: Moderately critical | Where: From remote | Impact: System access, DoS, Cross Site Scripting, Security Bypass | Released: 2004-05-14
HP has acknowledged various vulnerabilities in Mozilla for HP-UX, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain cookie restrictions, and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/11613/

-- [SA11610] Fedora update for LHA
Critical: Moderately critical | Where: From remote | Impact: System access | Released: 2004-05-14
Fedora has issued an update for lha. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11610/

-- [SA11636] Debian update for heimdal
Critical: Moderately critical | Where: From local network | Impact: DoS, System access | Released: 2004-05-18
Evgeny Demidov has discovered a vulnerability in Heimdal, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11636/

-- [SA11614] HP-UX dtlogin XDMCP Parsing Vulnerability
Critical: Moderately critical | Where: From local network | Impact: System access | Released: 2004-05-14
HP has acknowledged a vulnerability in HP-UX, which may be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11614/

-- [SA11669] Red Hat update for rsync
Critical: Less critical | Where: From remote | Impact: Manipulation of data, Security Bypass | Released: 2004-05-20
Red Hat has issued updated packages for rsync. These fix a vulnerability, potentially allowing malicious people to write files outside the intended directory.
Full Advisory: http://secunia.com/advisories/11669/

-- [SA11667] Red Hat update for libpng
Critical: Less critical | Where: From remote | Impact: DoS | Released: 2004-05-20
Red Hat has issued updates for libpng. These fix a vulnerability, potentially allowing malicious people to cause a Denial of Service against certain applications.
Full Advisory: http://secunia.com/advisories/11667/

-- [SA11663] Fedora update for tcpdump
Critical: Less critical | Where: From remote | Impact: DoS | Released: 2004-05-19
Fedora has issued updated packages for tcpdump. These fix two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11663/

-- [SA11656] Gentoo update for kdelibs
Critical: Less critical | Where: From remote | Impact: Manipulation of data | Released: 2004-05-19
Gentoo has issued updated packages for kdelibs. These fix a vulnerability, which can be exploited by malicious people to create or truncate files on a user's system.
Full Advisory: http://secunia.com/advisories/11656/

-- [SA11645] Mandrake update for kdelibs
Critical: Less critical | Where: From remote | Impact: Manipulation of data | Released: 2004-05-19
MandrakeSoft has issued updated packages for kdelibs. These fix a vulnerability, which can be exploited by malicious people to create or truncate files on a user's system.
Full Advisory: http://secunia.com/advisories/11645/

-- [SA11644] Fedora update for kdelibs
Critical: Less critical | Where: From remote | Impact: Manipulation of data | Released: 2004-05-19
Fedora has issued updated packages for kdelibs. These fix a vulnerability, which can be exploited by malicious people to create or truncate files on a user's system.
Full Advisory: http://secunia.com/advisories/11644/

-- [SA11635] Slackware update for kdelibs
Critical: Less critical | Where: From remote | Impact: Manipulation of data | Released: 2004-05-18
Slackware has issued updated packages for kdelibs. These fix a vulnerability, which can be exploited by malicious people to create or truncate files on a user's system.
Full Advisory: http://secunia.com/advisories/11635/

-- [SA11631] Red Hat update for kdelibs
Critical: Less critical | Where: From remote | Impact: Manipulation of data | Released: 2004-05-18
Red Hat has issued updated packages for kdelibs. These fix a vulnerability, which can be exploited by malicious people to create or truncate files on a user's system.
Full Advisory: http://secunia.com/advisories/11631/

-- [SA11623] TTT-C Multiple Vulnerabilities
Critical: Less critical | Where: From remote | Impact: Cross Site Scripting | Released: 2004-05-19
Kaloyan Olegov Georgiev has reported some vulnerabilities in TTT-C, allowing malicious people to conduct Cross Site Scripting and script insertion attacks.
Full Advisory: http://secunia.com/advisories/11623/

-- [SA11619] Gentoo update for libpng
Critical: Less critical | Where: From remote | Impact: DoS | Released: 2004-05-17
Gentoo has issued updates for libpng. These fix a vulnerability, potentially allowing malicious people to cause a Denial of Service against certain applications.
Full Advisory: http://secunia.com/advisories/11619/

-- [SA11612] Fedora update for libpng
Critical: Less critical | Where: From remote | Impact: DoS | Released: 2004-05-14
Fedora has issued updates for libpng. These fix a vulnerability, potentially allowing malicious people to cause a Denial of Service against certain applications.
Full Advisory: http://secunia.com/advisories/11612/

-- [SA11628] SGI IRIX rpc.mountd Denial of Service Vulnerability
Critical: Less critical | Where: From local network | Impact: DoS | Released: 2004-05-18
SGI has reported a vulnerability in IRIX, allowing malicious people to cause a DoS (Denial of Service) on the rpc.mountd daemon.
Full Advisory: http://secunia.com/advisories/11628/

-- [SA11668] Red Hat update for mc
Critical: Less critical | Where: Local system | Impact: Privilege escalation | Released: 2004-05-20
Red Hat has issued updates for mc. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11668/

-- [SA11621] Slackware update for mc
Critical: Less critical | Where: Local system | Impact: Privilege escalation | Released: 2004-05-17
Slackware has issued updates for mc. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11621/

-- [SA11618] SuSE update for mc
Critical: Less critical | Where: Local system | Impact: Privilege escalation | Released: 2004-05-17
SuSE has issued updates for mc. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/11618/

-- [SA11615] HP-UX B6848AB GTK+ Support Libraries Insecure Directory Permissions
Critical: Less critical | Where: Local system | Impact: Manipulation of data | Released: 2004-05-14
HP has reported a vulnerability in HP-UX, which can be exploited by malicious, local users to manipulate the content of certain files.
Full Advisory: http://secunia.com/advisories/11615/

-- [SA11609] Gentoo update for utempter
Critical: Less critical | Where: Local system | Impact: Privilege escalation | Released: 2004-05-14
Gentoo has issued an update for utempter. This fixes a security issue, which potentially can be exploited by malicious, local users to perform certain actions with higher privileges on a vulnerable system.
Full Advisory: http://secunia.com/advisories/11609/

-- [SA11605] OpenBSD procfs Integer Overflow Vulnerability
Critical: Less critical | Where: Local system | Impact: Exposure of sensitive information, DoS | Released: 2004-05-13
OpenBSD has issued patches for procfs. These fix a vulnerability, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/11605/

-- [SA11616] Sun Solaris SMC Web Server File Enumeration Security Issue
Critical: Not critical | Where: From local network | Impact: Exposure of system information | Released: 2004-05-14
Jon Hart has reported a security issue in Sun Solaris, which can be exploited by malicious people to enumerate files on an affected system.
Full Advisory: http://secunia.com/advisories/11616/

-- [SA11611] Fedora update for iproute
Critical: Not critical | Where: Local system | Impact: DoS | Released: 2004-05-14
Fedora has issued updated packages for iproute. These fix a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11611/

Other:

-- [SA11632] Sidewinder G2 Firewall Multiple Denial of Service Vulnerabilities
Critical: Moderately critical | Where: From remote | Impact: DoS | Released: 2004-05-18
Multiple vulnerabilities have been reported in Sidewinder, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11632/

-- [SA11603] Sweex Wireless Broadband Router Exposure of Configuration
Critical: Moderately critical | Where: From local network | Impact: Exposure of system information, Exposure of sensitive information | Released: 2004-05-13
Mark Janssen has reported a vulnerability in Sweex Wireless Broadband Router/Accesspoint, allowing malicious people to gain knowledge of the configuration.
Full Advisory: http://secunia.com/advisories/11603/

-- [SA11627] Blue Coat Security Gateway OS Private Key Disclosure
Critical: Less critical | Where: From local network | Impact: Exposure of sensitive information | Released: 2004-05-18
A security issue has been reported in Blue Coat SGOS, which may disclose private keys associated with imported certificates.
Full Advisory: http://secunia.com/advisories/11627/

-- [SA11606] Linksys BEF Series Routers DHCP Vulnerability
Critical: Less critical | Where: From local network | Impact: Exposure of system information, Exposure of sensitive information, DoS | Released: 2004-05-13
Jon Hart has reported a vulnerability in Linksys BEFSR41 and BEFW11S4, which can be exploited by malicious people to gain knowledge of sensitive information or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11606/

Cross Platform:

-- [SA11649] Zen Cart SQL Injection Vulnerability
Critical: Moderately critical | Where: From remote | Impact: Manipulation of data | Released: 2004-05-19
Oliver Minack has reported a vulnerability in Zen Cart, allowing malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/11649/

-- [SA11640] phpMyFAQ Arbitrary File Inclusion Vulnerability
Critical: Moderately critical | Where: From remote | Impact: Exposure of sensitive information | Released: 2004-05-19
Stefan Esser has reported a vulnerability in phpMyFAQ, allowing malicious people to view arbitrary local files and potentially execute arbitrary local php code.
Full Advisory: http://secunia.com/advisories/11640/

-- [SA11639] Java Secure Socket Extension Unspecified Server Certificate Validation Vulnerability
Critical: Moderately critical | Where: From remote | Impact: Security Bypass, Spoofing | Released: 2004-05-19
A vulnerability has been discovered in JSSE (Java Secure Socket Extension), allowing malicious websites to impersonate trusted websites.
Full Advisory: http://secunia.com/advisories/11639/

-- [SA11625] PHP-Nuke Multiple Vulnerabilities
Critical: Moderately critical | Where: From remote | Impact: Cross Site Scripting, System access | Released: 2004-05-18
Janek Vind has reported three vulnerabilities in PHP-Nuke, allowing malicious people to conduct Cross Site Scripting attacks and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11625/

-- [SA11608] Ethereal Multiple Vulnerabilities
Critical: Moderately critical | Where: From remote | Impact: DoS, System access | Released: 2004-05-14
Multiple vulnerabilities have been discovered in Ethereal, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11608/

-- [SA11602] Multiple Browsers Telnet URI Handler File Manipulation Vulnerability
Critical: Less critical | Where: From remote | Impact: Manipulation of data | Released: 2004-05-13
A vulnerability has been reported in various browsers, which can be exploited by malicious people to create or truncate files on a user's system.
Full Advisory: http://secunia.com/advisories/11602/

-- [SA11624] osCommerce Directory Traversal Vulnerability
Critical: Not critical | Where: From remote | Impact: Exposure of sensitive information | Released: 2004-05-19
l0om has reported a security issue in osCommerce, allowing malicious administrative users to view arbitrary local files.
Full Advisory: http://secunia.com/advisories/11624/

========================================================================

Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third-party patches; only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri May 21 10:55:08 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 21 11:16:56 2004
Subject: [ISN] Two Open-Source Databases Spring Security Leaks
Message-ID:

http://www.eweek.com/article2/0,1759,1596274,00.asp

By Lisa Vaas
May 20, 2004

Critical flaws have been found in two open-source version control systems: Concurrent Versions System (CVS), a popular open-source tool in which many developers store code, and Subversion, which was built to be a compelling replacement for CVS in the open-source community. Stefan Esser, the security researcher who discovered the flaws, released advisories Wednesday recommending that the applications be updated immediately. Esser is the chief security and technology officer at e-Matters, a German technology company.

The first flaw pertains to CVS releases up to 1.11.15 and CVS feature releases up to 1.12.7.
Both contain a flaw that occurs when deciding whether a CVS entry line should get a flag reading modified or unchanged. When remote users send entry lines to the server, an additional byte is allocated so as to have ample space for later flagging of the entry. Users are then allowed to insert "M" or "=" characters into the middle of strings, which would result in what's called a heap overflow. The flaw could allow a remote attacker to execute arbitrary code on the CVS server.

According to Esser's advisory, CVS developers were notified of the flaw earlier this month. Derek Robert Price replied that the flaw had already been fixed. The CVS Project posted two updates Wednesday, CVS Version 1.11.16 and CVS Feature Version 1.12.8. According to the disclosure timeline in Esser's advisory, important code repositories were notified before the flaws were made public Wednesday.

The second flaw, in Subversion, which is released under an Apache/BSD-style open-source license, is easy to exploit, according to Esser's advisory. "Exploiting this vulnerability on not heavily protected servers is trivial even for beginners," Esser wrote. "Even ProPolice users aren't safe because overwriting function arguments allows some fancy exploits." (ProPolice was developed by IBM and protects against "stack-smashing" attacks, a common way to break program security.)

Subversion versions up to 1.0.2 are vulnerable to the flaw, which is a date-parsing vulnerability that can be exploited to allow remote code execution on Subversion servers and thereby compromise repositories. The flaw resides in an unsafe call to sscanf() in a Subversion date-parsing function. When Subversion attempts to convert a string into an apr_time_t, it falls back to sscanf() to decode old-styled date strings, according to Esser's advisory. That function is exposed to external attack through a DAV2 REPORT query or a get-dated-rev svn-protocol command.
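The two bugs described above share one root cause: a fixed-size destination receives input whose length the code never checks. The unsafe sscanf() pattern and its hardened counterpart are shown below as an added example written for this page; it is not Subversion's or CVS's code, and the two-token "<day> <time>" layout, the 15-character field limit and the function names are assumptions chosen for the demonstration. The hardened parser bounds every conversion with a width, uses %n to confirm that the whole input was consumed, and returns a status instead of a half-filled structure, which is also the lesson behind the CVS entry-line bug: size the destination from the input and verify it, rather than assuming the input has the shape you expected.

```c
/* Added example (not Subversion's or CVS's code): parsing an "old-style"
 * date string safely. The "<day> <time>" layout, TOK_MAX and the names
 * below are assumptions for this demonstration. */
#include <stdio.h>
#include <string.h>

#define TOK_MAX 15  /* longest token accepted per field; buffers hold TOK_MAX + NUL */

typedef struct {
    char day[TOK_MAX + 1];
    char tm[TOK_MAX + 1];
} old_date;

/* The pattern the advisory warns about: "%s" has no width limit, so a
 * token longer than TOK_MAX overruns the destination buffer. Kept only
 * for contrast with the hardened version below; never use it on input
 * you do not control. */
int parse_old_date_unsafe(const char *s, old_date *out)
{
    return sscanf(s, "%s %s", out->day, out->tm) == 2 ? 0 : -1;
}

/* Hardened version.
 *  - "%15s" (the width must match TOK_MAX) stops after 15 bytes, so the
 *    buffers cannot overflow whatever the input length.
 *  - "%n" records how many input bytes were consumed; anything left over
 *    means trailing garbage or a token the width limit cut short, and both
 *    are rejected instead of being silently truncated.
 *  - Returns 0 on success and -1 on any failure, leaving *out untouched
 *    on failure so callers never see a partially parsed result. */
int parse_old_date(const char *s, old_date *out)
{
    old_date tmp;
    int consumed = 0;

    memset(&tmp, 0, sizeof tmp);
    if (sscanf(s, "%15s %15s%n", tmp.day, tmp.tm, &consumed) != 2)
        return -1;                 /* fewer than two tokens */
    if (s[consumed] != '\0')
        return -1;                 /* over-long token or trailing data */
    *out = tmp;
    return 0;
}

/* Convenience wrapper returning only the status, for quick checks. */
int check_old_date(const char *s)
{
    old_date d;
    return parse_old_date(s, &d);
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real repository. */
    const char *good = "2004-05-19 12:34:56";
    const char *too_long = "2004-05-19 1234567890123456789012345678901234567890";
    old_date d;

    if (parse_old_date(good, &d) == 0)
        printf("accepted: day=%s time=%s\n", d.day, d.tm);
    printf("over-long token: %s\n",
           check_old_date(too_long) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The explicit %n check is what turns a width limit from "truncate and carry on" into "reject and report": without it, a 40-character token would be silently cut to 15 and the parser would accept a value the sender never wrote.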
The first way is "somewhat harder" to exploit, Esser wrote, whereas the second is a standard stack overflow with the exception that white space and the "\0" character are forbidden.

Linux and BSD distributions have released advisories, as well as the Debian Project, the association that created the open-source Debian GNU/Linux operating system. Read Debian's security alert here.

From isn at c4i.org Mon May 24 03:19:52 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 24 03:32:09 2004
Subject: [ISN] Safe and insecure
Message-ID:

Forwarded from: Chad W. Didier

I think this would fall under the category of "willful neglect". No one can be held responsible for the abuse of a technology that is flawed. But to publicly state you're not going to make reasonable attempts to secure it is "willful neglect". One could be held liable. Perhaps not criminally, but in a civil trial one may find themselves held responsible and liable for damages for the abuses of another.

-----Original Message-----
From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org] On Behalf Of InfoSec News
Sent: Wednesday, May 19, 2004 8:21 AM
To: isn@attrition.org
Subject: [ISN] Safe and insecure

http://www.salon.com/tech/feature/2004/05/18/safe_and_insecure/index.html

By Micah Joel
May 18, 2004

Last week, I turned off all the security features of my wireless router. I removed WEP encryption, disabled MAC address filtering and made sure the SSID was being broadcast loud and clear. Now, anyone with a wireless card and a sniffer who happens by can use my connection to access the Internet. And with DHCP logging turned off, there's really no way to know who's using it.

What's wrong with me? Haven't I heard about how malicious wardrivers can use my connection from across the street to stage their hacking operations? How my neighbors can steal my bandwidth so they don't have to pay for their own? How I'm exposing my home network to attacks from the inside?

Yup. So why am I doing this?
In a word, privacy. By making my Internet connection available to any and all who happen upon it, I have no way to be certain what kinds of songs, movies and pictures will be downloaded by other people using my IP address. And more important, my ISP has no way to be certain if it's me.

In mid-April, Comcast sent letters to some of its subscribers claiming that their IP addresses had been used to download copyrighted movies. Since Comcast is not likely to improve customer satisfaction and retention with this strategy, it's probable the letter was a result of pressure from the Motion Picture Association of America or one of its members. And to Comcast's credit, it stopped short of direct accusation; instead it gives users an out. Says the letter, "If you believe in good faith that the allegedly infringing works have been removed or blocked by mistake or misidentification, then you may send a counter notification to Comcast."

That's good enough for me. I've already composed my reply in case I receive one of these letters someday. "Dear Comcast, I am so sorry. I had no idea that copyrighted works were being downloaded via my IP address; I have a wireless router at home and it's possible that someone may have been using my connection at the time. I will do my best to secure this notoriously vulnerable technology, but I can make no guarantee that hackers will not exploit my network in the future."

If it ever comes down to a lawsuit, who can be certain that I was the offender? And can the victim of hacking be held responsible for the hacker's crimes? If that were the case, we'd all be liable for the Blaster worm's denial of service attacks against Microsoft last year.

[...]
From isn at c4i.org Mon May 24 03:20:19 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 24 03:32:11 2004
Subject: [ISN] Linux Advisory Watch - May 21st 2004
Message-ID:

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  May 21st, 2004                           Volume 5, Number 21a |
+----------------------------------------------------------------+

  Editors:      Dave Wreski                 Benjamin Thomas
                dave@linuxsecurity.com      ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for heimdal, cvs, neon, cadaver, libpng, iproute, lha, mailman, kdelibs, tcpdump, utempter, subversion, exim, Pound, ProFTPD, Icecast, libuser, passwd, apache, kdelibs, mc, rsync, and the kernel. The distributors include Debian, Fedora, FreeBSD, Gentoo, Mandrake, Red Hat, Slackware, SuSE, and Trustix.

----

>> NEW Step-by-Step SSL Guide for Apache from Thawte <<

Thawte's new guide will show you how to test, purchase, install and use a Thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

Download a guide to learn more:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten06

----

Security Failure

Over the years computer systems and networks of all types have been the object of attack and compromise. Generally, systems that are compromised have similar characteristics. I will focus on some of the more common shortcomings.

First, failure to have adequate security policies and procedures. What information assets should be protected? Who and what are they being protected from, and how should they be protected? All these questions should be addressed formally.
A security policy provides direction and justification.

Next, poor system logging and auditing. On many occasions, system administrators fail to review log files. If the job is too big to do manually, there are many automated tools that will do a fine job. Knowing the network and its traffic patterns intimately can have many advantages.

Failure to patch vulnerable services or applications in a timely fashion is a major contributor. Begin testing patches as soon as they are publicly available. Once a patch has been determined stable, roll the changes out to production. Also, don't forget to verify those MD5s!

Next, poor password generation and management can be troublesome. It is important to be sure that users are choosing and using strong passwords. Often, this is the only form of control used. Remember, weak passwords or bad key management practices can circumvent even the strongest cryptography schemes.

Unused software/tools/commands should be removed, and unneeded network services should be disabled. If it is not there, it can't be exploited. You'll find that this is one technique that many hardened distributions (such as EnGarde Linux) use. A Web server does not need X11, games, etc. The system should be built for one purpose, exposing it to the least amount of risk.

It is also important to ensure that all configurations are correct. On many distributions, the default settings are generally calibrated for usability rather than high security. It is up to you to do the necessary research to find out what changes must be made. This also brings up the point of removing or disabling any pre-installed accounts or default passwords.

Finally, it is imperative that the system is protected from remote network attacks. A properly configured, restrictive firewall can go a long way in improving a system's security posture. In several situations, I've seen companies with firewalls that virtually allow all traffic through.
Over time, service by service, new rules are added after each complaint. Rather than provide strong security, it only gives false assurance.

By taking simple precautions, security can be greatly improved. Give your valuable information the protection it deserves.

Until next time, cheers!
Benjamin D. Thomas
ben@linuxsecurity.com

----

Guardian Digital Security Solutions Win Out At Real World Linux

Enterprise Email and Small Business Solutions Impress at Linux Exposition. Internet and network security was a consistent theme and Guardian Digital was on hand with innovative solutions to the most common security issues. Attending to the growing concern for cost-effective security, Guardian Digital's enterprise and small business applications were stand-out successes.

http://www.linuxsecurity.com/feature_stories/feature_story-164.html

--------------------------------------------------------------------

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.

http://www.linuxsecurity.com/feature_stories/feature_story-162.html

--------------------------------------------------------------------

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 5/18/2004 - heimdal
   Buffer overflow vulnerability
   This problem could perhaps be exploited to cause the daemon to read a negative amount of data which could lead to unexpected behaviour.
   http://www.linuxsecurity.com/advisories/debian_advisory-4347.html

 5/19/2004 - cvs
   Heap overflow vulnerability
   Stefan Esser discovered a heap overflow in the CVS server, which serves the popular Concurrent Versions System.
   http://www.linuxsecurity.com/advisories/debian_advisory-4375.html

 5/19/2004 - neon
   Heap overflow vulnerability
   User input is copied into variables not large enough for all cases. This can lead to an overflow of a static heap variable.
   http://www.linuxsecurity.com/advisories/debian_advisory-4376.html

 5/19/2004 - cadaver
   Heap overflow vulnerability
   User input is copied into variables not large enough for all cases. This can lead to an overflow of a static heap variable.
   http://www.linuxsecurity.com/advisories/debian_advisory-4377.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 5/14/2004 - libpng 1.2.2
   Information leak vulnerability
   Fixes a possible out-of-bounds read in the error message handler.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4340.html

 5/14/2004 - libpng 1.0.13
   Information leak
   Fixes a possible out-of-bounds read in the error message handler.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4341.html

 5/14/2004 - iproute
   Denial of service vulnerability
   iproute 2.4.7 and earlier allows local users to cause a denial of service via spoofed messages as other users to the kernel netlink interface.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4342.html

 5/14/2004 - lha
   Multiple vulnerabilities
   Ulf Härnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4343.html

 5/18/2004 - mailman
   Cross-site scripting vulnerability
   A cross-site scripting (XSS) vulnerability exists in the admin CGI script for Mailman before 2.1.4.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4353.html

 5/18/2004 - neon
   Format string vulnerabilities
   Exploiting these bugs may allow remote malicious WebDAV servers to execute arbitrary code.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4354.html

 5/18/2004 - cvs
   Chroot escape vulnerability
   The client for CVS before 1.11.15 allows a remote malicious CVS server to create arbitrary files by using absolute pathnames during checkouts or updates.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4355.html

 5/18/2004 - kdelibs
   Multiple vulnerabilities
   An attacker could create a carefully crafted link such that when opened by a victim it creates or overwrites a file in the victim's home directory.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4356.html

 5/19/2004 - tcpdump
   Denial of service vulnerability
   Upon receiving specially crafted ISAKMP packets, TCPDUMP would try to read beyond the end of the packet capture buffer and subsequently crash.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4368.html

 5/19/2004 - utempter
   Insecure temporary file vulnerability
   An updated utempter package that fixes a potential symlink vulnerability is now available.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4369.html

 5/19/2004 - kdelibs
   Insufficient input sanitation
   An attacker could create a carefully crafted link such that when opened by a victim it creates or overwrites a file in the victim's home directory.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4370.html

 5/19/2004 - cvs
   Heap overflow vulnerability
   Stefan Esser discovered a flaw in cvs where malformed "Entry" lines could cause a heap overflow.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4371.html

 5/19/2004 - neon
   Heap overflow vulnerability
   An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client, such as cadaver.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4372.html

 5/19/2004 - subversion
   Buffer overflow vulnerability
   An attacker could send malicious requests to a Subversion server and perform arbitrary execution of code.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4373.html

 5/19/2004 - ipsec-tools
   Denial of service / buffer overflow vulnerability
   A crafted ISAKMP header can cause racoon to crash.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4374.html

+---------------------------------+
|  Distribution: FreeBSD          | ----------------------------//
+---------------------------------+

 5/19/2004 - cvs
   Heap overflow vulnerability
   Malformed data can cause a heap buffer to overflow, allowing the client to overwrite arbitrary portions of the server's memory.
   http://www.linuxsecurity.com/advisories/freebsd_advisory-4367.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 5/14/2004 - exim
   Buffer overflow vulnerability
   When the verify=header_syntax option is set, there is a buffer overflow in Exim that allows remote execution of arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4344.html

 5/14/2004 - libpng
   Denial of service vulnerability
   A bug in the libpng library can be abused using a crafted .png to crash programs making use of that library.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4345.html

 5/19/2004 - Pound
   Format string vulnerability
   There is a format string flaw in Pound, allowing remote execution of arbitrary code with the rights of the Pound process.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4363.html

 5/19/2004 - ProFTPD
   ACL bypass vulnerability
   Version 1.2.9 of ProFTPD introduced a vulnerability that causes CIDR-based Access Control Lists to automatically allow remote users full access to available files.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4364.html

 5/19/2004 - Icecast
   Denial of service vulnerability
   Icecast is vulnerable to a denial of service attack allowing remote users to crash the application.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4365.html

 5/19/2004 - KDE
   Insufficient input sanitation
   Vulnerabilities in KDE URI handlers make your system vulnerable to various attacks.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4366.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 5/18/2004 - libuser
   Denial of service vulnerability
   Steve Grubb discovered a number of problems in the libuser library that can lead to a crash in applications linked to it, or possibly write 4GB of garbage to the disk.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4350.html

 5/18/2004 - passwd
   Multiple vulnerabilities
   Passwords given to passwd via stdin are one character shorter than they are supposed to be. He also discovered that pam may not have been sufficiently initialized to ensure safe and proper operation.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4351.html

 5/18/2004 - apache
   Multiple vulnerabilities
   Patch fixes four separate apache vulnerabilities.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4352.html

 5/19/2004 - kdelibs
   Insufficient input sanitation
   This vulnerability can allow remote attackers to create or truncate arbitrary files.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4360.html

 5/19/2004 - cvs
   Buffer overflow vulnerability
   Stefan Esser discovered that malformed "Entry" lines can be used to overflow malloc()ed memory in a way that can be remotely exploited.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4361.html

 5/19/2004 - libneon
   Heap overflow vulnerability
   It was discovered that portions of neon can be used to overflow a static heap variable.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4362.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 5/18/2004 - kdelibs
   Multiple vulnerabilities
   Updated kdelibs packages that fix telnet URI handler and mailto URI handler file vulnerabilities are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4348.html

 5/19/2004 - cvs
   Buffer overflow vulnerability
   An updated cvs package that fixes a server vulnerability that could be exploited by a malicious client is now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4358.html

 5/19/2004 - cadaver
   Heap overflow vulnerability
   An updated cadaver package is now available that fixes a vulnerability in neon which could be exploitable by a malicious DAV server.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4359.html

 5/19/2004 - mc
   Multiple vulnerabilities
   Updated mc packages that resolve several buffer overflow vulnerabilities, one format string vulnerability and several temporary file creation vulnerabilities are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4378.html

 5/19/2004 - rsync
   Chroot escape vulnerability
   An updated rsync package that fixes a directory traversal security flaw is now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4379.html

 5/19/2004 - libpng
   Denial of service vulnerability
   An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash when opened by a victim.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4380.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

 5/17/2004 - mc
   Multiple vulnerabilities
   These could lead to a denial of service or the execution of arbitrary code as the user running mc.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4346.html

 5/18/2004 - kdelibs
   Multiple vulnerabilities
   The telnet, rlogin, ssh and mailto URI handlers in KDE do not do sufficient argument checking, allowing improper passing of arguments.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4349.html

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

 5/14/2004 - mc
   Multiple vulnerabilities
   This patch fixes buffer overflows, temporary file problems and format string bugs associated with Midnight Commander.
   http://www.linuxsecurity.com/advisories/suse_advisory-4339.html

 5/19/2004 - cvs
   Buffer overflow vulnerability
   Stefan Esser reported buffer overflow conditions within the cvs program.
   http://www.linuxsecurity.com/advisories/suse_advisory-4357.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 5/14/2004 - apache
   Multiple vulnerabilities
   This patch addresses a wide variety of known apache vulnerabilities.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4337.html

 5/14/2004 - kernel
   Privilege escalation vulnerability
   Patch corrects a local root exploit.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4338.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon May 24 03:20:36 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 24 03:32:12 2004
Subject: [ISN] Comm squadron fights 'cyber' war every day
Message-ID:

Forwarded from: William Knowles

http://www.dcmilitary.com/airforce/beam/9_20/features/29187-1.html

by Mike Campbell
11th Wing Public Affairs
May 21, 2004

The 11th Communications Squadron and the Network Control Center guard wing computers 24/7 and remain vigilant as malicious computer viruses and Internet worms continue to attack personal, business and military computers worldwide.

Contrary to what many might think, September 11 and its aftermath did not have any significant negative effect on computer security in the 11th Wing, according to Philip Hom, information assurance specialist with 11th CS.

Mr. Hom says the real threat to wing computers comes from hackers' ability to develop new and ever-more elusive viruses that can penetrate even relatively secure and well-monitored networks such as Bolling's.

"They design viruses that are very well-hidden," he said. "In a couple of the viruses I've seen, there was no interaction [with the user] required. The virus just comes on your network and users don't have to click on anything."

He noted that the last time the Bolling network had to be shut down because of a virus was the spring of 1999, when the Melissa virus, which replicated itself through e-mail, emerged from nowhere to overwhelm commercial, government and military computer systems.
Since then, improved detection techniques and the vigilance of the Air Force Computer Emergency Response Team have kept Bolling's network free from major disruptions.

Besides guarding against new viruses by updating and installing anti-virus "patches" designed to render them harmless throughout the network, the 11th Wing Information Assurance Flight is constantly researching new, Internet-based software that may be attractive, but potentially harmful to users.

Some of this software can contain invisible computer programs called "spyware," which allow the programs' originators to gain users' personal information after they unwittingly install the spyware by activating "Trojan Horse" programs by simply opening attachments.

"Usually it's going to be [free or e-mailed] games that look cool or funny, and meant more for enjoyment; those tend to be the biggest culprits," said Staff Sgt. Benjamin Milton, an 11th CS information assurance specialist.

While the user is busy playing the game, the malicious software embedded in the game is doing its damage. "Every time they play it, they install the program," which Sergeant Milton said can, in some cases, lead to complete "identity theft" of the user.

With malicious hackers lurking everywhere on the Internet and unsolicited e-mail and "spam" hitting e-mail inboxes in record numbers, everyone on base needs to be smart about protecting and maintaining the security and integrity of the Bolling network.

Sergeant Milton said that when it comes to computer security, getting smart begins with the individual user faithfully locking their computer every time they leave the keyboard. "That prevents [others] from being able to tamper with your system when you're gone," he said.

Other basic precautions he suggests are not downloading trial, free or other online software without going through the workgroup manager to ensure there is nothing wrong with the software.
He also cautions users that software additions must be thoroughly checked out and undergo an accreditation process before the software can be authorized to be installed on a wing computer.

Sergeant Milton emphasized that units' workgroup managers are the first point of contact for any questions users may have about computer security.

*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*

From isn at c4i.org Mon May 24 03:20:56 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 24 03:32:13 2004
Subject: [ISN] Security 'scare' for Qantas
Message-ID:

Forwarded from: Darren Reed

Note: This article is not about information security at all but it is a story about someone who has pulled a prank in order to demonstrate the laxness of airline/airport security. What I think is important is to observe the reactions of the authorities, in addition to the airline. I think this is important because too many people pass off doing port scanning, etc, as being of benefit to others - to be able to demonstrate a weakness.

What's likely to be the end outcome? No metal cutlery in airline lounges :-/

http://theage.com.au/articles/2004/05/15/1084571006621.html

Knives out for 'goat' Rex Hunt

By Lyall Johnson, Andrew Webster
May 16, 2004

He called it a "light-hearted prank" to highlight flaws in security at Australia's airports but television and radio showman Rex Hunt only narrowly escaped federal criminal charges yesterday after smuggling 10 metal forks he had stolen from a Qantas lounge onto an aeroplane.
Hunt was branded a "complete goat" after causing a security scare on the flight from Adelaide to Melbourne when he began showing the forks around. A concerned passenger who did not recognise Hunt notified a flight attendant and Australian Federal Police detained him at Melbourne Airport.

After more than half an hour of questioning, Hunt was released without charge and made his way - running late - to the MCG to call the Richmond-Western Bulldogs football match for 3AW.

An AFP spokesman said forks were not classed as weapons under the Air Navigation Act and that because the detectives were satisfied Hunt had no intention of committing a violent or dangerous act, he was not charged.

A spokesman for Qantas said the airline had referred the theft of the forks to police. Hunt handed the cutlery over but it is uncertain whether charges will be laid.

The incident began at the check-in at Adelaide Airport, where Hunt repeatedly set off a security alarm. Hunt, speaking later on 3AW, claimed he had been "dacked" by airport security after they requested he take off his belt and shoes.

"My denim jeans were down around my (shoes), my Y-fronts were in full view . . . I was dacked," Hunt said.

"Yeah, it (made me lose it). I should have taken a breath and said they are only doing their job, which they are. (But) I went straight up to Qantas, got a handful of forks and said, 'I'll just show how easy it is to infiltrate this tight security I've just been through.' "

During the flight, he showed the forks to a number of passengers, including Essendon assistant coach Mark Harvey, and told them he was highlighting security flaws.

However, both a Qantas source and a spokesman for federal Transport Minister John Anderson claimed Hunt's version of events was not entirely true. They claim he had pulled down his trousers when he was asked to remove his belt at Adelaide Airport.
Mr Anderson's spokesman said: "It is very unfortunate that an airline passenger has chosen to act like a complete goat . . . It is also disappointing that a celebrity seems to believe he is above the law and that regulations for passenger screening should not apply to him."

A repentant Hunt admitted it was an irresponsible thing to do and "if I could change it I would". But he added that if his prank led to a tightening of security, it would be worth it.

He objected to being called a "goat" and demanded an on-air interview with Mr Anderson's spokesman, who declined.

Hunt told his radio audience that he wished he had not done what he did, saying: "It shook me, the fact that I was treated by a criminal - and I should have been."

From isn at c4i.org Mon May 24 03:21:10 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 24 03:32:14 2004
Subject: [ISN] !! Conference Program Computer Security Mexico 2004 !!
Message-ID:

Forwarded from: Seguridad en Computo - UNAM

-----BEGIN PGP SIGNED MESSAGE-----

========================================================================
                      Computer Security Mexico 2004
           "10 Years Celebrating Computer Security Mexico"
                   Antiguo Colegio de San Ildefonso
                       May 27th - May 28th, 2004
                          Mexico City, Mexico
========================================================================

The goal of Computer Security 2004 Mexico is to create awareness among the computer user community about security strategies and mechanisms used to protect information systems.

Since 1994, Mexico has been organizing this great event through the Computer Security Department at UNAM and UNAM-CERT.

Computer Security 2004 Mexico will be an event for all the people who are involved in the use, design and administration of computer systems.
For the 2004 Conference Program we will have the presentation of a new book by Mike Schiffman and Jeremy Rauch; Avi Rubin will present his recent work on "Electronic Voting and Security"; Art Manion of CERT/CC will present "Internet Explorer: Unsafe in Any Zone"; Wietse Venema will present "Open Source Security Lessons"; and Alan Paller will talk about "How Organizations are Fighting Back Against Cybercrime", among other computer security experts.

IMPORTANT: The Conference will be in English and Spanish. Translation service available.

--------------------------------------------------

Keynote Speakers

* How Organizations are Fighting Back Against Cybercrime
  Alan Paller
  Director of Research, The SANS Institute

* Open Source Security Lessons
  Wietse Venema
  IBM T.J. Watson Research Center

* Electronic Voting and Security
  Avi Rubin
  Johns Hopkins University

* The Case for a Modern Network Infrastructure Security, Volume I: The Protocols
  Mike Schiffman and Jeremy Rauch
  Cisco Systems and Independent Security Consultant

* Secure Shell and Network-Based Intrusion Detection: Can (or should) they Co-exist?
  Eugene Schultz
  Lawrence Berkeley National Laboratory

* New Attacks and New Trends in Information Security (Nuevos Ataques y Nuevas Tendencias en Seguridad Informática)
  Ivan Arce
  Chief Technology Officer, Core Security Technologies

* Internet Explorer: Unsafe in Any Zone
  Art Manion
  Vulnerability Handling Team, CERT/CC

* Security Strategies in European Networks (Estrategias de la Seguridad en Redes Europeas)
  Francisco Jesús Monserrat Coll
  Security Coordinator, RedIRIS

* Future Trends in IDS Technologies
  Adam Richard
  SecureIT

* The Security Enabled Enterprise & Windows XP Service Pack 2
  Aaron Turner
  Security Center of Excellence Delivery Manager, Microsoft Corp.

--------------------------------------------------

Why should you attend?

Because it is the opportunity to find out about what is being developed in the computer security field, and it is also a chance to share your own experience and interests with people with the same interest in this field.
Also, you can learn how to manage and respond to computer security incidents without exposing your resources.

--------------------------------------------------
Further Information:

* Web: http://congreso.seguridad.unam.mx
* Conference registration available on site
* The Conference Program will be in English and Spanish

Juan Carlos Guel
--
Departamento Seguridad en Computo
UNAM-CERT DGSCA, UNAM
Circuito Exterior, C. U.
Del. Coyoacan
04510 Mexico D. F.
E-mail: seguridad@seguridad.unam.mx
Tel.: 5622-81-69  Fax: 5622-80-43
WWW: http://www.seguridad.unam.mx
WWW: http://www.unam-cert.unam.mx

From isn at c4i.org Mon May 24 03:21:20 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 24 03:32:15 2004
Subject: [ISN] Apple Patches Security Hole in Mac OS X
Message-ID:

http://www.eweek.com/article2/0,1759,1598258,00.asp

By Ian Betteridge
May 23, 2004

Apple has released an update to Mac OS X patching a security hole that potentially allowed malicious code to be run via a Web page. The hole, which was rated as "extremely critical" by security company Secunia, allowed an attacker to potentially execute any Unix command, including ones to erase the user's home directory.

The company took the unusual step of issuing a statement announcing the fix, in contrast to its previous policy of refusing all comment on security issues.
"Apple takes security very seriously and works quickly to address potential threats as we learn of them - in this case, before there was any actual risk to our customers," said Philip Schiller, Apple Computer Inc.'s senior vice president of worldwide product marketing.

But according to some users, the company was notified of the problem in February and has yet to respond to the original notification.

The fix is available via the Mac OS X Software Update System Preference, or it can be downloaded from Apple's Web site.

From isn at c4i.org Mon May 24 03:21:31 2004
From: isn at c4i.org (InfoSec News)
Date: Mon May 24 03:32:16 2004
Subject: [ISN] Media missing at Los Alamos
Message-ID:

http://www.fcw.com/fcw/articles/2004/0517/web-missing-05-21-04.asp

By Sarita Chourey
May 21, 2004

An effort to reduce Classified Removable Electronic Media (CREM) at Los Alamos National Laboratory has yielded what federal officials call an accounting discrepancy and a watchdog group characterizes as a national security breach.

Workers discovered the discrepancy in their account May 17 during a reinventory of classified media, according to officials. But laboratory and Project on Government Oversight (POGO) officials present different versions of the circumstances surrounding the missing media.

Los Alamos officials described it as a bookkeeping error rather than an actual loss of material, and said most of the errors relate to administrative mistakes and past use of low-density magnetic and desktop systems. The accounting hole does not constitute a threat to national security, officials said.

But POGO officials called the event a major security breach. "The lab can try to spin it however they want," said Danielle Brian, the group's executive director. "Classified data is missing once again from Los Alamos."

The item in question was supposed to be destroyed in March, laboratory spokesman Kevin Roark said. "It's undocumented, but we believe it was" destroyed, he said.
Energy Department officials want to convert information to diskless computers within five years, to prevent someone from transporting classified data in electronic form outside the site. Brian said the initiative should start immediately at Los Alamos.

A recently completed CREM-reduction effort cut the laboratory's amount of recordable items by 50,000 pieces, or 60 percent from December levels, officials said. The initiative is in accordance with a University of California corporate policy on accountable classified removable electronic media.

Rep. Tom Udall (D-N.M.), whose district is home to the laboratory, said in a statement that lab officials assured him that the information does not contain nuclear weapons data. "The laboratory is already taking steps to create a 'medialess environment' by moving sensitive information to classified servers," he said.

From isn at c4i.org Tue May 25 02:14:22 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 25 02:33:25 2004
Subject: [ISN] Linux Security Week - May 24th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  May 24th, 2004                               Volume 5, Number 21n  |
|                                                                     |
|  Editorial Team:  Dave Wreski                 dave@linuxsecurity.com|
|                   Benjamin Thomas              ben@linuxsecurity.com|
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Security flaws could corrupt open source databases," "TCP/IP Skills Required for Security Analysts," and "Regulation Compliance Tops Companies' Security Concerns."

----

>> NEW Step-by-Step SSL Guide for Apache from Thawte <<

Thawte's new guide will show you how to test, purchase, install and use a Thawte Digital Certificate on your Apache web server.
Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. Download a guide to learn more:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten06

----

LINUX ADVISORY WATCH:

This week, advisories were released for heimdal, cvs, neon, cadaver, libpng, iproute, lha, mailman, kdelibs, tcpdump, utempter, subversion, exim, Pound, ProFTPD, Icecast, libuser, passwd, apache, kdelibs, mc, rsync, and the kernel. The distributors include Debian, Fedora, FreeBSD, Gentoo, Mandrake, Red Hat, Slackware, SuSE, and Trustix.
http://www.linuxsecurity.com/articles/forums_article-9330.html

----

Guardian Digital Security Solutions Win Out At Real World Linux

Enterprise Email and Small Business Solutions Impress at Linux Exposition. Internet and network security was a consistent theme and Guardian Digital was on hand with innovative solutions to the most common security issues. Attending to the growing concern for cost-effective security, Guardian Digital's enterprise and small business applications were stand-out successes.
http://www.linuxsecurity.com/feature_stories/feature_story-164.html

----

>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04

--------------------------------------------------------------------

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.
http://www.linuxsecurity.com/feature_stories/feature_story-162.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Security flaws could corrupt open source databases
May 20th, 2004

Flaws in two popular source code database applications could allow attackers to access and corrupt open-source software projects, according to a security researcher. One vulnerability affects the Concurrent Versions System (CVS), an application used by many developers to store program code.
http://www.linuxsecurity.com/articles/server_security_article-9324.html

* Safe and insecure
May 19th, 2004

Last week, I turned off all the security features of my wireless router. I removed WEP encryption, disabled MAC address filtering and made sure the SSID was being broadcast loud and clear. Now, anyone with a wireless card and a sniffer who happens by can use my connection to access the Internet.
http://www.linuxsecurity.com/articles/network_security_article-9321.html

* What's Wrong With E-Mail Accreditation?
May 18th, 2004

E-mail accreditation isn't taken all that seriously as a method of spam control. I'm baffled as to why. It appears to be an effective means of helping ensure that spam filters don't accidentally block e-mail that the recipient actually wants to get.
http://www.linuxsecurity.com/articles/privacy_article-9317.html

* Hardened-PHP
May 17th, 2004

The Hardened-PHP project team is pleased to announce the release of version 0.1.1 of our PHP security hardening patch. This new Hardened-PHP release is the first one that is publicly announced and is considered stable on at least Linux systems.
http://www.linuxsecurity.com/articles/projects_article-9310.html

+------------------------+
| Network Security News: |
+------------------------+

* Do We Suffer From Wi-Fi Security Paranoia?
May 21st, 2004

I'm one of the world's most rabid fans of wireless networking -- known variously as Wi-Fi, 802.11 or AirPort.
(Would somebody PLEASE come up with a consistent, user-friendly term for it?) It's just so glorious to be standing in an airport, hotel lobby or city street, open your laptop, and discover that you can go online at cable-modem speeds without hooking up a single cable.
http://www.linuxsecurity.com/articles/network_security_article-9332.html

* Conference Wireless LAN is Hacker Heaven
May 20th, 2004

AirDefense is one of the more respected companies producing wireless LAN security software. AirDefense performed a research experiment at the recent Networld+Interop conference in Las Vegas. Their monitoring software scanned for vulnerabilities and network attacks during the conference producing some astonishing results.
http://www.linuxsecurity.com/articles/network_security_article-9326.html

* TCP/IP Skills Required for Security Analysts
May 19th, 2004

Breaking into the network security industry, and finding a job as a computer security analyst can often be a daunting task. A great deal of us who work in the industry started down this path with nothing but an interest in computer security to begin with, and a desire to work in a field that we love.
http://www.linuxsecurity.com/articles/general_article-9320.html

* No WLAN? You still need wireless security
May 17th, 2004

Although most wireless security solutions target organizations that have deployed wireless networks, there is a class of solutions that target all companies--even those that haven't deployed wireless networks.
http://www.linuxsecurity.com/articles/network_security_article-9309.html

* Strategies for real and virtual honeypots
May 17th, 2004

Few would deny that security has become a huge priority for network administrators over the last few years. Administrators dedicate lots of time to making sure their networks have all of the latest security patches, firewalls, and intruder detection systems designed to log suspicious activity.
http://www.linuxsecurity.com/articles/intrusion_detection_article-9308.html

* Centralizing the Management of Network Security
May 17th, 2004

Two extreme scenarios exist for handling security when dealing with geographically disparate organizations: In the first scenario, local IT staff is employed at the individual remote locations. In this case, organizations have to deal with cultural differences, varying skill levels and capabilities and language barriers that pose potential misunderstandings.
http://www.linuxsecurity.com/articles/general_article-9311.html

+------------------------+
| General Security News: |
+------------------------+

* Open Source Users Unaffected by Sasser Worm
May 21st, 2004

Since the 'Sasser' worm hit the Telstra BigPond network at 1AM Saturday, 1st May, Australian computer users have suffered major disruptions, with thousands of home and business users running Microsoft operating systems infected and others experiencing network congestion.
http://www.linuxsecurity.com/articles/host_security_article-9333.html

* Cisco to patent security fix
May 20th, 2004

Cisco Systems has applied for patents on technology that it claims will fix a flaw that has recently been found in one of the most common communications protocols.
http://www.linuxsecurity.com/articles/network_security_article-9327.html

* Embracing the Art of Hacking
May 19th, 2004

The idea that every hacker is an artist and every artist is a hacker isn't groundbreaking -- recent gallery and museum shows have focused on the link between art and coding -- but a new book by programmer Paul Graham gives the concept a fresh twist by advising hackers to improve their skills by borrowing creative techniques from other artists.
http://www.linuxsecurity.com/articles/security_sources_article-9322.html

* Regulation Compliance Tops Companies' Security Concerns
May 18th, 2004

Just a few short years ago, the primary security-related concern for most IT executives was how to prevent hackers from infiltrating their companies' systems. Although that issue still is quite relevant, it's no longer the top concern of many organizations. Today, that honor goes to how to comply with the increasing number of regulatory and compliance mandates required by the U.S. government.
http://www.linuxsecurity.com/articles/general_article-9315.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue May 25 02:14:52 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 25 02:33:26 2004
Subject: [ISN] Tech Ed net locked down tight as a coffin
Message-ID:

http://www.theinquirer.net/?article=16099

[I have it under good authority from "The Unknown Hacker" that ports 80, 110, and 143 are open, and the Inquirer writer needs to lay off the Vodka RedBull's being expensed. :) - WK]

By INQUIRER staff
24 May 2004

TECHED 2004, San Diego -- From the belly of the Vole.

I ARRIVED this morning at the TechEd 2004 conference in San Diego. Within five minutes of registering I made my way to the Sail Pavilion, an impressive auditorium with about 600 computers, tables with ample amps and wep-less, wire-less web. So far, so good.

I sat down, hooked up my trusty Compaq Battery Extender, and got to work. Or tried to. It turns out that my first "breakout session" (the one where I try to break out to the external network and check my email) ended in frustration when I learned that the local network engineers have nearly everything except port 80 walled off.
Apparently, even most normal email ports are off limits to conference attendees. Anyone who runs any kind of webmail system can still check their mail, but I wonder how many in the crowd of developers and conference attendees shared in my initial frustration and will have to go without this week.

In a brief discussion with one of the network technicians, I inadvertently learned of a dark conspiracy. What any red blooded 'Merican would describe as an evil, headless terr'ist group of l337 h4x0r infidels has *allegedly* offered a bounty to anyone who can break into the conference network and run amok. I can't verify anything, but I'd be willing to bet Microsoft's got snipers perched strategically around the conference center to pick off local warwalkers. I have been unable to substantiate this rumour, but it makes sense. We live among bloodless heathens, and they must be dealt with.

I've since learned that my hotel room offers inexpensive high-speed internet connection, so I can still make my CVS commits and check my email normally. In this regard, I've managed to duck out of the Vole versus h4x0r dance (a good thing, since my feet are already sore from hoofing it around San Diego). But, while considering the dance from waaaaaay up in my ivory tower hotel room, with my comfy high speed connection, a couple of unfortunate and ironic conditions crossed my mind.

First of all, whether or not the hackers succeed in their mission, hundreds of folks here might have to live without email access for a week. That's just plain frustrating, and I can't imagine it will do much to improve the public image of the hacker as a benevolent, overly curious explorer of the digital frontier.

A second consideration is that Microsoft's solution might be a little extreme. Crippling the network for anyone who doesn't have webmail might be a bit like cutting off the toe to clip the nail. Or throwing the baby out with the bathwater. Or putting the fire ants in the--anyway, you get the drift.
It might cause more trouble than it solves. Something tells me there'd be enough coffee and more than enough eager network admin types here willing to have a patch-a-thon if things got wiggly.

If I were an innocent bystander caught without email in the middle of this mess, I'd start looking for nearby wireless cafes. I'll let you know if I kick any up. More interesting tidbits as they develop.

From isn at c4i.org Tue May 25 02:15:04 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 25 02:33:28 2004
Subject: [ISN] Theft of Cisco Source Code Stirs Fears of Security Threat
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,93352,00.html

News Story by Jaikumar Vijayan
MAY 24, 2004
COMPUTERWORLD

The theft of proprietary operating system source code from Cisco Systems Inc. poses a potentially serious security threat to corporate networks that use the company's technology, users and analysts said.

And the paucity of information released by the networking giant in the wake of last week's disclosure that the code had been stolen is raising troubling questions about what exactly happened and the real extent of the compromise, they added.

"We are all waiting to hear what Cisco has to say," said Stephen Smith, network manager at Keystone Mercy Health Plan in Philadelphia.

Cisco has been "unnaturally and unproductively quiet," added John Pescatore, an analyst at Gartner Inc. "That gives the impression that they are still unsure about the scope of the breach. Or they are sure, and it's much worse than has come out so far," he said.

Unidentified attackers last week stole an unspecified amount of source code for Cisco's Internetworking Operating System 12.3 and 12.3T software, which is widely used in switches and other networking equipment. A Russian Web site posted about 13MB of what it claimed was the stolen code on May 15, saying that as much as 800MB of code appeared to have been stolen.
Alexander Antipov, a security expert at Moscow-based Positive Technologies, which owns the Web site that posted the code, claimed that the company downloaded it via a link provided over an Internet Relay Chat channel by someone using the online name Franz. The supposed Cisco code samples, a copy of which was sent to Computerworld, were removed from Positive Technologies' site at Cisco's request on May 18, Antipov said.

In a prepared statement posted on its Web site last week, Cisco confirmed that a "portion" of IOS code had been illegally copied and publicly posted for several days. It appeared that the occurrence was not the result of a flaw in any Cisco product or service, the note said. It is also unlikely that the action was taken by a Cisco employee or contractor, it added.

The company refused to provide any further details, citing an ongoing investigation into the matter, but said it believed that "the improper publication of this information does not create increased risk to customers' Cisco equipment."

"We will continue to closely monitor this matter and provide updates as appropriate to customers," a company spokesman said.

The theft raises security concerns, especially since Cisco's technology is widely used on corporate networks, users said.

"Now that the code is available to scrutinize, it will be easier to find holes to exploit," said Jon Duren, chief technology officer at IdleAire Technologies Corp., a Knoxville, Tenn.-based provider of electrification services. "This issue has caused [us] to re-evaluate our access control lists on the routers, and on devices surrounding our routers, to ensure that they are solid," Duren said.

A similar incident involving the theft of Microsoft Corp. source code for Windows NT and Windows 2000 in February led to the discovery of a remotely executable flaw in the company's Internet Explorer browser software [QuickLink 44787].
The stolen Cisco code could be investigated for similar flaws or somehow exploited to create back doors or to fool users into downloading malicious patches or Trojan horse programs, security experts said.

In the Microsoft incident, the stolen code was freely available for download. In contrast, the Cisco source code hasn't resurfaced following its brief public airing on the Russian Web site.

Another difference between the two incidents is that the Cisco source code could be a lot more difficult to exploit than the Microsoft code, which was "complete and reasonably easy to work with," said Johannes Ullrich, chief technology officer at the SANS Internet Storm Center in Quincy, Mass.

"Just the same, we still have to be aware of the possibility of a security issue arising as a result of the theft," said Edward York, CTO at 724 Inc., an application service provider in Lompoc, Calif.

This is especially true given the lack of information coming from Cisco, users and analysts said. Gartner's Pescatore noted that the question that always gets raised when incidents such as this occur is, "If this got out, what else was going on?"

From isn at c4i.org Tue May 25 02:15:16 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 25 02:33:29 2004
Subject: [ISN] Former cybersecurity chief opposes new regulations
Message-ID:

http://www.govexec.com/dailyfed/0504/052404tdpm2.htm

By William New
National Journal's Technology Daily
May 24, 2004

Richard Clarke, former White House cybersecurity chief, is the first to admit that more than a year after that office completed a national cybersecurity strategy, attacks via the Internet are still on the rise. But that is not the fault of the strategy, and does not mean that more government intervention is needed, he said.

In a recent interview with National Journal's Technology Daily, Clarke criticized the Bush administration for failing to implement the National Strategy to Secure Cyberspace and for cutting funding for cybersecurity research.
"They've actually cut the overall amount of money for research in cybersecurity," he said. "They've not created the federal government as an example of how to do cybersecurity."

Clarke defended the strategy he oversaw, saying that it "absolutely" reflected his views, and indicating that no changes are needed in it. He took issue with press reports from the time of the strategy's release that suggested it had been "watered down" through consultation with industry and others.

"What we did was we had a very complex document that was the result of a lot of input from a lot of groups in and out of government," he said. "We had 70 or 80 ... recommendations. ... So we clustered them ... into five recommendations and simplified the document. It wasn't watered down."

He also contended with assertions that the earlier version had more "teeth," in terms of calling for federal regulations. He said a strong public-private partnership is critical to success against cyber attacks, and frowned upon new regulation. "I don't mind regulation if it's already there in industry traditionally regulated [such as electric power, banking and healthcare], and I think if you're going to have regulation, it ought to be effective regulation."

Clarke also said, "The FBI is light years ahead of where it was three or four years ago, but where it was three or four years ago is in the Stone Age." But he said FBI and the Homeland Security Department are moving slowly to put in place a sophisticated network for federal, state and local law enforcement. "They are underfunded and there is a certain lack of creativity," he said.

Clarke, who was the White House counter-terrorism adviser before moving to cybersecurity, said, "Terrorists use the Internet just like anybody else." But he has "yet to see any evidence per se that terrorists have used the Internet to launch attacks and cyber attacks. But then we very seldom know who does launch cyber attacks."
Clarke left the administration shortly after the strategy's release early in 2003, and is now in the private sector in northern Virginia, consulting on cybersecurity for firms such as Symantec and RSA Security.

Asked about this year's presidential election, Clarke said he is "still waiting" for a technology policy statement from the campaign of Democratic candidate John Kerry and would not say which candidate he supports. "I think I'm going to not publicly endorse anyone. I certainly think we need a management change, let's put it that way."

From isn at c4i.org Tue May 25 02:15:34 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 25 02:33:30 2004
Subject: [ISN] Tales of Cyber-Crime Running Rampant
Message-ID:

http://www.eweek.com/article2/0,1759,1597361,00.asp

By Dennis Fisher
May 24, 2004

When Donna Getgen opened a letter from her credit union in March, the message within was anything but routine. Getgen was informed that she had been the victim of a cyber-theft. Getgen's account number, the letter read, was stolen from a database at BJ's Wholesale Club Inc., where she shopped from time to time.

Stunned, Getgen, a business operations specialist for a high-tech company from Owings, Md., would later learn that she was one of tens of thousands of victims of one of the largest cyber-thefts in recent history.

The BJ's security breach, which occurred over seven months from late 2003 to early this year and compromised thousands of debit and credit cards, was just the latest example of the kind of large-scale cyber-crime being perpetrated with greater frequency than ever in the United States and around the world.

Ironically, as the number and scope of cyber-crimes proliferate, local, state and federal authorities are scrambling for resources to combat the threat. In many cases, the authorities are directing resources away from cyber-crime cases.
"Most Americans would be surprised to know that thousands of credit card numbers are sold online every day, and very little is done to stop it," said Jim Melnick, director of threat intelligence at iDefense Inc., in Reston, Va., and a former Defense Intelligence Agency officer. "The dirty little secret is that there's all this other stuff going on that nobody is stopping. I'm not sure there's an understanding inside Washington of how pervasive cyber-crime is."

Increasingly sophisticated schemes - from outright break-ins to so-called phishing scams - are among the biggest problems facing financial institutions today. The number of phishing attacks alone has grown by 1,200 percent in the past year, according to MessageLabs Inc., in New York. Phishing is the practice of sending fraudulent e-mail purporting to come from a bank, credit-card issuer or other trusted source to solicit account numbers, Social Security numbers and other sensitive data.

A comprehensive study of the problem released last month by analysts at Gartner Inc., of Stamford, Conn., shows that more than 57 million Americans have received at least one phishing e-mail. The financial losses suffered by banks and credit card issuers that ultimately pay for these frauds amounted to $1.2 billion last year, the study said.

Despite the mounting research, bank officials contacted for this story said they, along with credit card issuers, are doing most of the education and prevention regarding cyber-crime without much help from law enforcement or government regulators.

"The biggest risk right now for us is the loss of reputation," said Michael Roberts, senior vice president and CIO of the Bank of Alameda, in California. "We get a lot of people who have had their account numbers or Social Security numbers stolen and come to us for help. We can't have that.

"Identity theft is escalating, and it's moving offline. We see people coming in here with stolen numbers trying to open accounts. It's happening."
Actually, cyber-crime has been happening for years. It is only now entering the public consciousness, thanks to high-profile incidents like the BJ's theft and elsewhere, such as those perpetrated on Guess Inc. and MTS Inc.'s Tower Records unit. In fact, of the 500 companies that responded to a recent FBI survey, 90 percent said they'd had a computer security breach, and 80 percent of those said they'd suffered financial loss as a result.

Today, online criminals use stolen credit card numbers as illicit currency. The information is traded for other commodities, such as Social Security numbers or access to networks of compromised PCs that can be used in distributed-denial-of-service (DDoS) attacks.

But as the cyber-crime rate climbs, security experts, consumers and even former government officials are questioning why federal lawmakers and administration officials have devoted so few resources to combating the menace. Many attribute the resource issue to the war on terrorism.

"There were decisions made that things like credit card investigations weren't worth it at that point," said one former federal law enforcement agent who was involved in cyber-crime investigations for more than a decade. "Cyber-crime was put on the back burner. Pure investigations into cyber-crime have diminished at the FBI and the Secret Service."

Indeed, in the months following the terrorist attacks of Sept. 11, 2001, counterterrorism became the highest priority for the FBI as well as the Secret Service, the two federal agencies responsible for the bulk of the government's cyber-crime investigations. That shift took its toll on the computer crime units at both agencies, and nearly 20 Secret Service agents who were working on cyber-crime at the time of the attacks were transferred to terrorism investigations.

"There's a broken spirit in the government as far as cyber-crime," the former agent said. "It's one of the most daunting tasks that law enforcement has ever had to deal with."
For those investigators at the FBI and Secret Service still responsible for handling cyber-crime - about 300 and 100, respectively - many are often pulled away from their regular duties to work on special details, which can lead to long delays in completing investigations.

"There just aren't enough agents to do what's required," the former agent said. "The response from the government hasn't been commensurate with the problem. The big investigations that you see on TV with the press conferences were the exception, not the rule.

"They're just showpieces. Having a massive investigation every six months is inconsequential when you have a crisis going on."

According to government and law enforcement officials, the lack of interest in fighting cyber-crime comes from the top down and is traced to the current and past presidential administrations.

Richard Clarke, chairman of Good Harbor Consulting LLC, in Herndon, Va., and a former counterterrorism official in the Clinton and current administration, often warned of the potential for a terrorist-based computer attack that would take out portions of the U.S. power grid or financial networks.

When the power grid that serves huge swaths of the Northeast, Midwest and portions of Canada failed on a sweltering day last August, just days after the outbreak of the infamous Blaster worm, many people thought Clarke's oft-repeated prediction of a "digital Pearl Harbor" had come true. Within hours of the blackout, CNN reported from the paralyzed streets of Manhattan that U.S. officials were investigating the possibility that Blaster had caused the outage.

It seemed to fit. Blaster was running rampant on the Internet, infecting hundreds of thousands of machines. More to the point, other recent worms had wreaked havoc with machines and networks not normally thought to be vulnerable.
The SQL Slammer worm in January 2003 brought down the 911 dispatch system in Bellevue, Wash., and disrupted the operation of Bank of America's network of ATMs, angering customers and inciting fears that so-called crackers had stumbled on a new attack vector. Then Blaster arrived.

But in the 10 months after the blackout, no evidence linking Blaster to the outage was found. In fact, an exhaustive report written by a joint U.S.-Canadian committee formed to study the blackout's effects determined there was no connection to any deliberate malicious attack on the power companies' computers.

"The [Security Working Group] found no evidence that malicious actors caused or contributed to the power outage, nor is there evidence that worms or viruses circulating on the Internet ... had an effect on power generation," the report concluded.

The report should have relegated Blaster to a footnote in the matter. But many security experts point to the incident as a perfect illustration of how the specter of cyber-terrorism can obscure the real problem of cyber-crime. While examples of cyber-crime abound, from database theft to Nigerian banking scams to the rigging of online gambling to worm attacks, no current or former government officials, no law enforcement officers and no security experts interviewed for this story could cite a single example of cyber-terrorism.

"There haven't been any at all, to my knowledge," said Howard Schmidt, chief security officer at eBay Inc., in San Jose, Calif., and former chairman of the President's Critical Infrastructure Protection Board and one of the first dedicated computer crime investigators in the country, first with local law enforcement in Arizona, then with the FBI and later with the Air Force Office of Special Investigations. "I actually refrain from using that term [cyber-terror]."

That's not to say the possibility doesn't exist for a concerted, targeted attack to bring down a critical banking network, utility grid or other vital system.
Clarke, for one, sees the threat of cyber-terrorism as a serious concern for the United States. "What we see today is just the tip of the iceberg in terms of what's possible, especially if a nation-state wanted to get in on this," he said. "As long as these things are possible, we run the risk that someone will do them." And while other observers claim terrorist groups are using the Internet mainly for communications and fund-raising, Washington insiders insist the government is not sitting by idly awaiting a strike. "Cyber-crime is an alarming trend and one we're actively [focused on]," said Amit Yoran, director of the National Cyber Security Division at the Department of Homeland Security, the nation's top cyber-security post. "It's a huge issue. The Department of Justice's top priority is this. We're trying to build a threat-independent approach to protection. We don't care if it's a terrorist or a kid. If there's an impact, that's what we care about." Yoran said that relatively little data on cyber-crimes is flowing between the different departments and agencies in federal, state and local governments but that efforts are under way to change that. Another problem, he said, is the naivete of most Internet users. "I think there's a lack of general awareness among consumers about how vulnerable they are," Yoran said in Washington. "The issues right now are overly complex, and the government has to simplify it." Donna Getgen might agree, although it doesn't offer her much comfort. No fraudulent activity was found involving her debit card account in March, and the Digital Federal Credit Union, in Marlborough, Md., went ahead and canceled the card and was in the process of issuing her a replacement by the time she received the letter. But Getgen is still distressed by the incident. "I really have lost trust," said Getgen. "I haven't been back to BJ's since this happened, and I don't intend to go back. If I did, it would be on a cash basis only." 
From isn at c4i.org Tue May 25 02:15:57 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 25 02:33:31 2004
Subject: [ISN] The biggest spammer on the Net? Comcast?
Message-ID:

http://zdnet.com.com/2100-1107_2-5218720.html

By Declan McCullagh
CNET News.com
May 24, 2004

Comcast's high-speed Internet subscribers have long been rumored to be an unusually persistent source of junk e-mail. Now someone from Comcast is confirming it.

"We're the biggest spammer on the Internet," network engineer Sean Lutner said at a meeting of an antispam working group in Washington, D.C., last week.

Lutner said Comcast users send out about 800 million messages a day, but a mere 100 million flow through the company's official servers. Almost all of the remaining 700 million represent spam erupting from so-called zombie computers--a breathtaking figure that adds up to six or seven spam-o-grams for each American family every day.

Zombie computers arise when spammers seize on bugs in Microsoft Windows--or from naive users who click on attachments--to take over PCs and transform them into spambots. No hard numbers exist, but some estimates say that about one-third of spam comes from zombie computers with broadband connections. The owners of the zombie PCs typically don't even notice what's happening.

Because home computers are more likely to be infected than business PCs, and because Comcast has about 6 million high-speed customers, it may have been inevitable that the cable provider became a haven for remote-controlled zombies that churn out junk e-mail.

Don't take Comcast's word for it. IronPort Systems' statistics for comcast.net show that while the company's six official mail servers have a monthly outgoing e-mail index of 6.2, there are at least 44 Comcast subscribers with similar scores of 5.8 or higher. Overall, Comcast is the single biggest source of all types of e-mail, with a higher volume than the next two, Time Warner's Road Runner and Yahoo, combined.
Brian Martin, a computer security consultant in Denver, experienced Comcast zombies firsthand. Last year, a Comcast subscriber apparently infected by zombieware disgorged approximately 10,000 e-mail messages an hour to Martin's e-mail address. It took two weeks of almost daily complaints to Comcast's abuse department before the deluge stopped.

"I don't think that they really care about spam or virus infections," Martin said. "They don't want to put any personnel on it, because it takes away from the bottom line."

Slowing the spam

I don't mean to pick on Comcast. At least nowadays, its technicians appear to be more responsible: In March, it began sending warnings to suspected zombie infectees. In terms of the percentage of its users infected by zombies, Comcast is far from the worst--it's just the sheer number of subscribers that makes the company such an awesome source of spam.

Comcast could block zombies by preventing outgoing mail from leaving its network before it flows through its servers. That technique is called blocking port 25, the port used by the venerable Simple Mail Transport Protocol. It has the benefit of making e-mail departing Comcast's network easier to monitor so that network technicians can spot zombie PCs more quickly.

"It's not rocket science," John Levine, co-chair of the Internet Engineering Task Force's antispam research group, said of this technique. "Basically, you count the mail, and you give everyone a quota. If Grandma usually sends six messages a day and now tries to send 10,000 messages a day, what are the odds that she made that many new friends?"

Some Internet providers, including EarthLink, Cox Communications and a number of universities, block port 25. But because it inconveniences people who rely on remote e-mail providers or the Linux aficionados who run their own mail servers, it's still a controversial response. (Eventually, all e-mail clients will support the workaround of outgoing connections through port 587.)
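The per-subscriber quota Levine describes above (count each customer's outbound mail and flag anyone far above their own norm), as an added example written for this page rather than code from Comcast, Levine or McCullagh's column: a small Python check over constructed daily outbound-SMTP counts. The subscriber labels, the 10x ratio and the 500-message floor are assumptions chosen for the illustration, not figures from the column.

```python
"""Per-subscriber outbound-mail quota check (editor's added example).

Flags senders whose outbound port-25 volume today is far above their own
historical median. The flow records below are constructed for the example.
"""
from collections import defaultdict
from statistics import median

# Constructed records: (day, subscriber, destination port, messages sent).
# In practice these come from flow export or a transparent SMTP relay log.
SAMPLE_FLOWS = [
    ("2004-05-17", "sub-1001", 25, 6), ("2004-05-18", "sub-1001", 25, 5),
    ("2004-05-19", "sub-1001", 25, 7), ("2004-05-20", "sub-1001", 25, 4),
    ("2004-05-21", "sub-1001", 25, 10000),   # "Grandma" suddenly sends 10,000
    ("2004-05-17", "sub-2002", 25, 300), ("2004-05-18", "sub-2002", 25, 280),
    ("2004-05-19", "sub-2002", 25, 310), ("2004-05-20", "sub-2002", 25, 295),
    ("2004-05-21", "sub-2002", 25, 320),     # busy but consistent list host
    ("2004-05-21", "sub-3003", 80, 50000),   # web traffic, not port 25: ignored
    ("2004-05-21", "sub-4004", 25, 40),      # no history, small volume
    ("2004-05-21", "sub-5005", 25, 2000),    # no history, large volume
]


def daily_counts(flows, port=25):
    """Sum messages per subscriber per day, keeping only traffic to `port`."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, subscriber, dst_port, n in flows:
        if dst_port == port:
            counts[subscriber][day] += n
    return counts


def flag_zombies(flows, today, ratio=10.0, floor=500, min_history=3):
    """Return {subscriber: (today_count, baseline)} for senders over quota.

    The quota is the larger of `ratio` times the subscriber's historical
    median and an absolute `floor`, so a six-message sender who sends sixty
    is not flagged, while a consistently heavy sender keeps its own, higher
    quota. Subscribers with fewer than `min_history` prior days are judged
    against the floor alone (baseline reported as None).
    """
    counts = daily_counts(flows)
    flagged = {}
    for subscriber, per_day in counts.items():
        today_n = per_day.get(today, 0)
        history = [n for day, n in per_day.items() if day < today]
        if len(history) >= min_history:
            baseline = median(history)
            quota = max(floor, ratio * baseline)
        else:
            baseline = None
            quota = floor
        if today_n > quota:
            flagged[subscriber] = (today_n, baseline)
    return flagged


if __name__ == "__main__":
    for sub, (n, base) in flag_zombies(SAMPLE_FLOWS, "2004-05-21").items():
        print(f"{sub}: {n} messages today, baseline {base}")
```

Comparing each subscriber against its own median, rather than a single network-wide threshold, is what lets the check flag a 10,000-message spike from a six-a-day sender while leaving a legitimately busy host alone. A daily count is coarse, though: a bot that trickles mail at a rate just under the quota every day slides by, which is one reason the column's engineers pair detection with blocking port 25 outright.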
Based on my conversations last week, Comcast's network engineers would like to be more aggressive. But the marketing department shot down a ban on port 25 because of its circa $58 million price tag--so high partially because some subscribers would have to be told how to reconfigure their mail programs to point at Comcast's servers, and each phone call to the help desk costs $9.

Instead, Comcast's engineers plan to try the innovative approach of identifying the zombie PCs and surreptitiously sending the subscriber's cable modem a new configuration routine that prevents outbound connections on port 25. Zombie-infected users won't even notice, the thinking goes, because most people use Comcast's mail servers for outgoing e-mail. Anyone wrongfully blocked can call and complain.

That's a clever idea, and it might even work. More importantly, it shows that the Internet's biggest spammer is finally trying imaginative ways to save our in-boxes from its subscribers.

Biography: Declan McCullagh is CNET News.com's Washington, D.C., correspondent. He chronicles the busy intersection between technology and politics. Before that, he worked for several years as Washington bureau chief for Wired News. He has also worked as a reporter for The Netly News, Time magazine and HotWired.

From isn at c4i.org Tue May 25 02:19:00 2004
From: isn at c4i.org (InfoSec News)
Date: Tue May 25 02:33:32 2004
Subject: [ISN] Hackers getting harder to keep out: survey
Message-ID:

http://www.smh.com.au/articles/2004/05/25/1085442111470.html

Gold Coast
May 25, 2004

Malicious attackers are getting faster and harder to keep out of corporate and government systems, a major conference on computer crime was told yesterday.

The Computer Crime and Security Survey, released at the AusCERT 2004 Asia Pacific IT security conference on the Gold Coast, also showed that efforts to date had failed to reduce the risk of break-ins, with harmful attacks on computer systems in Australia increasing over the past year.
The anonymous survey of more than 200 businesses and government agencies was compiled with assistance of state police forces, Federal Police, the Australian High Tech Crime Centre and the national computer emergency response team, AusCERT. AusCERT general manager Graham Ingram said despite businesses spending more money fighting computer crime over the past year, only five per cent believed they were managing all computer security issues reasonably well. "Corporate Australia is having problems dealing with these issues," said Ingram. "It's telling you how difficult this issue is. "The message to the companies that are running these systems is to keep going. You can't stop. You have to continue. This is a war you can't afford not to fight." The most common and costliest attack on computer systems over the past year was from malicious viruses, worms or trojans with the average loss for all types of electronic computer attacks up 20 per cent to $116,212. Mr Ingram said the survey showed that hackers were able to exploit vulnerabilities faster than ever before and were quicker to react to security fixes or patches designed to keep them out. "You are in this race to get this fixed. That window used to be weeks or months, it's now down to hours and days," he said. "It's an arms race." Australian High Tech Crime Centre director Alastair MacGibbon warned hackers were widening their targets from online banks to home users in an attempt to gather passwords and other sensitive information. "We need to reach millions of end users to have anti-virus software and firewalls on their home computers," he said. The High Tech Crime Centre has noted that computer criminals were combining the skills of spammers, malicious code writers and criminal fraudsters to launch attacks. In one case a home computer in Perth was identified as being involved in the theft of money from seven bank customers. 
An investigation found that criminals from overseas had used a virus to gain control of the computer and carry out the thefts.

The AusCERT conference ends on Thursday.

From isn at c4i.org Wed May 26 03:28:57 2004
From: isn at c4i.org (InfoSec News)
Date: Wed May 26 03:41:48 2004
Subject: [ISN] Tech Ed net locked down tight as a coffin
Message-ID:

Forwarded from: Steve W. Manzuik

> network engineers have nearly everything except port 80 walled off.
> Apparently, even most normal email ports are off limits to
> conference attendees.

Cool, so you only have to sniff http traffic to harvest the usual amount of credentials from the conference.... Wow, who would have thought that it could get any easier than it already is. ;-)

-Steve

From isn at c4i.org Wed May 26 03:29:33 2004
From: isn at c4i.org (InfoSec News)
Date: Wed May 26 03:41:49 2004
Subject: [ISN] REVIEW: "Beyond Fear", Bruce Schneier
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKBYNDFR.RVW 20031219

"Beyond Fear", Bruce Schneier, 2003, 0-387-02620-7, U$25.00/C$38.95
%A Bruce Schneier schneier@counterpane.com
%C 115 Fifth Ave., New York, NY 10003
%D 2003
%G 0-387-02620-7
%I Copernicus/Springer-Verlag
%O U$25.00/C$38.95 800-842-3636 212-254-3232 fax: 212-254-9499
%O http://www.amazon.com/exec/obidos/ASIN/0387026207/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0387026207/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0387026207/robsladesin03-20
%P 295 p.
%T "Beyond Fear"

It is instructive to view this book in light of another recent publication. Marcus Ranum, in "The Myth of Homeland Security" (cf. BKMYHLSC.RVW) complains that the DHS (Department of Homeland Security) is making mistakes, but provides only tentative and unlikely solutions. Schneier shows how security should work, and does work, presenting basic concepts in lay terms with crystal clarity.
Schneier does not tell you how to prepare a security system as such, but does illustrate what goes on in the decision-making process. Part one looks at sensible security. Chapter one points out that all security involves a balancing act between what you want and how badly you want it. An important distinction is also made between safety and security, and the material signals the danger of ignoring the commonplace in order to protect against the sensational but rare. Fundamental security concepts are outlined as well as risk analysis. Chapter two examines the effect (usually negative) that bias and subjective perceptions have on our inherent judgment of risks. Security policy is based on the agenda of the major players, and chapter three notes that we should evaluate security systems in that light. Part two reviews how security works. Chapter four introduces systems and how they fail. "Know the enemy," in chapter five, is not just a platitude: Schneier shows how an understanding of motivations allows you to assess the likelihood of different types of attack. Chapter six is less focused than those prior: it notes that attackers reuse old attacks with new technologies, but it is difficult to find a central thread as the text meanders into different topics. Finding a theme in chapter seven is also difficult: yes, technology creates imbalances in existing power structures, and, yes, complexity and common mechanisms do tend to weaken security positions, but the relationships between those facts is not as lucidly presented as in earlier material. The point of chapter eight, that you always have to be aware of the weakest link in the security chain, even when it changes, is more straightforward, but the relevance of the illustrations surrounding it is not always obvious. 
Resilience in security systems is important, but it is not clear why this needs to be addressed in a separate chapter nine when it could have been discussed in eight with defence in depth (or "class breaks" and single-points-of-failure in seven). The hurried ending is also very likely to confuse naive readers in regard to "fail-safe" and "fail-secure": Schneier does not sufficiently stress the fact that the two concepts are not only different, but frequently in conflict. Chapter ten notes that people are both the strongest and weakest part of security: adaptable and resilient but terrible at detail; frequently surprisingly intuitive but often randomly foolish. At this point the book is not only repetitive, but loses some of its earlier focus and structure.

Detection and prevention are examined, in chapter eleven, not as part of the classic matrix of controls, but as yet another example or aspect of resilience. Most of the rest of the types of controls in the preventive/detective axis are listed in chapter twelve, lumped together as response. Chapter thirteen looks at identification, authentication, and authorization (but not accountability, which was seen, in the form of audit, in chapter eleven). Various types of countermeasures are described in chapter fourteen. Countermeasures with respect to terrorism are examined, in chapter fifteen, both in general terms and in light of the events of 9/11. What works is discussed, as well as what does not, and there is an interesting look at the different roles of the media in the US as contrasted with the UK.

Part three, entitled "The Game of Security," is not clear as to purpose. Chapter sixteen starts off by pointing out that the five step assessment process is constant and never-ending--which begs the question of how to determine when diminishing returns start to set in on assessment itself. However, there is good material in regard to the actions you can take to influence decisions about security.
A concluding editorial, in chapter seventeen, encourages the reader to move beyond fear and think realistically about security and the tradeoffs you are willing to make.

Some of the terms Schneier uses or invents may be controversial. His use of "active" and "passive" failures for the concepts more commonly known respectively as false rejection (false positive) or false acceptance (false negative) is probably much clearer, initially, to the naive reader. The concept is an important one, and so the presentation of it in this way could be a good thing. On the other hand, does "active failure" completely map to what is meant by "false acceptance," and, if not, how much of a problem is created by the use of the new term? Similarly, "class break" does indicate the importance of new forms of attack, but the concept seems to partake of aspects of defence in depth, single point of failure, and least common mechanism, all important constructs in their own right. Schneier's invention of "default to insecure" is not really any more understandable than the more conventional terms of fail-safe or fail-open.

I recommend this book. Unlike Ranum's, "Beyond Fear" has a more significant chance of informing and educating the public on vital issues of security. Security educators will find a treasure trove of ideas and examples that they can use to explain security concepts, to a variety of audiences. Security professionals are unlikely to find anything new in this material, but Schneier's writing is always worth reading, and this work is refreshingly free of the grating of erroneous ideas.

copyright Robert M. Slade, 2004 BKBYNDFR.RVW 20031219

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
C:\WINDOWS C:\WINDOWS\GO C:\PC\CRAWL
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Wed May 26 03:29:49 2004
From: isn at c4i.org (InfoSec News)
Date: Wed May 26 03:41:50 2004
Subject: [ISN] Mac OS fix fails to plug security hole
Message-ID:

http://news.com.com/Mac+OS+fix+fails+to+plug+security+hole/2100-1002_3-5220285.html

By Robert Lemos
Staff Writer
CNET News.com
May 25, 2004

A security hole still threatens Mac OS X users after a patch issued by Apple Computer last week failed to fix the underlying problem, security experts said on Tuesday.

The security issue could allow an attacker to transfer and then run a malicious program on a Mac, if the Mac's user can be enticed to go to a fake Web page on which the program has been placed.

"This, in my mind, is the first critical vulnerability on OS X," said Richard Forno, a security researcher and the former chief of security for domain registrar Network Solutions. "Downloading the patch and seeing that there were some things that were fixed and some things that weren't, tells me that there is more work to be done."

Two other software companies have confirmed the issue. Security information company Secunia raised its rating of the potential risk to "extremely critical" after determining that the vulnerability is more widespread than Apple apparently first thought. Independent software maker Unsanity released a tool this week to work around the problem and put out a white paper describing the issue.

Apple would not comment. The company released the original patch Friday after news of the vulnerability appeared on the Internet.

The vulnerability actually involves two flaws.
One allows a Web site to place a file on the Mac's hard drive when a user clicks on a uniform resource locator, or URL, specifically designed to bypass Mac OS X's security. The other gives an attacker the ability to run a file on another user's computer, provided the location of the file is known. Used together, the flaws constitute a major security hole that could result in a potential instant-messaging or e-mail virus.

Perhaps the biggest problem is that there seems to be no easy solution, Jason Harris, a programmer for Unsanity, wrote in the company's white paper.

"There's lots of overlap between useful applications of this functionality and malicious ones, meaning that Apple can't easily fix this without removing useful features from its operating system and from existing apps," he wrote.

The issue is the first major security problem for Mac OS X that has not been caused by the operating system's underlying Unix roots. Previously, Mac OS X has mainly had to patch problems that affected FreeBSD, the Unix-like operating system on which it is based. However, the current issue is in the code that the company built on top of that software.

Forno maintains that the Mac is more secure than Windows but stressed that this problem should have been caught in testing before the operating system had shipped. Moreover, in light of the goofed patch and previous issues with Apple downplaying security problems, he said the company needs to start being more proactive about security.

"Apple is coming to terms with dealing with these types of issues," Forno said.
From isn at c4i.org Wed May 26 03:30:08 2004
From: isn at c4i.org (InfoSec News)
Date: Wed May 26 03:41:51 2004
Subject: [ISN] Auditors warn of foreign risks to weapons software
Message-ID:

http://www.fcw.com/fcw/articles/2004/0524/web-gaosoft-05-25-04.asp

By Matthew French
May 25, 2004

The Defense Department's control of the source of weapons software came under fire today in a report issued by the General Accounting Office, which said overseas production of software creates an unacceptable security environment.

"DOD acquisition and software security policies do not fully address the risk of using foreign suppliers to develop weapon system software," auditors wrote in the report. "The current acquisition guidance allows program officials discretion in managing foreign involvement in software development, without requiring them to identify and mitigate such risks. Moreover, other policies intended to mitigate information system vulnerabilities focus mostly on operational software security threats, such as external hacking and unauthorized access to information systems, but not on insider threats, such as the insertion of malicious code by software developers."

The report said military officials recently adopted initiatives that could curb the threat, but they have not yet implemented the initiatives throughout the department.

Auditors cited weapons development as a particular concern, given the potential ramifications should an enemy infect software with a malicious code or a Trojan horse, the report said. "Unless program officials provide specific guidance, contractors may favor business considerations over potential software development security risks associated with using foreign suppliers."

As the amount of software on weapon systems increases, it becomes more difficult and more costly to test every line of code. Although DOD has several software tests through which an application must pass, the possibility that stray code can pass through is always a concern.

"The program manager must know more about who is developing software and where early in the software acquisition process, so that it can be included as part of software source selection and risk mitigation decisions," the report said.

Outsourcing software development has been a hot-button topic for more than five years, as vendors are forced to balance the cost savings with the potential security risks. A section in the House version of the 2005 Defense authorization bill offers up to $50 million in grants to DOD contractors to develop strategies to avoid outsourcing jobs, including technology development.

From isn at c4i.org Wed May 26 03:30:19 2004
From: isn at c4i.org (InfoSec News)
Date: Wed May 26 03:41:52 2004
Subject: [ISN] MS UK 0wn3d by hackers. Again
Message-ID:

http://www.theregister.co.uk/2004/05/25/ms_uk_defaced/

By John Leyden
25th May 2004

D'oh. Microsoft's UK Web site was defaced early this morning by previously unknown hackers called the OutLaw Group.

Headings on a page (www.microsoft.com/mspress/uk) plugging tech manuals were altered to "Owned by OutLaw Group" during the brief period the site was defaced.

A Microsoft spokeswoman confirmed a page dealing with technical text books was "briefly replaced by unauthorised content". Microsoft is investigating the incident. Beyond stating it's confident that no customer data was jeopardised by the hack, Microsoft is staying schtum about the embarrassing security breach.

Successful hack attacks on Microsoft Web sites are nothing new, but previous attacks have focused on spraying digital graffiti across the front page of sites, especially those hosted by third party companies at the time. The latest attack is a more subtle data poisoning assault - the digital equivalent of urinating on Microsoft's back porch.

It's unclear what attack mechanism was used to inject the rogue content onto the site, which runs IIS 6.0 on Windows 2003.

The timing of the attack couldn't be much worse for Microsoft.
At yesterday's TechEd conference the software giant was talking up the capabilities of its Internet Security and Acceleration (ISA) Server software in preventing security breaches. Today's attack does nothing to help MS's pitch that the latest version of ISA Server is gaining traction with server vendors and giving more traditional software firewall vendors, such as Check Point, a run for their money.

From isn at c4i.org Fri May 28 08:40:08 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 28 09:03:29 2004
Subject: [ISN] Auditors warn of foreign risks to weapons software
Message-ID:

Forwarded from: Technical Security Division - Lab

This doesn't surprise me at all. Having worked for a European Software/Hardware company who shall remain anonymous, on several occasions the software team underwent audits from the project managers of some of the contracts we were working on. Most of the coding was done by our engineering office in China whom I dealt with on a daily basis and who provided the final builds, however we were emphatically ordered by our management not to mention the China office or the fact that they did any of our software. Even in the company phone book the office was called the Quality Assurance Team. Some of its clients included US DOD departments. Need I say more!

-----Original Message-----
From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org] On Behalf Of InfoSec News
Sent: 26 May 2004 08:30
To: isn@attrition.org
Subject: [ISN] Auditors warn of foreign risks to weapons software

http://www.fcw.com/fcw/articles/2004/0524/web-gaosoft-05-25-04.asp

By Matthew French
May 25, 2004

The Defense Department's control of the source of weapons software came under fire today in a report issued by the General Accounting Office, which said overseas production of software creates an unacceptable security environment.

"DOD acquisition and software security policies do not fully address the risk of using foreign suppliers to develop weapon system software," auditors wrote in the report. "The current acquisition guidance allows program officials discretion in managing foreign involvement in software development, without requiring them to identify and mitigate such risks. Moreover, other policies intended to mitigate information system vulnerabilities focus mostly on operational software security threats, such as external hacking and unauthorized access to information systems, but not on insider threats, such as the insertion of malicious code by software developers."

The report said military officials recently adopted initiatives that could curb the threat, but they have not yet implemented the initiatives throughout the department.

Auditors cited weapons development as a particular concern, given the potential ramifications should an enemy infect software with a malicious code or a Trojan horse, the report said.

[...]

From isn at c4i.org Fri May 28 08:46:37 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 28 09:03:30 2004
Subject: [ISN] Security UPDATE--A Long Way from Junk-Free Inboxes--May 26, 2004
Message-ID:

====================

==== This Issue Sponsored By ====

Exchange & Outlook Administrator
http://list.winnetmag.com/cgi-bin3/DM/y/ef5p0CJgSH0CBw0BEf10AV

Implementing Client Security on Windows 2000/XP
http://list.winnetmag.com/cgi-bin3/DM/y/ef5p0CJgSH0CBw0BHGO0AX

====================

1. In Focus: A Long Way from Junk-Free Inboxes

2. Security News and Features
- Recent Security Vulnerabilities
- News: Yahoo Publishes IETF Draft for DomainKeys
- News: 20 Tips on Securing Outlook in 20 Minutes
- News: Microsoft Identity and Access Management Series
- News: Shavlik Technologies Partners with NetIQ and ENDFORCE

3. Security Toolkit
- FAQ
- Featured Thread

4. New and Improved
- Enterprise-Class Firewall for the Small Business

====================

==== Sponsor: Exchange & Outlook Administrator ====

Try a Sample Issue of Exchange & Outlook Administrator! If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, and secure Exchange and Outlook. Order now!
http://list.winnetmag.com/cgi-bin3/DM/y/ef5p0CJgSH0CBw0BEf10AV

====================

==== 1. In Focus: A Long Way from Junk-Free Inboxes ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

In the March 3, 2004, edition of Security Update, I briefly explained three proposed technologies--Sender Policy Framework (SPF), DomainKeys, and Caller ID for E-Mail--that might help curb the amount of junk mail influx most of us receive each day. You can read the article at the following URL:
http://www.winnetmag.com/article/articleid/41892/41892.html

Recently Yahoo!, developer of the DomainKeys technology, submitted a draft to the Internet Engineering Task Force (IETF) that outlines the basics of the technology. As you'll learn when you read the draft, which is linked in the related news story, "Yahoo Publishes IETF Draft For DomainKeys," in this edition of the newsletter, Yahoo! still has plenty of work to do on DomainKeys.

The developers of SPF technology have also submitted a draft proposal to the IETF (see the first URL below), and Microsoft has also submitted a draft proposal for Caller ID for E-Mail. You can learn more about SPF and Caller ID at the second, third, and fourth URLs below.
http://spf.pobox.com/draft-mengwong-spf-01.txt http://spf.pobox.com/ http://www.microsoft.com/mscorp/twc/privacy/spam_callerid.mspx http://www.ietf.org/internet-drafts/draft-atkinson-callerid-00.txt In essence, DomainKeys technology works by digitally signing email messages, then attempting to verify digital signatures by communicating with the domain that allegedly sent the email message. SPF and Caller ID try to verify the alleged sending domain of a given email message, but they don't use digital signatures. At the time of this writing, both SPF and Caller ID try to verify that the mail headers of a given message haven't been forged (as is the case with a lot of junk mail) by checking particular DNS records (specially formatted TXT records) against records written into mail headers. Although all three technologies provide reasonable ways to verify an email message's origin, they all contain problems that determined spammers could exploit. Thus none of the technologies is an end-all solution for junk mail. However, using all three technologies together might improve the ability to curb unwanted email. As was pointed out on the IETF Anti-Spam Research Group (ARGS) mailing list, even with all three of the proposed technologies in place, domain operators can further reduce junk mail by adding other technologies--such as those that ban senders, domains, and sets of IP addresses--commonly referred to as blacklisting. But even combining all these technologies won't completely eliminate junk mail. https://www1.ietf.org/mailman/listinfo/asrg So far, the only solutions I've seen that can eliminate nearly all unwanted email are the types that use some sort of challenge and response system. For example, some solutions require a sender to visit a Web page the first time he or she sends an email to a certain user. At the Web page, the sender might have to type in a keyword shown on the screen or perform some other type of response. 
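The DNS-based check the column describes, a receiving mail server fetching the sending domain's specially formatted TXT record and testing the connection against it, as an added Python example; this is not code from the newsletter or from the SPF, Caller ID or DomainKeys projects. The DNS data is a constructed stand-in dictionary, the domains and address ranges are documentation values chosen for the example, and the record syntax follows the v=spf1 mechanisms ip4, ip6, include and all. It goes a little beyond the column's one-sentence description by handling the failure modes a real checker has to handle: a domain with no policy, a mechanism the checker does not understand, and an include chain that loops.

```python
import ipaddress

# Constructed stand-in for DNS (domain -> TXT records). These are sample
# records on documentation names and address ranges, not real published data.
FAKE_DNS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all"],
    "mail.example.net": ["v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],   # self-referencing
    "nospf.example": ["some unrelated TXT record"],          # no policy at all
}

MAX_LOOKUPS = 10  # cap on include lookups, as real SPF checkers enforce

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS):
    """Return the domain's single 'v=spf1' TXT record, or None if absent."""
    records = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def return_path_domain(raw_headers):
    """Pull the envelope-sender domain out of a Return-Path header line."""
    for line in raw_headers.splitlines():
        if line.lower().startswith("return-path:"):
            addr = line.split(":", 1)[1].strip().strip("<>")
            if "@" in addr:
                return addr.rsplit("@", 1)[1].lower()
    return None


def check_spf(client_ip, sender_domain, dns=FAKE_DNS, _lookups=None):
    """Evaluate the sender domain's policy for the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _lookups is None:
        _lookups = [0]            # shared counter across nested includes
    ip = ipaddress.ip_address(client_ip)
    record = lookup_spf(sender_domain, dns)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return result         # catch-all: the record's default verdict
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if ip.version == net.version and ip in net:
                return result
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"  # runaway or looping include chain
            inner = check_spf(client_ip, arg, dns, _lookups)
            if inner == "pass":
                return result
            if inner in ("none", "permerror"):
                return "permerror"  # included domain has no usable record
            # fail/softfail/neutral inside an include: keep evaluating
        else:
            return "permerror"      # mechanism this checker does not support
    return "neutral"                # ran off the end without an 'all'


if __name__ == "__main__":
    # Constructed header fragment as the receiving server would see it.
    headers = "Return-Path: <news@example.com>\nFrom: News <news@example.com>\n"
    domain = return_path_domain(headers)
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "2001:db8::1"):
        print(f"{ip:>14}  {domain}  {check_spf(ip, domain)}")
```

The four sample connections evaluate to pass, pass, fail and pass. A server records a result like this in a Received-SPF header for later filtering; a fail or softfail is a score input rather than proof the message is junk, and a permerror means the domain's record could not be evaluated at all, which is the kind of gap the column has in mind when it says none of these checks is an end-all solution.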
Other solutions might use email to deliver and process the challenge and response. These solutions are minor inconveniences for most people, but they often present major problems for sightless individuals.

Even though many thousands of networks and software vendors, including AOL, Earthlink, Google, Symantec, and Brightmail, have already integrated SPF and thousands of others are undoubtedly slated to begin using DomainKeys or Caller ID or both, many people will continue to receive more junk mail than they care to tolerate. And because even a combined set of the current and proposed solutions won't satisfy every network's needs, we'll likely see more solutions become available.

Incidentally, Symantec recently purchased Brightmail for approximately $370 million. Brightmail provides solutions that guard against spam, spoofed email, viruses, and more. Given Brightmail's extensive client base of major corporations, including AT&T, Microsoft, Cisco Systems, Lucent Technologies, Motorola, and eBay, the deal will permit Symantec to provide an even more rounded solution for email processing. You can read about the acquisition at Brightmail's Web site.
http://www.brightmail.com/pressreleases/051904_pr.html

====================

==== Sponsor: Implementing Client Security on Windows 2000/XP ====

Learn the requirements for securing client computers in environments where Windows Server 2003, Windows 2000 and Windows NT 4.0 servers are present. You will also learn how to implement best practices for clients in extreme high-security environments. The session will discuss the use of Group Policy and Administrative Templates to secure Windows 2000 and Windows XP installations and provide guidance on software restriction policies, anti-virus strategies, and distributed firewall technologies. This session also covers configuring Microsoft Office and Internet Explorer to help achieve a secure client environment. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/ef5p0CJgSH0CBw0BHGO0AX

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.winnetmag.com/departments/departmentid/752/752.html

News: Yahoo Publishes IETF Draft for DomainKeys
Yahoo submitted a draft of its proposed junk mail solution, DomainKeys, to the Internet Engineering Task Force (IETF). The proposal outlines the concepts and some of the technical specifications that could be implemented on mail servers to help verify the identity of the actual domain used to send email messages. Yahoo anticipates that such identification will help pinpoint people who send unwanted or illegal email solicitations.
http://www.winnetmag.com/article/articleid/42716/42716.html

News: 20 Tips on Securing Outlook in 20 Minutes
Windows & .NET Magazine author Paul Robichaux wrote a book, "Secure Messaging with Exchange Server 2003," which is published by Microsoft Press. An excerpt chapter from the book, "20 Tips on Securing Outlook in 20 Minutes," is now available online to help people secure their Outlook clients.
http://www.winnetmag.com/article/articleid/42726/42726.html

News: Microsoft Identity and Access Management Series
Microsoft published a new article series, "Identity and Access Management," which helps explain how digital identity can be implemented and used to access network resources.
http://www.winnetmag.com/article/articleid/42730/42730.html

News: Shavlik Technologies Partners with NetIQ and ENDFORCE
Shavlik Technologies announced it has entered into partnering agreements with NetIQ and ENDFORCE. The two companies will incorporate Shavlik's HFNetChkPRO patch-management software into their respective enterprise solutions.
http://www.winnetmag.com/article/articleid/42725/42725.html

====================

==== Announcements ====
(from Windows & .NET Magazine and its partners)

Get 2 Sample Issues of Windows & .NET Magazine!
Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Exchange, scripting, and much more. Our expert authors deliver how-to articles and product evaluations that will help you do your job better. Try two, no-risk sample issues today, and find out why 100,000 IT professionals rely on Windows & .NET Magazine each month!
http://list.winnetmag.com/cgi-bin3/DM/y/ef5p0CJgSH0CBw0BEuX0AP

Get the Most Out of IIS 6.0 Performance and Tuning
In this free Web seminar, you'll learn about the Internet Information Services (IIS) performance-tuning tools, including System Monitor, Application Center Test, and Log Manager. The Webcast will show how to use these tools to gather Web server baseline performance information, optimize performance and memory utilization, and test performance of applications running on the Web server with different caching and configuration settings. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/ef5p0CJgSH0CBw0BIYv0AV

Free White Paper
Get a free white paper and learn how to eliminate the top 5 email security threats including spam and viruses.
http://list.winnetmag.com/cgi-bin3/DM/y/ef5p0CJgSH0CBw0BIb50AZ

====================

==== Hot Release: Symantec ====

Free White Paper: "Automated Patch Management with ON iPatch"
Download this free technical white paper now, courtesy of Symantec and Windows & .NET Magazine's White Paper Central:
http://list.winnetmag.com/cgi-bin3/DM/y/ef5p0CJgSH0CBw0BIb60Aa

====================

==== 4. Security Toolkit ====

FAQ: What's the Account Lockout Status Tool?
by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. The Account Lockout Status tool (lockoutstatus.exe) displays lockout information for a specified user by querying every contactable domain controller (DC) in the user's domain. You can download the Account Lockout Status tool at http://www.microsoft.com/downloads/details.aspx?familyid=d1a5ed1d-cd55-4829-a189-99515b0e90f7&displaylang=en. To use the tool, you must be running Windows 2000 Service Pack 3 (SP3) or later. To install lockoutstatus.exe, perform the following steps:
1. Download the Account Lockout Status tool, then execute the downloaded lockoutstatus.msi file.
2. Click Next to start the installation wizard.
3. Check "I accept the terms in the license agreement" and click Next.
4. Click Install Now.
5. After installation is complete, click Finish.

By default, the tool is installed in the C:\program files\windows resource kits\tools folder. Double-click lockoutstatus.exe. From the tool's File menu, click Select Target and enter the user whose status you want to check. You'll see a window that displays the user's lockout information (shown in a figure in the online article).

You can also check a user's lockout information at the command line. To do so, enter the following command, where the suffix after -u is the username:
lockoutstatus -u:administrator@savilltech.com

Featured Thread: Blackberry Server behind ISA
(Two messages in this thread)
A reader writes that he needs to use BlackBerry devices from behind a Microsoft Internet Security and Acceleration (ISA) Server, but he's having some trouble defining rules for the ports. He needs to open TCP port 3101 for bidirectional traffic and wants to know how to do it properly. He created a packet filter with the following characteristics: IP Protocol: TCP, Direction: Outbound, Local port: Fixed Port, Local Port Number 3101, Remote Port: All Ports, Remote Ports: Subdued. However, that approach doesn't work, and he wants to know what he's doing wrong.
Lend a hand or read the responses:
http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=119881

====================

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

New--From Chaos to Control: Using Service Management to Reclaim Your Life
Take control of your workday! If you're supporting 24 x 7 operations by working around the clock instead of 9 to 5, learn how you can benefit from a sound service-management strategy. In this free Web seminar, you'll learn practical steps for implementing service management for your key Windows systems and applications. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/ef5p0CJgSH0CBw0BIV80AQ

====================

==== 5. New and Improved ====
by Jason Bovberg, products@winnetmag.com

Enterprise-Class Firewall for the Small Business
Comodo Trustix announced that its new entry level for the Trustix Firewall is five users and more. Trustix Firewall gives small and midsized businesses the benefits of an enterprise-class firewall-management solution. You can install and set up the product in less than 25 minutes. Trustix Firewall's GUI makes the product easily configurable, saving you money on time, maintenance, and licensing costs. Trustix Firewall is part of a portfolio of business-infrastructure solutions, which include Trustix LAN Server for file sharing, Trustix Mail Server for communication, and Trustix Web Server for interaction with business partners and customers. Each product is ready to use out of the box and benefits from the platform-independent Xploy utility. Trustix Firewall costs $270. For more information about the product, contact Comodo Trustix on the Web.
http://www.trustix.com

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com.

====================

==== Sponsored Links ====

Argent
Comparison Paper: The Argent Guardian Easily Beats Out MOM
http://list.winnetmag.com/cgi-bin3/DM/y/ef5p0CJgSH0CBw0BDWV0Aq

Microsoft(R) TechNet
Microsoft(R) TechNet Webcasts: essential guidance, industry experts
http://list.winnetmag.com/cgi-bin3/DM/y/ef5p0CJgSH0CBw0BG360Al

====================

==== Contact Us ====

About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

====================

==== Contact Our Sponsors ====

Hot Release Sponsor: Symantec -- http://www.symantec.com

====================

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you!

View the Windows & .NET Magazine privacy policy at http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All rights reserved.
From isn at c4i.org Fri May 28 08:46:43 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 28 09:03:31 2004
Subject: On the Other hand: Re: [ISN] Auditors warn of foreign risks to weapons software
Message-ID:

Forwarded from: The Unknown Security Gal

Dan O'Dowd Reminds World of UNIX Creator Ken Thompson's Security Stunt
"We must not entrust national security to Linux," he declares.
April 11, 2004, http://linuxworld.com/story/44468.htm

Summary
In a speech intended to serve as a wake-up call to anyone relying on the "many eyes" that look at the Linux source code to quickly find any subversions, the CEO of Green Hills Software last week reminded his audience how UNIX's creator Ken Thompson installed a back door in the binary code of UNIX that automatically added his user name and password to every UNIX system - a secret he revealed only 14 years later.

By LinuxWorld News Desk
lwmeditors@sys-con.com

In a speech to the Net-Centric Operations Industry Forum in McLean, Va., Dan O'Dowd, CEO of Green Hills Software Inc., argued that the proliferation of Linux through a growing number of U.S. defense systems poses a serious and urgent security threat. "The very nature of the open source process should rule Linux out of defense applications," O'Dowd said.

"The open source process violates every principle of security. It welcomes everyone to contribute to Linux. Now that foreign intelligence agencies and terrorists know that Linux is going to control our most advanced defense systems, they can use fake identities to contribute subversive software that will soon be incorporated into our most advanced defense systems," he continued.

In addition, O'Dowd noted, developers in Russia and China are also contributing to Linux software. Recently, the CEO of MontaVista Software, the world's leading embedded Linux company, said that his company has "two and a half offshore development centers. A big one in Moscow and we just opened one in Beijing."

Linux has been selected to control the functionality, security, and communications of critical defense systems including the Future Combat System, the Joint Tactical Radio System and the Global Information Grid, said O'Dowd.

"If Linux is compromised, our defenses could be disabled, spied on, or commandeered. Every day new code is added to Linux in Russia, China and elsewhere throughout the world. Every day that code is incorporated into our command, control, communications and weapons systems. This must stop," he added, before continuing: "Linux in the defense environment is the classic Trojan horse scenario - a gift of 'free' software is being brought inside our critical defenses. If we proceed with plans to allow Linux to run these defense systems without demanding proof that it contains no subversive or dangerous code waiting to emerge after we bring it inside, then we invite the fate of Troy."

One of O'Dowd's most telling points came when he debunked the claim by Linux advocates that its security can be assured by the openness of its source code, arguing that "many eyes" looking at the Linux source code will quickly find any subversions. Ken Thompson, the original developer of the Unix operating system (which heavily influenced Linux), proved that this just isn't true, O'Dowd argued. Thompson installed a back door in the binary code of UNIX that automatically added his user name and password to every UNIX system. O'Dowd told his audience that, when Thompson revealed the secret 14 years later, he declared: "The moral is obvious. You can't trust code that you did not create yourself. No amount of source-level verification or scrutiny will protect you from using untrusted code."

"Before most Linux developers were born, Ken Thompson had already proven that 'many eyes' looking at the source code can't prevent subversion," said O'Dowd. "Linux is being used in defense applications even though there are operating systems available today that are designed to meet the most stringent level of security evaluation in use by the National Security Agency, Common Criteria Evaluation Assurance Level 7 (EAL 7)."

"We don't need cheaper security. We need better security. One 'back door' in Linux, one infiltration, one virus, one worm, one Trojan horse and all of our most sophisticated network-centric defenses could crumble. We must not abandon provably secure solutions for the illusion that Linux will save money. We must not entrust national security to Linux," O'Dowd concluded.

About the author
LinuxWorld News Desk gathers stories, analysis, and information from around the Linux world and synthesizes them into an easy to digest format for IT/IS managers and other business decision-makers.

Related Sites
- Biography of Ken Thompson

From isn at c4i.org Fri May 28 08:47:44 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 28 09:03:32 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-22
Message-ID:

========================================================================
The Secunia Weekly Advisory Summary
2004-05-20 - 2004-05-27
This week : 48 advisories
========================================================================

Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.
Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/
========================================================================

2) This Week in Brief:

ADVISORIES:

Apple issued updates for Mac OS X on Friday (21-05-2004) to fix the HELP URI handler vulnerability. However, the update from Apple did not correct the "disk" vulnerability. This unfortunately leaves users of Mac OS X just as vulnerable to attacks as before the update was issued. Secunia has described the vulnerability in detail along with mitigating steps. See referenced Secunia Advisory below.
Reference: http://secunia.com/SA11689

--

Yuu Arai has discovered a vulnerability in Symantec Norton AntiVirus ActiveX Control, which can be exploited by malicious websites to execute code that already resides on the affected user's system or cause the application to stop responding. Symantec has issued an updated version, which is available via the LiveUpdate feature.
Reference: http://secunia.com/SA11676

--

F-Secure has reported a buffer overflow vulnerability in many of their products, which reportedly can be exploited to perform a Denial of Service attack. The buffer overflow will occur when processing specially crafted LHA archives.
Reference: http://secunia.com/SA11712

VIRUS ALERTS:

During the last week, Secunia issued one MEDIUM RISK virus alert.
Please refer to the grouped virus profile below for more information:

Bobax.C - MEDIUM RISK Virus Alert - 2004-05-18 23:37 GMT+1
http://secunia.com/virus_information/9513/bobax.c/
========================================================================

3) This Weeks Top Ten Most Read Advisories:

1. [SA11622] Mac OS X URI Handler Arbitrary Code Execution
2. [SA11689] Mac OS X Volume URI Handler Registration Code Execution Vulnerability
3. [SA11539] Mac OS X Security Update Fixes Multiple Vulnerabilities
4. [SA11676] Symantec Norton AntiVirus ActiveX Control Vulnerability
5. [SA11629] Microsoft Outlook RTF Embedded OLE Object Security Bypass
6. [SA11066] Symantec Client Firewall Products Multiple Vulnerabilities
7. [SA10395] Internet Explorer URL Spoofing Vulnerability
8. [SA11633] Microsoft Windows "desktop.ini" Arbitrary File Execution Vulnerability
9. [SA11674] Gentoo update for CVS
10. [SA11677] OpenBSD update for cvs
========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA11706] Orenosv HTTP/FTP Server GET Request Buffer Overflow Vulnerability
[SA11715] MiniShare HTTP Request Denial of Service Vulnerability
[SA11684] BNBT Authorization Header Denial of Service Vulnerability
[SA11676] Symantec Norton AntiVirus ActiveX Control Vulnerability
[SA11699] F-Secure Anti-Virus Archived Virus Detection Bypass Vulnerability
[SA11678] Exceed Xconfig Setting Editing Restriction Bypass

UNIX/Linux:
[SA11689] Mac OS X Volume URI Handler Registration Code Execution Vulnerability
[SA11687] Gentoo update for metamail
[SA11677] OpenBSD update for cvs
[SA11675] Gentoo update for subversion
[SA11674] Gentoo update for CVS
[SA11719] Gentoo update for apache
[SA11718] Mandrake update for mailman
[SA11717] HP-UX update for Java
[SA11709] Red Hat update for LHA
[SA11707] Conectiva update for mailman
[SA11702] Conectiva update for libneon
[SA11701] Mailman Unspecified Password Retrieval Vulnerability
[SA11693] e107 Site Statistics Script Insertion Vulnerability
[SA11692] Liferay Enterprise Portal Multiple Script Insertion Vulnerabilities
[SA11686] Gentoo update for squirrelmail
[SA11685] Squirrelmail Unspecified Cross-Site Scripting and SQL Injection Vulnerabilities
[SA11681] Mandrake update for apache-mod_perl
[SA11680] vsftpd Connection Handling Denial of Service Vulnerability
[SA11673] Gentoo update for neon
[SA11672] Gentoo update for cadaver
[SA11725] Conectiva update for kde
[SA11713] SuSE update for kdelibs
[SA11710] Red Hat update for tcpdump
[SA11705] Fedora update for httpd
[SA11703] Gentoo update for opera
[SA11688] OpenPKG update for rsync
[SA11720] Gentoo update for mc
[SA11714] FreeBSD "msync()" MS_INVALIDATE Implementation Security Issue
[SA11708] Red Hat update for utempter
[SA11704] Gentoo update for mysql
[SA11700] cPanel mod_php suexec Privilege Escalation Vulnerability
[SA11695] Debian update for xpcd
[SA11691] Gentoo update for firebird
[SA11690] libpcd PhotoCD Image Error Handling Buffer Overflow Vulnerabilities
[SA11683] Mandrake update for kernel

Other:
[SA11694] VocalTec Telephony Gateways H.323 Denial of Service Vulnerability
[SA11682] HP ProCurve Routing Switch TCP Connection Reset Denial of Service
[SA11679] Novell NetWare TCP Connection Reset Denial of Service
[SA11716] 3Com OfficeConnect 812 ADSL Router Telnet Protocol Denial of Service
[SA11698] Netgear RP114 URL Filtering Bypass Vulnerability

Cross Platform:
[SA11712] F-Secure Anti-Virus Products LHA Archive Processing Buffer Overflow
[SA11696] e107 "user.php" Cross Site Scripting Vulnerability
========================================================================

5) Vulnerabilities Content Listing

Windows:

--
[SA11706] Orenosv HTTP/FTP Server GET Request Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-05-26
badpack3t has discovered a vulnerability in Orenosv HTTP/FTP Server, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11706/

--
[SA11715] MiniShare HTTP Request Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-05-27
Donato Ferrante has discovered a vulnerability in MiniShare, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11715/

--
[SA11684] BNBT Authorization Header Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-05-24
badpack3t has reported a vulnerability in BNBT, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11684/

--
[SA11676] Symantec Norton AntiVirus ActiveX Control Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-05-21
Yuu Arai has discovered a vulnerability in Norton AntiVirus 2004, which can be exploited by malicious people to perform various actions on a user's system.
Full Advisory: http://secunia.com/advisories/11676/

--
[SA11699] F-Secure Anti-Virus Archived Virus Detection Bypass Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-05-25
A vulnerability has been discovered in F-Secure Anti-Virus, which may prevent certain malware in archives from being detected.
Full Advisory: http://secunia.com/advisories/11699/

--
[SA11678] Exceed Xconfig Setting Editing Restriction Bypass
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2004-05-21
A vulnerability has been discovered in Exceed, which can be exploited by malicious, local users to bypass certain restrictions.
Full Advisory: http://secunia.com/advisories/11678/

UNIX/Linux:

--
[SA11689] Mac OS X Volume URI Handler Registration Code Execution Vulnerability
Critical: Extremely critical
Where: From remote
Impact: System access
Released: 2004-05-22
A vulnerability has been reported in Mac OS X, allowing malicious web sites to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11689/

--
[SA11687] Gentoo update for metamail
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-05-22
Gentoo has issued an update for metamail. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11687/

--
[SA11677] OpenBSD update for cvs
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-05-21
OpenBSD has issued patches for cvs. These fix a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11677/

--
[SA11675] Gentoo update for subversion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-05-21
Gentoo has issued an update for subversion. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11675/

--
[SA11674] Gentoo update for CVS
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-05-21
Gentoo has issued an update for CVS. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11674/

--
[SA11719] Gentoo update for apache
Critical: Moderately critical
Where: From remote
Impact: DoS, Manipulation of data, Spoofing, Security Bypass
Released: 2004-05-27
Gentoo has issued an update for apache. This fixes various vulnerabilities, which can be exploited to inject potentially malicious characters into error logfiles, bypass certain restrictions, gain unauthorised access, or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11719/

--
[SA11718] Mandrake update for mailman
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-05-27
MandrakeSoft has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to retrieve members' passwords.
Full Advisory: http://secunia.com/advisories/11718/

--
[SA11717] HP-UX update for Java
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-05-26
HP has acknowledged a vulnerability in Java for HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11717/

--
[SA11709] Red Hat update for LHA
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-05-26
Red Hat has issued an update for LHA. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11709/

--
[SA11707] Conectiva update for mailman
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of sensitive information, DoS
Released: 2004-05-26
Conectiva has issued an update for mailman. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or retrieve users' passwords.
Full Advisory: http://secunia.com/advisories/11707/

--
[SA11702] Conectiva update for libneon
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-05-26
Conectiva has issued an update for libneon. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/11702/

--
[SA11701] Mailman Unspecified Password Retrieval Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-05-26
A vulnerability has been discovered in mailman, which can be exploited by malicious people to retrieve members' passwords.
Full Advisory: http://secunia.com/advisories/11701/

--
[SA11693] e107 Site Statistics Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-05-24
Chinchilla has reported a vulnerability in e107, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/11693/

--
[SA11692] Liferay Enterprise Portal Multiple Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-05-24
Sandeep Giri has reported multiple vulnerabilities in Liferay Enterprise Portal, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/11692/

--
[SA11686] Gentoo update for squirrelmail
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information
Released: 2004-05-24
Gentoo has issued an update for squirrelmail. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/11686/

--
[SA11685] Squirrelmail Unspecified Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information
Released: 2004-05-24
Various vulnerabilities have been discovered in SquirrelMail, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/11685/

--
[SA11681] Mandrake update for apache-mod_perl
Critical: Moderately critical
Where: From remote
Impact: DoS, Manipulation of data, Spoofing, Security Bypass
Released: 2004-05-21
MandrakeSoft has issued updated packages for apache-mod_perl. These fix various vulnerabilities, which can be exploited to inject potentially malicious characters into error logfiles, bypass certain restrictions, gain unauthorised access, or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11681/

--
[SA11680] vsftpd Connection Handling Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-05-21
Olivier Baudron has discovered a vulnerability in vsftpd, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11680/

--
[SA11673] Gentoo update for neon
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-05-21
Gentoo has issued an update for neon. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11673/

--
[SA11672] Gentoo update for cadaver
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-05-21
Gentoo has issued an update for cadaver. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/11672/

--
[SA11725] Conectiva update for kde
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2004-05-27
Conectiva has issued an update for kde. This fixes a vulnerability, which can be exploited by malicious people to create or truncate files on a user's system.
Full Advisory: http://secunia.com/advisories/11725/

--
[SA11713] SuSE update for kdelibs
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2004-05-26
SuSE has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious people to create or truncate files on a user's system.
Full Advisory: http://secunia.com/advisories/11713/

--
[SA11710] Red Hat update for tcpdump
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-05-26
Red Hat has issued an update for tcpdump. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/11710/

--
[SA11705] Fedora update for httpd
Critical: Less critical
Where: From remote
Impact: Manipulation of data, DoS
Released: 2004-05-26
Fedora has issued an update for httpd. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or inject certain potentially malicious characters in error log files.
Full Advisory: http://secunia.com/advisories/11705/

--
[SA11703] Gentoo update for opera
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2004-05-26
Gentoo has issued an update for opera. This fixes a vulnerability, which can be exploited by malicious people to create or truncate files on a user's system.
Full Advisory: http://secunia.com/advisories/11703/ -- [SA11688] OpenPKG update for rsync Critical: Less critical Where: From remote Impact: Manipulation of data, Security Bypass Released: 2004-05-22 OpenPKG has issued an update for rsync. This fixes a vulnerability, potentially allowing malicious people to write files outside the intended directory. Full Advisory: http://secunia.com/advisories/11688/ -- [SA11720] Gentoo update for mc Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-05-27 Gentoo has issued an update for mc. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/11720/ -- [SA11714] FreeBSD "msync()" MS_INVALIDATE Implementation Security Issue Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-05-26 Stephan Uphoff and Matt Dillon has discovered a security issue in FreeBSD. This can be exploited by malicious, local users to prevent changes to certain files, which they have read access to, from being committed to disk. Full Advisory: http://secunia.com/advisories/11714/ -- [SA11708] Red Hat update for utempter Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-05-26 Red Hat has issued an update for utempter. This fixes a security issue, which potentially can be exploited by malicious, local users to perform certain actions with higher privileges on a vulnerable system. Full Advisory: http://secunia.com/advisories/11708/ -- [SA11704] Gentoo update for mysql Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-05-26 Gentoo has issued an update for mysql. This fixes two vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges. 
Full Advisory: http://secunia.com/advisories/11704/ -- [SA11700] cPanel mod_php suexec Privilege Escalation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-05-26 Rob Brown has reported an security issue in cPanel, potentially allowing malicious users to escalate their privileges. Full Advisory: http://secunia.com/advisories/11700/ -- [SA11695] Debian update for xpcd Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-05-25 Debian has issued an update for xpcd. This fixes three vulnerabilities, which potentially can be exploited by malicious people to execute arbitrary code on a user's system. Full Advisory: http://secunia.com/advisories/11695/ -- [SA11691] Gentoo update for firebird Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-05-24 Gentoo has issued an update for firebird. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges on a vulnerable system. Full Advisory: http://secunia.com/advisories/11691/ -- [SA11690] libpcd PhotoCD Image Error Handling Buffer Overflow Vulnerabilities Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-05-25 Jaguar has reported some vulnerabilities in libpcd, which potentially can be exploited by malicious people to execute arbitrary code on a user's system. Full Advisory: http://secunia.com/advisories/11690/ -- [SA11683] Mandrake update for kernel Critical: Less critical Where: Local system Impact: Exposure of system information, Exposure of sensitive information Released: 2004-05-22 MandrakeSoft has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information. 
Full Advisory: http://secunia.com/advisories/11683/ Other:-- [SA11694] VocalTec Telephony Gateways H.323 Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-05-25 Tagoff Eugene has reported a vulnerability in certain VocalTec Telephony Gateways, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11694/ -- [SA11682] HP ProCurve Routing Switch TCP Connection Reset Denial of Service Critical: Less critical Where: From remote Impact: DoS Released: 2004-05-21 HP has acknowledged a vulnerability in various products, which can be exploited by malicious people to reset established TCP connections on a vulnerable device. Full Advisory: http://secunia.com/advisories/11682/ -- [SA11679] Novell NetWare TCP Connection Reset Denial of Service Critical: Less critical Where: From remote Impact: DoS Released: 2004-05-21 Novell has partly acknowledged a vulnerability in NetWare, which can be exploited by malicious people to reset established TCP connections on a vulnerable system. Full Advisory: http://secunia.com/advisories/11679/ -- [SA11716] 3Com OfficeConnect 812 ADSL Router Telnet Protocol Denial of Service Critical: Less critical Where: From local network Impact: DoS Released: 2004-05-26 iDEFENSE has reported a vulnerability in 3Com OfficeConnect Remote 812 ADSL Router, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11716/ -- [SA11698] Netgear RP114 URL Filtering Bypass Vulnerability Critical: Less critical Where: From local network Impact: Security Bypass Released: 2004-05-25 Marc Ruef has reported a vulnerability in NetGear RP114, which can be exploited by malicious people to bypass the URL filtering functionality. 
Full Advisory: http://secunia.com/advisories/11698/ Cross Platform:-- [SA11712] F-Secure Anti-Virus Products LHA Archive Processing Buffer Overflow Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-05-26 A vulnerability has been discovered in various F-Secure Anti-Virus products, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/11712/ -- [SA11696] e107 "user.php" Cross Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2004-05-25 Chris Norton has reported a vulnerability in e107, allowing malicious users to conduct Cross Site Scripting attacks. Full Advisory: http://secunia.com/advisories/11696/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 ======================================================================== From isn at c4i.org Fri May 28 08:48:01 2004 From: isn at c4i.org (InfoSec News) Date: Fri May 28 09:03:33 2004 Subject: [ISN] North Korea operating computer-hacking unit Message-ID: Forwarded from: William Knowles http://www.koreaherald.co.kr/SITE/data/html_dir/2004/05/28/200405280004.asp shinyb@heraldm.com 2004.05.28 North Korea is operating a computer-hacking military unit to collect secret information on South Korea, a top military official in Seoul said yesterday. 
Speaking at a conference on the protection of defense information, Defense Security Command commander Song Young-keun unveiled the North Korean military's hacking into computer networks of South Korea's major state organizations.

"Considering intelligence we gathered, the North is operating a hacking unit under the direct instruction of Kim Jong-il," Lt. Gen. Song said in the statement. "They are stepping up cyber-terror abilities, such as collection of our information through hacking of our agencies and institutions."

The DSC commander said in May that the North had annually trained about 100 computer hackers to strengthen its cyber-terror capability against South Korea. The South Korean military intelligence unit has set up a counter-cyber terrorism investigative team to check general computer viruses and hacking threats.

Quoting unnamed DSC officials, Yonhap News Agency said North Korean military authorities have provided intensive and rigorous training in computer-related skills to some college graduates, who are then assigned to the military unit under the control of the Korean People's Army, the communist state's military forces.

Their tasks are to get into the computer networks run by South Korean government agencies and research institutes, and retrieve classified information from them. One of their assignments is also to attack the computer systems, Yonhap said.

The communist North is also using about 26 Internet Web sites directly run by it or other pro-Pyongyang organizations to promote the regime and other political propaganda. The DSC also said that through the Web sites, the North sets forth guidelines for its spy agents operating abroad.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*

From isn at c4i.org Fri May 28 08:48:12 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 28 09:03:34 2004
Subject: [ISN] Deloitte security survey has some puzzling figures
Message-ID:

http://www.smh.com.au/articles/2004/05/28/1085641687991.html

By Sam Varghese
May 28, 2004

A research brief, about a global security survey measuring the state of IT security at leading financial institutions, claims that 83 percent of the top 100 companies worldwide have experienced some compromise of their systems in 2003.

However, the conclusion, drawn by consulting company Deloitte Touche Tohmatu, is puzzling as the survey itself (which can be downloaded from the company's website) says that only 31 of the top 100 global financial services institutions ranked by 2002 assets were involved in the survey.

The release accompanying the survey has it differently. "Practitioners from Deloitte's Global Financial Services Industry practice conducted face-to-face interviews with senior information technology executives of the top 100 global financial services organizations (sic)," it says.

The survey claims that the results, published this month, "provide a global benchmark for the state of security in the financial sector."

Did the company actually speak to representatives from the top 100? Kevin Shaw, Leader Security Services Group - Asia Pacific for the company's Enterprise Risk Services, said: "What we can say is that interviews with senior information technology executives of top 100 global financial services organizations (sic) were conducted and that the sample includes 31 of the top 100 global financial services institutions."
He said four Australian banks were among those interviewed but refused to name them.

"I am sure that you will understand that respecting the confidentiality of those who were so kind as to participate is very important to us, and so unfortunately, we cannot denote the true number of organizations (sic) that have participated in the survey," Shaw said.

"If we indicate the number of organizations, (sic) people may start to reverse engineer the number and make assumptions about who participated. This could have impact on two levels, one being that unfair assumptions are made leading to potentially erroneous conclusions, and the other in that they circumvent our intent and promise of allowing organizations (sic) to remain anonymous."

Last year's survey had some question marks over it as well. The company claimed the participants represented 35 percent of the top 500 global financial services organisations, which would have meant that 175 companies of the top 500 had been interviewed. However, when asked about it, Deloitte admitted that the facts were that 35 percent of the top 50 global financial services organisations - meaning 17 or 18 - had been involved.

From isn at c4i.org Fri May 28 08:48:26 2004
From: isn at c4i.org (InfoSec News)
Date: Fri May 28 09:03:35 2004
Subject: [ISN] Peeping Taiwanese Trojan author is arrested
Message-ID:

http://news.zdnet.co.uk/internet/0,39020369,39156052,00.htm

Munir Kotadia
ZDNet UK
May 28, 2004

A Taiwanese man has been arrested after admitting to authoring the Peep Trojan horse.

Taiwanese police have arrested a man for writing and distributing a Trojan that was apparently used by Chinese hackers to steal and destroy information on government-owned computers in Taiwan.

Wang An-ping, 30, an engineer from Kaohsiung, has admitted to writing Peep, which allows hackers to steal and destroy data stored on infected computers.

According to the China Post, Wang spent his free time designing software and had intended to sell Peep for commercial purposes, but eventually decided to give it away for free on his Web site.

Lin Chieh-lung, a spokesman for Taiwan's Internet crime investigation taskforce, said Wang may simply have been trying to show off his skills, but he should have known the consequences of marketing such a program. Chieh-lung said Wang placed his program on popular hackers' Web sites and encouraged people to download it.

Although Wang admitted he wrote the Trojan and was in contact with some Chinese software developers, he denied any knowledge of the alleged attacks carried out on the Taiwanese government's systems.

Graham Cluley, senior technology consultant for antivirus firm Sophos, said it was unlikely that a 30-year-old computer engineer would not realise the consequences of writing and distributing a malicious piece of code.

"If found guilty it's quite possible that he will receive a tough sentence -- up to five years -- particularly as it is being suggested that the Trojan may have left open a backdoor for Chinese hackers to exploit," Cluley said.

This is the second virus-related charge this week. On Wednesday, a 16-year-old Canadian teenager was charged with "fraudulently using a computer" and "mischief against data" by the Royal Canadian Mounted Police. The teenager is suspected of writing the Randex worm.