From isn at c4i.org Mon Nov 1 03:51:57 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 1 04:15:57 2004
Subject: [ISN] Bush website conspiracy theories darken skies
Message-ID:

Forwarded from: security curmudgeon

: http://www.theregister.co.uk/2004/10/27/bushwhacked/
:
: By John Leyden
: 27th October 2004
:
: The official Bush re-election website - which blocked access to most of
: the world outside the US this week - is still visible to Canadians.
:
: We don't know if it's fears about future attacks by hackers, concerns
: about keeping bandwidth costs to a minimum or an aggressive response to
: pinko UK broadsheet The Guardian's recent shameful pro-Kerry political
: lobbying efforts in Ohio which are behind moves that have rendered
: GeorgeWBush.com inaccessible to world + dog. Or, to be strictly
: accurate, most of the world bar the US and Canada which is presumably
: considered bandwidth-friendly, hacker-free and mercifully bereft of
: pinko broadsheets.

The block occurs as a result of the web server policy. People outside the US make a request, reach the server, and are then returned a 403. This does not protect against or prevent any form of bandwidth-based denial of service, nor bandwidth usage really (unless the pages they serve are all really poorly written and excessively large).

From isn at c4i.org Mon Nov 1 03:50:39 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 1 04:15:58 2004
Subject: [ISN] Security hole found in Gmail
Message-ID:

http://net.nana.co.il/Article/?ArticleID=155025&sid=10

[This was covered on Full Disclosure here...
http://seclists.org/lists/fulldisclosure/2004/Oct/1155.html
http://seclists.org/lists/fulldisclosure/2004/Oct/1159.html - WK]

Nitzan Weidenfeld
Nana NetLife Magazine
27/10/2004

So you've got a Gmail mail account? Or maybe you've just received an invitation? Well, we have some bad news for you: Your mailbox is exposed.
A major security hole in Google's mail service allows full access to user accounts without the need of a password. "Everything could get publicly exposed - your received mails might be readable, as well as all of your sent mail, and furthermore - anyone could send and receive mail under your name", thus reveals Nir Goldshlagger, an Israeli hacker, in an exclusive interview with Nana NetLife Magazine.

"Even more alarming", he explains, "is the fact that the hack itself is quite simple. All that is needed of the malicious hacker, besides knowledge of the specific technique, is quite basic computer knowledge, the victim's username - and that's it, he's inside".

When approached, Google admitted to the security flaw. Google also assured us that this matter is being resolved, and that "the company will go to any length to protect its users".

The flaw, which was discovered by Goldshlagger and was tested many times by Nana's editorial board, has shown an alarming success rate. In order not to further jeopardize mailbox owners, we will only disclose that the process is based upon a security breach in the service's identity authentication. It allows the hacker to "snatch" the victim's cookie file (a file planted in the victim's computer used to identify him) using a seemingly innocent link (which directs to Gmail's site itself). Once stolen, this cookie file allows the hacker to identify himself as the victim, without the need of a password. Even if the victim does change his password afterwards, it will be to no avail.

"The system authenticates the hacker as the victim, using the stolen cookie file. Thus no password is involved in the authentication process. The victim can change his password as many times as he pleases, and it still won't stop the hacker from using his box", explains Goldshlagger.

Whether hackers have already used this method to compromise users' accounts is unclear at the moment.

Matters are several times worse when it comes to a service such as Gmail.
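The failure Goldshlagger describes above, a session cookie that keeps authenticating after the victim changes the password, is modelled here as an added illustration; it is not Gmail's code and nothing in it comes from the article. The in-memory `WebMail` class, its accounts and the "victim" user are all constructed for the example; the `bind_sessions_to_password` switch shows the weak behaviour beside the fix, which is to stamp every session with a password generation counter and reject sessions issued before the last change.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed toy model of cookie-based web mail authentication (not Google's code).
# The point: a session cookie must stop working once the account password changes,
# otherwise a copied cookie outlives the password reset meant to lock the thief out.


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    # Incremented on every password change; sessions remember the value at login.
    pw_generation: int = 0


@dataclass
class Session:
    user: str
    pw_generation: int


@dataclass
class WebMail:
    # bind_sessions_to_password=False reproduces the failure mode the article describes.
    bind_sessions_to_password: bool = True
    accounts: Dict[str, Account] = field(default_factory=dict)
    sessions: Dict[str, Session] = field(default_factory=dict)  # cookie value -> Session

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a session cookie value on success, None on failure."""
        acct = self.accounts.get(user)
        if acct is None or not secrets.compare_digest(acct.pw_hash, _hash_password(password, acct.salt)):
            return None
        # Unguessable random token: from here on the cookie is the only credential presented.
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user, acct.pw_generation)
        return cookie

    def whoami(self, cookie: str) -> Optional[str]:
        """Authenticate a request by cookie alone, as the article describes; no password involved."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return None
        acct = self.accounts[sess.user]
        if self.bind_sessions_to_password and sess.pw_generation != acct.pw_generation:
            # Cookie predates the last password change: treat it as revoked.
            del self.sessions[cookie]
            return None
        return sess.user

    def change_password(self, user: str, old: str, new: str) -> bool:
        acct = self.accounts[user]
        if not secrets.compare_digest(acct.pw_hash, _hash_password(old, acct.salt)):
            return False
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _hash_password(new, acct.salt)
        acct.pw_generation += 1  # every cookie issued before this point is now stale
        return True


def stolen_cookie_survives_password_change(bind: bool) -> bool:
    """Replay the article's scenario: a copied cookie, then a password reset by the victim."""
    mail = WebMail(bind_sessions_to_password=bind)
    mail.register("victim", "correct horse")
    cookie = mail.login("victim", "correct horse")
    leaked_copy = cookie  # a copy in someone else's hands; the server cannot tell copies apart
    if mail.whoami(leaked_copy) != "victim":
        raise RuntimeError("fresh cookie should authenticate")
    mail.change_password("victim", "correct horse", "battery staple")
    return mail.whoami(leaked_copy) == "victim"


if __name__ == "__main__":
    print("unbound sessions survive reset:", stolen_cookie_survives_password_change(False))  # True
    print("bound sessions survive reset:  ", stolen_cookie_survives_password_change(True))   # False
```

With binding enabled the victim's own session is revoked too, which is the intended trade-off: one fresh login after a password change is cheap, while a cookie that outlives the change is exactly what the article warns about.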
Besides the obvious blow to Google's seemingly spotless image, we're looking here at a major threat to anyone who has turned to Gmail as his main email box. "Because Gmail offers a gigabyte of storage, several times bigger than most other web-based mail services, users hardly delete any old correspondence", says Goldshlagger. "The result is a huge amount of mail accumulating in the users' boxes, which frequently include bank notices, passwords, private documents and other files the user wanted to back up. Whoever takes hold of this data could literally take over the victim's life and identity".

Ofer Elzam, a security expert for "Aladdin", who examined the security hole at Nana NetLife's request, explains: "This is a major threat, for the following reasons: First - the users have no way of protecting themselves. Second - it's quite easy to carry out, and third - it allows identity theft, which is nothing less than a serious danger to the victim".

"On the bright side", he adds, "it's a good thing that this hole was found now, before the service was officially announced and offered to millions of users world-wide. I reckon it's just a matter of time before an automatic tool is made, which would allow even the less computer-savvy people to exploit this hack. The damage, needless to say, could be huge."

Is there a way, after all, to protect ourselves in the face of this danger? Elzam does not bear good news on the matter. "The only immediate solution that comes to mind is not using Gmail to store any messages or files that might be maliciously used.
At least until Google attends to this problem"

From isn at c4i.org Mon Nov 1 03:51:29 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 1 04:16:00 2004
Subject: [ISN] Yoran and Spaf's Law
Message-ID:

http://www.eweek.com/article2/0,1759,1679514,00.asp

By Ben Rothke
October 25, 2004

In his book "Practical Unix and Internet Security," Professor Gene Spafford of Purdue University spells out Spaf's first principle of security administration: "If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong."

Spaf's principle is a cruel reality faced by many of those responsible for information security. They often are treated like a cross between Charlie Brown, who is constantly picked on, and the late Rodney Dangerfield, who got no respect.

Amit Yoran is a prime example of Spaf's principle in action. On Oct. 1, Yoran resigned in frustration after one year as director of the National Cyber Security Division of the Department of Homeland Security. Yoran lacked both an important title and appropriate authority - which are everything in government.

Yoran said he resigned because he had done all he could with limited resources. That much is true. In principle, he had done all he could. But, in fact, he was severely limited. His hands were tied.

Yoran's very visible resignation motivated the House of Representatives to change the language in the intelligence reform bill that would have moved responsibility for cyber-security from DHS to the Office of Management and Budget. Such a boost would give the director the necessary power to bring about change in the government. Further, DHS Secretary Tom Ridge, spurred by Yoran's departure, said the cyber-security position would be upgraded to assistant secretary.

I, for one, sincerely hope that the cyber-security position will be upgraded to assistant secretary.
But the reality of Washington politics is likely to preclude that.

The Yoran incident isn't unique. Many organizations like to state publicly that information security is priority No. 1, but, privately, they will not put their money where their mouths are. Upper management often issues orders such as "Clean up the system at any cost!" Yet when these same managers get recommendations for pre-emptive security implementation, too often chief information security officers are told, "The budget for this quarter has been exceeded. Ask me again later in the year."

Information security is a challenging and technologically rewarding profession. Unfortunately, those responsible for carrying out information security often are not given the authority and budget to get the work done. Yoran knows what this is like. Without the means to do the job, winning the security war is a nearly impossible fight.

-=-

Ben Rothke, CISSP, is a New York-based security consultant with ThruPoint Inc. McGraw-Hill has just published his book: "Computer Security: 20 Things Every Employee Should Know." He can be reached at brothke@thrupoint.net.

From isn at c4i.org Mon Nov 1 03:52:48 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 1 04:16:02 2004
Subject: [ISN] Linux Advisory Watch - September 29th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  October 29th, 2004                        Volume 5, Number 43a     |
+---------------------------------------------------------------------+

Editors: Dave Wreski (dave@linuxsecurity.com), Benjamin D. Thomas (ben@linuxsecurity.com)

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
This week, advisories were released for mozilla, zlib, kernel, glib2, MySQL, Gaim, MIT, Netatalk, socat, mpg123, rssh, xpdf, gpdf, cups, kdegraphics, squid, and libtiff. The distributors include Conectiva, Fedora, Gentoo, Mandrake, Red Hat, Slackware, and SuSE.

Developing A Security Policy

Create a simple, generic policy for your system that your users can readily understand and follow. It should protect the data you're safeguarding, as well as the privacy of the users. Some things to consider adding are who has access to the system (Can my friend use my account?), who's allowed to install software on the system, who owns what data, disaster recovery, and appropriate use of the system.

A generally accepted security policy starts with the phrase: "That which is not expressly permitted is prohibited". This means that unless you grant access to a service for a user, that user shouldn't be using that service until you do grant access. Make sure the policies work on your regular user account. Saying, ``Ah, I can't figure this permissions problem out, I'll just do it as root'' can lead to security holes that are very obvious, and even ones that haven't been exploited yet.

Additionally, there are several questions you will need to answer to successfully develop a security policy:

  What level of security do your users expect?
  How much is there to protect, and what is it worth?
  Can you afford the down-time of an intrusion?
  Should there be different levels of security for different groups?
  Do you trust your internal users?
  Have you found the balance between acceptable risk and secure?
You should develop a plan on who to contact when there is a security problem that needs attention.

There are quite a few documents available on developing a Site Security Policy. You can start with the SANS Security Policy Project:
http://www.sans.org/resources/policies/

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave@guardiandigital.com)

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

10/22/2004 - mozilla upstream fix
This announcement updates mozilla packages for Conectiva Linux 9 and 10 to mozilla version 1.7.3. This update fixes lots of vulnerabilities.
http://www.linuxsecurity.com/advisories/conectiva_advisory-5004.html

10/25/2004 - zlib denial of service vulnerabilities fix
Due to a Debian bug report[3], a denial of service vulnerability[4] was discovered in the zlib compression library versions 1.2.x, in the inflate() and inflateBack() functions.
http://www.linuxsecurity.com/advisories/conectiva_advisory-5020.html

10/26/2004 - kernel vulnerabilities fix
This announcement fixes a vulnerability in the Linux kernel which could allow a local attacker to obtain sensitive information due to an issue when handling 64-bit file offset pointers.
http://www.linuxsecurity.com/advisories/conectiva_advisory-5024.html

10/27/2004 - foomatic-filters vulnerabilities fix
The foomatic-rip filter in foomatic-filters contains a vulnerability[2][3] caused by insufficient checking of command-line parameters and environment variables which may allow arbitrary remote command execution on the print server with the permissions of the spooler user ("lp").
http://www.linuxsecurity.com/advisories/conectiva_advisory-5029.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

10/26/2004 - cups-1.1.20-11.6 update vulnerabilities fix
A problem with PDF handling was discovered by Chris Evans, and has been fixed. The Common Vulnerabilities and Exposures project (www.mitre.org) has assigned the name CAN-2004-0888 to this issue.
http://www.linuxsecurity.com/advisories/fedora_advisory-5023.html

10/27/2004 - glib2 and gtk2 md5sums update
The md5sums of the glib2-2.4.7-1.1 and gtk2-2.4.13-2.1 updates don't match the ones in the announcements I sent out.
http://www.linuxsecurity.com/advisories/fedora_advisory-5026.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

10/24/2004 - MySQL Multiple vulnerabilities
Several vulnerabilities including privilege abuse, Denial of Service, and potentially remote arbitrary code execution have been discovered in MySQL.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5013.html

10/24/2004 - Gaim Multiple vulnerabilities
Multiple vulnerabilities have been found in Gaim which could allow a remote attacker to crash the application, or possibly execute arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5014.html

10/25/2004 - MIT krb5 Insecure temporary file use in send-pr.sh
The send-pr.sh script, included in the mit-krb5 package, is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5016.html

10/25/2004 - Netatalk Insecure tempfile handling in etc2ps.sh
The etc2ps.sh script, included in the Netatalk package, is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5017.html

10/25/2004 - socat Format string vulnerability
socat contains a format string vulnerability that can potentially lead to remote or local execution of arbitrary code with the privileges of the socat process.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5018.html

10/27/2004 - mpg123 Buffer overflow vulnerabilities
Buffer overflow vulnerabilities have been found in mpg123 which could lead to execution of arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5025.html

10/27/2004 - rssh Format string vulnerability
rssh is vulnerable to a format string vulnerability that allows arbitrary execution of code with the rights of the connected user, thereby bypassing rssh restrictions.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5027.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

10/22/2004 - xpdf vulnerabilities fix
Chris Evans discovered numerous vulnerabilities in the xpdf package which can result in DoS or possibly arbitrary code execution.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5000.html

10/22/2004 - gpdf DoS vulnerability fix
Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code, such as gpdf.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5001.html

10/22/2004 - cups DoS vulnerabilities fix
Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5002.html

10/22/2004 - kdegraphics DoS vulnerability fix
Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code, such as kpdf.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5003.html

10/22/2004 - squid SNMP processing vulnerability fix
iDEFENSE discovered a Denial of Service vulnerability in squid version 2.5.STABLE6 and previous. The problem is due to an ASN1 parsing error where certain header length combinations can slip through the validations performed by the ASN1 parser, leading to the server assuming there is heap corruption or some other exceptional condition, and closing all current connections then restarting.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5007.html

10/22/2004 - gpdf DoS vulnerability fix
Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5008.html

10/22/2004 - kdegraphics DoS vulnerability fix
Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5009.html

10/22/2004 - CUPS DoS vulnerabilities fix
Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5010.html

10/22/2004 - xpdf vulnerabilities fix
Multiple integer overflow issues affecting xpdf-2.0 and xpdf-3.0, and also programs like cups which have embedded versions of xpdf. These can result in writing an arbitrary byte to an attacker-controlled location, which probably could lead to arbitrary code execution.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5011.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

10/22/2004 - CUPS security issues fix
Updated cups packages that fix denial of service issues, a security information leak, as well as other various bugs are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-5005.html

10/22/2004 - libtiff update
Updated libtiff packages that fix various buffer and integer overflows are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-5006.html

10/27/2004 - mysql-server update
An updated mysql-server package that fixes various security issues is now available in the Red Hat Enterprise Linux 3 Extras channel of Red Hat Network.
http://www.linuxsecurity.com/advisories/redhat_advisory-5030.html

10/27/2004 - xchat SOCKSv5 proxy security issue fix
An updated xchat package that fixes a stack buffer overflow in the SOCKSv5 proxy code.
http://www.linuxsecurity.com/advisories/redhat_advisory-5031.html

10/27/2004 - xpdf security flaws fix
An updated xpdf package that fixes a number of integer overflow security flaws is now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-5032.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

10/22/2004 - Gaim buffer overflow
A buffer overflow in the MSN protocol handler for GAIM 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and may allow the execution of arbitrary code.
http://www.linuxsecurity.com/advisories/slackware_advisory-5015.html

10/26/2004 - apache, mod_ssl, php security issues fix (buffer overflow)
New apache and mod_ssl packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix security issues.
http://www.linuxsecurity.com/advisories/slackware_advisory-5021.html

+---------------------------------+
|  Distribution: Suse             | ----------------------------//
+---------------------------------+

10/22/2004 - libtiff security vulnerability fix
Chris Evans found several security related problems during an audit of the image handling library libtiff, some related to buffer overflows, some related to integer overflows and similar.
http://www.linuxsecurity.com/advisories/suse_advisory-5012.html

10/26/2004 - xpdf, gpdf, kdegraphics3-pdf, pdftohtml, cups security vulnerability fix
Chris Evans found several integer overflows and arithmetic errors. Additionally Sebastian Krahmer from the SuSE Security-Team found similar bugs in xpdf 3.
http://www.linuxsecurity.com/advisories/suse_advisory-5019.html

10/26/2004 - xpdf, gpdf, kdegraphics3-pdf, pdftohtml, cups remote system compromise security vulnerability fix
Chris Evans found several integer overflows and arithmetic errors. Additionally Sebastian Krahmer from the SuSE Security-Team found similar bugs in xpdf 3.
http://www.linuxsecurity.com/advisories/suse_advisory-5022.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
------------------------------------------------------------------------

From isn at c4i.org Mon Nov 1 03:53:39 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 1 04:16:04 2004
Subject: [ISN] Second sight
Message-ID:

Forwarded from: Kevin L. Shaw

Your screensaver is then actively looking for illegal content. What happens when your door is kicked in by the cops because your ISP detects you accessing data on their "watch list"? What's to prevent pedophiles from using the "screensaver" as their get out of jail free card?

"Stopping the supply" will be about as effective as anti-cocaine operations in South America; which is to say, not very effective at all. Treating the mentally ill and recognizing signs of aberrant behavior to help prevent it - a wholly non-technological solution - seems to me far more effective.
-----Original Message-----
Subject: [ISN] Second sight

http://www.guardian.co.uk/online/comment/story/0,,1331820,00.html

Dave Birch
October 21, 2004
The Guardian

I was involved in a discussion about internet policing and child pornography the other day. There were a number of suggestions: ID cards, expanding police IT training and so on. None, in my opinion, were likely to have much ...

From isn at c4i.org Tue Nov 2 03:51:12 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 2 04:13:23 2004
Subject: [ISN] Old con tricks pose the 'greatest security risk'
Message-ID:

http://news.com.com/Old+con+tricks+pose+the+greatest+security+risk/2100-7349_3-5435199.html

By Munir Kotadia
Special to CNET News.com
November 1, 2004

The greatest security risk facing large companies and individual Internet users over the next 10 years will be the increasingly sophisticated use of social engineering to bypass IT security defenses, according to Gartner.

The research firm defined social engineering as "the manipulation of people, rather than machines, to successfully breach the security systems of an enterprise or a consumer," in an announcement Sunday. This involves criminals persuading a user to click on a link or open an attachment that they probably know they shouldn't.

Rich Mogull, research director for information security and risk at Gartner, said in the announcement that social engineering is more of a problem than hacking.

"People, by nature, are unpredictable and susceptible to manipulation and persuasion. Studies show that humans have certain behavioral tendencies that can be exploited with careful manipulation," he said. "Many of the most damaging security penetrations are, and will continue to be, due to social engineering, not electronic hacking or cracking."

Mogull said that identity theft is a major concern because more criminals are "reinventing old scams" using new technology.
"Criminals are using social engineering to take the identity of someone either for profit, or to gather further information on an enterprise. This is not only a violation of the business, but of someone's personal privacy," he said.

Rob Forsyth, managing director at Sophos in Australia and New Zealand, described a recent "malicious and cynical" scam that targeted unemployed Australians. The potential victim received an e-mail that purported to come from Credit Suisse bank advertising a job opportunity. The e-mail asked the recipient to go to a Web site that was an almost exact replica of the actual Credit Suisse site--but this version contained an application form for the "job posting."

Forsyth said the replicated Web site was recreated so thoroughly that it took experts some time to confirm that it was actually a fraud.

"It took us some time to determine it was a fake site. It was not necessarily groundbreaking, but quite a clever combination of technology. They are targeting those people in the community that are most in need--those seeking work. It is exactly those people that might be vulnerable to this kind of overture," Forsyth said.

Gartner's Mogull said: "We believe social engineering is the single greatest security risk in the decade ahead."

Munir Kotadia of ZDNet Australia reported from Sydney.

From isn at c4i.org Tue Nov 2 03:51:38 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 2 04:13:27 2004
Subject: [ISN] Secure state of mind
Message-ID:

http://www.computerweekly.com/articles/article.asp?liArticleID=134676

By Mick Hegarty
2 November 2004

Not surprisingly, security is one of the biggest issues facing businesses today. The threat posed by viruses, hackers and fraudsters affects every organisation, as do the consequences of accidental damage, equipment failure and even uninformed employees. It is a fact that a lack of appropriate security measures results in lost business, lost revenue, lost customers and even loss of reputation.
Poor levels of security threaten a company's survival. The Department of Trade & Industry has found that the average UK business now has roughly one security incident a month, and this situation is not going to get any better as businesses use technology to make better use of information, change the way they work and stay competitive.

Small and medium-sized enterprises must feel they are under attack from all sides. And to cap it all, recent legislation in the form of the Data Protection Act, the Stock Exchange's Turnbull Report and guidance from the Financial Services Authority places responsibility for data security and openness of accountability at the door of the most senior people in the business.

For SMEs that responsibility is landing in IT managers' laps. They are being given the task of setting up and supporting rigorous security policies and systems. So where does the IT manager start?

The first thing is to realise that security is not all negative. Just as poor security can be fatal, good security can bring real advantages. Customers and suppliers who have confidence in a firm's security policies will spread the word. Good defences help enhance the brand and differentiate a company from its competitors.

What is more, being confident about security means you will be able to open up the network for flexible working, direct links with suppliers and e-commerce. This is how IT managers can really enhance their reputation within the company. The workforce will appreciate the greater flexibility in the way they are able to work and the directors are going to enjoy the competitive advantage and the money they are saving. Get the network security right and the IT manager becomes a hero.

At the same time, security does not have to be difficult and expensive thanks to continued reductions in costs and improvements in the range and capabilities of third-party providers.
Third parties can supply expertise to analyse vulnerabilities and help to develop your security policy. They can design and implement security products to meet requirements and budget. They can monitor the system proactively and help manage aspects such as firewall and URL filtering rules and updates to the anti-virus system.

A third party will have invested in skills and capabilities that a small company would find hard to afford itself. This will include government and manufacturer accreditation, skilled consultants and engineers and the learning that comes from helping other businesses such as yours. This can give you real peace of mind. And do not forget that if you choose one supplier for your network and your security, you have the added advantages of a single supplier to work with and one who understands every aspect of your needs.

By managing security in this way, SME IT managers can concentrate their efforts on their core business while letting others concentrate on the challenges of integrating and managing security. They can avoid having to recruit skills or potentially investing in equipment up-front. Most of all, IT managers can make a real contribution to protecting and enhancing the company. So, do you want to be a hero?

Mick Hegarty is ICT general manager at BT Business

From isn at c4i.org Tue Nov 2 03:51:51 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 2 04:13:30 2004
Subject: [ISN] Google plugs hole exposing Gmail mailboxes
Message-ID:

http://www.macworld.com/news/2004/11/01/gmail/index.php

By Joris Evers
IDG News Service
November 01, 2004

Google Inc. has fixed a security flaw in its Gmail Web-based e-mail service that allowed attackers to hijack users' e-mail accounts.

"Google was recently alerted to a potential security vulnerability affecting the Gmail service. We have since fixed this vulnerability, and all current and future Gmail users are protected," Google spokesman Nathan Tyler said.
Tyler declined to discuss the nature of the problem, but a source close to Google confirmed that the flaw allowed an attacker to gain complete control over a user's account.

The problem was in the way Gmail authenticated users. An attacker could steal a so-called cookie file identifying the user by making use of a seemingly innocent link to Google's own Web site, according to a report on the Web site of the Israeli publication Nana NetLife Magazine. The cookie allowed an attacker to sign on to Gmail as the victim from any computer without having to enter a password. The attacker would continue to be able to access the Gmail account even if the password were changed, according to Nana NetLife, which cited an Israeli hacker named Nir Goldshlagger.

An investigation by Google found that only a handful of Gmail users were victimized, the source close to the Mountain View, California-based company said.

Google announced Gmail in April, grabbing headlines because of the 1GB storage space provided with a Gmail account. The service is still officially in beta testing and Internet users can only get accounts after receiving an invitation from a current user. Google does not disclose how many Gmail accounts it hosts.

From isn at c4i.org Tue Nov 2 03:52:04 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 2 04:13:32 2004
Subject: [ISN] Study: Lax laptop policies create security concerns
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,97094,00.html

By John E. Dunn
NOVEMBER 01, 2004
TECHWORLD.COM

Company laptops are routinely used to download music and video, access porn, and do online shopping, a new Europe-wide survey has revealed. So big has the problem become that laptops returning to company networks after their travels are now one of the biggest security hazards faced by many companies.
Despite this, 70% of companies questioned offered no written guidance to employees on the use of their machines, and only a quarter imposed technological restrictions. The survey of employees in 500 companies across the U.K., the Netherlands, Germany, France, and Italy on behalf of Websense Inc., uncovered the tendency of many employees to treat laptops as unofficial personal possessions. The crimes of the mobile workforce are various but include picking up spyware, downloading non-approved software, surfing porn sites, and generally treating the issue of security as a minor concern. Forty-six percent allowed people outside of work to use their machines. And board level employees were no better than workers at other levels of the organization, with 54% admitting any one of a number of hazardous activities such as downloading non-approved software. The U.K. scored at or near the top on most measures of risky behavior. "I don't know if it's a lack of awareness or that they [companies] are focused on security from within the network," said Mark Murtagh of Websense. "They are looking at the traditional threat of viruses but not doing a good job of protecting against the evolving threats." Part of the problem was widespread ignorance of the risks of laptop use -- the survey revealed that only 7% of those asked understood what spyware was -- coupled to a need to use more technology to lock down security, he said. Companies loaded antivirus software but did not yet see the other types of threat, such as data theft, as critical enough to warrant further investment. Solutions to the problem are harder to gauge. At an absolute minimum, companies should start asking employees to sign up to reasonable-use guidelines, while IT staff should treat any laptop connecting to the company network after returning from its travels as a major security risk. Longer term, it seems likely that software to lock down and secure laptops will become a standard feature. 
From isn at c4i.org Tue Nov 2 03:52:15 2004 From: isn at c4i.org (InfoSec News) Date: Tue Nov 2 04:13:33 2004 Subject: [ISN] Oxford Uni 'hackers' suspended Message-ID: http://www.theregister.co.uk/2004/11/01/oxford_uni_hacks_suspended/ By John Leyden 1st November 2004 A pair of Oxford University students have been suspended over a little hacking project they undertook to "expose" security flaws in the University's IT system. First-year students Patrick Foster and Roger Waite were able to snoop on traffic sent over the network - including email passwords sent in plain text, a contravention of University security policies - and unencrypted CCTV footage. They published an account of their activities in the Oxford Student paper in May 2004, suggesting that University IT systems were "wide open to hackers". Systems were not "hacked" but "snooped on", according to University techies, who criticised the duo's reporting as inaccurate and "sensationalist". Oxford dons were also angry with the student hacks' actions and instigated disciplinary proceedings. Last week Oxford's Court of Summary Jurisdiction suspended Foster, 20, from the university until May 2005. Waite, 21, was banned from university buildings and facilities (a process known as rustication) for a lesser period of one term. He's been suspended from the second year of his history course until January, the BBC reports. Both undergraduates admitted the various charges (unauthorised access, violating users' privacy and wasting staff time) against them. Foster, a politics, philosophy and economics student, who has since become editor of Oxford Student, and Waite have both vowed to appeal their sentences. 
From isn at c4i.org Wed Nov 3 07:56:09 2004 From: isn at c4i.org (InfoSec News) Date: Wed Nov 3 08:12:00 2004 Subject: [ISN] Assessing Network Security Message-ID: http://books.slashdot.org/books/04/11/02/207244.shtml [ http://www.amazon.com/exec/obidos/ASIN/0735620334/c4iorg - WK] November 02, 2004 Anton Chuvakin writes "I've read some pretty bad books on penetration testing; till now, nobody seemed to get this fun subject right! Good news - this time somebody did. Assessing Network Security comes to us direct from the bunkers of Redmond. Written by three Microsoft security researchers, the book provides a great overview as well as an in-depth coverage of assessing security via penetration testing ('pentesting'), scanning, IT audit and other means." Read on for the rest of Chuvakin's review of the book. Assessing Network Security Author: Ben Smith, David LeBlanc, Kevin Lam Pages: 592 Publisher: Microsoft Press Rating: 8/10 Reviewer: Anton Chuvakin ISBN: 0735620334 Summary: Great pentesting book Assessing Network Security starts with a nice overview of key principles of security (definitely not news for industry practitioners, but nice anyway), and then goes on to defines vulnerability assessment, penetration testing and security audit. A critically important section on reporting the findings is also nicely written, and shows that the authors are knowledgeable, and interested in showing a complete security process rather than just the looking-for-leaks part. The authors then go into developing and maintaining pentesting skills, including advice on choosing training and resources (nice for those starting in the field). The actual pentesting process is split into non-intrusive (combining the usual "intelligence gathering" with port scans, sweeps and various host queries) and intrusive tests (such as running a vulnerability scanner, brute-forcing passwords, DoS testing and others). 
Some entries seem to belong in both categories (such as sniffing) but are placed into the intrusive section, for whatever reason. Up-to-date content (wireless, Bluetooth and web assessment, for instance) is well represented. The authors also include a fairly insightful social engineering testing section (touching on dumpster diving and other non-network assessment methods). My favorite chapter was the one presenting various case studies - examples of specific threats/tests against Web, email, VPN and domain controller systems. Among other features that I liked in Assessing Network Security were 'notes from the field' sidebars with fun stories related by authors, and FAQs at the end of each section. On the down side, the book is somewhat Windows-focused (although it is amazingly vendor-neutral in most respects, considering the source). The book is also somewhat dry, although the sidebars provide some needed relief when the text gets too process-oriented at times. Assessing Network Security is largely about methodology, but I'd have preferred to see a bit more technical content, since it is a 600-page volume. I think the checklists present in the Appendix are a great step in that direction. Overall, I enjoyed the book and think it is both a great guide and a reference for most security professionals, especially for those starting to be involved with penetration testing. Anton Chuvakin, Ph.D., GCIA, GCIH is a Security Strategist with a security information management company and maintains the security portal info-secure.org. He wrote Security Warrior and contributed to Know Your Enemy, 2nd Edition. 
From isn at c4i.org Wed Nov 3 07:53:29 2004 From: isn at c4i.org (InfoSec News) Date: Wed Nov 3 08:12:02 2004 Subject: [ISN] Dutch government takes legal action against DDoS attacker Message-ID: http://www.dmeurope.com/default.asp?ArticleID=4170 By Joe Figueiredo 03/11/2004 The Dutch government is to launch legal proceedings against a suspected hacker accused of recently disabling several government websites for four days through a series of distributed denial of service (DDoS) attacks, the ICTU - the government agency that oversees information and communication technology in the public sector - has reported. The suspect is an 18-year old youth, and a possible member of the "0x1fe Crew", a group of around 15 hackers protesting recent cabinet decisions. The youth, who, if found guilty, could face a stiff bill for damages amounting to tens of thousands of euros, apparently revealed his actions and personal details to a Dutch current affairs television programme, according to the ICTU, which had conducted an enquiry into the attacks. The ICTU has since introduced technical measures (including purchasing extra bandwidth from hosting provider ASP4all) to better deal with future cyber assaults on these websites. "We can take even further steps, but this would depend on what our 'clients' are willing to pay," said an ICTU spokesperson. Although the ICTU is only taking a civil action against the alleged hacker, the public prosecutor in the Hague is looking into bringing possible criminal charges. This follows a complaint in parliament against an earlier decision by the public prosecution service not to take any action against the alleged hackers, despite the police having known their identity. From isn at c4i.org Wed Nov 3 07:55:39 2004 From: isn at c4i.org (InfoSec News) Date: Wed Nov 3 08:12:04 2004 Subject: [ISN] Stolen computers have Wells Fargo customer data Message-ID: http://www.siliconvalley.com/mld/siliconvalley/news/editorial/10079221.htm Nov. 
02, 2004 NEW YORK (AP) - Thousands of Wells Fargo & Co. mortgage and student-loan customers may be at risk for identity theft after four computers were stolen last month from a vendor that prints loan statements. The computers were taken from the Atlanta office of Regulus Integrated Solutions LLC contained customer names, addresses, and social security and account numbers. No passwords or personal-identification numbers were in the database. ``There is no indication that the stolen information has been misused,'' Wells Fargo spokeswoman Janis Smith said. Regulus, which also services other big banks, didn't return phone calls seeking comment. The bank declined to say how many people may be affected. But Wells Fargo, a $422 billion financial-services company, has about 4.9 million mortgage customers and serves about 890,000 customers through its education-finance division. The bank notified customers by mail last week after finding out about the theft and urged them to take precautions such as filing a security alert with the three major credit bureaus. Additionally, the bank is offering a free year of its credit-monitoring service, Wells Fargo Select Identity Theft Protection, to customers who enroll by March 31, 2005. It marks the third time in about a year computers have been stolen containing personal data of Wells Fargo customers. The bank said it isn't aware of any misuse from the two previous occasions. Earlier this year, thousands of credit-card numbers were stolen from BJ's Wholesale Club Inc. Tax preparer H&R Block Inc. and database keeper Acxiom Corp. have also had consumer information stolen in recent years. The incidents highlight the increasing danger of identity theft, which occurs when an individual's information is stolen and then used to open up credit and bank accounts. In a recent report, the Federal Trade Commission estimated that 27.3 million people have been victims of identity theft in five years. 
From isn at c4i.org Wed Nov 3 07:56:30 2004 From: isn at c4i.org (InfoSec News) Date: Wed Nov 3 08:12:05 2004 Subject: [ISN] Linux Security Week - November 1st 2004 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | November 1st, 2004 Volume 5, Number 43n | | | | Editorial Team: Dave Wreski dave@linuxsecurity.com | | Benjamin D. Thomas ben@linuxsecurity.com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "Linux More Secure than Windows says Study," "Firewall Security Tips," and "Common Sense About Passwords." ---- >> The Perfect Productivity Tools << WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05 ---- LINUX ADVISORY WATCH: This week, advisories were released for mozilla, zlib, kernel, glib2, MySQL, Gaim, MIT, Netatalk, socat, mpg123, rssh, xpdf, gpdf, cups, kdegraphics, squid, and libtiff. The distributors include Conectiva, Fedora, Gentoo, Mandrake, Red Hat, Slackware, and SuSE. http://www.linuxsecurity.com/articles/forums_article-10147.html ----- Mass deploying Osiris Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. 
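As an added illustration of the baseline-and-compare model that the Osiris summary describes (example code, not the Osiris project's own), the following fingerprints every regular file under a root, rescans later and reports what appeared, vanished or changed. The sample tree, its file names, and the choice of sha256, size, mode and uid as the tracked attributes are this example's assumptions:

```python
"""Baseline-and-compare file integrity check, in the spirit of Osiris.
Added example, not the Osiris project's code; the sample tree below is
constructed inside a temporary directory so the script runs anywhere."""
from __future__ import annotations

import hashlib
import os
import stat
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def fingerprint(path: Path) -> dict[str, object]:
    """Content hash plus the metadata a tampered file usually betrays."""
    st = path.lstat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
    }


def baseline(root: Path) -> dict[str, dict[str, object]]:
    """Fingerprint every regular file under root, keyed by root-relative path.
    This is the database a central server would keep for each client."""
    db: dict[str, dict[str, object]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files need their own handling
            db[p.relative_to(root).as_posix()] = fingerprint(p)
    return db


def compare(old: dict[str, dict[str, object]],
            new: dict[str, dict[str, object]]) -> dict[str, list]:
    """Report files that appeared, vanished, or changed in any tracked attribute."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified: list[tuple[str, list[str]]] = []
    for rel in sorted(set(old) & set(new)):
        changed = [k for k in old[rel] if old[rel][k] != new[rel][k]]
        if changed:
            modified.append((rel, changed))
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list]:
    """Take a baseline of a constructed tree, disturb it, and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho ls\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")
        os.chmod(root / "etc" / "passwd", 0o644)  # pin the mode before the baseline
        before = baseline(root)

        # The kinds of change an integrity checker exists to surface:
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho ls; echo changed\n")  # content
        os.chmod(root / "etc" / "passwd", 0o600)   # permissions only, same bytes
        (root / "etc" / "motd").unlink()           # file removed
        (root / "etc" / "extra.conf").write_text("x=1\n")  # file added
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

The report lists which attribute changed, so a permission-only change on `etc/passwd` is distinguishable from a content change on `bin/ls`. In a deployment the baseline would be stored off the monitored host, as the Osiris server model does, since a database kept locally is just one more file an intruder can rewrite.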
Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel. http://www.linuxsecurity.com/feature_stories/feature_story-175.html --------------------------------------------------------------------- AIDE and CHKROOTKIT Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit. http://www.linuxsecurity.com/feature_stories/feature_story-173.html ------ --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------+ | Host Security News: | <<-----[ Articles This Week ]---------- +---------------------+ * Hole in Linux kernel October 28th, 2004 Leading Linux distributor Suse has uncovered a security hole in the linux 2.6 kernel. It is claimed that this vulnerability can be used to shut down a system running 2.6-based software remotely. Bad news, indeed. http://www.linuxsecurity.com/articles/host_security_article-10144.html * Suse warns of hole in Linux kernel October 27th, 2004 Linux distributor Suse has warned of one of the most serious security holes to date in version 2.6 of the Linux kernel, which could allow attackers to shut down a system running 2.6-based software. http://www.linuxsecurity.com/articles/server_security_article-10140.html * Linux more secure than Windows says study October 27th, 2004 Another brown study in the Windows vs Linux security debate claims to prove that the Mighty Vole fudged things when it claimed that its software was more secure than Linux. The study, compiled by tech journalist Nicholas Petreley concludes that Microsoft's "Get The Facts" campaign does not deal with the "real facts." 
http://www.linuxsecurity.com/articles/general_article-10137.html * Integer overflows the next big threat October 26th, 2004 THE NEXT big problem the IT security community faces is integer overflow attacks, said Theo de Raadt, OpenBSD's project founder and leader. According to him, the community currently can't see a clear method to circumvent any future vulnerabilities that would arise from integer overflows. http://www.linuxsecurity.com/articles/security_sources_article-10134.html +------------------------+ | Network Security News: | +------------------------+ * Week 45: Firewall Security Tips October 28th, 2004 In the limited space available here, I cannot possibly address how to secure a firewall. Instead, I'll note the considerations that go into doing so and point you to some useful resources. CNSS Instruction No. 4009, revised May 2003, National Information Assurance (IA) Glossary defines a firewall as a "system designed to defend against unauthorized access to or from a private network." http://www.linuxsecurity.com/articles/firewalls_article-10146.html * Computer Security 101 October 26th, 2004 With Lesson 8 we begin to enter the home stretch in the 10-part Computer Security 101 Series. The object of Computer Security 101 is to provide an introduction for new or novice users to the technology, terminology and acronyms commonly used with computers and networks. Understanding these things better will hopefully help people understand what, how and why they need to secure their computers as well. http://www.linuxsecurity.com/articles/documentation_article-10133.html +------------------------+ | General Security News: | +------------------------+ * Linux users: welcome to the world of malware October 29th, 2004 Linux users are often smug about the state of their computer security, rightly criticizing Windows for its numerous security holes, but overlooking their own vulnerabilities. Now it's their turn to suffer. 
http://www.linuxsecurity.com/articles/server_security_article-10151.html * Common Sense About Passwords October 29th, 2004 Passwords are a pain, but new thinking about passwords and some new tools make it possible to make passwords easier to manage and more effective. Passwords are expensive for IT staff to manage. http://www.linuxsecurity.com/articles/host_security_article-10149.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Wed Nov 3 07:59:26 2004 From: isn at c4i.org (InfoSec News) Date: Wed Nov 3 08:12:06 2004 Subject: [ISN] Russian Denies Authoring "SoBig" Worm Message-ID: http://www.oreillynet.com/pub/a/network/2004/11/02/sobig.html By Brian McWilliams 11/02/2004 A Russian developer of bulk email software flatly denied reports that he or his company is in any way connected to the virulent SoBig computer worm. Ruslan Ibragimov, owner of Russia-based Send-Safe, said an anonymously published document falsely accuses him of authoring SoBig, which was rampant on the internet in 2003. "It's bullshit," said Ibragimov in an online interview on Monday. The report, "Who Wrote SoBig?" (a copy of which is available here) includes a 48-page technical analysis of both SoBig and the Send-Safe bulk email program. The similarities between the software "should be considered as significant as finding a fingerprint on a murder weapon," concluded the document's pseudonymous creator, "Author Travis." Since SoBig was first identified in January 2003, experts have suspected that the worm was created in order to turn infected PCs into "Trojan" proxies that could be used to send spam anonymously. Author Travis is the first to publicly finger a specific spam operation as the source of the worm. 
Ibragimov, 30, said no one from the FBI or any other law enforcement agency has ever contacted him about the SoBig worm. He rejected the report's forensic analysis and said that it reached faulty technical conclusions. The report noted, for example, a strong similarity in the email headers created by Send-Safe and SoBig. But Ibragimov said Send-Safe chose the particular order of headers merely to mimic Outlook Express and to better evade spam filters. Ibragimov also said that the roughly similar release dates of new Send-Safe versions and updates of SoBig were purely a coincidence and not an indication that the programs were both written by the same person. "We have released new builds [of Send-Safe] every week and a new version every month," Ibragimov said. Ibragimov also commented that there's a painful irony in the accusation that Send-Safe wrote the SoBig worm in order to assemble a collection of "Trojaned" proxies. "Trojans killed my business," he said, noting that many of his customers have recently migrated to "cracked" (pirated) versions of spamware programs such as Dark Mailer, for which they purchase lists of Trojaned proxies from hackers. According to Ibragimov, Send-Safe provides customers with a list of proxies gathered by scanning the internet for computers configured as proxy servers. He claims that the report incorrectly states that Send-Safe, like SoBig, primarily uses proxies on obscure port addresses. The current list of 937 proxies provided to Send-Safe customers includes 682 using standard proxy ports--ports 80, 8080, 3128, and 1080. The Send-Safe mailer does allow users to supply their own proxies. Ibragimov admitted that some customers might have obtained Trojaned proxies from other sources and used them with the Send-Safe mailer. Comments on Send-Safe's discussion forum appear to confirm that the company has had trouble providing users with sufficient proxies for sending spam. 
Over the past 16 months, customers have frequently reported problems with proxies. On September 9, Ibragimov responded to one complaint about the service this way: "Proxy count is just a little lower than usual. We are looking for a good proxy provider for our users." Ibragimov said his company, which employs three people, currently has around thirty users, sharply down from the hundreds it served just a year ago. In an email, Author Travis declined to answer questions about the report. According to the document, the authors provided the information to law enforcement over a year ago. They decided to go public with the report in hopes of spurring additional research into their theory that Send-Safe is the culprit behind SoBig. According to the document, the authors' forensic analysis of SoBig predates Microsoft's offer of a $250,000 reward for the apprehension and conviction of SoBig's creator. A Microsoft representative Monday said the company had no comment on the SoBig report. An investigation by law enforcement into SoBig is still underway, said the representative. "Who Wrote SoBig" was published anonymously, according to its authors, because "associating this paper with any specific company, organization, group, or individual will only serve to detract from the investigation." Ibragimov said he had no idea who authored the anonymous report. When asked whether he had any idea who might have written SoBig, Ibragimov said, "No. There are a million good programmers in the world." From isn at c4i.org Thu Nov 4 03:12:58 2004 From: isn at c4i.org (InfoSec News) Date: Thu Nov 4 03:26:15 2004 Subject: [ISN] 16 candles for first Internet worm Message-ID: http://news.com.com/16+candles+for+first+Internet+worm/2100-7349_3-5438291.html By Munir Kotadia Special to CNET News.com November 3, 2004 The first significant Internet worm appeared on this day 16 years ago, and online security has never been the same, security professionals say. At around midnight on Nov. 
2, 1988, the Morris worm, written by a 23-year-old Massachusetts Institute of Technology student called Robert Tappan Morris, was released on the embryonic Internet. Within hours, the worm's 99 lines of code overloaded thousands of Unix-based VAX and Sun Microsystems systems, forcing administrators to disconnect their computers from the network to try to stop the worm from spreading. The Morris worm was part of a research project and was not designed to cause damage, but it was programmed to self-replicate. Unfortunately, the code contained a bug that allowed the worm to infect a single machine multiple times, which resulted in thousands of computers grinding to a halt. Morris' worm was the first to spread on the Internet. But the very first appearance of a worm was in a 1982 paper by researchers John Shoch and Jon Hupp of the Xerox Palo Alto Research Center, who described a self-distributing program with a bug that managed to crash 100 machines in the research building. Morris was convicted for his research, but did not go to prison. He received a suspended sentence with community service and was fined $10,000. At the time, the Internet was still a closed system used by universities and the military for research purposes, security experts say. Once it was opened to the public--and became known as the World Wide Web--attitudes to security had to change. Sean Richmond, a senior technology consultant at Sophos Australia, said that since Morris, there have been fundamental changes in the way networks and computers communicate with each other, and that will continue to evolve over the next 16 years. "At that time, commands such as 'remote login,' 'remote shell' and 'remote copy' were commonly used. The idea was that if you were logged into one machine, you could access another system, and it wouldn't even ask you for a login password. There was a level of trust," Richmond said. 
Matt Dircks, vice president and product manager at network management specialists NetIQ, said that the biggest difference is the impact a network worm has on the general population. When Morris hit in 1988, academics would have lost some of their research. But when worms like Blaster or Sasser start spreading on the modern Internet, it affects banks, government departments and even stops kids from researching their schoolwork from home, said Dircks. "The stakes have gone up because the impact of the worm has changed in scope and in depth. The impact on people's daily lives is much more pronounced," Dircks said. Sophos' Richmond said that malicious software is unlikely to go away over the next 16 years, but it should have less impact, as software companies develop their applications with security in mind rather than as an afterthought. Richmond also said that the next-generation Internet will run on IPv6, or Internet Protocol version 6, which is a communications protocol that lays the foundation for a far more secure and safe online commercial environment. "Security is being designed in the next TCP/IP version (IPV6), so the IP address will contain a knowledge and expectation of security. The current version IPv4 was built with a much more open world in mind. Security was not part of the initial design," he said. "In 16 years' time, the potential for something to spread widely and rapidly across everything will be diminished just by the underlying security." However, NetIQ's Dircks said that IPv6 is a very long-term project, and because it will require so much hardware to be replaced, it will be a very slow upgrade cycle. "Part of the solution is to build security into the architecture. But there are systems that are 30 or 40 years old still running, and the companies using them will not get rid of them, because they still work," Dircks said. 
"We are always going to have a heterogeneous world, and without painting a picture of doom, gloom and apocalypse, the problems are not going away." Munir Kotadia of ZDNet Australia reported from Sydney. From isn at c4i.org Thu Nov 4 03:12:24 2004 From: isn at c4i.org (InfoSec News) Date: Thu Nov 4 03:26:17 2004 Subject: [ISN] Hackers reopen stolen code store with Cisco wares Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,97194,00.html By Paul Roberts NOVEMBER 03, 2004 IDG NEWS SERVICE An anonymous group of malicious hackers reopened an online store that sells the stolen source code of prominent software products and is offering the code for Cisco Systems Inc.'s PIX firewall software for $24,000, according to messages posted in online discussion groups. The Source Code Club reappeared online Monday, using messages to online security discussion groups to announce that it was back in business. The group is using e-mail and messages posted in a Usenet group to communicate with customers and take orders for the source code of several security products, including Cisco's PIX 6.3.1 firewall and intrusion-detection system software from Enterasys Networks Inc., the group said. Cisco did not immediately respond to a request for comment. The club first surfaced in July, using a Web page with an address in Ukraine and messages posted to the Full-Disclosure security discussion list to advertise its wares. Initially, the Source Code Club said it was selling "corporate intel[ligence]" to its customers, along with other unnamed services, according to a message posted in July to the Full-Disclosure mailing list by a group or individual using the name "Larry Hobbles." The club offered the Enterasys Dragon IDS 6.1 source code for $16,000 and the code for file sharing software from Napster LLC, now part of Roxio Inc., for $10,000. 
However, the group was forced to shutter its operations after just a few days, citing the need to redesign its business model. In its latest incarnation, the Source Code Club is still marketing itself as a corporate espionage service, but is also playing on domestic security fears, appealing to "intelligence agencies [and] government organizations" that want to understand exactly what products like Cisco's PIX firewall do. The group has raised the price on the Enterasys and Napster code, to $19,200 and $12,000, respectively, according to a new message from the group, which was also posted under the name "Larry Hobbles." The Source Code Club is also offering private membership for those who buy one full copy of product source code, with the promise of access to a list of more source code "deemed to [sic] sensitive to put up," the message said. Cisco PIX is one of the most commonly deployed corporate firewalls. Version 6.3.1 was first released in March 2003. The current version is 6.3.4, which was released in July. From isn at c4i.org Thu Nov 4 03:12:41 2004 From: isn at c4i.org (InfoSec News) Date: Thu Nov 4 03:26:19 2004 Subject: [ISN] E.V. men accused in computer hacking ring Message-ID: http://www.eastvalleytribune.com/index.php?sty=30941 By Bryon Wells Tribune November 3, 2004 Two Scottsdale men and a Tempe resident are accused of being "high-ranking" operatives of a computer hacking and fraud ring that trafficked in 1.7 million stolen credit card numbers totaling $4 million in losses. In its yearlong investigation, the U.S. Secret Service and other law enforcement agencies infiltrated the ring, which operated Web sites with names such as Shadowcrew.com and Darkprofits.com to facilitate criminal activity among at least 4,000 members of the network. Andrew Montavani and Brandon L. Monchamp of Scottsdale, described as architects of the network, and Phillip Kresler of Tempe, were three of 21 people arrested late last month in the United States. 
There were several other indictments in foreign countries, according to the Secret Service. "Identity theft carries a heavy price, both in the damage to individuals whose identities are stolen and the enormous cost to America's businesses," said Attorney General John Ashcroft in a release. "This indictment strikes at the heart of an organization that is alleged to have served as a one-stop marketplace for identity theft." Montavani, Monchamp and Kresler were arrested after a raid on their homes Oct. 26. Items taken included computers, computer disks and other equipment, as well as blank credit card plastics, an embosser, credit cards, false identification cards and bank receipts, according to court records. The Web sites are now inaccessible or contain a warning message from the Secret Service, intended "For those who wish to play in the shadows:" "Several arrests have been made with many more to follow." Members of the network communicated via message boards and chat rooms on the Web sites to exchange hacking techniques and buy and sell fraudulent credit cards, false IDs, passports and birth certificates - even Arizona driver's licenses and Arizona State University student IDs in Kresler's case. The hackers had numerous schemes with their own terminology to define them: For example, "carding" refers to going on a shopping spree with counterfeit cards. "Phishing" is spamming several e-mail addresses with dummy links to replicas of legitimate Web sites such as eBay and Citibank to trick the victim into giving up personal information, and "Printing" refers to manufacturing fake credit cards. A confidential informant, described only as a "high-ranking" member of Shadowcrew, had been helping the Secret Service with the investigation since August 2003. The informant entered into a plea with the government and will be criminally charged for their involvement. 
The Secret Service began tailing Montavani on July 7 at his home in the 4200 block of North Miller Road in Scottsdale, and later learned that Monchamp lived there.

Montavani's specialty was "banging out ATMs," which refers to getting cash from automated teller machines through fake cards. Monchamp, aka "Kingpin," was able to emboss and encode fake credit cards, and also had access to MasterCard, Bank One and Capital One hologram labels.

Most of those arrested, including Monchamp, Montavani and Kresler, were extradited to New Jersey, where the complaint originated.

The government touted the case as an example of how the Justice Department will continue to aggressively prosecute these crimes.

"Identity theft by organized groups like Shadowcrew is a particularly insidious crime," said assistant attorney general Christopher A. Wray. "Victims have their identities stolen and their credit ratings ruined. Identity theft defrauds banks and businesses of millions of dollars every year, endangering economic security and undermining consumer confidence."

From isn at c4i.org Thu Nov 4 03:13:30 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 4 03:26:21 2004
Subject: [ISN] Security UPDATE--Mathematical Strength of Passphrases--November 3, 2004
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Debunking the Top 5 Myths of Outsourcing Email Security
http://list.windowsitpro.com/cgi-bin3/DM/y/eiAL0MfYqv0Kma0BMfg0AL

Get thawte's New Step-by-Step SSL Guide for MSIIS
http://list.windowsitpro.com/cgi-bin3/DM/y/eiAL0MfYqv0Kma0BMfh0AM

====================

1. In Focus: Mathematical Strength of Passphrases

2. Security News and Features
- Recent Security Vulnerabilities
- News: New Security Risk Management Guide
- Feature: Event Response

3. Security Matters Blog
- Microsoft's Virtual Lab
- Need Hands-on Time in a Cisco Lab?

4. Instant Poll

5. Security Toolkit
- FAQ
- Security Forum Featured Thread

6. New and Improved
- SSL VPN for Multiplatform Clients

====================

==== Sponsor: Postini ====

Debunking the Top 5 Myths of Outsourcing Email Security
As spam and email-borne viruses continue to threaten the productivity and stability of email systems, enterprises are evaluating various anti-spam email security solutions including buying software or appliances for deployment in-house, or outsourcing email security to a managed service. In this free White paper, you'll find out the five most common myths surrounding the concept of outsourcing email security. Plus, you'll gain an understanding of the benefits gained from using a managed service for email security including improved protection against new email threats and attacks, lower infrastructure costs, less administrative burden, and reduced risk and complexity. Get this white paper now!
http://list.windowsitpro.com/cgi-bin3/DM/y/eiAL0MfYqv0Kma0BMfg0AL

====================

==== 1. In Focus: Mathematical Strength of Passphrases ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about why passphrases might be a better idea than passwords. In essence, passphrases are longer and stronger, easier to remember, and more resistant to the assaults of many of the more popular password crackers.

In previous editions of this newsletter, I've mentioned articles by Jesper Johansson, Microsoft security program manager. Recently, Johansson published part 2 of the three-part series "The Great Debates: Pass Phrases vs. Passwords," which compares passphrases and passwords. In part 1 (at the first URL below), Johansson covers the fundamentals, including how passwords are stored.
In part 2 (at the second URL below), he looks at the strength of each approach, and in part 3, due out later this month, if I understand correctly, he will offer guidance on how to select stronger passwords and configure password policy.
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint091004.mspx
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx

Part 2 of the series is very interesting because Johansson offers insight into why "longer is stronger" in many cases. Some password-cracking tools attempt to precompute all possible hashes and store them on disk in order to reduce computation time when trying to crack a given password. Johansson points out that precomputing for LAN Manager (LM) hashes is feasible because storing all possible hashes for a 14-character password, for example, based on a 76-character set (the number of characters on a standard American English keyboard when you include lower- and uppercase letters, numbers, punctuation, and special characters) would require about 310TB of storage. Granted, that's a huge amount of data, but storing it is feasible given the file systems available today.

On the other hand, trying to store all the possible NT hashes given the same 14-character password and 76-character set wouldn't be feasible because NT's hash algorithm produces longer hashes that would require 5,652,897,009 exabytes (EB) of storage, which according to Johansson, "exceeds the capacity of any file system today."

So you can see that using at least 14 characters for passwords and NT hashes makes cracking take much longer than using shorter passwords and LM hashes because all the possible NT hashes can't be precomputed and stored to disk to save processing time. If all the characters in a password are alphanumeric, and especially if all the letters are the same case, then cracking doesn't take as long as if some nonalphanumeric characters and mixed-case letters are used.
As you might know, cracking programs check first for common words using techniques such as dictionary attacks. And if you use only upper- or lowercase letters, the alphanumeric characters add up to only 26 letters and 10 digits, or 36 characters. But if you use the entire set of 76 characters, you greatly increase password strength because you increase the amount of time required to crack your passwords.

Essentially, the strength of a password (or passphrase) is a function of the size of the character set, the number and randomness of characters used from that set, and the computing power of the platform used to attempt to break the password. Because you can't precisely determine which platform crackers might have at their disposal, you could assume the worst-case scenario--that they have the power of a distributed computing network and massive amounts of storage and will therefore be able to crack your password much more quickly than if they worked alone or with a few associates. That means you should consider using password policies that defend against such threats as much as possible by requiring passwords longer than 14 characters, requiring some nonalphanumeric characters, defending your network at all levels against sniffing, and so on.

If you're interested in more information about password strength or need some logical reasoning to justify new password policies for your network, be sure to read Johansson's articles. He goes into a lot of detail (which isn't over the head of a typical network administrator) and offers several anecdotes and case studies that I think you'll find interesting.

Also, please take a moment to visit our Security Hot Topic Web page and answer our latest Instant Poll question: "What password length do you enforce on your network?" I'm interested to know whether you agree that longer passwords are stronger passwords.
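The arithmetic behind the "longer is stronger" argument above, as an added Python example that is not code from the newsletter or from Johansson's articles: it computes keyspace and entropy for the two charset sizes the column uses (36 and 76), models LM's split into two 7-character upper-cased halves against a single NT hash, and sizes a full precomputation table for each. The LM and NT hash output sizes are the real ones; the 50-character LM charset (case folding of the 76-character set) and the guess rate in main() are modelling assumptions.

```python
"""Keyspace arithmetic behind the "longer is stronger" argument.

Added example, not code from the newsletter or from Johansson's articles.
Inputs are the charset sizes the column quotes (36 same-case alphanumerics,
76 full US keyboard characters), password lengths, and the real LM/NT hash
output sizes. The LM case-folding reduction and the guess rate in main()
are modelling assumptions, labelled where they appear.
"""
import math

ALNUM_SINGLE_CASE = 36   # 26 letters in one case + 10 digits
FULL_KEYBOARD = 76       # upper, lower, digits, punctuation (per the column)

# LM hashes a password as two independent 7-character halves, each run
# through DES to an 8-byte result; NT hashes the whole password (UTF-16LE)
# with MD4 to a single 16-byte digest.
LM_HALF_LEN = 7
LM_MAX_LEN = 2 * LM_HALF_LEN
LM_HASH_BYTES = 8
NT_HASH_BYTES = 16
LETTERS_PER_CASE = 26


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters."""
    if charset_size < 1 or length < 0:
        raise ValueError("charset_size must be >= 1 and length >= 0")
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy a uniformly random password of this shape carries."""
    return length * math.log2(charset_size)


def lm_effective_charset(charset_size: int, both_cases: bool = True) -> int:
    """Model of LM case folding: LM upper-cases letters before hashing, so
    when the charset contains both cases the lowercase letters add no new
    candidates (assumption: 26 Latin letters in each case)."""
    return charset_size - LETTERS_PER_CASE if both_cases else charset_size


def lm_attack_keyspace(lm_charset: int, length: int) -> int:
    """Guesses to exhaust an LM hash: the halves are cracked independently,
    so the work is C**7 + C**(length-7), not C**length."""
    if length > LM_MAX_LEN:
        raise ValueError("LM hashes cover at most 14 characters")
    first = min(length, LM_HALF_LEN)
    second = length - first
    return keyspace(lm_charset, first) + (keyspace(lm_charset, second) if second else 0)


def precompute_table_bytes(charset_size: int, length: int, hash_bytes: int) -> int:
    """Storage for a full hash table: one uncompressed hash per candidate."""
    return keyspace(charset_size, length) * hash_bytes


def to_unit(n_bytes: int, unit: str) -> float:
    """Express a byte count in TB, PB, EB or ZB (binary units)."""
    scale = {"TB": 2 ** 40, "PB": 2 ** 50, "EB": 2 ** 60, "ZB": 2 ** 70}
    return n_bytes / scale[unit]


def seconds_to_exhaust(guesses: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return guesses / guesses_per_second


def main() -> None:
    for label, cs, ln in (
        ("same-case alphanumeric, 8 chars", ALNUM_SINGLE_CASE, 8),
        ("full keyboard, 14 chars", FULL_KEYBOARD, 14),
        ("full keyboard, 20-char passphrase", FULL_KEYBOARD, 20),
    ):
        print(f"{label}: {keyspace(cs, ln):.3e} candidates, "
              f"{entropy_bits(cs, ln):.1f} bits")

    # Full precomputation tables for a 14-character, 76-charset policy.
    # One 7-character LM table serves both halves of every password.
    lm_cs = lm_effective_charset(FULL_KEYBOARD)
    lm_table = precompute_table_bytes(lm_cs, LM_HALF_LEN, LM_HASH_BYTES)
    nt_table = precompute_table_bytes(FULL_KEYBOARD, 14, NT_HASH_BYTES)
    print(f"LM table (7-char halves, {lm_cs}-char set): {to_unit(lm_table, 'TB'):.1f} TB")
    print(f"NT table (14 chars, 76-char set): {to_unit(nt_table, 'EB'):.3e} EB")

    # Online guessing instead of precomputation. 1e9 guesses/s is an
    # assumed rate chosen for illustration, not a measured figure.
    rate = 1e9
    lm_work = lm_attack_keyspace(lm_cs, 14)
    nt_work = keyspace(FULL_KEYBOARD, 14)
    print(f"LM, 14 chars: {seconds_to_exhaust(lm_work, rate) / 60:.0f} minutes to exhaust")
    print(f"NT, 14 chars: {seconds_to_exhaust(nt_work, rate) / (86400 * 365.25):.3e} years to exhaust")


if __name__ == "__main__":
    main()
```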
On another note, we're happy to announce the IT Prolympics--a contest designed to recognize the most proficient Active Directory (AD) experts in the nation. The gold medal winner will get an all-expenses-paid trip to TechEd 2005. Plus, we'll feature photos and test scores of gold, silver, and bronze winners in the January issue of Windows IT Pro magazine. Learn more about IT Prolympics and enter here:
http://www.windowsitpro.com/itprolympics

====================

==== Sponsor: thawte ====

Get thawte's New Step-by-Step SSL Guide for MSIIS
In need of an SSL Certificate for your Microsoft Internet Information Services (MS IIS) web server? This guide will provide a solution for your need by demonstrating how to test, purchase, install and use a digital certificate on your MSIIS web server. Best practices are highlighted throughout this guide to help you ensure efficient ongoing management of your encryption keys and digital certificates. You will also discover how a particular digital certificate can benefit your business by addressing unique online security issues to build customer confidence.
http://list.windowsitpro.com/cgi-bin3/DM/y/eiAL0MfYqv0Kma0BMfh0AM

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.windowsitpro.com/departments/departmentid/752/752.html

News: New Security Risk Management Guide
Microsoft has published a new Security Risk Management Guide that helps people "plan, build, and maintain a successful security risk management program." The new guide is available for free on the company's TechNet Web site.
http://www.winnetmag.com/Article/ArticleID/44356/44356.html

Feature: Event Response
Windows event logs are a crucial source of information for Windows IT pros.
They can warn you of impending problems and alert you to security incidents--but only if you keep on top of them so that you can react to problems quickly. Unfortunately, that's easier said than done. Randy Franklin Smith reviews three tools that monitor event logs and send you alerts.
http://www.winnetmag.com/Article/ArticleID/44093/44093.html

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Are You Using Virtualization Technology? If So, You Could Be a Virtualization Hero!
Share your experiences using virtualization (aka virtual machine) products to solve IT and business problems. Enter the Windows IT Pro Virtualization Hero contest, and tell us how you used virtualization technology in innovative ways to benefit your business. Winners will receive a copy of Microsoft Virtual Server 2005. Also, you can post a comment in our Virtualization Technology blog, moderated by members of Microsoft's Virtual Server team. To enter the blog and for a link to the contest, click here:
http://list.windowsitpro.com/cgi-bin3/DM/y/eiAL0MfYqv0Kma0BMdO0At

Subscribe Now to Windows IT Pro with Exclusive Online Access!
Windows & .NET Magazine is now Windows IT Pro! Act now to get the November issue, which features a Linux primer for Windows administrators, the how-tos of making NTBackup work, and a checklist for Sarbanes-Oxley compliance. You'll save 30% off the cover price and receive exclusive subscriber-only access to our entire online library with your paid subscription! This is a limited-time offer, so click here to order today!
http://list.windowsitpro.com/cgi-bin3/DM/y/eiAL0MfYqv0Kma0BMdM0Ar

Get a Quick Reference Guide to the Latest Antispam Developments
A recent survey shows that spam is the number one pain point for IT pros, and spammers find new methods to avoid filters every day.
Counter spam by learning the essentials for ensuring user productivity, increasing mail-server efficiency, decreasing storage requirements, managing bandwidth, and controlling TCO. Download this free, quick reference guide now!
http://list.windowsitpro.com/cgi-bin3/DM/y/eiAL0MfYqv0Kma0BMd70AV

====================

==== Hot Release ====

Free Solution Brief: Security Protection Strategies for NT4 Devices
Do you have legacy applications running on NT4? Did you know that Microsoft will no longer support the platform with security hot-fixes, leaving many organizations without a credible protection strategy? Download this free white paper to learn how to protect the Windows platform without relying on patching.
http://list.windowsitpro.com/cgi-bin3/DM/y/eiAL0MfYqv0Kma0BMfi0AN

====================

==== 3. Security Matters Blog ====
by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Check out these recent entries in the Security Matters blog:

Microsoft's Virtual Lab
Did you know that Microsoft has a virtual lab? I recently learned about the TechNet Virtual Lab, which lets people test the company's latest software in a sandbox environment.
http://www.winnetmag.com/Article/ArticleID/44374/44374.html

Need Hands-on Time in a Cisco Lab?
The folks over at the Firewall.cx Web site have announced they are providing a "free fully equipped lab" with Cisco hardware.
http://www.winnetmag.com/Article/ArticleID/44312/44312.html

==== 4. Instant Poll ====

Results of Previous Poll:
Do you use Mac OS X on your network? The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 46 votes.
- 33% Yes
- 7% No, but we intend to
- 61% No
- 0% I'm not sure
(Deviations from 100 percent are due to rounding.)

New Instant Poll: What password length do you enforce on your network?
Go to the Security Hot Topic and submit your vote for
- 14 or fewer characters
- 15 to 24 characters
- 25 to 34 characters
- 35 to 44 characters
- 45 or more characters
http://www.windowsitpro.com/windowssecurity#poll

==== 5. Security Toolkit ====

FAQ
by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: Does Microsoft provide a tool to help you determine the meanings of error codes?

Find the answer at
http://www.winnetmag.com/Article/ArticleID/44330/44330.html

Security Forum Featured Thread
A forum participant has a computer with a file named *yhukyp.exe that runs at boot up. The file is hidden in the All Users startup directory. When he deletes the file, it's copied back from somewhere else. He's looked in the registry under Run and RunOnce and at the system.ini and win.ini files. He wonders whether anyone knows of a guide that might describe where to find the program on the system. Join the discussion at
http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=127136

====================

==== Events Central ====
(A complete Web and live events directory brought to you by Windows IT Pro at http://www.windowsitpro.com/events )

Securing Your Organization's Messaging Traffic
In this free Web seminar, security expert Randy Franklin Smith will take a high-level look at the current security trends in the industry, the emerging threats, and the threats that have become passé. Plus, you'll learn about the commonly held misconceptions about security patches and which kinds of attacks companies are reporting in increased numbers. Register now!
http://list.windowsitpro.com/cgi-bin3/DM/y/eiAL0MfYqv0Kma0BMdP0Au

====================

==== 6. New and Improved ====
by Renee Munshi, products@windowsitpro.com

SSL VPN for Multiplatform Clients
F5 Networks announced a new version of its FirePass Controller, a Secure Sockets Layer (SSL) VPN solution.
With this release, F5 offers secure remote access to any application from clients that include Windows, Linux, Macintosh, Solaris, PocketPC, and other PDAs (iPAQ and Toshiba e800 devices). F5 also offers more granular access control and simplified management, making it easier to control and manage employee and partner access. The new FirePass 4100 enterprise-class hardware platform offers accelerator cards that speed SSL data traffic and provide data and key protection for government organizations. FirePass Controller 5.2 base pricing starts at $24,990 (list) for 100 concurrent users on the FirePass 4100 hardware platform. For more information, go to
http://www.f5.com

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.
====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://www.windowsitpro.com/forums
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://www.secadministrator.com/rd.cfm?code=00ep254xeb

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Nov 4 03:13:44 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 4 03:26:22 2004
Subject: [ISN] Online payment firm in DDoS drama
Message-ID:

http://www.theregister.co.uk/2004/11/03/protx_ddos_attack/

By John Leyden
3rd November 2004

Online payments processing firm Protx is continuing to fight a sustained internet attack which has been severely impacting its services for the fourth successive day.

Since Sunday (31 October), Protx's systems have been reduced to a crawl because of a malicious DDoS attack. Although Protx felt it was on top of the problem by Monday (1 November), the attack once again intensified, prompting the company to draft in heavy duty DDoS defences which it hopes will finally thwart the assault.

In a statement, Mat Peck, chief technical officer, Protx said: "Earlier today [1 November] the parties responsible for the Distributed Denial of Service attack on our systems stepped up their assault, this time pushing our systems beyond their capacity to cope.
A large number of compromised machines from a wide range of spoofed IP addresses have been attacking our site in a varied and well structured manner. We have been working all day with Globix, our ISP, to implement a specific DDoS solution which can burst up to 1Gb connectivity during periods of peak load whilst also analysing and killing traffic generated by zombie machines on the Net."

"We have migrated the WWW site across to this system first to check the functionality and now that's working, we will be moving the payment servers in the next few hours. This new service, whilst expensive, still mainly developmental and bleeding edge, should enable us to continue to process transactions even under DDoS attacks ten times the size we've seen so far. Future attacks will be dealt with in a matter of minutes instead of hours (or days as many victims of such attacks have found). We're continuing to work closely with the National High Tech Crimes Unit (NHTCU) to bring the perpetrators to task," he added.

On 2 November Globix said it was also beefing up the hardware used by its systems in the process of moving across to a new platform.

"Whilst all the payment services are available, some of the auxiliary services will not be available until tomorrow," Peck wrote in an update.

However, Register readers report problems processing payments through the service today. "Thousands of small transactional websites, like mine, have been affected," Reg reader Bruce Stidston tells us.

At the time of writing Protx's website was unavailable but you can get an insight into what's going on through Google's cache of the firm's status page.
From isn at c4i.org Fri Nov 5 03:17:41 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 5 03:33:22 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-45
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-10-28 - 2004-11-04

This week : 75 advisories

========================================================================

Table of Contents:

1) Word From Secunia
2) This Week In Brief
3) This Week's Top Ten Most Read Advisories
4) Vulnerabilities Summary Listing
5) Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

Monitor, Filter, and Manage Security Information
- Filtering and Management of Secunia advisories
- Overview, documentation, and detailed reports
- Alerting via email and SMS

Request Trial:
https://ca.secunia.com/?f=s

========================================================================

2) This Week in Brief:

ADVISORIES:

A new vulnerability has been discovered in Internet Explorer, which can be exploited to compromise vulnerable systems. Secunia issued a rare "Extremely Critical" Secunia advisory regarding this, since working exploit code has been posted to several public mailing lists.

The vulnerability does not affect users running Windows XP with Service Pack 2 installed. However, for Windows XP Service Pack 1 and Windows 2000 users, there is no solution available and users are advised to use an alternate product.

References:
http://secunia.com/SA12959

VIRUS ALERTS:

During the last week, Secunia issued two MEDIUM RISK virus alerts.
Please refer to the grouped virus profiles below for more information:

Bagle.AR - MEDIUM RISK
Virus Alert - 2004-10-29 19:49 GMT+1
http://secunia.com/virus_information/13040/bagle.ar/

Bagle.AQ - MEDIUM RISK
Virus Alert - 2004-10-29 11:10 GMT+1
http://secunia.com/virus_information/13033/bagle.aq/

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA12959] Internet Explorer IFRAME Buffer Overflow Vulnerability
2. [SA12889] Microsoft Internet Explorer Two Vulnerabilities
3. [SA13005] Quicktime Two Vulnerabilities
4. [SA12712] Mozilla / Mozilla Firefox / Camino Tabbed Browsing Vulnerabilities
5. [SA12820] Debian update for mpg123
6. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability
7. [SA12304] Internet Explorer Address Bar Spoofing Vulnerability
8. [SA13015] Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing
9. [SA12713] Opera Tabbed Browsing Vulnerability
10. [SA13028] Shadow "passwd_check()" Security Bypass Vulnerability

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA13079] Helm Web Hosting Control Panel Two Vulnerabilities
[SA13078] Web Forum Server Directory Traversal and Clear Text User Credentials
[SA13070] WinRAR "Repair Archive" Feature Vulnerability
[SA13066] Cisco Secure ACS EAP-TLS User Authentication Bypass Vulnerability
[SA13063] ArGoSoft FTP Server Shortcut Upload Vulnerability
[SA13062] MailEnable Professional Unspecified Webmail Vulnerability
[SA13067] F-Secure Anti-Virus for Exchange Nested Password Protected Archives Bypass Issue
[SA13024] Cyber Web Filter IP Address Restriction Security Bypass
[SA13015] Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing

UNIX/Linux:
[SA13082] Debian update for xpdf
[SA13058] Gentoo update for Cherokee
[SA13057] Cherokee Format String Vulnerability
[SA13056] Mandrake update for gaim
[SA13053] Mandrake update for mpg123
[SA13046] Debian update for mpg123
[SA13044] Conectiva update for squid
[SA13043] Slackware update for libtiff
[SA13037] qwik-smtpd Format String Vulnerability
[SA13036] Sun Java System Web Proxy Server Unspecified Buffer Overflow Vulnerabilities
[SA13027] OpenVMS Secure Web Server Multiple Vulnerabilities
[SA13020] Fedora update for kdegraphics
[SA13019] Fedora update for gpdf
[SA13014] Gentoo update for GPdf/KPDF/KOffice
[SA13092] Gentoo update for GD
[SA13080] Debian update for libxml
[SA13077] Gentoo update for MIME-tools
[SA13076] Gentoo update for libxml2
[SA13075] SGI IRIX OpenSSL and OpenSSH Vulnerabilities
[SA13064] Mandrake update for perl-MIME-tools
[SA13060] Debian update for abiword
[SA13055] Mandrake update for perl-Archive-Zip
[SA13040] Caudium HTTP Request Processing Denial of Service
[SA13039] Gentoo update for Archive::Zip
[SA13035] bogofilter "quoted-printable decoder" Denial of Service Vulnerability
[SA13031] haserl Manipulation of Critical Environment Variables Vulnerability
[SA13026] HP Tru64 Secure Web Server Multiple Vulnerabilities
[SA13025] HP-UX Apache Multiple Vulnerabilities
[SA13016] Fedora update for libxml2
[SA13061] Debian iptables Module Loading Security Issue
[SA13050] Mandrake update for mod_ssl/apache2-mod_ssl
[SA13048] Conectiva update for rsync
[SA13018] MIMEDefang Unspecified Vulnerabilities
[SA13017] Debian update for squid
[SA13087] Gentoo update for proxytunnel
[SA13081] proxytunnel "message()" Format String Vulnerability
[SA13059] HP OpenView Operations Unspecified Vulnerability
[SA13054] Mandrake update for MySQL
[SA13084] Debian update for lvm10
[SA13083] LVM "lvmcreate_initrd" Script Insecure Temporary File Creation
[SA13069] Gentoo update for Speedtouch USB driver
[SA13068] Gentoo update for Apache
[SA13052] Mandrake update for netatalk
[SA13042] Slackware update for apache/mod_ssl
[SA13032] Debian update for postgresql
[SA13028] Shadow "passwd_check()" Security Bypass Vulnerability
[SA13022] Debian update for catdoc
[SA13021] catdoc "xlsview" Privilege Escalation Vulnerability
[SA13049] Gentoo update for ppp
[SA13047] Safari "Javascript Disabled" Status Bar Spoofing

Other:
[SA13065] NetGear FWAG114 Default SNMP Community Strings Security Issue

Cross Platform:
[SA13013] Quake2 Engine Multiple Vulnerabilities
[SA13073] Gbook MX Multiple SQL Injection Vulnerabilities
[SA13072] Sun Java System Web and Application Server Certificate Handling Denial of Service
[SA13071] Gallery Unspecified Script Insertion Vulnerability
[SA13051] MIME::tools Malware Detection Bypass Vulnerability
[SA13041] HTML::Merge "template" Directory Traversal Vulnerability
[SA13038] Archive::Zip Zip Archive Virus Detection Bypass Vulnerability
[SA13034] Land Down Under SQL Injection Vulnerabilities
[SA13029] PuTTY IPv6 "SSH2_MSG_DEBUG" Packet Handling Buffer Overflow
[SA13033] Chesapeake TFTP Server Directory Traversal and Denial of Service
[SA13074] FsPHPGallery Denial of Service and Disclosure of System Information Vulnerabilities
[SA13045] Apache "Space Headers" Denial of Service Vulnerability
[SA13090] Sun Java System Application Server HTTP TRACE Response Cross-Site Scripting
[SA13086] Mozilla / Thunderbird Valid Email Address Enumeration Weakness
[SA13023] PHP CURL "open_basedir" Security Bypass Vulnerability

========================================================================

5) Vulnerabilities Content Listing

Windows:
--
[SA13079] Helm Web Hosting Control Panel Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-11-03

Behrang Fouladi has reported two vulnerabilities in Helm Web Hosting Control Panel, which can be exploited by malicious people to conduct SQL injection and script insertion attacks.
Full Advisory: http://secunia.com/advisories/13079/ -- [SA13078] Web Forum Server Directory Traversal and Clear Text User Credentials Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2004-11-03 R00tCr4ck has discovered two vulnerabilities in Web Forum Server, which can be exploited to disclose sensitive information. Full Advisory: http://secunia.com/advisories/13078/ -- [SA13070] WinRAR "Repair Archive" Feature Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2004-11-03 Peter Winter-Smith of NGSSoftware has reported a vulnerability in WinRAR, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/13070/ -- [SA13066] Cisco Secure ACS EAP-TLS User Authentication Bypass Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2004-11-03 A vulnerability has been reported in Cisco Secure Access Control Server and Cisco Secure ACS Solution Engine, which can be exploited by malicious people to bypass the user authentication. Full Advisory: http://secunia.com/advisories/13066/ -- [SA13063] ArGoSoft FTP Server Shortcut Upload Vulnerability Critical: Moderately critical Where: From remote Impact: Unknown Released: 2004-11-02 A vulnerability with an unknown impact has been reported in ArGoSoft FTP Server. Full Advisory: http://secunia.com/advisories/13063/ -- [SA13062] MailEnable Professional Unspecified Webmail Vulnerability Critical: Moderately critical Where: From remote Impact: Unknown Released: 2004-11-02 A vulnerability with an unknown impact has been reported in MailEnable Professional. 
Full Advisory: http://secunia.com/advisories/13062/ -- [SA13067] F-Secure Anti-Virus for Exchange Nested Password Protected Archives Bypass Issue Critical: Less critical Where: From remote Impact: Security Bypass Released: 2004-11-03 A vulnerability has been discovered in F-Secure Anti-Virus for MS Exchange, which may prevent detection of malware in certain archives. Full Advisory: http://secunia.com/advisories/13067/ -- [SA13024] Cyber Web Filter IP Address Restriction Security Bypass Critical: Less critical Where: From local network Impact: Security Bypass Released: 2004-10-29 Ziv Kamir has discovered a vulnerability in Cyber Web Filter, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/13024/ -- [SA13015] Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing Critical: Not critical Where: From remote Impact: Security Bypass Released: 2004-10-29 Benjamin Tobias Franz has discovered a weakness in Internet Explorer, which can be exploited by malicious people to trick users into visiting a malicious website by obfuscating URLs. Full Advisory: http://secunia.com/advisories/13015/ UNIX/Linux:-- [SA13082] Debian update for xpdf Critical: Highly critical Where: From remote Impact: System access Released: 2004-11-03 Debian has issued an update for xpdf. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/13082/ -- [SA13058] Gentoo update for Cherokee Critical: Highly critical Where: From remote Impact: System access Released: 2004-11-02 Gentoo has issued an update for Cherokee. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/13058/ -- [SA13057] Cherokee Format String Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2004-11-02 Florian Schilhabel has reported a vulnerability in Cherokee, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13057/ -- [SA13056] Mandrake update for gaim Critical: Highly critical Where: From remote Impact: System access Released: 2004-11-02 MandrakeSoft has issued an update for gaim. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/13056/ -- [SA13053] Mandrake update for mpg123 Critical: Highly critical Where: From remote Impact: System access Released: 2004-11-02 MandrakeSoft has issued an update for mpg123. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/13053/ -- [SA13046] Debian update for mpg123 Critical: Highly critical Where: From remote Impact: System access Released: 2004-11-01 Debian has issued an update for mpg123. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/13046/ -- [SA13044] Conectiva update for squid Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-11-03 Conectiva has issued an update for squid. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/13044/ -- [SA13043] Slackware update for libtiff Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-11-01 Slackware has issued an update for libtiff. 
This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13043/

--
[SA13037] qwik-smtpd Format String Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-01
Dark Eagle has reported a vulnerability in qwik-smtpd, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13037/

--
[SA13036] Sun Java System Web Proxy Server Unspecified Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-11-01
Pentest Limited has reported some vulnerabilities in Sun Java System Web Proxy Server, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13036/

--
[SA13027] OpenVMS Secure Web Server Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Privilege escalation, DoS, System access
Released: 2004-10-29
HP has acknowledged some vulnerabilities in OpenVMS running Secure Web Server (CSWS), which can be exploited to cause a DoS (Denial of Service), bypass certain security functionality, gain escalated privileges, or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13027/

--
[SA13020] Fedora update for kdegraphics
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-10-29
Fedora has issued an update for kdegraphics. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13020/

--
[SA13019] Fedora update for gpdf
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-29
Fedora has issued an update for gpdf.
This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13019/

--
[SA13014] Gentoo update for GPdf/KPDF/KOffice
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-28
Gentoo has issued updates for GPdf, KPDF, and KOffice. These fix some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13014/

--
[SA13092] Gentoo update for GD
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-11-04
Gentoo has issued an update for gd. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13092/

--
[SA13080] Debian update for libxml
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-11-03
Debian has issued an update for libxml. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13080/

--
[SA13077] Gentoo update for MIME-tools
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-11-03
Gentoo has issued an update for MIME-tools. This fixes a vulnerability, which can be exploited by malware to bypass certain scanning functionality.
Full Advisory: http://secunia.com/advisories/13077/

--
[SA13076] Gentoo update for libxml2
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-11-03
Gentoo has issued an update for libxml2. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13076/

--
[SA13075] SGI IRIX OpenSSL and OpenSSH Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, DoS
Released: 2004-11-03
SGI has acknowledged some vulnerabilities in IRIX, which can be exploited by malicious people to cause a DoS (Denial-of-Service) or potentially overwrite arbitrary files.
Full Advisory: http://secunia.com/advisories/13075/

--
[SA13064] Mandrake update for perl-MIME-tools
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-11-02
MandrakeSoft has issued an update for perl-MIME-tools. This fixes a vulnerability, which can be exploited by malware to bypass certain scanning functionality.
Full Advisory: http://secunia.com/advisories/13064/

--
[SA13060] Debian update for abiword
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-11-02
Debian has issued an update for abiword. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/13060/

--
[SA13055] Mandrake update for perl-Archive-Zip
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-11-02
MandrakeSoft has issued an update for perl-Archive-Zip. This fixes a vulnerability, which can be exploited by malware to bypass certain scanning functionality.
Full Advisory: http://secunia.com/advisories/13055/

--
[SA13040] Caudium HTTP Request Processing Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-11-01
A vulnerability has been reported in Caudium, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13040/

--
[SA13039] Gentoo update for Archive::Zip
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-11-01
Gentoo has issued an update for Archive::Zip.
This fixes a vulnerability, which can be exploited by malware to bypass certain scanning functionality.
Full Advisory: http://secunia.com/advisories/13039/

--
[SA13035] bogofilter "quoted-printable decoder" Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-11-01
A vulnerability has been reported in bogofilter, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13035/

--
[SA13031] haserl Manipulation of Critical Environment Variables Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-11-01
A vulnerability has been reported in haserl, which can be exploited by malicious people to manipulate critical environment variables.
Full Advisory: http://secunia.com/advisories/13031/

--
[SA13026] HP Tru64 Secure Web Server Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Privilege escalation, DoS, System access
Released: 2004-10-29
HP has acknowledged some vulnerabilities in Secure Web Server for HP Tru64, which is included in HP Internet Express (IX). These can be exploited to gain escalated privileges, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13026/

--
[SA13025] HP-UX Apache Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Privilege escalation, DoS, System access
Released: 2004-10-29
HP has confirmed some vulnerabilities in HP-UX Apache, which can be exploited to cause a DoS (Denial of Service), bypass configured access controls, gain escalated privileges, or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13025/

--
[SA13016] Fedora update for libxml2
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-10-29
Fedora has issued an update for libxml2.
This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13016/

--
[SA13061] Debian iptables Module Loading Security Issue
Critical: Less critical
Where: From remote
Impact:
Released: 2004-11-02
Full Advisory: http://secunia.com/advisories/13061/

--
[SA13050] Mandrake update for mod_ssl/apache2-mod_ssl
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-11-02
MandrakeSoft has issued updates for mod_ssl/apache2-mod_ssl. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/13050/

--
[SA13048] Conectiva update for rsync
Critical: Less critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of system information, Exposure of sensitive information
Released: 2004-11-01
Conectiva has issued an update for rsync. This fixes two vulnerabilities, which potentially can be exploited by malicious users to read or write arbitrary files on a vulnerable system.
Full Advisory: http://secunia.com/advisories/13048/

--
[SA13018] MIMEDefang Unspecified Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Unknown
Released: 2004-10-29
Some vulnerabilities with unknown impacts have been reported in MIMEDefang.
Full Advisory: http://secunia.com/advisories/13018/

--
[SA13017] Debian update for squid
Critical: Less critical
Where: From remote
Impact: Spoofing, DoS
Released: 2004-10-29
Debian has issued an update for squid. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and use the system for port scanning other hosts.
Full Advisory: http://secunia.com/advisories/13017/

--
[SA13087] Gentoo update for proxytunnel
Critical: Less critical
Where: From local network
Impact: System access
Released: 2004-11-03
Gentoo has issued an update for proxytunnel.
This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13087/

--
[SA13081] proxytunnel "message()" Format String Vulnerability
Critical: Less critical
Where: From local network
Impact: System access
Released: 2004-11-03
Florian Schilhabel has reported a vulnerability in proxytunnel, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13081/

--
[SA13059] HP OpenView Operations Unspecified Vulnerability
Critical: Less critical
Where: From local network
Impact: Privilege escalation
Released: 2004-11-02
A vulnerability has been reported in HP OpenView Operations (OVO), which can be exploited by certain malicious people to gain escalated privileges on a vulnerable system.
Full Advisory: http://secunia.com/advisories/13059/

--
[SA13054] Mandrake update for MySQL
Critical: Less critical
Where: From local network
Impact: Security Bypass, Privilege escalation, DoS, System access
Released: 2004-11-02
MandrakeSoft has issued an update for MySQL. This fixes some vulnerabilities, which can be exploited to overwrite arbitrary files, bypass certain security restrictions, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13054/

--
[SA13084] Debian update for lvm10
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-11-03
Debian has issued an update for lvm10. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/13084/

--
[SA13083] LVM "lvmcreate_initrd" Script Insecure Temporary File Creation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-11-03
A vulnerability has been reported in LVM, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/13083/

--
[SA13069] Gentoo update for Speedtouch USB driver
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-11-02
Gentoo has issued an update for Speedtouch USB driver. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/13069/

--
[SA13068] Gentoo update for Apache
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-11-02
Gentoo has issued an update for apache. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/13068/

--
[SA13052] Mandrake update for netatalk
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-11-02
MandrakeSoft has issued an update for netatalk. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/13052/

--
[SA13042] Slackware update for apache/mod_ssl
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-11-01
Slackware has issued updates for apache and mod_ssl. These fix a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/13042/

--
[SA13032] Debian update for postgresql
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-29
Debian has issued an update for postgresql. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/13032/

--
[SA13028] Shadow "passwd_check()" Security Bypass Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2004-10-29
Martin Schulze has reported a vulnerability in Shadow, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/13028/

--
[SA13022] Debian update for catdoc
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-29
Debian has issued an update for catdoc. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/13022/

--
[SA13021] catdoc "xlsview" Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-29
Colin Phipps has reported a vulnerability in catdoc, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/13021/

--
[SA13049] Gentoo update for ppp
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2004-11-01
Gentoo has issued an update for ppp. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13049/

--
[SA13047] Safari "Javascript Disabled" Status Bar Spoofing
Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2004-11-01
A weakness has been discovered in Safari, which can be exploited by malicious people to trick users into visiting a malicious website by obfuscating URLs.
Full Advisory: http://secunia.com/advisories/13047/

Other:
--
[SA13065] NetGear FWAG114 Default SNMP Community Strings Security Issue
Critical: Moderately critical
Where: From local network
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information
Released: 2004-11-02
Lyndon Dubeau has reported a security issue in NetGear FWAG114 ProSafe Dual Band Wireless VPN Firewall, which can be exploited by malicious people to read or manipulate configuration information.
Full Advisory: http://secunia.com/advisories/13065/

Cross Platform:
--
[SA13013] Quake2 Engine Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Spoofing, Manipulation of data, Exposure of sensitive information, DoS, System access
Released: 2004-10-28
Multiple vulnerabilities have been reported in Quake2 engine, which can be exploited by malicious people to cause a DoS (Denial of Service), potentially execute arbitrary code, disclose sensitive information, conduct spoofing attacks, and corrupt server data for other clients.
Full Advisory: http://secunia.com/advisories/13013/

--
[SA13073] Gbook MX Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-11-03
Some vulnerabilities have been reported in Gbook MX, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/13073/

--
[SA13072] Sun Java System Web and Application Server Certificate Handling Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-11-03
Some vulnerabilities have been reported in Sun Java System Web Server and Sun Java System Application Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13072/

--
[SA13071] Gallery Unspecified Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-11-03
A vulnerability has been reported in Gallery, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/13071/

--
[SA13051] MIME::tools Malware Detection Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-11-02
Stephane Lentz and Julian Field have reported a vulnerability in MIME::tools, which can be exploited by malware to bypass certain scanning functionality.
Full Advisory: http://secunia.com/advisories/13051/

--
[SA13041] HTML::Merge "template" Directory Traversal Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-11-01
A vulnerability has been reported in HTML::Merge, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/13041/

--
[SA13038] Archive::Zip Zip Archive Virus Detection Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-11-01
A vulnerability has been reported in the Archive::Zip Perl module, which potentially can be exploited by malware to bypass certain scanning functionality.
Full Advisory: http://secunia.com/advisories/13038/

--
[SA13034] Land Down Under SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-11-01
Positive Technologies has reported some vulnerabilities in Land Down Under, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/13034/

--
[SA13029] PuTTY IPv6 "SSH2_MSG_DEBUG" Packet Handling Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-10-29
A vulnerability has been reported in PuTTY IPv6, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/13029/

--
[SA13033] Chesapeake TFTP Server Directory Traversal and Denial of Service
Critical: Moderately critical
Where: From local network
Impact: Exposure of sensitive information, DoS, System access
Released: 2004-11-01
Luigi Auriemma has reported two vulnerabilities in Chesapeake TFTP Server, which can be exploited by malicious people to disclose sensitive information, potentially compromise a vulnerable system, and cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13033/

--
[SA13074] FsPHPGallery Denial of Service and Disclosure of System Information Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Exposure of system information, DoS
Released: 2004-11-03
Two vulnerabilities have been reported in FsPHPGallery, which can be exploited by malicious people to cause a DoS (Denial of Service) and disclose system information.
Full Advisory: http://secunia.com/advisories/13074/

--
[SA13045] Apache "Space Headers" Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-11-03
Chintan Trivedi has discovered a vulnerability in Apache, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13045/

--
[SA13090] Sun Java System Application Server HTTP TRACE Response Cross-Site Scripting
Critical: Not critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-11-04
Sun has acknowledged a problem in Sun Java System Application Server, which potentially can be exploited to conduct cross-site scripting attacks against users.
Full Advisory: http://secunia.com/advisories/13090/

--
[SA13086] Mozilla / Thunderbird Valid Email Address Enumeration Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2004-11-03
plonk has discovered a weakness in Mozilla and Thunderbird, which can be exploited by malicious people to enumerate valid email addresses.
Full Advisory: http://secunia.com/advisories/13086/

--
[SA13023] PHP CURL "open_basedir" Security Bypass Vulnerability
Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2004-10-29
FraMe has discovered a vulnerability in PHP, which can be exploited by malicious, local users to access files outside the "open_basedir" root.
Full Advisory: http://secunia.com/advisories/13023/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe: http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Nov 5 03:16:02 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 5 03:33:23 2004
Subject: [ISN] Outsourcing Information Security
Message-ID:

http://books.slashdot.org/books/04/11/04/1853219.shtml

[ http://www.amazon.com/exec/obidos/ASIN/1580535313/c4iorg - WK]

Author: C. Warren Axelrod
Pages: 248
Publisher: Artech House
Rating: 10
Reviewer: Ben Rothke
ISBN: 1580535313
Summary: Examines security risks related to IT security outsourcing

When it comes to the outsourcing of information security functions specifically, the situation is even worse. Far too few organizations know the inherent risks involved with outsourcing security, and don't properly investigate what they are getting into. The same company that makes it nearly impossible for an employee to enter the office supply closet to get a much-needed toner cartridge will outsource their intrusion detection, email and firewall systems without a blink.

One of the many reasons companies turn to security outsourcing and managed security services providers (MSSP) is to use their limited internal security staff for more interesting areas such as web development, VPN and e-commerce applications. They will then outsource the boring activities such as firewall and IDS monitoring and maintenance to an MSSP. Given that activities such as firewall monitoring and administering an IDS in a large enterprise require 24/7 support, it is not unusual for a company to want to outsource such activities; monitoring and administering are not core functions of most organizations. The trouble comes from the lack of due care often given to choosing an MSSP.
With that, Outsourcing Information Security is a long-overdue book that asks the questions that are necessary before an organization decides to outsource any information security function. The author's general tone is against the outsourcing of information security, but he provides readers with the various benefits and risks involved in outsourcing security, and lets them ultimately decide if outsourcing security is right for their organization. It is the reader who must define, evaluate and manage those risks and determine if outsourcing is a viable solution. These include technology, business and legal risks.

The book comprises nine chapters and three appendices totaling a bit under 250 pages. The first two chapters provide a good introduction to and overview of outsourcing and information security, and the associated security risks.

Chapter 3 details various reasons why outsourcing information security makes sense. The chapter includes various tables and references to the many reasons why a company would want to outsource security.

Chapter 4 takes the other side and analyzes the risks of outsourcing. The chapter details the traditional risks, in addition to other factors such as hidden costs, broken promises, phantom benefits and more. The book shows that while many organizations hand over information security responsibility to their MSSP, when things go wrong, they can't effectively blame the MSSP. When things go wrong -- and they will -- all of the fingers in the world can be pointed at the MSSP, but the ultimate responsibility falls on the organization itself. With outsourced security, if something goes wrong, those fingers will point back to the company's security manager, not the incompetent firewall administrator in Bangalore.

The chapter provides a balanced look at the risk of outsourcing, and while calm in its overall approach, the chapter should at least make the person considering outsourcing information security think twice.
In fact, the author concludes the chapter by stating "when all of the risks of outsourcing are considered, one wonders how anyone ever makes the decision to use a third party." Nonetheless, there is plenty of evidence that many security activities are indeed outsourced to MSSPs, and are often satisfactory from both the buyer's and seller's perspective.

Chapters 5 and 6 provide a thorough summary of the costs and benefits of outsourcing, and provide a method with which to categorize them. The chapter is well suited for a CFO with its discussion of direct vs. indirect costs, controllable vs. non-controllable costs, and much more. These two chapters show that creating meaningful financial numbers to see if outsourcing makes financial sense is not such an easy task. It is important to understand that outsourcing sometimes makes financial sense, but certainly not all the time. For those organizations that don't crunch the numbers seriously at the beginning, these costs can later come back to haunt them in a big way.

Chapters 7 and 8 detail the processes involved in commencing an outsourcing project, from requirements gathering to placing policy against the outsourced company. A mistake many organizations make is failure to ensure that the MSSP is abiding by the client's information security policies, rather than their own. Similarly, one of the most overlooked areas of outsourcing information security functionality is regulation. A U.S. company may be under numerous regulations, from HIPAA to Sarbanes-Oxley, GLBA, SEC and more; when they outsource their security functionality, the remote technician may not be under the jurisdiction of the SEC, but the corporate data still must be protected according to those regulations.

The main part of the book concludes with chapter 9, which provides a 20-step process to determine if an outsourced security solution is appropriate.
In seven pages, the author specifies the various events, tasks and steps that make up the typical outsourcing project. Appendix A provides a breakdown of the various services that can be outsourced, with Appendices B & C providing brief histories of IT Outsourcing and Information Security.

The only downside to the book is its $85.00 price, which is at the high end for technology and business books. While the price is high, the book is a huge value for anyone considering outsourcing security. The book asks the questions that are often never asked, and details how the outsourcing of information security is not the slam-dunk that the MSSPs often portray it to be.

For those who know what their security issues are and look to outsource their security functionality to a trusted MSSP, Outsourcing Information Security shows how it can be done. On the other side, for those who are drunk with the panacea that outsourcing security is supposed to provide, Outsourcing Information Security will be a sobering wake-up call.

From isn at c4i.org Fri Nov 5 03:16:27 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 5 03:33:25 2004
Subject: [ISN] FBI Pursuing More Cyber-Crime Cases
Message-ID:

Forwarded from: William Knowles

http://www.washingtonpost.com/wp-dyn/articles/A25579-2004Nov4.html

By Brian Krebs
washingtonpost.com Staff Writer
November 4, 2004

A former technology company executive charged with hiring hackers to attack a competitor's Web site has joined the FBI's most-wanted list, the latest sign of the federal law enforcement agency's growing interest in cyber-crime.

In August, a federal grand jury indicted Saad "Jay" Echouafni, 37, the former chief executive of Sudbury, Mass.-based Orbit Communication Corp., on charges of hiring the hackers to take down the Web sites of a large television services company called weaknees.com.
The attacks, FBI investigators said, made the company's Web site temporarily unavailable, as well as the Web sites for Amazon.com and the Department of Homeland Security. The attacks caused more than $2 million in damage, prosecutors said.

Echouafni, along with 150 other defendants, was indicted as part of a Justice Department investigation code-named "Operation Cyberslam." But it was his vanishing act that earned him a spot on the most-wanted list, a group of more than a dozen people that includes some of America's most elusive criminals. It includes alleged embezzlers, an accused child pornographer and individuals indicted on drug and murder charges.

It is not the same list as the notorious "10 Most Wanted," which the FBI launched in 1950 to bring national recognition to some of the nation's most dangerous fugitives. Rather, it is a list that the bureau started almost five years ago on its Web site to nab suspects who are less of a threat or less prone toward physical violence, said spokesman Paul Bresson.

Echouafni joins the likes of Jie Dong, who is charged with defrauding Internet auction sites out of nearly $1 million. A federal arrest warrant issued in California said Dong stiffed more than 5,000 winning bidders and fled the country. The FBI says Dong may now be somewhere in China or Hong Kong.

Jerrod Lochmiller, 31, is charged with stealing at least $40,000 from 18 victims who thought they bought computers, televisions, musical instruments and other high-priced items at online auctions. Lochmiller also is charged with selling fake identification materials on the Internet.

Johnny Ray Gasca, an ex-convict and aspiring screenwriter, was indicted on charges of videotaping movies at private screenings in Los Angeles before they were publicly released. Gasca was scheduled to stand trial on Jan. 13, 2004, but one week earlier he eluded authorities after reportedly going to a local drugstore to buy cold medication.
The inclusion of these kinds of accused criminals throws weight behind FBI Director Robert S. Mueller III's decision to make cyber-crime one of the agency's top three investigative priorities, Bresson said.

This action sends a message that the bureau is doing more than just talking about cyber-crime, said Mark Rasch, former prosecutor in the Justice Department's computer crimes and intellectual property section and chief security counsel at McLean, Va.-based Internet security firm Solutionary.

"This is the first time we've had such a significant number of people being investigated and prosecuted for computer crime," Rasch said. "And we're only going to see this trend continue because investigators are getting better at identifying these individuals."

The list, which currently includes 16 suspects, is located at http://www.fbi.gov/mostwant/alert/alert.htm.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Nov 5 03:16:40 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 5 03:33:27 2004
Subject: [ISN] U.S. and Europe unprepared for cyber attack
Message-ID:

http://www.reuters.co.uk/newsPackageArticle.jhtml?type=worldNews&storyID=615531

By Bernhard Warner
European Internet Correspondent
4 November, 2004

BARCELONA, Spain (Reuters) - Future widescale terror attacks will be executed by a person sitting behind a computer, not necessarily by a suicide truck bomber or plane hijacker, a United States lawmaker predicted on Thursday.
Counter-terrorism agents are grappling with a new type of security threat -- a malicious piece of computer code capable of disabling the world's critical infrastructure from power grids to air traffic control networks. "If you're a terrorist, you don't even need the bombs. If you can control the (power) grids, if you can do it from a computer somewhere, you can do a lot of damage," U.S. congressman Tom Davis, a co-chair of the U.S government's Information Technology Working Group, told Reuters in an interview. "We're nervous about it," the Virginia Republican said. "The U.S. is not where we need to be on defending against this (type of threat). Europe is not where they need to be on this. "You don't want to wait for a cyber Pearl Harbor." With the U.S. elections over, a victorious Davis has come to Europe to discuss further collaboration between America and the European Union on fortifying information networks against increasingly damaging cyber attacks. SHARING THE WEALTH Davis said he would like to see America spend more of its $60 billion annual IT budget on network security-related measures. And, he said, he'd like to see more of that money flow to European and overseas technology companies. He said European and Israeli technology firms may be perfectly suited to win more security contracts from the U.S. government because these regions have been dealing with domestic terrorism for longer. "There is some interesting expertise here," he said following a keynote speech at a security conference in this Spanish coastal city. Moreover, he said, the U.S. has run up an $8 billion trade surplus in IT products and services. "That's all the more reason our government shouldn't just say 'buy American'. That just invites retaliation," he said, adding that as the world's largest consumer of IT products, the U.S. government should shop around for the best software at the best price. 
But an equally urgent matter is for the Bush administration to bolster ties with Europe in the area of cyber defences, he said. He pointed to a growing level of denial-of-service attacks on Web sites and online con jobs that appear to be the work of organised crime as a sign more international policing efforts are needed. If some of these cyber tools fall into the hands of extremist groups, he continued, they could be turned into weapons used to interrupt business From isn at c4i.org Fri Nov 5 03:19:12 2004 From: isn at c4i.org (InfoSec News) Date: Fri Nov 5 03:33:29 2004 Subject: [ISN] 16 candles for first Internet worm Message-ID: Forwarded from: Arrigo Triulzi InfoSec News scripsit: http://news.com.com/16+candles+for+first+Internet+worm/2100-7349_3-5438291.html [...] |"Security is being designed in the next TCP/IP version (IPV6), so the |IP address will contain a knowledge and expectation of security. The |current version IPv4 was built with a much more open world in mind. |Security was not part of the initial design," he said. "In 16 years' |time, the potential for something to spread widely and rapidly across |everything will be diminished just by the underlying security." I don't know what this guy has been smoking but it must have been good... how exactly does Richmond define "knowledge and expectation of security" and in the IP _address_ for that matter? OK, so IPsec ESP and AH are mandatory _option_ headers in IPv6. That doesn't exactly mean much in terms of security. Of course coming from an anti-virus company he doesn't really need to understand how the network works, Windows "hackme" components suffice. |However, NetIQ's Dircks said that IPv6 is a very long-term project, |and because it will require so much hardware to be replaced, it will |be a very slow upgrade cycle. Fortunately this chap manages to clear it all up - I can see all these machines running TCP/IP hard-coded in their ROM (not EEPROMs of course). 
Had he argued operating system upgrades I would have agreed but hardware.... he must be smoking something even better. How will IPv6 ever be deployed when FUD is all you ever hear? Not to mention the remarkable expectations of security they are implying: "No need to secure your software, the IPv6 address with take care of it". At least Dircks partially saves his reputation by talking about building security into the architecture in the last paragraph. Arrigo From isn at c4i.org Fri Nov 5 03:19:24 2004 From: isn at c4i.org (InfoSec News) Date: Fri Nov 5 03:33:30 2004 Subject: [ISN] Microsoft investigating reports of new IE hole Message-ID: http://www.nwfusion.com/news/2004/1104microinves.html By Joris Evers IDG News Service 11/04/04 Microsoft is investigating reports of a serious security flaw in Internet Explorer, but has not yet seen malicious code that exploits the reported flaw, the company said Thursday. Security experts earlier this week warned that code exploiting a newly discovered security hole in IE is circulating on the Internet. The code exploits a buffer overflow vulnerability in IE 6 and has been confirmed on PCs running Windows XP with Service Pack 1 and Windows 2000, according to Danish Security company Secunia. The U.S. Computer Emergency Readiness Team (CERT) issued an alert similar to the Secunia advisory. CERT warns that aside from the Web browser, applications such as e-mail clients that rely on browser controls may also be vulnerable. Attackers could gain complete control over a victim's computer by exploiting the flaw, according to Secunia and CERT. Microsoft is investigating the possible vulnerability, the company said in a statement. However, while Secunia and CERT raise alarm over code exploiting the vulnerability being publicly available, Microsoft said it has not seen that yet. 
"We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports," the company said.

The flaw lies in the way IE handles the SRC and NAME attributes of the "frame" and "iframe" HTML elements, according to the CERT alert. A user could be attacked via a Web page containing malicious code or an HTML e-mail message.

There is no patch for this flaw, but computers running Windows XP Service Pack 2 appear to be protected, according to Secunia and CERT.

Upon completing its investigation, Microsoft said it will take the appropriate action to protect Windows users. This may include providing a fix through its monthly patch release process or an out-of-cycle security update, the company said.

From isn at c4i.org Fri Nov 5 03:19:37 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 5 03:33:32 2004
Subject: [ISN] Microsoft to help users prep for patching
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,97221,00.html

By Scarlet Pruitt
NOVEMBER 04, 2004
IDG NEWS SERVICE

Microsoft Corp. will give customers advance notice of its monthly security updates in an effort to help them prepare to install related software patches, the company announced today.

Starting this month, Microsoft will publish on its Web site a summary of planned security bulletins three days before they are released in their entirety. The summary will include information on which products are affected by updates, and severity ratings for security problems.

The company normally releases security bulletins on the second Tuesday of each month. It previously offered advance notifications to customers who signed up through support personnel, but the information was not published for all customers.
"Giving customers advance warning is really the next stage in making security more predictable," said Gytis Barzdukas, director of product management in Microsoft's Security Business and Technology Unit.

With the security guidance, companies can schedule the needed IT staff for the update release day, and can prioritize their activities according to how critical the updates are, he said. The information will be available at www.microsoft.com/technet/security/default.mspx.

Barzdukas spoke in a phone interview from the RSA Conference Europe 2004 in Barcelona, Spain, where Microsoft offered an update of its ongoing security efforts.

In addition to the notification service, Microsoft also said it would deliver a beta version of its Windows Rights Management Services (RMS) Service Pack 1 in the first half of 2005, and has started a partner validation program for its Internet Security and Acceleration Server 2004. The validation program aims to assure customers of the interoperability of third-party products used with ISA Server 2004, and is being run in collaboration with VeriTest testing services, Microsoft said.

Barzdukas said that the announcements are of particular interest to European users. The RMS service pack, for instance, adds improved authentication by smart cards and the ability to be deployed without a network connection to the Internet.

"There's a lot more use of smart cards and token authentication in Europe, so we saw a lot of demand for these capabilities here," Barzdukas said. European customers were also interested in running RMS on servers not connected to the Internet.

"We've moved away from the old model and are offering them control of their data on disconnected servers," Barzdukas said.

The ISA Server 2004 validation program also addresses the tendency of Europeans to use more hardware security products than North American users, Barzdukas said.

"Basically what we can do is go deeper and richer into packet inspection to help manage hardware," he said.

The announcements today come as part of increasing efforts by the software maker to show that it is serious about security. Earlier this year it delivered the much-anticipated Windows XP Service Pack 2, which Barzdukas dubbed the "largest automatic download of technology ever."

Since its August launch, more than 110 million customers have downloaded Service Pack 2, Microsoft said today.

From isn at c4i.org Mon Nov 8 05:32:34 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 8 05:58:59 2004
Subject: [ISN] E-gold Tracks Cisco Code Thief
Message-ID:

http://www.eweek.com/article2/0,1759,1713878,00.asp

By Michael Myser
November 5, 2004

The electronic currency site that the Source Code Club said it will use to accept payment for Cisco Systems Inc.'s firewall source code is confident it can track down the perpetrators.

Dr. Douglas Jackson, chairman of E-gold Ltd., which runs www.e-gold.com, said the company is already monitoring accounts it believes belong to the Source Code Club, and there has been no activity to date.

"We've got a pretty good shot at getting them in our system," said Jackson, adding that the company formally investigates 70 to 80 criminal activities a year and has been able to determine the true identity of users in every case.

On Monday, a member of the Source Code Club posted on a Usenet group that the group is selling the PIX 6.3.1 firewall firmware for $24,000, and buyers can purchase anonymously using e-mail, PGP keys and e-gold.com, which doesn't confirm identities of its users.

"Bad guys think they can cover their tracks in our system, but they discover otherwise when it comes to an actual investigation," said Jackson.
The purpose of the e-gold system, which is based on 1.86 metric tons of gold worth the equivalent of roughly $25 million, is to guarantee immediate payment, avoid market fluctuations and defaults, and ease transactions across borders and currencies. There is no credit line, and payments can only be made if covered by the amount in the account. Like the Federal Reserve, there is a finite value in the system.

There are currently 1.5 million accounts at e-gold.com, 175,000 of those Jackson considers "active."

To have value, or e-gold, in an account, users must receive a payment in e-gold. Often, new account holders will pay cash to existing account holders in return for e-gold. Or, in the case of SCC, they will receive payment for a service.

The only way to cash out of the system is to pay another party for a service or cash trade, which Jackson said creates an increasingly traceable web of activity.

He did offer a caveat, however: "There is always the risk that they are clever enough to figure out an angle for offloading their e-gold in a way that leads to a dead end, but that tends to be much more difficult than most bad guys think."

This is all assuming the SCC actually receives a payment, or even has the source code in the first place. It's the ultimate buyer beware: the code could be made up, tampered with or may not exist. And because the transaction through e-gold is instantaneous and guaranteed, there is no way for the buyer to back out.

Dave Hawkins, technical support engineer with Radware Inc. in Mahwah, N.J., believes SCC is merely executing a publicity stunt.

"If they had such real code, it's more likely they would have sold it in underground forums to legitimate hackers rather than broadcasting the sale on Usenet," he said. "Anyone who did have the actual code would probably keep it secret, examining it to build private exploits. By selling it, it could find its way into the public, and all those juicy vulnerabilities [would] vanish in the next version."

"There's really no way to tell if this is legitimate," said Russ Cooper, senior scientist with security firm TruSecure Corp. of Herndon, Va. Cooper, however, believes there may be a market for it nonetheless. By posting publicly, SCC is able to get the attention of criminal entities they otherwise might not reach.

"It's advertising from one extortion team to another extortion team," he said. "These DDOS [distributed denial of service] extortionists, who are trying to get betting sites no doubt would like to have more ways to do that."

From isn at c4i.org Mon Nov 8 05:31:37 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 8 05:59:01 2004
Subject: [ISN] Experts Challenge Mi2g Security Study
Message-ID:

http://www.internetweek.com/breakingNews/showArticle.jhtml?articleID=52200309

By Tom Dunlap
Courtesy of Linux Pipeline
November 5, 2004

Some Linux experts are questioning a report by British-based mi2g, which calls Linux the "most breached" computing environment worldwide, with Microsoft Windows placing a distant second.

The London-based security firm said its study analyzed more than 235,000 successful attacks against "permanently connected -- 24/7 online--computers" worldwide between November 2003 and October 2004.

According to the study, computers running Linux accounted for about 65 percent of all recorded breaches, while Microsoft Windows-based systems accounted for about 25 percent of such attacks. Successful attacks against OS X and BSD-based online systems accounted for less than five percent of the worldwide total.

Virus Threat Overlooked

But the report has some gaping holes in its methodology, according to noted open source advocate Bruce Perens and others.

"It's pretty ludicrous that they didn't count viruses," Perens said. "Even their own study says that the financial impact of viruses on Windows is tremendously greater than the penetration on Linux."

Explaining his point further, Perens said, "The number of Windows systems penetrated by automatic viruses--rather than manual penetration that this report studies--is tremendously greater. Linux is still more secure, it's just the fact that this report doesn't count automatic viruses."

"The report really did everyone a disservice by not pointing out that viruses are the main problem," Perens said. "When someone studies a restricted subset of the problem and by looking at that restricted subset makes the conclusion come out the opposite of what it would otherwise be, we have to question the motivation behind the study."

Perens also noted that with the rise of Linux, the growing number of negative reports and comments about the open-source operating system shouldn't come as a surprise. "When you're on top, you're going to get hit more," Perens said.

The Price Of Success

Linux-based servers are commonly used to host a firm's Internet presence, with the open source Apache Web server commanding more than 64 percent of the market. Apache usually runs on Linux servers, although it can also run on other OSes.

The mi2g study adds to a growing list of challenges to the burgeoning open-source operating system. In August, an Open Source Risk Management report stated that Linux potentially infringes 283 software patents, although none have been validated yet by court judgments.

Patent issues have caused significant concern among Linux users since the SCO Group sued IBM in March 2003, accusing IBM of moving SCO's proprietary Unix code into Linux.

Microsoft president and CEO Steve Ballmer has also taken the offensive, attempting to debunk every major Linux benefit with the company's "Get the Facts" campaign and a recent letter to customers.

"Suspicious" Conclusions?

Rob Enderle, principal analyst with the Enderle Group, also saw many problems with the mi2g study.

The firm's methodologies have been questioned before on other studies, Enderle said: "They tend to do a lot of things that seem to be targeted at being media events and are not considered to be particularly credible as a result . . . they are trying to make headlines, and my guess is they were successful."

Asked what he questioned about the study, Enderle said, "BSD and Apple are the least common for general use systems, so you would expect they would be targeted less. Why try to penetrate a system that doesn't get you where you want to go?

"In addition, BSD in particular is generally used by groups that have a very high percentage of highly competent professionals, so it tends to be deployed in ways that are inherently more secure," Enderle stated. "What concerns me the most about this though is the omission of Unix, which is prevalent and should have numbers that fall between the two distinct groups.

"The . . . conclusion may simply be that widely deployed systems used by large numbers of poorly trained people are inherently insecure," Enderle continued. "[Mi2g's] conclusion that these results are based on the platforms alone is questionable, because they have not normalized the populations based on skills and usage."

Bruce Schneier, CTO of Counterpane Internet Security, had not yet studied the report, but said the conclusions "certainly sound suspicious."

Mi2g appeared to anticipate criticism of its study. "We would urge caution when reading negative commentary against mi2g, which may have been clandestinely funded, aided or abetted by a vendor or a special interest group," it said in a press release publicizing the study.
From isn at c4i.org Mon Nov 8 05:31:50 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 8 05:59:02 2004
Subject: [ISN] Term 'cyber-terrorism' damaging security investment, says ex-White House advisor
Message-ID:

http://www.vnunet.com/news/1159204

Daniel Thomas in Barcelona
Computing
05 Nov 2004

Overuse of the term 'cyber-terrorism' is confusing board directors and preventing much needed investment in IT security, says former White House security advisor Richard Clarke.

By describing denial of service attacks, hacking and defacement of corporate web sites as cyber-terrorism, IT directors are negatively affecting the amount of investment companies make in IT by failing to properly communicate the real risks to businesses, he says.

'If you say cyber terrorism they get confused and think it's Osama Bin Laden in a cave with a laptop,' said Clarke during his keynote speech at RSA Conference 2004 in Barcelona. 'And CEOs don't want to spend money on that because they don't think it's a real threat to them, they think it's a cost and not a benefit.'

Clarke explained: 'Say information security, say information assurance, say cyber security, say cyber crime but don't say cyber terrorism.'

But Clarke, who spent 11 years advising the last three Presidents on national security and IT threats, says firms also need to do more to join up physical and IT security procedures and that lack of attention could threaten business continuity.

'We go into a lot of buildings and sign-in and most of the time no one knows who we are,' said Clarke. 'I sign my name Benjamin Franklin most of the time and no one notices.'

By creating secure computing and using two-factor authentication devices for access to both buildings and technology systems companies can hugely improve security, he says.

'If you worry about security you need to worry about cyber security as well - our economy is increasingly dependent on the internet,' he said.

Clarke was also critical about the current US administration's commitment to internet security, saying more action was needed to combat growing threats.

'If the US administration keeps going through cyber security directors at the pace it is we could fill up this hall with them next year,' said Clarke. 'They are very good at saying they care about cyber security and then they don't give them the money or the power to do anything about it.'

The Bush administration should also do more to allay citizen concerns around biometric citizen identification trials, says Clarke.

'An awful lot of people are concerned about civil liberties and see security technology as a threat,' he said. 'But technology is a tool - it's neither good nor bad - it depends on the way that we use it.'

He concluded that both governments and businesses need to be forward looking when it comes to security, rather than being reactive.

'I think that one of the lessons we learned from 9/11 is that we shouldn't wait for something to happen,' he said.

From isn at c4i.org Mon Nov 8 05:32:09 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 8 05:59:04 2004
Subject: [ISN] Velva Klaessy, government code breaker, dies at 88
Message-ID:

http://www.startribune.com/stories/462/5072390.html

Trudi Hahn
Star Tribune
November 7, 2004

Velva Klaessy, a government cryptanalyst who accomplished some firsts for female code breakers -- with accompanying problems in the male-dominated field -- died Sept. 16 in Golden Valley. She was 88.

"She could never talk about it," said her brother Dale Klaessy of Minnetonka. "It was a lonely, lonely job."

Born to a farm couple in 1915 in Renwick, Iowa, Klaessy got a scholarship during the Depression to attend what is now Northern Iowa University. With no money to buy clothes, her father bought her 500 baby chicks to raise. When she sold them, she bought fabric and made her wardrobe.

She received her degree in math in 1937 and took her first job in a small town dominated by a Protestant congregation. It decreed that the public-school teachers weren't allowed to play cards or go to the movies. After the town protested that she was insulting its sons by dating a young man from a different town, she left at the end of the year.

In 1944, she was teaching high school math and science in Cherokee, Iowa, when a government recruiter came to ask if she had any students good in math who might want to join the war effort as a cryptologist in the Army Signal Corps. Her best students were all headed for college, so she didn't want to recommend them, but she took the job herself.

After World War II she stayed in the field as the Armed Forces Security Agency and the National Security Agency (NSA) were formed.

Although much of her work remains classified, information from the National Cryptologic Museum of the NSA, based at Fort Meade, Md., states that she was a member for many years of the highly respected Technical Consultants group, which assisted other analytic offices with their most difficult problems.

In the summer of 1953, she and a male officer were posted temporarily to the Far East to train military personnel. According to oral tradition, the museum said, female NSA employees had never gotten temporary posts in that part of the world.

Before she left the consultants group, she was posted temporarily to the United Kingdom. Her British counterpart threw a welcoming party -- in a men's club from which women were barred, her brother said.

Female NSA employees battled for recognition at home, too. At one point a supervisor told her that she had earned a promotion but he was giving it to a male co-worker "because he had a family," her brother said.

From 1958 to 1967, Klaessy finally received positions of high responsibility in sectors dealing with cutting-edge technology, the museum said, including being named chief in 1964 of the New and Unidentified Signals Division.

She returned in 1967 to what is now called the extended enterprise when she was named deputy senior U.S. liaison officer in Ottawa, Canada. In 1970 she was named senior liaison officer in Ottawa, becoming the first woman to hold the senior post anywhere in the world. As senior officer, she represented the U.S. Intelligence Board and the NSA with appropriate organizations in Canada in all matters about signal intelligence and communications security.

She returned to Fort Meade in 1975 but retired shortly afterward to care for ill relatives, her brother said. She was found to have Parkinson's disease about 1987 and moved to the Twin Cities to be close to relatives.

In addition to her brother Dale, survivors include another brother, Earl of Spencer, Iowa. Services have been held in Iowa.

From isn at c4i.org Mon Nov 8 05:32:22 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 8 05:59:06 2004
Subject: [ISN] Fixing the DHS cybersecurity gap
Message-ID:

http://www.fcw.com/fcw/articles/2004/1108/pol-dhssec-11-08-04.asp

By Florence Olsen
Nov. 8, 2004

The Homeland Security Department's inspector general has completed an information security audit of the agency, which shows DHS officials are still struggling with internal cybersecurity issues. But that comes as no surprise to management experts.

The public flogging of DHS and all federal agencies is fine as long as people have reasonable expectations about cybersecurity, said Paul Proctor, vice president of security and risk strategies at the META Group, an information technology and business consulting company. "I say, keep up the hammering, but recognize that many agencies are doing the work necessary to get there eventually," Proctor said.

The report, released Oct. 27, highlights areas in which DHS officials have improved the department's information security practices and policies. But the overall tone of the report is negative. "We recommend that DHS continue to consider its information systems security program a significant deficiency" for fiscal 2004, the auditors state in the report's summary.

They conducted the information security audit between April and September, according to guidelines set by Office of Management and Budget officials. OMB officials developed the guidelines to help federal agencies comply with the Federal Information Security Management Act of 2002.

The report cites the chief information officer's lack of authority to manage DHS' departmentwide IT programs and spending as a significant factor in the department officials' struggle to secure the agency's information systems. It states that the absence of a formal reporting relationship between the CIO and the program organizations within the department continues to undermine DHS' information security program.

Lynn McNulty, director of government affairs at the International Information Systems Security Certification Consortium and a former government computer security official, was quick to defend DHS' information security efforts in light of the constraints on its CIO.

"He doesn't have command authority over what is going on in the 27 different agencies in DHS," McNulty said. "Unless they want to give him that, then all he can do is plead with them and offer constructive alternatives, but he has no mechanism to force compliance."

In a written response to the audit, Steve Cooper, DHS' CIO, said he generally concurred with the findings. He also expressed appreciation for what he described as "the open dialogue and strengthened relationship ...that have emerged in the past year" between his office and the inspector general's office.
-=- Audit reveals no surprises A new audit by the Homeland Security Department's inspector general highlights the following areas: Progress: DHS officials have hired a contractor to develop a methodology for conducting a systems inventory across the 27 agencies that merged in March 2003 to become DHS. Concern: The department still lacks a comprehensive inventory of its information systems, as required by the Federal Information Security Management Act of 2002. Source: Homeland Security Department From isn at c4i.org Tue Nov 9 06:51:50 2004 From: isn at c4i.org (InfoSec News) Date: Tue Nov 9 07:06:43 2004 Subject: [ISN] Finding your weakest link Message-ID: Forwarded from: William Knowles http://www.fcw.com/fcw/articles/2004/1108/feat-wifi-11-08-04.asp By Bob Brewin and Frank Tiboni Nov. 8, 2004 Although concrete barricades block physical access to many roads and buildings throughout the Washington, D.C., region, a Federal Computer Week team discovered that information and systems at many defense and civilian agencies are left exposed through wireless networks. Despite all of the attention focused on cybersecurity, agencies still have vulnerabilities, either because data on the wireless links is unencrypted or because wireless access points are broadcasting signals that hackers could use to attack the network. But that may not be the worst of it. Agency officials may find that the weakest link is government contractors, which are involved in many of their programs. FCW found significant vulnerabilities among systems integrators, such as Computer Sciences Corp., which has multimillion-dollar contracts with the National Security Agency and the Internal Revenue Service. A survey of wireless security in the Washington area Oct. 
19 found that Wi-Fi networks at several federal agencies and defense contractors did not meet the security policies issued by Defense Department officials last April or guidelines issued by National Institute of Standards and Technology officials in November 2002. At CSC's federal division's campus in Falls Church, Va., FCW reporters discovered five rogue, or unauthorized, wireless access points. During the tour, the reporters detected a wireless bridge at the headquarters of the Defense Information Systems Agency on Courthouse Road in Arlington, Va., which was transmitting megabytes of traffic. Open to trouble These vulnerabilities could potentially allow somebody to bring down the organization's network. A wireless security consultant who helped FCW with its wireless survey, on the condition of anonymity, said he could have launched a denial-of-service attack against these access point bridges, which operate in the easily detectable 2.4 Ghz band. He could have knocked them out in less than a minute. The DOD wireless directive states "measures shall be taken to mitigate denial-of-service attacks," and a DISA spokesperson said the agency complies with that policy. The spokesperson said the Wi-Fi network detected by FCW at Courthouse Road was part of a routine test to evaluate new wireless technologies. The Pentagon has a Wi-Fi network operating in a private Internet domain, which FCW was able to detect from a range of more than 1,000 yards from highways on three sides of the building. This network constantly recycled packets of data. Officials at the Army's Washington Headquarters Service, which manages the Pentagon, did not return calls from FCW for comment. Agency officials have at least some control of internal wireless access points. Security at contractors' facilities may be more difficult to manage. In July, for example, CSC won a multibillion dollar outsourcing contract from NSA to upgrade the agency's computer infrastructure. 
An NSA spokeswoman said the agency has mandatory Wi-Fi policies for contractors, including adherence to the April 2004 DOD wireless directive. That directive calls for active electromagnetic sensing for unauthorized wireless devices at DOD and contractor facilities. Chris Steinbach, CSC's vice president of global security, said company officials conducted a sweep for rogue access points Aug. 27 but did not launch another until the week of Oct. 25 after being contacted by FCW reporters. Wireless networks often can be detected because many access points have a built-in beacon function. That function broadcasts a signal known as a Service Set Identifier (SSID) to make it easier for wireless devices to find the link. However, it is also a beacon for hackers looking for an entry point into an organization's network. As part of their guidelines, NIST officials suggest agencies turn off the built-in function. Even with the broadcast function turned off, SSIDs are transmitted in other frames of the Wi-Fi signal, which can be detected by sniffing software. NIST officials recommend agency officials use an SSID that does not reveal information about the agency, such as name, division or department. FCW detected hundreds of default SSIDs and easily associated beacon signals during the Wi-Fi survey. These included GDWAP1 from an unencrypted access point at the headquarters of General Dynamics Corp. in Falls Church, NASA: Official Use Only from an access point at NASA headquarters on Independence Avenue in Washington and CMC from an access point located at the house of the Commandant of the Marine Corps at 8th and I streets in Washington. Trouble on the cheap Vendors and analysts said the FCW survey illustrates security problems federal agencies and contractors need to face with the rise of Wi-Fi technology during the past four years. 
Sheung Li, product line manager for Atheros Communications Inc., a Wi-Fi chip manufacturer, estimates there are 50 million active Wi-Fi devices nationwide. Abner Germanow, an analyst with International Data Corp., a research firm based in Framingham, Mass., said worldwide shipments of Wi-Fi devices could hit 19.2 million units in 2004, up from 11.3 million units in 2003.

Wi-Fi's market growth has led to a steep drop in prices for access points, with consumer access points from companies such as the Linksys division of Cisco selling for $40 through Internet retailers. Linksys access points feature plug-and-play capabilities, taking less than a minute to set up.

The combination of low cost and easy installation facilitates rogue access points, which is a serious concern for agency and defense contractor officials, said Richard Rushing, chief security officer of AirDefense Inc., a Wi-Fi security company based in Alpharetta, Ga., that sells stand-alone and networked Wi-Fi sensing systems. Rogue access points have the potential to open enterprise networks to sniffing by potentially malicious adversaries and contractors. Federal agencies need to have an active program to detect and prevent rogue access points.

Steinbach said CSC officials have a policy barring installation of unauthorized access points, and they could fire any employee who installs one. Steinbach said the rogues discovered by FCW have been disconnected and emphasized that any intruder attempting to use them to penetrate CSC networks would have been stopped by firewalls on the company's wired networks. "We have multiple layers of security," Steinbach said. He added that CSC has contracted with AirDefense to provide systems with around-the-clock monitoring capabilities immediately.

General Dynamics spokesman Kendall Pease said in a statement the GDWAP1 access points FCW discovered are part of a guest network used to provide Internet access for visitors to the company's headquarters.
These visitors, including General Dynamics officials, other contractors and government customers, are warned that the Wi-Fi network is unsecure, and they are responsible for maintaining the security of their communications and compliance with policies of their home networks.

Pease's statement did not address the potential security problems posed by transmitting unencrypted data via a Wi-Fi network with an easily identified SSID, but vendors and analysts expressed surprise that contractors and federal agencies would entrust traffic on unencrypted networks with easily associated SSIDs. NASA and Marine Corps officials did not return phone calls for comment about the networks FCW detected.

Ken Evans, vice president of product management for Fortress Technologies Inc., based in Oldsmar, Fla., said "this is wireless security 101. This is stuff that has been covered in the popular press for the past two years." Fortress officials sell a security product widely used by the Army and the Department of Veterans Affairs. Evans said contractors and federal agencies should use such a system to provide gold-plated security that is better than the Wired Equivalent Privacy (WEP) encryption used on NASA and Marine networks detected by FCW.

Officials at T-Mobile USA in Bellevue, Wash., which operates a nationwide network with more than 4,700 Wi-Fi hot spots, offer better security on their public-access networks than the General Dynamics guest network or the NASA and Marine networks detected by FCW, said Mark Bolger, the company's director of hot spot brand marketing. Since October, T-Mobile has offered security based on the Institute of Electrical and Electronic Engineers Inc. 802.1x standard, which provides stronger authentication and encryption than WEP, Bolger said.
Rushing said any federal agency or defense contractor Wi-Fi network should have defense in depth, which includes the Advanced Encryption Standard, stronger authentication and constant monitoring of a campus or building to detect rogues.

Joe Lawless, department manager for global network systems design at United Parcel Service Inc. in Atlanta, said physical security is another important component of Wi-Fi security. UPS officials say the company operates the world's largest wireless network with about 7,000 access points at the company's offices, hubs and distribution centers. Lawless said UPS security personnel are instructed to question suspicious individuals parked in or around the perimeter of UPS facilities, especially if they are aiming a three-foot antenna at the facility, similar to the methodology of the FCW reporting team during its assessment of Wi-Fi security in Washington.

Florence Olsen contributed to this article.

-=-

Watch out for wireless vulnerabilities

Security experts warn that wireless communications have certain vulnerabilities that need to be addressed. Among those threats:

* Rogues: These are cheap ($100 or less) consumer-grade access points, most likely unauthorized, that have the potential of opening up an enterprise network to anyone within the range of the rogue access point. Users frustrated by lack of wireless access, easy installation and a continuing drop in the cost of access points make this a serious threat that will not go away.

* Bug lights: The Wi-Fi utility in Microsoft Corp. Windows XP constantly searches for access points like moths headed toward a flame. This utility makes it easy for a hacker to set up an access point that XP clients will use. If that client is connected to a wired network, it will serve as a bridge for intruders.

* Automatic address assignment hacks: Many wireless local-area networks use the Dynamic Host Configuration Protocol to assign IP addresses.
That means a hacker can obtain an IP address and a connection to the access point and the network behind it as easily as an authorized user.

* Man-in-the-middle attacks: Hackers collect IP addresses from access points and client cards during an initial association process and then set up a fake access point that looks like the real one, diverting traffic to the hacker.

* Denial-of-service attacks: Like a polite dinner guest waiting his turn, the Wi-Fi Media Access Control layer avoids transmission when it senses other radio frequency activity. Hackers can exploit that vulnerability by flooding an access point with traffic and setting up a high-power radio frequency generator that denies legitimate users access to the network until the denial-of-service attack ends.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Tue Nov 9 06:52:13 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 9 07:06:44 2004
Subject: [ISN] Linux Security Week - November 8th 2004
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com                             Weekly Newsletter     |
| November 8th, 2004                            Volume 5, Number 44n  |
|                                                                     |
| Editorial Team:  Dave Wreski                  dave@linuxsecurity.com |
|                  Benjamin D. Thomas           ben@linuxsecurity.com  |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
This week, advisories were released for "Installing and securing VoIP with Linux," "Securing Source Code Should Be a Priority," and "Keep an Eye on Your Linux Systems with Netstat."

----

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

----

LINUX ADVISORY WATCH:

This week, advisories were released for rsync, squid, subversion, gaim, apache, postgresql, mpg123, abiword, iptables, xpdf, libxml, lvm10, hdcp, ppp, Apache, speedtouch, proxytunnel, shadow, mysql, netalk, mod_ssl, and libtiff. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Openwall, Slackware, and Trustix.

http://www.linuxsecurity.com/articles/forums_article-10206.html

-----

Mass deploying Osiris

Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel.

http://www.linuxsecurity.com/feature_stories/feature_story-175.html

------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Installing and securing VoIP with Linux
November 7th, 2004

Successful businesses usually have the same goal, minimize costs to maximize profits. Today with the plethora of open source solutions, a small business can present a high tech image and still keep a lid on the expenses. Early last winter, we had the opportunity to present a proposal for a financial institution to add two new remote offices.

http://www.linuxsecurity.com/articles/documentation_article-10215.html

* TCP/IP checksum vectorization using AltiVec, Part 1
November 6th, 2004

This two-part article demonstrates the kinds of performance gains AltiVec can produce on the TCP/IP checksum, or on code similar to it. It gives special attention both to instructions that help improve performance, and to general unrolling and scheduling techniques. The net result? Performance increased by a factor of four.

http://www.linuxsecurity.com/articles/documentation_article-10214.html

* SSH User Identities
November 4th, 2004

OpenSSH supports more than just simple passwords for authentication. It can be configured to use PAM (Pluggable authentication modules), Challenge/Response protocols, Kerberos authentication, authenticated host-based trust[1], and there are even patches for other methods, such as X509 keys. However the most popular alternate authentication method is Identity/Pubkey authentication.

http://www.linuxsecurity.com/articles/documentation_article-10189.html

* Securing Source Code Should Be a Priority
November 4th, 2004

The efforts of the "Source Code Club" to sell the source code to Cisco firewalls may be despicable, but they may also be a blessing in disguise.
By making a public show of Cisco's inability to keep its secrets to itself, these desperados may actually be doing us all a big favor.

http://www.linuxsecurity.com/articles/privacy_article-10200.html

* Keep an Eye on Your Linux Systems with Netstat
November 3rd, 2004

Two of the fundamental aspects of Linux system security and troubleshooting are knowing what services are running, and what connections and services are available. We're all familiar with ps for viewing active services. netstat goes a couple of steps further, and displays all available connections, services, and their status. It shows one type of service that ps does not: services run from inetd or xinetd, because inetd/xinetd start them up on demand.

http://www.linuxsecurity.com/articles/documentation_article-10185.html

+------------------------+
| Network Security News: |
+------------------------+

* Alleged DDoS kingpin joins most wanted list
November 6th, 2004

The fugitive Massachusetts businessman charged in the first criminal case to arise from an alleged DDoS-for-hire scheme has appeared on an FBI most wanted list, while the five men accused of carrying out his will are headed for federal court.

http://www.linuxsecurity.com/articles/general_article-10211.html

* Crack Program Released for Wireless Nets
November 6th, 2004

One year after a vulnerability in the Wi-Fi Protected Access encryption algorithm was reported, a proof-of-concept program for the attack has been released.

http://www.linuxsecurity.com/articles/network_security_article-10213.html

* Recovering From an Attack
November 6th, 2004

No matter the size of your network, sooner or later you'll have to clean up an infected machine. Recovery from an attack can be daunting, but following some simple steps will make it less painful.
http://www.linuxsecurity.com/articles/intrusion_detection_article-10209.html

* Sourcefire - the open source answer to network security
November 4th, 2004

In the past couple of years, technologies such as intrusion detection and protection systems have become mainstream tools in the corporate security arsenal. But many feel less than satisfied with the performance of some of these technologies.

http://www.linuxsecurity.com/articles/network_security_article-10193.html

+------------------------+
| General Security News: |
+------------------------+

* Linux in Government: Stanislaus County Does Linux with a Best Practices Slant
November 6th, 2004

If you call the Stanislaus County administrative offices and ask for Richard Robinson, be sure to specify that you want to speak with the director of strategic business technology. If not, you most likely will get the county's CEO, who has the same name.

http://www.linuxsecurity.com/articles/government_article-10212.html

* Experts Debunk Linux Security Criticisms
November 6th, 2004

Some Linux experts are questioning a report by British-based mi2g, which calls Linux the "most breached" computing environment worldwide, with Microsoft Windows placing a distant second. The London-based security firm said its study analyzed more than 235,000 successful attacks against "permanently connected -- 24/7 online--computers" worldwide between November 2003 and October 2004.

http://www.linuxsecurity.com/articles/forums_article-10210.html

* The Cost of Security Training
November 5th, 2004

It has been said before that the cost of IT training for those of us in the computer security industry is really quite high. After all, there is not only the cost of the course itself, but also the associated costs of hotels, food, and rental vehicles if the course is out of town.
http://www.linuxsecurity.com/articles/forums_article-10201.html

* The Rise of Security Threats
November 1st, 2004

Disgruntled or former employees pose a threat to any business and can gain access to internal systems relatively easily. Confidential company information can be used maliciously by employees either hacking into servers and files or by utilizing hacking tools readily available via the Internet and with a higher concentration of computer literate workers these risks are even more significant.

http://www.linuxsecurity.com/articles/network_security_article-10156.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Nov 9 06:53:11 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 9 07:06:46 2004
Subject: [ISN] The Sling And The Stone
Message-ID:

http://www.washingtondispatch.com/article_10508.shtml

[ http://www.amazon.com/exec/obidos/ASIN/0760320594/c4iorg - WK]

Commentary by William S. Lind
November 8, 2004

For at least a decade, Colonel Tom Hammes has been one of the Marine Corps' leading intellectuals. His new book, The Sling and the Stone, should be read by anyone who has an interest in Fourth Generation warfare (4GW).

In some ways, this is two books in one. One book describes Fourth Generation war and the reforms our military needs in order to fight it, and here Colonel Hammes is at his best. His distinction between the first and second intifadas is especially valuable. He writes that the Palestinians won the first intifada because they were careful to present themselves as victims of a vastly more powerful Israeli military.
Avoiding the use of weapons other than the stone, and taking full advantage of the television camera, the Palestinians "transformed (Israel) from the tiny, brave nation surrounded by hostile Arab nations to the oppressive state that condoned killing children in the street." This is the power of weakness which is central to Fourth Generation war.

In contrast, in the second (al-Aqsa) intifada, the Palestinians resorted to violence, including suicide bombers, and gave up the power of weakness. Hammes writes, "It is almost impossible to overstate how perfectly Arafat and the radical elements in Palestinian resistance have supported the Israeli effort. Their suicide bombing campaign has given Israel complete freedom of action." As is so often the case in the Fourth Generation, what seems weak is strong and what seems strong is weak.

Hammes' descriptions of the situations in Iraq and Afghanistan are equally good. So is his analysis of the Pentagon's faith that future wars will be decided by high technology. Correctly, he argues that developments such as the Internet favor our Fourth Generation adversaries, because they have flat, cooperative organizations while we are stuck with industrial-age, bureaucratic hierarchies. In effect, they are the free market while we represent the centrally-planned Soviet economy. Finally, Hammes' proposed reforms, while largely derivative, are also mostly sound.

The second book is a book on military theory, and here Hammes is on less solid ground. He makes a major error early, in that he equates Fourth Generation war with insurgency. In doing so, he equates the Fourth Generation with how war is fought. It is usually fought guerilla-style, but that misses the point: what changes in the Fourth Generation is who fights and what they fight for.

This error leads to others, such as believing that Fourth Generation war focuses on the mental level. Hammes writes, "The fourth generation has arrived. It uses all available networks, political, economic, social and military to convince the enemy's political decision makers that their strategic goals are either unachievable or too costly for the perceived benefit." In fact, Fourth Generation war focuses on the moral level, where it works to convince all parties, neutrals as well as belligerents, that the cause for which a Fourth Generation entity is fighting is morally superior. It turns its state enemies inward against themselves on the moral level, making the political calculations of the mental level irrelevant.

Hammes still makes some useful contributions to Fourth Generation theory. For example, his short discussion of a difficult theoretical problem, the role of the OODA loop in Fourth Generation war, notes that, "the focus is no longer on the speed of the decision but on a correct understanding of the situation. Observation and orientation become the critical elements of the observation - orientation - decision - action [OODA] loop." I think the OODA loop's originator, Colonel John Boyd, might agree with that.

But in the end, Colonel Hammes remains trapped in the framework of the state. He writes that 4GW in itself cannot win a decisive victory: "The techniques [of 4GW] can only weaken the enemy's will and reduce his resources to the point that a conventional military campaign can defeat him entirely." In fact, Fourth Generation war can unravel a state opponent so completely that he ceases to exist. We saw that with the Soviet Union, we are seeing it now with Israel, and if the United States fails to isolate itself from the Fourth Generation we may see it here as well.

William S. Lind, expressing his own personal opinion, is Director for the Center for Cultural Conservatism for the Free Congress Foundation.
From isn at c4i.org Tue Nov 9 06:53:25 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 9 07:06:48 2004
Subject: [ISN] New MyDoom draws on IE flaw to spread
Message-ID:

http://news.com.com/New+MyDoom+draws+on+IE+flaw+to+spread/2100-7349_3-5443828.html

By Robert Lemos
Staff Writer, CNET News.com
November 8, 2004

A new version of MyDoom uses an unpatched flaw in Microsoft's Internet Explorer to spread, antivirus companies warned on Monday.

The recently discovered vulnerability in the browser software allows the offshoot to infect a PC after a user clicks on a link, according to advisories from security software makers Symantec and McAfee. The program sneaks past antivirus applications that detect malicious software by scanning e-mail messages with attached programs. The companies said they had only detected a few instances of the infector, which is labelled MyDoom.AG by McAfee and MyDoom.AH by Symantec.

"We have only received one submission from the field, but the technical aspects of this are concerning," said Craig Schmugar, senior virus research manager at McAfee. "It has all the components there to become a significant virus."

It's not the first time a code writer has exploited a flaw in a Microsoft product before the software giant has had a chance to plug the hole. An aggressive advertiser attempted to surreptitiously install a pop-up toolbar in victims' Web browsers using two previously unpatched security flaws in Internet Explorer.

Microsoft said that it was investigating the flaw and was aware of a new virus exploiting the issue.

"As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources," said Microsoft in a statement sent to CNET News.com. "In addition, we continue to encourage customers follow our 'Protect Your PC' guidance of enabling a firewall, getting software updates and installing antivirus software."

The latest MyDoom virus appears as an e-mail in an inbox.
The body of the message states: "Look at my homepage with my last webcam photos!" or "FREE ADULT VIDEO! SIGN UP NOW!" Both messages have text that links them to a Web page generated by the virus and hosted on the infected computer that sent the e-mail.

When the victim clicks on the link, a Windows-based PC will call Internet Explorer and load a malicious Web page from the previously infected computer. The page contains the IFrame vulnerability recently publicized on security mailing lists. The virus uses the flaw to execute code on the victim's computer, infecting the system.

The virus harvests e-mail addresses on the compromised system, sends out mail to spread the virus further, sets up a Web server and attempts to contact several Internet relay chat (IRC) servers as a way to notify the virus's creator that a new system has been compromised.

The fact that the virus creates a Web server and uses that server to infect other systems is a significant departure from previous versions of MyDoom, and other viruses in general, Schmugar said.

"There was a decent amount of work that went into this," he said. "There was a good bit of attention (among security researchers) to the demo code (of this flaw). Someone grabbed the demo code and tweaked it quite a bit."

McAfee rates the program a low threat, but Schmugar said he thinks it might spread widely.

From isn at c4i.org Tue Nov 9 06:53:37 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 9 07:06:50 2004
Subject: [ISN] Update: Some WLANs open to dictionary attack
Message-ID:

http://www.nwfusion.com/news/2004/1108wlandictionary.html

By John Cox
Network World Fusion
11/08/04

A dictionary attack tool designed to exploit a weakness in the Wi-Fi Protected Access security for wireless LANs has been published on the Web.

The software, called WPA Cracker, exploits one option that can be used in WPA, usually in consumer applications or residential WLANs: a pre-shared encryption key.
This key is simpler to use and deploy than using the more complex 802.1x for authentication. With the pre-shared key, a common shared pass phrase is set for users and the WLAN access point. This phrase and the Service Set Identifier (SSID) (the network name) of the WLAN access point then are changed via an algorithm into an encryption key used to scramble the packets between clients and the access point.

The story was first reported last Friday by the Wi-Fi Networking News Web site.

WPA Cracker is available at the tinypeap.com site, which also offers a very compact RADIUS server supporting 802.1x authentication using PEAP as its authentication protocol, designed to run on WLAN access points such as the Linksys WRT54G. A whitepaper on the WPA Cracker code and the dictionary attack is here.

Network World Test Alliance gurus Joel Snyder and Rodney Thayer highlighted the same weakness in this October article.

The WPA vulnerability was first disclosed a year ago in a paper. The author, Robert Moskowitz, a senior technical director at ICSA Labs, noted that using the pre-shared key broadcasts in the clear certain information needed to create and verify the session encryption key. This information can be recovered and then subjected to an offline dictionary attack, usually with a program that runs through words and character combinations until it finds the original pass-phrase.

The attack will not work against nets that don't use the pre-shared key option. But Moskowitz paints a disturbing picture for those that do rely on it, saying this attack is even easier than those mounted against the original WLAN encryption scheme called WEP. WPA was designed to correct key weaknesses in WEP.

"As the [WPA] standard states, passphrases longer than 20 characters are needed to start deterring [dictionary] attacks. This is considerably longer than most people will be willing to use," he writes. "This offline attack should be easier to execute than the WEP attack."
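An added example, not code from the article or from the WPA Cracker tool, showing the derivation the article describes: the passphrase and SSID are run through PBKDF2-HMAC-SHA1 (4096 iterations) to produce the 256-bit pre-shared key, so the SSID acts as a salt and each passphrase an offline guess tests costs one such derivation. The sample input "password"/"IEEE" is the test vector from IEEE 802.11i Annex H; the common-word list, the 21-character threshold (Moskowitz's "longer than 20 characters") and the function names are constructed for this example.

```python
import hashlib

# Constructed sample input for this example. "password" / "IEEE" is the
# pre-shared key test vector published in IEEE 802.11i (Annex H).
SAMPLE_PASSPHRASE = "password"
SAMPLE_SSID = "IEEE"

# Constructed list of words a dictionary-style guess would try first; a
# real policy check would load a much larger wordlist.
COMMON_WORDS = {"password", "linksys", "default", "admin", "wireless", "internet"}

# Passphrase length the article quotes Moskowitz recommending to start
# deterring dictionary attacks ("longer than 20 characters").
GUIDANCE_MIN_LENGTH = 21


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA pre-shared key (the PMK) from passphrase and SSID.

    WPA-PSK maps the passphrase to a key with PBKDF2-HMAC-SHA1, using the SSID
    as the salt and 4096 iterations. Every candidate passphrase an attacker
    wants to test against a captured handshake costs one such derivation.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def wpa_psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PMK, as shown by tools such as wpa_passphrase."""
    return wpa_psk(passphrase, ssid).hex()


def ssid_changes_key(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs on two SSIDs.

    Because the SSID is the salt, PMKs precomputed for one network name (for
    example a vendor default) do not carry over to a network with a different
    name, which is one reason default SSIDs are discouraged.
    """
    return wpa_psk(passphrase, ssid_a) != wpa_psk(passphrase, ssid_b)


def assess_passphrase(passphrase: str) -> dict:
    """Defender-side checks on a candidate WPA-PSK passphrase."""
    return {
        "valid_length": 8 <= len(passphrase) <= 63,
        "meets_length_guidance": len(passphrase) >= GUIDANCE_MIN_LENGTH,
        "is_common_word": passphrase.lower() in COMMON_WORDS,
    }


if __name__ == "__main__":
    print("PMK for sample passphrase/SSID:", wpa_psk_hex(SAMPLE_PASSPHRASE, SAMPLE_SSID))
    print("Same passphrase on SSID 'linksys' gives a different PMK:",
          ssid_changes_key(SAMPLE_PASSPHRASE, SAMPLE_SSID, "linksys"))
    print("Assessment of sample passphrase:", assess_passphrase(SAMPLE_PASSPHRASE))
```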
From isn at c4i.org Wed Nov 10 05:17:49 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 10 05:46:22 2004
Subject: [ISN] Connecticut Man Accused of Selling Microsoft Code
Message-ID:

http://www.nytimes.com/2004/11/10/technology/10soft.html

By ERIC DASH
November 10, 2004

A Connecticut computer hacker was arrested yesterday and charged with selling copies of Microsoft Windows proprietary source code.

The United States attorney's office said the hacker, William O. Genovese Jr., 27, of Meriden, Conn., used a Web site to unlawfully distribute the programming blueprints behind the Microsoft NT 4.0 and Windows 2000 operating systems.

"This is someone who stole and attempted to sell for profit some valuable asset of Microsoft," said Tom Rubin, the associate general counsel for Microsoft. "It is our secret recipe, our secret formula like the Coke formula."

The arrest is the most significant legal action to emerge from an F.B.I. investigation into the theft of Microsoft's source code; the inquiry began earlier this year and is continuing.

Though sometimes Microsoft has provided its source code to business partners and government agencies, access is tightly guarded because it can allow software developers to replicate the program and hackers to exploit vulnerabilities in the operating system, which is used on hundreds of millions of computers.

In mid-February, the complaint said, Mr. Genovese obtained a stolen copy of the Windows source code and posted a message on his Web site that he was willing to sell it. At about the same time, an investigator from an online security firm hired by Microsoft sent an e-mail message to Mr. Genovese, who was using an alias, and asked for a copy, the complaint said. Mr. Genovese requested that $20 be sent to a PayPal account and when the payment cleared, the investigator was given access to an Internet address where he could download a file with the source code.

Mr. Rubin said that Microsoft then contacted federal authorities, who conducted a similar investigation with the company's help.

This is not the first time Mr. Genovese has been at the center of a computer crimes case. In March 2003, he was convicted of eavesdropping and sentenced to two years of probation after gaining unauthorized access to computers in Connecticut.

There has been another case this year involving a large technology company's having its proprietary software code published on the Internet. In September, Cisco Systems, the networking equipment manufacturer, said British authorities made an arrest after a four-month investigation.

From isn at c4i.org Wed Nov 10 05:18:25 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 10 05:46:24 2004
Subject: [ISN] Windows Forensics and Incident Recovery
Message-ID:

http://books.slashdot.org/books/04/11/09/202220.shtml

[ http://www.amazon.com/exec/obidos/ASIN/0321200985/c4iorg - WK]

Author: Harlan Carvey
Pages: 460
Publisher: Addison Wesley
Rating: 9
Reviewer: Mark McKinnon
ISBN: 0321200985
Summary: Forensic analysis and incident recovery on a live Microsoft Windows is explained for the system administrator, security administrator and knowledgeable home user.

The intended audience, according to the author, is "anyone with an interest in Windows security, which includes Windows system and security administrators, consultants, incident response team members, students and even home users." The author assumes the reader is familiar with basic networking (including TCP/IP) and has some Windows administration skills. Some programming ability, though not actually required, will help out greatly with reading and understanding the many examples provided, and will let you make your own modifications (this is encouraged by the author throughout the book).
The chapter on data hiding was a real eye-opener -- it's amazing the things Microsoft has implemented as part of the operating system (and included applications) that can be used to hide things. Discovering the hidden information is talked about, as well as how it is hidden. Sample topics include file attributes, alternate data streams, OLE and steganography. This is an excellent chapter with many examples; I found myself stopping after each subject to try out each of the discussed techniques.

The next chapter delves into incident preparation. Carvey addresses some of the things that administrators can do to harden their systems. He goes over the application of security policies in general, as well as intelligent assignment of file permissions. He then covers Windows File Protection and how it is implemented, and includes a perl script to implement your own file watcher. He touches briefly on patch management and anti-virus programs, then moves into monitoring. He provides quite a few scripts, and discusses other means by which you can monitor your system.

The next chapter describes tools that can be used in incident response. This chapter has quite a lot of information and took me the longest to get through, because of all the tools mentioned that I had to download and check while I was reading the book. Carvey uses a mixture of his own perl scripts and programs that can be downloaded from places like Sysinternals, Foundstone, DiamondCS and others. All of the tools used are open source (or are at least freely available). That equips the reader with a low-cost toolkit, especially important to the home user or small business owner who cannot afford to buy the commercial equivalent. Carvey does acknowledge, though, that there are quite a few commercial tools with great functionality out there.

The first part of the incident-response tools chapter deals with the collection of volatile information (processes, services, etc.); this is a vital part of live analysis.
The second part deals with the collection of non-volatile information (the content of the Windows registry, file MAC times and hashes, etc.) and tools for analyzing files. Carvey also shows how some of the tools complement each other, and that there is not one almighty tool that will find all the data you need. (This is also proven by example in a later chapter when he talks about rootkits.) The next chapter deals with developing a security methodology, and it's handled differently than in most books: the author presents the material as a series of dreams that a Windows system administrator has, showing how an individual can come up with and fine tune a methodology as incidents happen. Carvey has used this approach before in a series of articles entitled "No Stone Unturned" for SecurityFocus.com, and the creative approach appeals to me. As he moves from dream to dream, you can relate to the admin's circumstances (and mistakes), and how he becomes better at responding to different incidents. The next chapter talks about what to usefully look for with the tools the book has introduced. It discusses infection vectors, types of malware and rootkits, and demonstrates tools and techniques for detecting them. This is where the author makes a clear point of why you would need to run several different tools, even if some overlap. His example uses an installed rootkit; running a particular program from a previous chapter, he shows that it fails to find that anything untoward is running -- it takes another program from the same chapter to actually reveal the rootkit's presence. By cross referencing the output for both programs, you can see why you should run more than one type of analysis tool for certain areas to make sure you are not missing anything. Finally, the author dedicates an entire chapter to his own Forensic Server Project, a two-pronged approach to live forensic analysis which uses two machines simultaneously. 
The first piece, the Forensic Server Module, is the listener software; this runs on a clean PC where the data will be sent from the compromised system. The other piece, called the First Responder Utility, runs several of the programs and scripts from the incident tools chapter on the compromised system. After installing everything needed for both parts of this system, I followed the author's instructions on how to run it. What a slick tool! I ran it from a couple of PCs on my home network and was able to get a lot of the information that was described in the book as well as hash values for each log file that was produced, and a general log of everything the First Responder Utility did. The whole principle of this is that when you have an incident there will be very little interaction with the compromised system, since everything is scripted to begin with. The framework that this software constitutes is very flexible. I was able to add two new features to the Forensic Server Module and the First Responder Utility with very little code. The first addition I made was to mark all the logs as read-only on the file system after they were written from the Forensic Server Module. The next addition I made was to add a perl script to scan the c:\ drive of the PC that the First Responder Utility was running on. After I made both additions, I tested everything out, and it worked great. I had my extra log files and they were all read-only. My hat goes off to the author for coming up with and including this in the book, a really nice piece of software. From isn at c4i.org Wed Nov 10 05:18:37 2004 From: isn at c4i.org (InfoSec News) Date: Wed Nov 10 05:46:26 2004 Subject: [ISN] Domain transfer rules are a cyber squatter charter Message-ID: http://www.theinquirer.net/?article=19579 By Nick Farrell 10 November 2004 SECURITY AND network services outfit Netcraft has warned that the new rules for domain transfers that will come into effect on Friday, are a cyber squatter's charter. 
Internet Corporation for Assigned Names and Numbers (ICANN), has changed the rules so that requests for transferring a domain will be automatically approved in five days unless they are denied by the owner of the domain. The current rule is that the domain and its nameserver names are kept even if a request for a transfer evokes no response. The problem is that if the contact addresses given in the records are incorrect, then a request for transfer would go to the wrong address and after five days of no response, the transfer would become effective. A Netcraft spokesman said that the new domain rules would make it far easier for cybersquatters to take over sites. It said some prominent domains which had lapsed without being renewed included The Washington Post and the Gawker weblog. More famously PR outfit Ogilvy Mather, which looks after our friends in IBM, forgot to register their www.oglivy.co.uk address this week and found that the site had been hijacked by viral marketers ASABAILEY. ASABAILEY took control of the domain and promptly uploaded a picture of what appear to be dead feet, to make a point about brand protection. The image states: "If you understood the modern brand, you'd understand how to protect it." ICANN said it is anticipating more disputes as it has appointed staff to manage its domain dispute resolution policy. From isn at c4i.org Wed Nov 10 05:18:49 2004 From: isn at c4i.org (InfoSec News) Date: Wed Nov 10 05:46:27 2004 Subject: [ISN] Boom times ahead for IT security profession Message-ID: http://www.theregister.co.uk/2004/11/09/isc2_security_job_survey/ By John Leyden 9th November 2004 Boom times are ahead for security pros. The information security workforce will expand by an estimated 13.7 per cent annually to reach 2.1m workers by 2008. Approximately 680,000 of this expanded workforce will work in Europe. 
The (ISC)2 2004 Global Information Security Workforce Study found the wider use of internet technologies, a dynamic threat environment and increasingly stringent government regulations are driving the growth of the profession. The 1.3m information security professionals currently employed will see their ranks swell by more than 60 per cent within five years, according to IDC, which conducted the study on behalf of security certification body (ISC)2. Show me the money IDC analysed responses from 5,371 full-time information security professionals in 80 countries worldwide, with nearly half employed by organisations with $1bn or more in annual revenue. The web-based study is described as the first major study of the global information security profession ever undertaken. On average survey respondents had 13 years work experience in IT and seven years specialised security experience. This wealth of skill is often well rewarded. Around 10 per cent of the survey participants in both the US and Europe earned more than $125,000 per annum; 22 per cent of US residents who took part in the survey earned between $100,000-$120,000 a year (Europe 16 per cent). At the other end of the scale, five per cent of security pros in the States and nine per cent in Europe earn less than $50,000. In Asia, 60 per cent of security professionals earn less than $50,000. Gizza job Managers hiring security professionals (93 per cent) said certification was important in choosing potential recruits; but commercial awareness is also becoming increasingly important. "The study shows a shift in the information security profession, indicating that business acumen is now often required along with technology proficiency," said Allan Carey, the IDC analyst who led the study. 
"This widening responsibility means information security professionals not only have to receive a constant refresh of the best security knowledge but also must acquire a solid understanding of business processes and risk management to be successful in their roles." "With competing demands on industry and government to expand access to services and information, the highly trained and experienced information security professional must now be an active participant to fulfil stringent regulatory requirements and provide proactive solutions to circumvent emerging risks," he added. From isn at c4i.org Wed Nov 10 05:18:59 2004 From: isn at c4i.org (InfoSec News) Date: Wed Nov 10 05:46:30 2004 Subject: [ISN] New MyDoom variant exploits IE flaw Message-ID: http://www.nwfusion.com/news/2004/1109newmydoo.html By Scarlet Pruitt IDG News Service 11/09/04 A new variant of the MyDoom worm that exploits an unpatched flaw in Microsoft's Internet Explorer browser is in the wild and posing particular risk to home and small business users, security experts warned this week. The worm, which security firms dubbed MyDoom.AF, MyDoom.AH and MyDoom.AG, spreads by e-mail and exploits a recently discovered buffer overflow vulnerability in IE. Internet users should avoid opening suspicious e-mail with the subject headers "funny photos :)," "hello," "hey!" and blank headers, according to security firm iDefense. Users who open the infected e-mail and click on links in the message body will be directed to destinations from which an attack may be launched. Microsoft issued a statement saying that it was aware of the new variant and an investigation is underway. According to early reports the vulnerability does not exist on Windows XP Service Pack 2 (SP2) so customers running the security update are at a reduced risk of the threat, Microsoft said. The software maker and security experts advised users to install SP2 if they have not already. 
Users less likely to have a perimeter defense, such as those in homes and small offices, are more vulnerable to attack, security experts warned. The variant exploits a flaw in the way IE handles "iframe" and "frame" HTML tags. Code that takes advantage of the flaw began circulating last week and researchers warned that several new codes exploiting the vulnerability may appear in the next few weeks since it is still unpatched. Microsoft said however that it believes the current threat is low and that it is not aware of any significant customer impact. The company added that it will decide what further action to take upon completing its investigation and said it could issue a patch ahead of its regular monthly security update. From isn at c4i.org Thu Nov 11 04:41:29 2004 From: isn at c4i.org (InfoSec News) Date: Thu Nov 11 04:55:24 2004 Subject: [ISN] Security UPDATE--Blacklists Decrease Spam--November 10, 2004 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. Free Patch Management White Paper from St. Bernard Software http://list.windowsitpro.com/cgi-bin3/DM/y/eiFL0MfYqv0Kma0BMnz0Ar The Unofficial Guide to IM for Executives http://list.windowsitpro.com/cgi-bin3/DM/y/eiFL0MfYqv0Kma0BMn10Ae ==================== 1. In Focus: Blacklists Decrease Spam 2. Security News and Features - Recent Security Vulnerabilities - Microsoft Security Bulletin Advance Notification - Rights Management Services SP1 Beta - Windows XP SP2: 110 Million Users and Counting 3. Security Matters Blog - SpoofStick: the Good, the Bad, and the Ugly - Mac OS X Security Guide 4. Security Toolkit - FAQ - Security Forum Featured Thread 5. New and Improved - SSL VPN for Small-Scale Deployments - Protect Users from Internet Threats ==================== ==== Sponsor: St. 
Bernard Software ==== Free Patch Management White Paper from St. Bernard Software Successful patch management is a core component of maintaining a secure computing environment. With a growing number of patches being released by Microsoft weekly, IT administrators must be vigilant in assuring that the machines on their networks are accurately patched. Although Microsoft offers tools to assist administrators with the tasks of patching, they are often time-consuming and far from comprehensive. However there are solutions on the market that can reliably and accurately automate the tasks involved in successful patch management. In this free white paper, learn more about the patch management dilemma and patch management solutions. Download this free white paper now! http://list.windowsitpro.com/cgi-bin3/DM/y/eiFL0MfYqv0Kma0BMnz0Ar ==================== ==== 1. In Focus: Blacklists Decrease Spam ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net I'm sure that most, if not all, of you use some sort of mail-filtering software to help eliminate unwanted email. Some mail-filtering solutions are server-based, some are desktop-based, and some are a combination of both. I use a desktop-based mail-filtering solution on my personal desktop system, and so far it works fairly well. As with many mail filters, mine has to be trained to recognize unwanted email messages and considers any messages that don't meet enough spam requirements to be legitimate messages. The good thing about this approach is that it decreases the possibility that I might not see a legitimate message that I really need. The downside of the approach is that it takes a while to train the mail filter to properly filter as much spam as possible. As each message is processed, more keywords (typically called tokens) are added to the spam-filtering engine. So naturally the more spam the engine filters, the better it operates. I receive a lot of junk mail. 
For example, in August and September, I received over 28,000 email messages. Of those, at least 18,090 (more than 64 percent) were spam. One thing I've found that really helps reduce the amount of spam that reaches my inbox is that my email filter supports the use of blacklist services. You might already know that blacklist services track IP addresses that are known to be used to send spam. So any mail filter that supports blacklist services can query the services for a given IP address (the sender's address or any address that might have relayed the message along the way). If the IP address is on a blacklist, then it's more probable that a message is spam. In my testing of mail-filter software, I've found that a mail filter that uses blacklists should query every mail server found in a message's "Received:" header. Doing so increases the likelihood of detecting spam messages. But some mail filters don't query all the "Received:" headers, so they're less effective. If your mail filter supports the use of blacklist services and you aren't using them, consider testing them to see if they help reduce the amount of unwanted email that you receive on your network. Blacklist services are somewhat controversial because of complaints that some services blacklist IP addresses at the drop of a hat without much, if any, investigation first. In my experience thus far, services such as SpamCop, Spamhaus, Relay Stop List, and Spam and Open Relay Blocking System (SORBS) work fairly well. To find other possible blacklist services, use your favorite search engine to query for "blacklist services." 
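The Received: walk described above, as an added example (this is not the newsletter's or any mail filter's code): it pulls every public relay address out of a constructed message's Received: headers, builds the reversed-octet DNSBL query name for each address, and queries each zone. The zone names, the 127.0.0.x answer convention, the private-range filter and the sample message are assumptions made for the example; the offline resolver and its answers are constructed so the block runs without network access, and resolve_with_socket is the drop-in for live lookups.

```python
import ipaddress
import re
import socket
from email import message_from_bytes, policy

# DNS-based blacklist zones to query. Zone names are an assumption of this
# example; the services themselves (Spamhaus, SpamCop) are the ones named above.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

# Hops in these ranges are the sender's own LAN or loopback, not public relays,
# so no blacklist will ever list them. (is_private is not used because the
# constructed sample deliberately uses RFC 5737 documentation addresses.)
_LOCAL_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "127.0.0.0/8", "169.254.0.0/16")]

_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample message: three hops, the innermost on a private LAN.
SAMPLE_MESSAGE = b"""Received: from mx1.example.net (mx1.example.net [198.51.100.7])
\tby mail.example.com with ESMTP id abc123; Wed, 10 Nov 2004 08:00:00 -0700
Received: from relay.example.org (unknown [203.0.113.45])
\tby mx1.example.net with SMTP; Wed, 10 Nov 2004 07:59:00 -0700
Received: from [192.168.1.20] (helo=workstation)
\tby relay.example.org; Wed, 10 Nov 2004 07:58:00 -0700
From: someone@example.org
Subject: funny photos :)

hello
"""


def relay_ips(raw_message: bytes) -> list:
    """Every public IPv4 address in the Received: headers, most recent hop first.
    Walking *all* of them is the point: filters that stop at the first header
    miss the relay that actually injected the spam."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    found = []
    for header in msg.get_all("Received", []):      # header objects are already unfolded
        for text in _IPV4.findall(str(header)):
            try:
                ip = ipaddress.IPv4Address(text)
            except ValueError:                      # e.g. 300.1.2.3 inside a comment
                continue
            if any(ip in net for net in _LOCAL_NETS) or ip in found:
                continue
            found.append(ip)
    return found


def dnsbl_name(ip, zone: str) -> str:
    """Build the query name: octets reversed, then the zone
    (203.0.113.45 -> 45.113.0.203.zen.spamhaus.org)."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def resolve_with_socket(name: str):
    """Live resolver. An unlisted address is NXDOMAIN, which surfaces as gaierror."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_message(raw_message: bytes, zones=DNSBL_ZONES, resolve=resolve_with_socket) -> list:
    """Query every relay in every Received: header against every zone.
    Returns (ip, zone, answer) for each listing. Listings come back as a
    127.0.0.x address whose last octet encodes the reason; anything else
    (a zone error code, a hijacked wildcard) is treated as 'not listed'."""
    hits = []
    for ip in relay_ips(raw_message):
        for zone in zones:
            answer = resolve(dnsbl_name(ip, zone))
            if answer is not None and answer.startswith("127.0.0."):
                hits.append((str(ip), zone, answer))
    return hits


# Constructed DNS answers standing in for live lookups so the example runs offline.
FAKE_DNS = {
    "45.113.0.203.zen.spamhaus.org": "127.0.0.4",   # constructed listing
    "45.113.0.203.bl.spamcop.net": "127.0.0.2",     # constructed listing
}


def fake_resolve(name: str):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for hit in check_message(SAMPLE_MESSAGE, resolve=fake_resolve):
        print("listed: %s in %s (%s)" % hit)
```

Two caveats a practitioner would want: only the topmost Received: line (the one your own mail server wrote) is trustworthy, since a sender can forge any number of lines below it, so a hit on a deeper hop is evidence rather than proof; and some zones refuse queries that arrive through large public resolvers, so run the lookups through your own resolver.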
http://www.spamcop.net http://www.spamhaus.org http://relays.visi.com http://www.dnsbl.us.sorbs.net ==================== ==== Sponsor: Akonix Systems ==== The Unofficial Guide to IM for Executives This free white paper will help managers, directors and executives in all types of businesses understand Instant Messaging and the powerful benefits it brings to the workplace when properly managed and controlled. According to Giga Information Group, a large majority of mid- to large-sized organizations have no formal IT support for IM. This means employees are often logging onto public IM networks without permission and without protection from viruses and worms, corporate policy control or the ability to monitor and log conversations. Start protecting your organization and get the white paper now! http://list.windowsitpro.com/cgi-bin3/DM/y/eiFL0MfYqv0Kma0BMn10Ae ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.windowsitpro.com/departments/departmentid/752/752.html Microsoft Security Bulletin Advance Notification Microsoft announced that it will notify all customers of impending security bulletins three days before it releases the bulletins to help administrators plan for these security patches. http://www.windowsitpro.com/Article/ArticleID/44404/44404.html Rights Management Services SP1 Beta The Windows Rights Management Services (RMS) Service Pack 1 (SP1) beta is on the way. The new service pack will add the ability to deploy RMS without a connection to the Internet and "without an operational dependency on an external entity such as Microsoft," enhanced authentication with support for smart cards, and the ability to apply rights based on dynamic groups in Active Directory (AD). 
http://www.windowsitpro.com/Article/ArticleID/44402/44402.html Windows XP SP2: 110 Million Users and Counting On November 4, Microsoft announced that it had distributed Windows XP Service Pack 2 (SP2), released in August, to more than 110 million customers worldwide. Microsoft also said that 12.5 million users have used the Windows Security Center introduced by XP SP2 to update their antivirus software. http://www.windowsitpro.com/Article/ArticleID/44403/44403.html ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Subscribe Now to Windows IT Pro with Exclusive Online Access! Windows & .NET Magazine is now Windows IT Pro! Act now to get the November issue, which features a Linux primer for Windows administrators, the how-tos of making NTBackup work, and a checklist for Sarbanes-Oxley compliance. You'll save 30% off the cover price and receive exclusive subscriber-only access to our entire online library with your paid subscription! This is a limited-time offer, so click here to order today! http://list.windowsitpro.com/cgi-bin3/DM/y/eiFL0MfYqv0Kma0BMdM0Aw Get the Final Chapter Release--"The Expert's Guide for Exchange 2003: Preparing for, Moving to, and Supporting Exchange Server 2003" Download our final chapter, "Exchange Security," and learn 5 key strategies to help you secure your environment before vulnerabilities become a problem, including how to reduce the number of protocols used and how to partition your environment. Plus, start protecting authentication credentials, data transmission, and more. Get the entire eBook now! http://list.windowsitpro.com/cgi-bin3/DM/y/eiFL0MfYqv0Kma0BMnp0Ah Attend and Get a Free Subscription to Windows IT Pro! The Enterprise Alliance Roadshow Come and join us for this free event and find out how a more strategic and holistic approach to IT planning helps organizations increase operational efficiency and facilitate the implementation of new technology. Attend and you could win an iPod! 
Sign up today. Space is limited. http://list.windowsitpro.com/cgi-bin3/DM/y/eiFL0MfYqv0Kma0BMh10AY Win a Trip to TechEd 2005 Plus iPod and XBox Prizes Compete in the first-ever IT Prolympics to test your Active Directory knowledge against your peers. You could win recognition and great prizes. The IT Prolympian grand prize is an expense-paid trip to TechEd 2005. Click here to enter the competition. http://list.windowsitpro.com/cgi-bin3/DM/y/eiFL0MfYqv0Kma0BMh20AZ ==================== ==== 3. Security Matters Blog ==== by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters Check out these recent entries in the Security Matters blog: SpoofStick: the Good, the Bad, and the Ugly I recently heard about a tool called SpoofStick, which is a browser extension for Microsoft Internet Explorer (IE) and Mozilla Firefox. The good thing about this tool is that it shows you the real URL of the site you're visiting. The tool is designed to help prevent people from falling victim to URL spoof attacks (which are bad). But there was an ugly glitch when I tried to use the product. http://www.windowsitpro.com/Article/ArticleID/44383/44383.html Mac OS X Security Guide If you're using or planning to use Mac OS X, you might want to review the new "Apple Mac OS X v10.3.x 'Panther' Security Configuration Guide" from the National Security Agency (NSA). http://www.windowsitpro.com/Article/ArticleID/44394/44394.html ==== 4. Security Toolkit ==== FAQ by John Savill, http://www.windowsitpro.com/windowsnt20002003faq Q: How can I install a domain controller (DC) from backup media by using a DCPromo answer file? Find the answer at http://www.winnetmag.com/Article/ArticleID/44379/44379.html Security Forum Featured Thread A forum participant writes that Microsoft recommends putting Internet Security and Acceleration (ISA) Server in a demilitarized zone (DMZ) and publishing Outlook Web Access (OWA) from a Microsoft Exchange Server front-end server on the inside network. 
He wonders whether skipping the front-end server and publishing the back-end server is any less secure. Join the discussion at http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=127173 ==================== ==== Events Central ==== (A complete Web and live events directory brought to you by Windows IT Pro at http://www.windowsitpro.com/events ) IT Security Solutions Roadshow--Attend and Get a Free Subscription to Windows IT Pro Take your security to the next level with this free half-day event covering topics such as antivirus, intrusion prevention, vulnerability discovery, and more. Get a backstage pass to the ISA Server 2004 Hands-on Lab. Attend and enter to win tickets to a professional sports game. Register now! http://list.windowsitpro.com/cgi-bin3/DM/y/eiFL0MfYqv0Kma0BMh30Aa ==================== ==== 5. New and Improved ==== by Renee Munshi, products@windowsitpro.com SSL VPN for Small-Scale Deployments AEP Systems offers SureWare A-Gate AG-60, a Secure Sockets Layer (SSL) VPN designed specifically for small-scale deployments. The product supports up to 50 concurrent users and sells for $7000 per appliance with no extra licensing fees. A-Gate AG-60 supports both clientless Web-enabled applications, including Windows Terminal Services, and access to client-server applications. For more information, go to http://www.aepsystems.com Protect Users from Internet Threats Armor2net released Armor2net Personal Firewall, software that provides Internet security and privacy for computers. Armor2net Personal Firewall monitors the computer and tracks all connections, both incoming and outgoing. The software will show complete details of each connection and let the user turn off unsafe connections and block dangerous Internet sites. In addition, Armor2net Personal Firewall can stop Internet pop-up ads and search for and remove spyware from a computer. 
Armor2net Personal Firewall runs on Windows XP/2000/Me/98 and requires 32MB of RAM and 20MB of free hard disk space. It's available for $19.99 from the Armor2net Web site at http://www.armor2net.com Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://www.windowsitpro.com/forums About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com ==================== This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://www.secadministrator.com/rd.cfm?code=00ep254xeb View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2004, Penton Media, Inc. All rights reserved. 
From isn at c4i.org Thu Nov 11 04:39:13 2004 From: isn at c4i.org (InfoSec News) Date: Thu Nov 11 04:55:26 2004 Subject: [ISN] Student charged with hacking into school's database, changing grades Message-ID: http://www.azcentral.com/news/articles/1110StudentArrested10-ON.html Associated Press Nov. 10, 2004 07:15 AM TUCSON - A Marana High School student has been arrested and charged with breaking into a computerized grade database to alter his and other students' grades, authorities said. Michael T. Campbell, 16, remains in the Pima County jail in lieu of $25,000 bond. Authorities said Campbell has a criminal record and has been arrested five times since January 2004 on charges including domestic violence and credit-card theft. At Marana High, Campbell was enrolled in a computer-based class where students learn curriculum and answer questions at individual computer stations. The program keeps track of each student's course grade. Police said that on Oct. 18, Campbell somehow acquired his teacher's user name to the system and got access to his grade. He then allegedly received money from three students in the class between Oct. 18 and Oct. 21 to change their grades, according to police. Campbell later gave the access information to another student, who turned him in to school authorities. From isn at c4i.org Thu Nov 11 04:39:27 2004 From: isn at c4i.org (InfoSec News) Date: Thu Nov 11 04:55:27 2004 Subject: [ISN] Ex-cybersecurity chief calls on feds to step up efforts Message-ID: http://www.govexec.com/dailyfed/1104/111004tdpm1.htm By William New National Journal's Technology Daily November 10, 2004 While progress is being made in the nation's efforts to ensure the security of its cyber assets, a revolution is needed in the federal government's thinking in order to win the "cat and mouse game" with cyber attackers, a former senior cybersecurity official said Wednesday. 
"The government doesn't know what its IT assets are," said Amit Yoran, who resigned as director of the Homeland Security Department's cybersecurity division last month. He added that the government is much like large multinational organizations, where cybersecurity awareness does not cut across all divisions. A recognized private-sector expert, Yoran said he tried to address the problem during his one-year stint at Homeland Security. By the time he left, he said the department had made progress in mapping which of the 127 federal entities are responsible for what parts of the government's cyber assets. His office found that there are 5,700 different "network blocks" across government. The division also began asking about agencies' Internet exposure in order to understand the risks. But scanning the 5,700 networks for that exposure is "a Herculean effort" and is ongoing, he said. Yoran spoke at a conference sponsored by the Computer Security Institute. Generally, Yoran said the government's risk assessments appear to be largely based on consultants' reports rather than on an actual examination of the systems. His vision for the government is to use the government-wide knowledge of risks to take more coordinated, effective security steps. There are "pockets" of top-flight cybersecurity skill within the government, Yoran said, and they need to be pulled together. Doing so will be fundamental to getting buy-in from the private sector, which owns about 80 percent of the nation's critical infrastructure, he added. Yoran said the future is bright for cybersecurity, especially for making more secure software. "We are still at the very early stages of cybersecurity," he said. A new way of thinking is ushering in the next generation of technologies, and the government needs to be out front in encouraging that transformation, he said. "We really need to revolutionize how we think about cybersecurity," Yoran said. 
"In three years time, there will be no definable perimeters on our systems." The typical systems, such as firewalls and intrusion-detection systems, will not be efficient any longer, he predicted. "You won't be able to protect or own all of the information you are providing to your customers," Yoran said. "In many cases, you won't even be able to identify where the data resides." Yoran's departure from the division caused concern among industry and in parts of the government that cyber security is not sufficiently high-profile in the government. He declined to comment on how the position should be structured, except to say that there should be sufficient access to senior-level decision-makers and that the person should have solid political skills. Yoran also said that while there is great experience at Homeland Security in physical security, "the same is not true for cybersecurity." From isn at c4i.org Thu Nov 11 04:39:42 2004 From: isn at c4i.org (InfoSec News) Date: Thu Nov 11 04:55:29 2004 Subject: [ISN] Viruses exploit Microsoft patch cycle Message-ID: http://news.com.com/Viruses+exploit+Microsoft+patch+cycle/2100-7349_3-5446624.html By Munir Kotadia Special to CNET News.com November 10, 2004 The creators of the latest MyDoom variant, which exploits a recently discovered iFrame vulnerability in Internet Explorer, may have timed the release of the viruses to throw Microsoft's monthly patch cycle into disarray, security experts say. In its latest monthly update on Tuesday, Microsoft was not able to fix a serious vulnerability in the Internet Explorer browser because the flaw was discovered only a few days before the company's regular update was due. The two variants of the MyDoom virus were released earlier this week, leaving the software giant without any option but to ignore the problem--for now. 
Sean Richmond, senior technology consultant at Sophos Australia, told ZDNet Australia that it would have been impossible for Microsoft to create and test a reliable patch in four days--the time between the vulnerability being published and Tuesday's patch update. "To release a stable patch for IE would be impossible (in that time) because they want to test it thoroughly before it goes out," Richmond said. "The monthly patch cycle was designed to make it easier for system administrators to schedule their updates, but a few days is just not enough time for Microsoft to create and test a patch." Ben English, security team leader at Microsoft Australia, told ZDNet Australia that Microsoft advocates a process of responsible disclosure and is "very keen" to discover any vulnerabilities before they are made public. "The reasons are very obvious. We would not disclose any info about a vulnerability till we have mitigation in place," English said. "The worst scenario for us is that we release an update which has quality problems. We believe the downstream problems of releasing patches too quickly are even more serious than not putting in the quality that they deserve." English would not comment on whether Microsoft thought the timing of the worm's and the vulnerability's disclosure was malicious, but he said that if the problem were serious enough, the company would break its patch cycle to plug the gap. "In terms of the timing, I have no comment on whether there is malicious intent," he said. "But in a sense, it is academic because if this is a serious vulnerability and we have a patch available, we will release it out of cycle." The MyDoom virus, also referred to as a worm, has been dubbed Bofra by some antivirus firms. Munir Kotadia of ZDNet Australia reported from Sydney. 
From isn at c4i.org Thu Nov 11 04:40:03 2004 From: isn at c4i.org (InfoSec News) Date: Thu Nov 11 04:55:31 2004 Subject: [ISN] My summer of war driving Message-ID: http://www.computerworld.com/mobiletopics/mobile/story/0,10801,97352,00.html Opinion by Demetrios Lazarikos NOVEMBER 10, 2004 COMPUTERWORLD For most people, summer is about taking a vacation with family or heading to a secluded place to get away. Earlier this year, I read an article about the number of wireless hacks that were increasing globally. What I found interesting was that the hacks were pretty basic and that most of the information on how to break into default systems, how to look for Wired Equivalent Privacy (WEP) being enabled and other wireless steps could be found in a Google search. I had decided at the beginning of the summer that I wasn't going to take any downtime or a vacation per se. Instead, I would validate through "war driving" in five cities that wireless networking isn't ready for prime time. My itinerary involved Omaha; Chicago; Ann Arbor, Mich.; Denver and Atlanta. War driving is driving around an area with a laptop computer and an 802.11 network card to identify the presence of wireless networks. One common thread through this mission was that the cities involved had some aspect of high-tech or higher education with an emphasis on IT security. Another common thread was that I had friends and family in these cities, so I had a place to stay. Let me preface my experience with wireless networks. I embrace new technologies and try to understand how to make the workplace safe with security controls. It's not uncommon for individuals or organizations to speed up the process of implementation and not put security controls in place. I've been involved with many aspects of security and try to be proactive by educating. In my opinion, wireless security can be implemented safely, effectively and efficiently. 
While on this mission, it was critical for me to identify if the following could be picked up from the war drive:

1. If WEP was enabled. The WEP encryption method was designed to provide wireless networks with the same security available in wired networks; however, there are some challenges with this standard.

2. The presence of the service set identifier (SSID), the name assigned to a wireless network. Usually, the SSID comes by default using the vendor's name and should be changed to something nondescript.

With these two pieces of information, an unauthorized user could be able to acquire access to a wireless network. Think about it. You're surfing the Net at home or in the office, and someone just hops onto your network connection. With information about whether or not WEP is disabled and SSID default settings, an unauthorized user could access your documents, financials or other sensitive information.

Packing my car with the necessary gear -- my Dell Inspiron laptop, a newly purchased Orinoco wireless network card, lots of CDs and my wireless 2-GHz antenna (code-named Jasmine) -- I started a cross-country trip from my home in Denver.

Omaha

The initial drive on my way to the Midwest was pretty mellow, with lots of time to think about what I was going to pick up on my first destination. As soon as I started to exit from I-80, Jasmine and NetStumbler started to pick up multiple wireless access points. I pulled over and started to collect data in downtown Omaha. The results were incredible for the short period of time that I spent there:

* 59 media access control (MAC) addresses identified in a 30-minute period
* 57 SSIDs were able to be identified
* 25 had WEP enabled
* 24 didn't have WEP enabled

Inventory of the manufacturers discovered:

* (2) Agere Systems Inc./Lucent Technologies Inc.
* (2) Apple Computer Inc.
* (3) Cisco Systems Inc.
* (2) D-Link Corp.
* (26) Linksys (which was acquired by Cisco last year)
* (7) NetGear Inc.
* (5) Symbol Technologies Inc.
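The per-city summary above (MAC count, SSIDs seen, WEP on versus off, and a vendor inventory derived from the first three octets of each MAC) can be produced from any listing of BSSID, SSID and WEP flag. The Python below is an added example for this page; it is not the author's tooling and it does not read NetStumbler's own export format. The tab-separated record layout, the six-entry OUI table, the list of factory SSIDs and the sample scan are all assumptions made for the example. Beyond the article's own counts it also flags the combination the article warns about: an open (no WEP) network still broadcasting a vendor default SSID.

```python
"""Tabulate a war-driving scan into the per-city summary used in the article.

Added example: not the author's tooling and not NetStumbler's export format.
The record layout, the OUI table and the default-SSID list are assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Assumed OUI -> vendor table (first three octets of the BSSID). A real run
# would load the full IEEE OUI registry; these six prefixes are enough here.
OUI_VENDORS = {
    "00:0C:41": "Linksys",
    "00:09:5B": "NetGear",
    "00:40:96": "Cisco",
    "00:05:5D": "D-Link",
    "00:30:65": "Apple",
    "00:02:2D": "Agere/Lucent",
}

# Assumed factory SSIDs; the article's point is that these should be changed.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "tsunami", "wireless", "dlink"}


@dataclass
class AccessPoint:
    bssid: str
    ssid: str   # empty string when the SSID was not broadcast
    wep: bool

    @property
    def vendor(self) -> str:
        # Vendor lookup on the OUI (first 8 characters of "aa:bb:cc:dd:ee:ff").
        return OUI_VENDORS.get(self.bssid.upper()[:8], "Unknown")

    @property
    def default_ssid(self) -> bool:
        return self.ssid.strip().lower() in DEFAULT_SSIDS


def parse_scan(text: str) -> list[AccessPoint]:
    """Parse tab-separated 'bssid<TAB>ssid<TAB>wep' lines; '#' lines are comments."""
    aps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, wep = (field.strip() for field in line.split("\t"))
        aps.append(AccessPoint(bssid, ssid, wep == "1"))
    return aps


def summarize(aps: list[AccessPoint]) -> dict:
    """Collapse repeat sightings of one BSSID, then count what the article counts."""
    unique: dict[str, AccessPoint] = {}
    for ap in aps:
        unique.setdefault(ap.bssid.upper(), ap)
    aps = list(unique.values())
    return {
        "macs": len(aps),
        "ssids": sum(1 for ap in aps if ap.ssid),
        "wep_enabled": sum(1 for ap in aps if ap.wep),
        "wep_disabled": sum(1 for ap in aps if not ap.wep),
        "vendors": Counter(ap.vendor for ap in aps),
        # The combination the article warns about: no WEP and a factory SSID.
        "open_default": sorted(ap.bssid for ap in aps if not ap.wep and ap.default_ssid),
    }


def format_report(city: str, minutes: int, summary: dict) -> str:
    """Render the summary in the article's bulleted style."""
    lines = [
        city,
        f"* {summary['macs']} MAC addresses identified in a {minutes}-minute period",
        f"* {summary['ssids']} SSIDs were able to be identified",
        f"* {summary['wep_enabled']} had WEP enabled",
        f"* {summary['wep_disabled']} didn't have WEP enabled",
        "Inventory of the manufacturers discovered:",
    ]
    for vendor, n in sorted(summary["vendors"].items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append(f"* ({n}) {vendor}")
    lines.append(f"Open networks on a factory SSID: {len(summary['open_default'])}")
    return "\n".join(lines)


# Constructed sample scan (not a real capture); one BSSID is heard twice and
# one access point is not broadcasting its SSID.
SAMPLE_SCAN = """\
# bssid\tssid\twep
00:0C:41:12:34:56\tlinksys\t0
00:0C:41:AB:CD:EF\thomeoffice\t1
00:09:5B:00:11:22\tNETGEAR\t0
00:40:96:33:44:55\tcorp-guest\t1
00:05:5D:66:77:88\t\t0
00:30:65:99:AA:BB\tApple Network 99aabb\t1
00:0C:41:12:34:56\tlinksys\t0
"""

if __name__ == "__main__":
    print(format_report("Sample city", 30, summarize(parse_scan(SAMPLE_SCAN))))
```

Deduplicating on BSSID before counting matters: a slow drive past one access point produces many sightings, and counting sightings rather than unique BSSIDs inflates every figure in the summary.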
I figured this would be a good baseline. If I could drive in a city for 30 minutes and gather this information, I felt my summer experience would prove that wireless security still needs a great deal of attention. I pulled into my friends' driveway and started to haul the gear into their house. Mr. Mom's (my friend is a stay-at-home dad) eyes popped out of his head. "What the heck is that?" he asked. Jasmine is always a nice conversation piece to have with me at the airport, at the house or on a vulnerability assessment. I demonstrated how it worked, and while doing so, I picked up another five wireless networks within five minutes. I left early the next morning. I wanted to get to Chicago at a reasonable time so I could do some quality war driving before people went home for the day.

Chicago

I arrived in Chicago by early afternoon and checked in with some friends who live downtown. The Captain and his wife have been friends for some time. Actually, the Captain is responsible for my being on a computer. He gave me my first Commodore VIC-20 and taught me how to make those early computers sing with 64KB of memory. We got into the car and loaded the gear. I was driving slowly downtown, and with my car's Colorado marker plates, it was only a matter of time before we were gathering stares from local cops on horses. Our patience paid off. We spent a little over half an hour downtown and were able to gather the following information:

* 165 MAC addresses identified in a 30-minute period
* 164 SSIDs were able to be identified
* 28 had WEP enabled
* 137 didn't have WEP enabled

Inventory of the manufacturers discovered:

* (2) Agere/Lucent
* (18) Apple
* (10) Cisco
* (29) D-Link
* (52) Linksys
* (16) NetGear Inc.
* (1) Senao International Co.

Ann Arbor

After a brief visit in Chicago, the Captain told me that they were going up north to see his in-laws and I was welcome to tag along. I accepted, and several hours later we picked up another friend, Old Timer.
I also bought a battery charger for the car from RadioShack. I was quickly burning through laptop batteries, but I needed to keep the laptop charged for more driving efforts. We arrived at the University of Michigan around midday. As we approached Greek Row, Jasmine lit up, and we were capturing more data. Old Timer commented on how many "thunk" sounds NetStumbler was making as we gathered more statistics:

* 222 MAC addresses identified in a 30-minute period
* 221 SSIDs were able to be identified
* 75 had WEP enabled
* 147 didn't have WEP enabled

Inventory of the manufacturers discovered:

* (1) Acer Inc.
* (13) Agere/Lucent
* (6) Apple
* (11) Cisco
* (20) D-Link
* (56) Linksys
* (22) NetGear
* (3) Senao International

Denver

I was feeling pretty good about my drive, and I headed back to Colorado after spending time with my family back in the Midwest. When I arrived in Denver, I drove through downtown like I did the other cities. Operating on autopilot, I fired up Jasmine and started to gather my data. It wasn't that hard driving and managing the computer by now. With three cities under my belt, it was easy to manage this by myself. Setting up Jasmine in the back window, I drove for 40 minutes while gathering information. Here's what I found:

* 175 MAC addresses identified in a 40-minute period
* 168 SSIDs were able to be identified
* 29 had WEP enabled
* 146 didn't have WEP enabled

Inventory of the manufacturers discovered:

* (4) Acer
* (9) Agere/Lucent
* (12) Apple
* (18) Cisco
* (24) D-Link
* (37) Linksys
* (15) NetGear

I was satisfied. Or so I thought.

Atlanta

Toward the middle of August, I received a phone call from some friends in Atlanta, which got me thinking about Atlanta as another city where I could gather war-driving data. Two weeks after the call, I arrived in my final war drive city. After lunch and catching up with my friends, I walked through the business district and let Jasmine do her thing.
This time, I was on foot so I could take my time and gather data at a relaxed pace. Atlanta was alive with wireless networks:

* 392 MAC addresses identified in a 2-day period on foot
* 343 SSIDs were able to be identified
* 119 had WEP enabled
* 273 didn't have WEP enabled

Inventory of the manufacturers discovered:

* (12) Acer
* (7) Agere/Lucent
* (26) Apple
* (37) Cisco
* (48) D-Link
* (63) Linksys
* (24) NetGear

Overall, I was pleased with the time I took off this summer. I was able to demonstrate some basic data gathering from vulnerable wireless networks. I was reminded of several issues while writing this article:

1. People who use wireless networks should implement secure controls before going live with a wireless network.

2. Wireless networks are ready for prime time if security controls are implemented properly.

3. The cyberworld never sleeps.

This summer project really has me thinking of what research I could accomplish if I take some time off during the winter holidays.

Demetrios "Laz" Lazarikos, CISM, is an IT security consultant and auditor who has worked with small to midsize businesses, Fortune 500 companies and government agencies for more than 18 years. He is the co-author of Cover Your Assets: A Guide to Building and Deploying Secure Internet Applications, which has been used to help define the security awareness training for companies including Galileo International Inc. He can be reached at security (at) laz.net

From isn at c4i.org Thu Nov 11 04:40:17 2004 From: isn at c4i.org (InfoSec News) Date: Thu Nov 11 04:55:33 2004 Subject: [ISN] Cyber crime tools could serve terrorists Message-ID: http://www.reuters.co.uk/newsArticle.jhtml?type=internetNews&storyID=6778715 By Michael Christie 11 November, 2004

MIAMI (Reuters) - The hacking and identity theft tools now earning big money for mainly eastern European organised crime could be used by terrorists to attack the United States, an FBI official has said.
FBI Deputy Assistant Director Steve Martinez said on Wednesday cyber crime was no longer the domain of teenage geeks but had been taken over by sophisticated gangs. "Tools and methods used by these increasingly skilled hackers could be employed to cripple our economy and attack our critical infrastructure as part of a terrorist plot," Martinez told a conference in Miami on Internet security. People had to assume, he said, that terrorists would seek to hire hackers to "raise money, aid command and control, spread terrorist propaganda and recruit more into their ranks and, lastly and most ominously, attack at little risk." The seminar in Miami, hosted by Florida International University, focused on the growing incidence of "phishing," in which hackers send computer users e-mails to convince them to enter financial data or passwords in fake Web sites. Victims can compromise their credit cards, bank accounts and even their identities. Martinez, acting head of the FBI's Cyber Division, said the agency had not seen traditional organized crime in the United States migrate to the Internet but that eastern European gangs had embraced cyber crime with enthusiasm. "They're targeting your money, access to your personal information, identity. They're doing it on a massive scale. The price of a credit card number is dropping into the pennies now," he said. The FBI was trying to convince foreign law enforcement agencies to crack down on the culprits, he said. In many former Soviet republics, laws covering cyber crimes were inadequate and the U.S. Justice Department was working with foreign governments to fill the legal gaps, he said. In the meantime, he said the risk of cyber terrorism post-September 11, 2001, should not be ignored. The Internet could allow attackers to remain anonymous, to strike at multiple targets from a distance, and escape detection. Critical infrastructure such as water, power and transportation systems remained vulnerable, Martinez said. 
"In the future cyber terrorism may become a viable option to traditional physical acts of violence," he said. "Terrorists have figured out that we have a technological soft underbelly."

From isn at c4i.org Thu Nov 11 04:40:36 2004 From: isn at c4i.org (InfoSec News) Date: Thu Nov 11 04:55:35 2004 Subject: [ISN] 'Hacking Exposed' author sees major threats ahead Message-ID: http://www.itbusiness.ca/index.asp?theaction=61&lid=1&sid=57287 by Martin Slofstra 11/10/2004

Stuart McClure has already put hackers in the spotlight. Now he's ready to shine it on himself. As the former president and chief executive of security software firm Foundstone, McClure's profile rose even higher earlier this year when the company was acquired by McAfee, Inc. McClure, author of the book Hacking Exposed, has chosen to stay on with McAfee as a vice-president of risk management and product development. McClure was in Toronto this week to discuss his transition to the larger firm and the evolution of IT security in the enterprise.

ITBusiness.ca: Security has been a No. 1 IT issue for quite some time now. Why does it continue to be top of mind?

Stuart McClure: First, it's nothing that you can actually achieve and determine that you are successful. Because security is evolving and changes all the time, and the fact that it is a process, and it's not something that you can buy or make -- I just don't see it ever going away.

ITB: Do you then see the threat escalating and should we be more worried than ever?

SM: It depends on how you look at security. If you look at it from the perspective that vendors are better at making their products more secure, the answer is yes. If you look at it from what it means to me, and how it will affect me on a day-to-day basis, you have to be more worried.

ITB: Identity theft, spyware and phishing are the security threats du jour, but how real are they?

SM: Spyware is one of the biggest plagues of this decade. It's a big threat because there is money to be made.
You have businesses that make a lot of money from understanding and tracking people that buy and sell, and that use the Internet. And they are getting more and more sophisticated with technology so low-level that it makes it difficult to remove. It will only go away if we are regulated at some point and say, "You cannot do this." Phishing is something that will hit any company with an online presence of some sort where they have user names and passwords into these systems. This is money-driven as well. I got one this week (that appeared to be from) Citibank. People will send out blanket e-mails that spoof a bank, for example -- "We are having problems with your account and log into this server and make sure it works." What do nine out of 10 people do? They'll click it. It looks incredibly legitimate.

ITB: Most of these scams, though, can't you spot them from a mile away?

SM: They've gotten very sophisticated. If you weren't savvy, it would be very hard to tell. The one from Citibank, which I checked out, is from a server in China, and there is a lot of speculation whether this is a government-sponsored effort or a commercial effort. It's a big problem, they want to get your password so they can take over your identity. I myself have been a victim of identity theft. I know it's real.

ITB: How long did it take for you to realize this?

SM: It was a matter of weeks. It came out of an (industry) event. I moved from San Francisco to Los Angeles, and during the move, I lost everything in the truck. As soon as that happened, I panicked. I'm at the new house with no truck. I go through the inventory of everything in the truck -- passport, social security card and backup driver license -- you name it. I think to myself I could get hit with identity theft. I figure out a week later this is a big problem, I notify all the credit card companies, everything you are supposed to do. Multiple attempts were made about two weeks after that event.
A number of our employees were hit as well. The speculation was that it had to be a targeted effort because there were five or six of our employees that had that problem. It's very real, it happens a lot. It's so simple to do this.

ITB: Your book, Hacking Exposed, is now in its fourth edition. Is the feeling also here that we should be more concerned than ever?

SM: I do think we need to be more aware than ever, but not because there are more vulnerabilities. It's pretty static now. We are actually seeing a dip. The bigger concern is that a lot of companies are trying to consolidate and reduce expenses. So they standardize. When you have a homogenous environment, it's much easier for a worm to get around.

ITB: Meanwhile, the act of hacking itself has gone from more of a sporting exercise to an act of corporate espionage.

SM: In the last five years, there has definitely been an increase in organized government hacks and international hacker groups. Oftentimes you wouldn't even know it. The hacker has been sitting there for months or it's from the inside. We still get tons of calls, we come in and clean up a mess, and try to help prevent it happening again in the future.

ITB: There's a trendiness to computer security violations, isn't there? A year or two ago, it seems all we heard about were denial of service attacks.

SM: Or maybe you are hearing less about it. I have a friend at an Internet Service Provider and he says they are still getting quite a lot of these. In its simplest form, it is a cat and mouse game, and it's trying to be smarter than the hacker. The old adage, "You don't need to be the most secure house on the block, you just need to be more secure than your next door neighbour," really holds true here. You don't have to be perfect -- there is no such thing anyway. You need to be the company that says, "We may have hackers that hang around a door for an hour or two, but then they give up."
ITB: So does this also mean that if a hacker wants to go after a bank, they'll go out and find the easiest bank to hack.

SM: There are two types of attacks -- direct and random. Random will self-propagate while directed attacks are very difficult, slow and could take a long time to produce. They are often monetarily or politically motivated. But again, because hackers get more sophisticated, it is a cat and mouse game.

ITB: Does Windows continue to be the most vulnerable platform?

SM: That's actually a bit of a presumption. Earlier this year, I did a study. I put together a spreadsheet with all vulnerabilities since 1999. You always get the question that Microsoft Windows must be the least secure because there so many vulnerabilities. I don't know if that is true. I looked at Linux, Novell and Windows, and once I normalized the data -- which means if there is an Internet Explorer vulnerability in Windows, there could be a Mozilla vulnerability in Linux -- once we normalized that out, Linux had more.

ITB: What should CIOs be thinking about a year out or so?

SM: In terms of future threats, I believe one hundred per cent that we are going to have a zero-day incident, probably in months, which means that a worm will hit the Internet or your business where you will not be able to fix the worm. It will continue to take out more and more systems. The reason I say that is I looked at all the research I got from 1999 to 2004, and all the worms, and all the core vulnerabilities and how quickly the worm came out. It went from vulnerability-to-worm in 280 days in 1999, to 10 days in 2004, and one of those worms was in 48 hours.

ITB: So they are being developed a lot faster. Could this mean that some corporations will be ground to a halt?

SM: I'm seriously worried about this. And it will happen, probably next year.

ITB: But corporations have huge networks with thousands of people and thousands of access points. Are you saying it could all shut down?
SM: It will probably target Windows or it could target Cisco and it will exploit something that will keep it spreading. Even if you have redundant systems, it's not going to matter because if you bring up the new system, it will just get re-infected.

ITB: So how do you prevent this, besides awareness?

SM: There is only one thing to do, and this is to try to mitigate the threat as much as possible before it comes out. The problem, though, is you don't know all the mitigating factors, you can't get 100 per cent. You can say, I'm going to make sure all my firewalls are blocking a certain port and all my anti-virus is up to date, but the bottom line is that it will happen.

ITB: What else should we worry about?

SM: On the worm side, you also need to worry about the multi-platform variety of some of the worms that are coming out. Some of these worms are going to be very virulent, and they will be known by how well they change or morph and still survive. We are seeing viruses and worms getting more sophisticated and more cross-platform. This is not rocket science, they are not very hard to do.

ITB: They used to be considered nuisance threats, now they seem to be potentially global enterprise destroying threats.

SM: They certainly have that potential. And if the overstatement gets the attention to fix it, then it's okay to overstate it. The absolute reality is that it could happen. I could write it myself. Will somebody else write it? Yes. Eventually.

From isn at c4i.org Mon Nov 15 05:48:04 2004 From: isn at c4i.org (InfoSec News) Date: Mon Nov 15 06:02:15 2004 Subject: [ISN] NSA honors security efforts Message-ID: http://gcn.com/vol1_no1/daily-updates/27885-1.html By Dawn S. Onley GCN Staff 11/12/04

The National Security Agency handed out two information assurance awards during a ceremony at Fort Meade, Md., recognizing excellence in protecting Defense Department networks. Army Lt. Col. Timothy Buennemeyer won the Frank B. Rowlett individual excellence award for leading the Pacific Command's Computer Network Defense Team. Buennemeyer established PACOM's Computer Network Vulnerability Team, leading the group to finish more than 4,500 system patches within 6 months without losing mission capabilities, and successfully coordinating the vital system certification and accreditation process that approved more than 130 mission-critical information systems. The Transportation Command's Information Assurance Branch, C4 Systems Directorate, won the 2003 Rowlett Organizational Excellence Award for its successful joint information assurance programs. The directorate was honored for advancing security capabilities, enhancing operational readiness and establishing new standards for coordination and analysis, according to an NSA release. NSA established the Rowlett Awards in 1989 to salute excellence in information assurance. Rowlett was a distinguished cryptologic pioneer at NSA.

From isn at c4i.org Mon Nov 15 05:47:54 2004 From: isn at c4i.org (InfoSec News) Date: Mon Nov 15 06:02:18 2004 Subject: [ISN] How a guy's gizmo spread fear at Fed Message-ID: Forwarded from: William Knowles http://www.nydailynews.com/front/story/251774p-215484c.html BY THOMAS ZAMBITO DAILY NEWS STAFF WRITER November 11, 2004

It nearly sparked a financial catastrophe. An electrician's homemade gadget wreaked havoc on the Federal Reserve Bank of New York, causing computer convulsions at a facility that houses the world's biggest cash vault, the Daily News has learned. The foulup short-circuited the career of journeyman electrician John Cravetts, who was fired though he insists he meant no harm. But it could have been much worse, according to papers filed in Manhattan Federal Court. "The results could have been catastrophic," said Barry Schindler, an attorney for the New York Fed.
Fed officials say they might have had to shut down computers that process some $2.5 trillion in funds and securities payments and $4 billion in checks every day. Fortunately, backup systems kicked in after the Nov. 17, 2002, incident. The heavily guarded facility in East Rutherford, N.J., is also home to a vault that handles more than $1 billion in currency, coins and food coupons. Cravetts, 62, was canned two weeks after the incident. A surveillance tape caught him using the crude device - two red wires strung between an ordinary household switch and plug. He later filed an age discrimination suit and also charged his firing was retaliation for reporting an electrocution hazard at the facility where he'd worked for almost 10 years. Manhattan Federal judge Harold Baer tossed out Cravetts' claim this week. "I had an unblemished record," Cravetts told The News yesterday. "What I did was in good faith. I did not do anything malicious," added the licensed electrician, who has since found a new job. "What do they think I'm going to do, sabotage it?" Although Fed attorneys presented a near-doomsday scenario in court filings, Fed spokesman Peter Bakstansky downplayed the incident yesterday. "There was no point at which the operations of the Fed were in danger," Bakstansky said. "We stopped him. ... We have a lot of redundancy." Cravetts had been asked to locate circuit breakers on the Fed computers that had not been properly labeled. He used his gizmo to conduct the search, plugging it in and tripping breakers, knocking out power as he went along. Cravetts told The News his superiors knew he used the device. He had made four of them at work. Fed attorneys say he should have used a device that sends a harmless tone back to the breaker and doesn't cause disruptions. Cravetts said that for more than a year, he had asked his bosses to order the manufactured device needed for the job, but they never did. 
*==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ---------------------------------------------------------------- C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================*

From isn at c4i.org Mon Nov 15 05:48:20 2004 From: isn at c4i.org (InfoSec News) Date: Mon Nov 15 06:02:19 2004 Subject: [ISN] Japanese Government Bans Security Researcher's Speech Message-ID: http://www.ejovi.net/archives/2004/11/japanese_govern.html November 12, 2004

[JUKI net is Japan's national ID system. Ejovi performed a security audit of the system for Nagano Prefecture one year ago]

It's been a long day. I am greatly disappointed that Soumushou, the Japanese government that maintains JUKI net, prevented me from speaking today at the PacSec security conference. Soumushou prevented my talk by threatening the Japanese event organizers, who are currently seeking contracts from the government. The Japanese government gave me two options. 1) Do not talk 2) Drastically change your slides to say what they want me to. When I offered to not use slides at all and give my own opinion they told me that I would not be permitted to speak AT ALL. It is obvious to me that they did not have an issue with my slides or presentation. They were afraid that I would draw attention to problems in JUKI net. Soumushou thinks that they can hide from the issues. They think that if they keep people from speaking about the issues, it will go away. I thought I would be immune from such Japanese government pressures; however, I underestimated Soumushou's ability to manipulate those around me.
Soumushou's reason for forbidding me to speak was this: "Since we are endorsing the convention we have the right to tell you not to speak." If this is the case, the Japanese government need only sponsor or endorse ANY event they don't agree with and force the organizers to change the content. If this is the case Japan will never make any progress towards a safer environment. What is most upsetting to me is the fact that I HAD NO PLANS TO CRITICIZE the Japanese government. My talk was going to be extremely fair and balanced, addressing the issues raised by both sides. In fact I invited Soumushou to meet with me directly so that I could address any issues they may have. I told them this on the telephone and by email. Instead they chose to pressure the Japanese representatives of the conference. They never attempted to talk with me directly. Why is this? If they had issues with something I may say, why not ask me about it? Why pressure a company that relies on government contracts? Is this fair? The purpose of my talk was to present both sides of JUKI net security systems. I have no vested interest in seeing it fail or in seeing it succeed. I only wanted to recommend how best to make it safer, how best to improve the system. But Soumushou believed that my recommendations on how to improve its security alone would mean that JUKI net has problems, and they refused to admit this. I'm sorry to tell them but it does have security problems. The good news is that the technical issues can be easily resolved. However the greatest problem with JUKI net is not technical but Soumushou's inability to even acknowledge that they exist! How can a system become secure if the Japanese government are not willing to listen to someone who points out issues? Today was a sad day for Japan and a frustrating day for me.
From isn at c4i.org Mon Nov 15 05:48:33 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 15 06:02:20 2004
Subject: [ISN] Defendant: Microsoft source code sale was a setup
Message-ID:

http://www.theregister.co.uk/2004/11/12/microsoft_source_code_sale_was_setup/

By Kevin Poulsen
SecurityFocus
Nov 12 2004

A 27-year-old Connecticut man facing felony economic espionage charges for allegedly selling a copy of Microsoft's leaked source code for $20 says he's being singled out only because the software giant and law enforcement officials can't find the people who stole the code in the first place.

"They're using me as an example, to show if you do something like this, they're going to [work] you over," said William Genovese, in a telephone interview Thursday. "Why go after me? Why not go after the guy who took the code? Why not go after the guy who released it on the net?"

In February, two 200 megabyte files containing incomplete portions of the source code for the Windows 2000 and Windows NT operating systems appeared on websites and peer-to-peer networks around the world. Evidence in the files pointed to Microsoft partner Mainsoft, a developer of Unix tools for Windows, as the original source, but how the files were leaked, and by whom, remains a mystery.

What distinguishes Genovese from perhaps thousands of other curious computer geeks who shared the proprietary source code at the time is a short message he posted to his website, illmob.org - a hacker destination from which he distributes open source intrusion tools written under his handle, "illwill."

"Everyone was throwing up Bit Torrent links and downloading it on IRC," says Genovese. "I wrote on my website, joking, I have it, and if anybody wants it they can donate to my site."

Genovese claims he meant it as a joke, and he was surprised when someone actually responded a few days later and asked how much he should donate.

"I was laughing, because I thought it was somebody stupid who wanted it and didn't know how to download it," he says.

The stranger gave Genovese $20 through the PayPal donation button on his website, and Genovese let him download a copy of the source code from his server.

In July, the same man contacted Genovese again. "He emailed me again and said he had formatted his computer and basically he wanted to download the source again," says Genovese. "I didn't have it any more, and he said if you can find it I'll send you more money just for the hassle."

Genovese says he found the files easily on a peer-to-peer network, and again provided them to the donor.

He isn't laughing any more. According to court records, the mysterious donor was actually an investigator with an unnamed online security firm that Microsoft had hired to track people sharing the source code online. After the first "sale" was complete, Microsoft reported Genovese to the FBI. The Bureau took the case seriously, and the Microsoft investigator arranged the second transaction at the FBI's request.

'Economic Espionage'

Armed with a federal criminal complaint out of Manhattan, FBI agents converged on Genovese's Connecticut home early Tuesday morning, searched his condo and arrested him. Now free on a $50,000 signature bond, Genovese stands accused of violating the 1996 Economic Espionage Act.

Passed to meet the perceived threat of foreign espionage against American companies, the Economic Espionage Act carries up to ten years in prison for stealing trade secrets for personal financial gain, or for a third party's economic benefit. For the first five years of its existence the law could only be used with approval from the Justice Department in Washington -- a limitation that was lifted in March, 2002.

The $20 payment is what opened the door for prosecutors to invoke the rarely-used law, says attorney Jennifer Granick, executive director of the Stanford Center for Internet and Society. "The statute requires you to act for the economic benefit of someone other than the trade secret owner," she says.

"The real question is whether this information remains a trade secret after it is globally available to anyone with an Internet connection," says Granick. "This is something that the courts have been grappling with, so it's pretty shocking that the government would pursue criminal charges for something that the civil courts can't even agree on."

Government offices were closed Thursday for Veteran's Day. Microsoft declined to comment for this story.

Although the complaint describes him as a "vendor" of stolen source code, Genovese says the only person who took his website post seriously was Microsoft's undercover agent. He claims that the same person later purchased another widely-traded underground file, the Paris Hilton video, for a $15 payment, though the transaction escaped mention in the complaint.

If convicted, under federal sentencing guidelines Genovese's sentence would be based on the value of the source code, if any, and his criminal history: Genovese has a conviction for intruding into private users' computers in 2000 and spying on their keystrokes, for which he was sentenced to two years of probation.

"It happened right after I got my computer," he says. "I started using Trojan horses and stuff like that, and I ended up getting in trouble."

From isn at c4i.org Mon Nov 15 05:48:43 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 15 06:02:22 2004
Subject: [ISN] DARPA wants info about war ideas
Message-ID:

http://www.fcw.com/fcw/articles/2004/1108/web-darpa-11-12-04.asp

By Frank Tiboni
Nov. 12, 2004

Defense Advanced Research Projects Agency officials want ideas on using computational techniques to disrupt enemy leaders' decision-making processes.

DARPA officials want papers on the topic by Dec. 10. They will choose the best ones and ask the authors to attend a meeting in late January 2005, according to a Nov. 10 notice on the Government Business Opportunities Web site.

Military officials' growing emphasis on information warfare precipitated the request. Information warfare involves the use of applications, radio frequencies and psychological means to dissuade and deter U.S. enemies.

"The enemy command organization's structure and processes are often little known to the friendly forces and difficult to observe," DARPA's notice states. "Such organizations evolve and change rapidly, especially during a military operation, due in part to physical attrition as well as to other factors."

To view the notice, go to: www2.eps.gov/spg/ODA/DARPA/CMO/SN05%2D09/Synopsis.html

From isn at c4i.org Tue Nov 16 08:34:06 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 16 08:49:35 2004
Subject: [ISN] Linux Security Week - November 15th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  November 15th, 2004                          Volume 5, Number 45n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Sloppy Sysadmins Leave Linux Security Lacking," "CLASS 5 Automated Vulnerability Remediation," and "Building a LAMP Server w/ LDAP Authentication."

----

>> LinuxSecurity.com Version 2 <<

Get ready ... the new LinuxSecurity.com site will soon be revealed. The same great content you've come to expect with a whole new look and great new features. A sneak preview is coming soon!
----

LINUX ADVISORY WATCH:

This week, advisories were released for xpdf, libtiff3, sasl, shadow, ruby, freeam, gzip, libgd1, gnats, libgd2, Gallery, ImageMagick, zgv, mtink, Apache, pavuk, samba, libxml, webmin, and speedtouch. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, and Trustix.

http://www.linuxsecurity.com/articles/forums_article-10247.html

Mass deploying Osiris

Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and, at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel.

http://www.linuxsecurity.com/feature_stories/feature_story-175.html

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Sloppy Sysadmins Leave Linux Security Lacking
  November 12th, 2004

  Linux has gaping security holes caused by systems administrators who either can't or won't keep up with the latest patches, according to a report from British security firm mi2g.

  http://www.linuxsecurity.com/articles/server_security_article-10248.html

* Say hello to the 'time bomb' exploit
  November 12th, 2004

  Prepare yourself for "time bomb" exploits that attack web-based systems at a pre-determined time.

  http://www.linuxsecurity.com/articles/network_security_article-10249.html

* Security pros bemoan need for tactical focus
  November 12th, 2004

  Operational and tactical considerations continue to dominate the IT security agenda, despite a growing need for more strategic approaches to data protection, said attendees at the Computer Security Institute's annual conference here this week.

  http://www.linuxsecurity.com/articles/general_article-10251.html

* Exclusive interview of DK Matai with Linux/Security Pipeline
  November 12th, 2004

  This exclusive interview with Mitch Wagner and Tom Dunlap at Security Pipeline in California succeeded the mi2g Intelligence Unit's response to Matthew McKenzie and Scott Finnie on 6th November to the Linux Pipeline article "Experts Challenge mi2g security study" authored by Tom Dunlap and published on 5th November.

  http://www.linuxsecurity.com/articles/forums_article-10250.html

* CLASS 5 Automated Vulnerability Remediation
  November 11th, 2004

  CLASS 5 AVR (Automated Vulnerability Remediation) is a tiered architecture platform that provides customizable and automated remediation capabilities based on user-defined action policies when vulnerabilities are reported.

  http://www.linuxsecurity.com/articles/host_security_article-10244.html

* Guardian Digital Offers Free Sarbanes Assessment
  November 10th, 2004

  Guardian Digital, Inc., the world's premier provider of open source security solutions, today announced the launch of a new initiative aimed at helping companies assess their network-readiness in meeting Sarbanes-Oxley (SOX) legislation requirements.

  http://www.linuxsecurity.com/articles/vendors_products_article-10240.html

* The reality of virtual servers
  November 9th, 2004

  Server virtualization is one of those rare technologies that sounds too good to be true, but it's real. Its earliest use was to consolidate underutilized server hardware onto a smaller number of machines. Since those early days, it has grown into a multipurpose solution that enables greater reliability, improved management, and other benefits that make it an all-but-indispensable tool for enterprise datacenter administrators.

  http://www.linuxsecurity.com/articles/general_article-10230.html

* Recovering From an Attack
  November 8th, 2004

  No matter the size of your network, sooner or later you'll have to clean up an infected machine. Recovery from an attack can be daunting, but following some simple steps will make it less painful.

  http://www.linuxsecurity.com/articles/security_sources_article-10220.html

+------------------------+
| Network Security News: |
+------------------------+

* Cisco Beefs Up WLAN Security
  November 10th, 2004

  Cisco Systems Wednesday unveiled a line of enterprise-grade multi-band wireless access points that include beefed up security. It also said it is adding intrusion detection capabilities for its entire Structured Wireless-Aware Network (SWAN) wireless LAN framework.

  http://www.linuxsecurity.com/articles/vendors_products_article-10238.html

* Is Gap Growing Between Security Haves and Have-Nots?
  November 9th, 2004

  Patch management, compliance and vulnerability management all vied for the attention of attendees on Monday at the Computer Security Institute's annual Computer Security conference here. However, some security professionals worried about a new digital divide: large enterprises that can afford security and small companies that can't.

  http://www.linuxsecurity.com/articles/security_sources_article-10232.html

* Building a LAMP Server w/ LDAP Authentication
  November 9th, 2004

  This tutorial is designed to guide you through the initial steps of setting up an Apache, MySQL, and PHP server on Linux which will utilize an external LDAP server for authenticating users. The server will be able to use either Apache's authentication process (i.e. via httpd.conf), or PHP's (i.e. coded into your app).

  http://www.linuxsecurity.com/articles/documentation_article-10227.html

* Interview: The men behind ettercapNG
  November 9th, 2004

  In 2001 two Italians released the first beta version of ettercap, a network protocol analyzer. This summer they released ettercapNG, which was completely rewritten from scratch with better, modular code, making it easier to add new features and write and submit patches. Ettercap is now covered in most security books.

  http://www.linuxsecurity.com/articles/projects_article-10228.html

* Prevention Methods Shore Up Wireless LAN Defenses
  November 8th, 2004

  Security developers took more than a decade to move from intrusion detection to intrusion prevention in the world of wired networking. But in the fast-paced wireless space, vendors are already jumping on prevention as the first step in security.

  http://www.linuxsecurity.com/articles/network_security_article-10223.html

+------------------------+
| General Security News: |
+------------------------+

* IT Managers Have False Sense Of Security
  November 15th, 2004

  Corporate IT managers are a bit bi-polar when it comes to network security, said a survey released this week at the Computer Security Institute's annual conference in Washington, D.C. Just as an overwhelming majority of IT execs think that their networks are safer than they were a year ago, an even larger percentage admit that attacks are on the rise.

  http://www.linuxsecurity.com/articles/network_security_article-10252.html

* Security company defends Linux-is-vulnerable survey
  November 11th, 2004

  A UK security company has published an open letter following a furore in the Linux camp after a study claimed that nearly two thirds of successful Internet-based attacks occurred on the open source operating system.

  http://www.linuxsecurity.com/articles/general_article-10246.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Nov 16 08:34:34 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 16 08:49:38 2004
Subject: [ISN] Annual Computer Security Conference reminder
Message-ID:

Forwarded from: ACSAC Announcement List

Just to remind you that the 20th Annual Computer Security Applications Conference (ACSAC) in Tucson, AZ, is three weeks away and that:

* The last day to pay the discounted Conference fee is 17 November 2004
* The last day for getting a room at the Conference hotel (see below) is 17 November 2004
* The Advance Program is available at our web site http://www.acsac.org

The conference for our 20th year will be held in Tucson, Arizona, USA, at the Hilton Tucson El Conquistador Golf & Tennis Resort from 6-10 December 2004. The Resort provides a comfortable setting - both indoors and outdoors - for meeting and discussing issues, lessons learned, and possible solutions with presenters, authors, tutorial instructors, and other Conference attendees.

You can register for the conference at our web site http://www.acsac.org. However, you must either telephone or mail your request for a room at the Resort at the Conference rate.
Note that there is only a limited number of rooms available at the prevailing Federal Government per diem lodging rate (currently $76.00 per night) plus taxes. The telephone number and address are also at our web site: once there, click "General Information" and then "Hotel Reservations."

This year, the Conference will be providing 6 full-day, pre-conference tutorials for information security novices as well as experienced veterans:

Monday, 6 December:
- Information System Security Basics
- Security Risk Assessment Techniques
- Exploring IEEE 802.11i and Providing Secure Mobility

Tuesday, 7 December:
- Security Policy Modeling
- The Worm and Virus Threats
- Acquisition and Analysis of Large Scale Network Data

This year, the Conference will also be hosting two free, pre-conference workshops:

- Monday, 6 December: Workshop on Security Awareness Programs
- Tuesday, 7 December: Workshop on Trusted Computing

We are pleased to have Steven B. Lipner, Director of Security Engineering Strategy at Microsoft Corporation, as our 2004 Distinguished Practitioner, and Rebecca Mercuri, a recognized expert and researcher in the field of electronic voting from the Radcliffe Institute of Advanced Study at Harvard University, as our 2004 Invited Essayist. We're sure that their plenary presentations on Wednesday and Thursday morning, respectively, will be of interest to attendees and no doubt inspire discussion during the Conference luncheons and the Thursday evening Conference Dinner.

The ACSAC-20 Program (8 - 10 December) will include presentations of 35 refereed papers, a Classic Papers Session that revisits past issues that seem to persist today - "A1 is the Answer: What Was the Question?" and "A Look Back at Security Problems in the TCP/IP Protocol Suite," 16 Case Studies, 2 panels, and 1 debate.

Be sure to check out our web site for details not only about the presentations, workshops, and tutorials but also about the Resort and early Conference and Resort registration discounts.

http://www.acsac.org

You can help ACSAC reach people who might benefit from this information. Feel free to forward this message with a personal note to your friends and colleagues. They can sign up at the above URL.

ACSAC is sponsored by Applied Computer Security Associates, a not-for-profit all-volunteer Maryland corporation. Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206.

From isn at c4i.org Tue Nov 16 08:34:56 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 16 08:49:40 2004
Subject: [ISN] BlackBerry prickles Department of Defence spooks
Message-ID:

http://www.theage.com.au/articles/2004/11/15/1100384480556.html

By Rob O'Neill
November 16, 2004

Department of Defence communications spooks are restricting the use of wireless BlackBerry devices in government over concerns about the security of confidential and restricted information.

The Defence Signals Directorate (DSD), the nation's high-tech electronic eavesdropper, says the popular devices must not be used to transmit confidential or secret information or connect to systems that process it.

Agencies may use BlackBerry devices with systems that handle "unclassified, x-in-confidence (excluding cabinet-in-confidence) and restricted information".

Telstra, one of several providers of BlackBerry services, insists the systems are secure. "They are used by a lot of customers that require high levels of security in the financial services industry, and even the CIA and the Pentagon," a Telstra spokesman says.

Paul Osmond, Asia-Pacific regional director of BlackBerry developer Research In Motion, is "thrilled" the Government has decided the Department of Defence can use the device, because 18 months ago they were prohibited.

"Their restrictions are fairly common when you look at a first go-around," Osmond says. "They are similar to those the US defence forces put out when they first used it."
The DSD will review the guidelines in February when it is expected RIM and ISPs will seek to have their say.

The hand-held BlackBerry device, which allows access to corporate email, including attachments, from almost any location, has become the new must-have corporate accessory in the US and is receiving strong support here.

But the swarm of new mobile computing devices poses security challenges to government and private organisations. They are keen to have the functionality but worry about privacy and access.

Other consumer devices have also generated alarm. A British security firm's survey revealed Apple's iPod, which has large portable storage capacity and can be plugged into most PCs, is considered a threat.

Sometimes such concerns can seem overblown, as in 1999 when the Furby, a computerised toy, was banned from US National Security Agency premises because it could be used as a recorder.

From isn at c4i.org Tue Nov 16 08:35:30 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 16 08:49:43 2004
Subject: [ISN] Intercept Threats of Cisco IP Phones
Message-ID:

http://cryptome.org/cisco-holes.htm

Thanks to A.

14 November 2004

In the SIP images of Cisco 7960/7940 (and perhaps 7970/7980) phones, there is a "telnet" option which can be enabled. In the highest access mode of this interface, it is possible to activate a "test keys" mode, which would allow an external party to make calls to remote (external) destinations without the local user hearing any indication that the phone had been placed into "remote intercom" mode. The test key mode allows a telnet user to simulate the exact keystrokes of a local user.

Additionally, there is a feature called "auto-answer" which can be activated on a single line, meaning that whatever SIP username is associated with that line will also achieve an auto-answer (on speakerphone, if available) for that line. This also can be used as a remote area surveillance system. (Example: in our office, I have a special extension which calls all phones across the entire office and muxes them back into a single conference bridge, so that I can listen to the entire office at night to see if there is anything amiss (fan noises, UPS signalling, fire alarms, voices.))

Both variations create a bright green LED to light up on the deskset, and also the LCD screen shows the status of the "call" in progress, so there is some external indication that something is happening.

Cisco has made some progress in ensuring that "pirate" versions of code for the phones is not easily developed and uploaded; updated versions need to be cryptographically signed before the phone will upload them (exact methods unknown) which to some degree mitigates threat from versions which have no physical indications, though anything is possible with enough budget and brainpower.

Both of these "features" are available currently on the SIP images and present different threat situations for voice surveillance. I don't know if they're also available in the SCCP or H.323 versions of the code. Both are exceedingly dangerous, and telnet mode should never be enabled in an insecure (or even secure) environment. The intercom feature is also an issue, since there is no reverse authentication from the Cisco phones (another major failing in my opinion of Cisco's SIP practical implementation strategy.)

From isn at c4i.org Tue Nov 16 08:35:56 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 16 08:49:44 2004
Subject: [ISN] Desktop search engines threaten SSL VPN security
Message-ID:

http://www.nwfusion.com/news/2004/111504googledesktop.html

By Tim Greene
Network World
11/15/04

New PC indexing tools such as Google Desktop Search pose security risks to businesses that use SSL remote access because the tools copy material accessed during SSL sessions and make it available to unauthorized people who later use the same PC.
Caches created by PC search tools get around security many SSL vendors have put in place to purge cached data from remote machines as secure sessions shut down. These so-called cache-cleaning agents wipe out temporary files created during SSL sessions, but they don't wipe out the copies made by the search tools.

"You could end up caching and indexing files you don't want cached and indexed on machines outside your control," says Dan Harman, remote access administrator for real estate developer Lewis Group in Upland, Calif., which uses SSL remote-access gear made by Whale Communications.

One touted benefit of SSL remote-access technology is that any machine with a Web browser can be used to access a corporate network securely. The downside is that the PCs might not be owned by the corporation, so any number of unauthorized users could have access to them. "This tends to negate user authentication," says Rick Fleming, CTO of Digital Defense, a vulnerability assessment company.

Besides Google's product, such search engines are made by Blinkx, Copernic, ISYS Search Software and X1. Yahoo and Microsoft are said to be on the verge of having them, too.

SSL VPN vendor Aventail says its Secure Desktop, a virtual desktop for SSL sessions that is destroyed when the session closes, prevents files downloaded during the session from being viewed by Google Desktop Search.

To solve the problem for its customers, Whale has a software upgrade that detects whether Google Desktop Search is running on a remote PC. If so, access to the corporate network is denied or restricted. The company is developing similar upgrades to address nine other desktop search engines, says Whale CTO Noam Ben-Yochanan.

Google Desktop Search makes it easier to find data on PC hard drives and doesn't address these security concerns, a Google spokesman says. Customers can manually turn off Desktop Search or put it on pause during SSL remote-access sessions to avoid having the sessions cached by the search engine, he says.

Ben-Yochanan says he installed Google Desktop Search on a PC, opened an e-mail attachment, altered the document, sent it as an attachment, then deleted the file from the hard drive. Desktop Search retained a copy of the original attachment and the modified version.

Fleming says such tools pose similar threats to shared PCs on corporate LANs. So a person working the 4 p.m.-to-midnight shift could access all the data accessed by the person working the 8 a.m.-to-4 p.m. shift, including personal human resources data or Internet banking information, he says.

Similarly, if a network administrator uses a random desktop to reconfigure a firewall, a desktop search engine will record those settings and the password used to gain access, Fleming says.

It also makes it easier for attackers to search machines they have taken over, says Fred Felman, vice president of marketing for Zone Labs.

From isn at c4i.org Tue Nov 16 08:36:23 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 16 08:49:46 2004
Subject: [ISN] How to smash a home computer
Message-ID:

http://news.bbc.co.uk/1/hi/technology/4003733.stm

14 November, 2004

An executive who froze his broken hard disk thinking it would be fixed has topped a list of the weirdest computer mishaps.

Although computer malfunctions remain the most common cause of file loss, data recovery experts say human behaviour still is to blame in many cases.

They say that no matter how effective technology is at rescuing files, users should take more time to back-up and protect important files.

The list of the top 10 global data disasters was compiled by recovery company Ontrack.

Click 'Yes' for catastrophe

Careless - and preventable - mistakes that result in data loss range from reckless file maintenance practices to episodes of pure rage towards a computer.
This last category includes the case of a man who became so mad with his malfunctioning laptop that he threw it in the lavatory and flushed a couple of times.

"Data can disappear as a result of natural disaster, system fault or computer virus, but human error, including 'computer rage', seems to be a growing problem," said Adrian Palmer, managing director of Ontrack Data Recovery.

"Nevertheless, victims soon calm down when they realise the damage they've done and come to us with pleas for help to retrieve their valuable information."

A far more common situation is when a computer virus strikes and leads to precious files being corrupted or deleted entirely.

Mr Palmer recalled the case of a couple who had hundreds of pictures of their baby's first three months on their computer, but managed to reformat the hard drive and erase all the precious memories.

"Data can be recovered from computers, servers and even memory cards used in digital devices in most cases," said Mr Palmer.

"However, individuals and companies can avoid the hassle and stress this can cause by backing up data on a regular basis."

-=-

OH NO, MY FILES!

* One user put his hard drive in a freezer, after reading on the internet that this can fix malfunctioning hardware
* When tidying up his computer folders, one user inadvertently deleted the ones he meant to keep. He only realised he'd made the mistake after emptying the recycle bin and defragging the hard drive
* While a large office was being constructed, a steel beam fell on a laptop that contained the plans for the building.
* A female user placed her laptop on top of her car while getting in. She forgot about the laptop; it slid off the roof and she then reversed straight over it as she set off

Source: Ontrack Data Recovery

From isn at c4i.org Tue Nov 16 08:36:47 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 16 08:49:48 2004
Subject: [ISN] Sarbanes-Oxley kicks in
Message-ID:

http://news.com.com/Sarbanes-Oxley+kicks+in/2100-7355_3-5453279.html

By Dawn Kawamoto
Staff Writer, CNET News.com
November 15, 2004

A section of the Sarbanes-Oxley Act took effect Monday, part of new accounting regulations that promise to be a multimillion-dollar bonanza for security companies.

Under Section 404 of the law, publicly traded companies must have policies and controls in place to secure, document and process material information dealing with their financial results.

Vendors helping companies with compliance are expected to reap $5.8 billion next year, with 28 percent going to technology companies, according to an AMR Research survey released Friday.

"Technology will play an increasingly significant role in the integration of SOX (Sarbanes-Oxley) compliance initiatives into the business process," John Hagerty, vice president of research at AMR, said in a statement.

This year, companies and organizations are expected to spend $1.13 billion on technology to comply with Sarbanes-Oxley. That is expected to increase to $1.62 billion next year, according to the study.

Providers of technology for internal and external security are expected to capture a good slice of this business. Other sectors set to benefit include document and record management; business process management to integrate disparate business systems; applications compliance management software; and application suites to standardize the business processes for financial transparency.

Technology vendors have changed their marketing pitch as the regulations have taken hold, industry analysts have noted.

Congress passed the Sarbanes-Oxley Act in 2002, aiming to counter financial scandals such as those at Enron or WorldCom, by imposing more transparency in accounting procedures.

"A year ago, the vendors had ineffective messaging. They said their products were compliant and put a patina of compliance on everything they wrote to market them," said Paul Proctor, vice president of security and risk strategies at Meta Group. "Now vendors say their products address compliance."

From isn at c4i.org Wed Nov 17 03:45:42 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 17 04:11:24 2004
Subject: [ISN] Critical W2K bug unpatched after 105 days
Message-ID:

http://www.smh.com.au/news/Breaking/Critical-W2K-bug-unpatched-after-105-days/2004/11/16/1100384533654.html

By Sam Varghese
November 16, 2004

A critical flaw in Windows 2000, discovered by eEye Digital Security, is yet to be patched by Microsoft though 105 days have elapsed since full details of the bug were provided to the software giant.

eEye has characterised the bug as a "remotely-exploitable vulnerability that allows anonymous attackers to compromise default installations of the affected software, without requiring user interaction, and gain absolute access to the host machine."

Details were sent to Microsoft on August 2.

eEye started informing the public of upcoming security advisories last year. The procedure it follows is to provide the bare details of the bug and then wait for a patch to be issued before it releases full details of the flaw in question.

Yesterday, eEye sent details of another critical bug - in Windows ME, Windows 2000, Windows XP and Windows 2003 - to Microsoft. This was described as "a vulnerability in default installations of the affected software that allows malicious code to be executed with minimal user interaction."

Microsoft chief executive officer Steve Ballmer was quoted recently as saying that patches for Windows were issued swiftly, compared to those for other operating systems.
From isn at c4i.org Wed Nov 17 03:46:04 2004 From: isn at c4i.org (InfoSec News) Date: Wed Nov 17 04:11:26 2004 Subject: [ISN] Hacker hire costs SecurePoint an ally Message-ID: http://news.com.com/Hacker+hire+costs+SecurePoint+an+ally/2100-7349_3-5453166.html By Dan Ilett Special to CNET News.com November 15, 2004 A German antivirus-software company has broken off its partnership with firewall firm SecurePoint because of SecurePoint's decision to hire Sven Jaschan, the alleged creator of the Sasser virus. H+BEDV Datentechnik confirmed on Monday that it has halted cooperation with SecurePoint because of the security implications of the hire. "Whatever SecurePoint does is its own decision, but I do not wish to see any stage of our product development closely linked to an alleged virus author," said Tjark Auerbach, chief executive of H+BEDV. "We take a dim view of employing virus authors. The attempt to offer a second chance to an allegedly reformed virus author must be balanced against the exclusive security interests of our customers." Auerbach said his company had hoped to put its antivirus software in SecurePoint's firewall, but "I was getting cold feet. If a former virus writer is working on the program where a component is ours, what would the customer think? If this engine misses a virus and a former virus writer is working for that company, that smells a little bit stinky." Jaschan, who at one point was said to have been responsible for 70 percent of the world's viruses, was hired by SecurePoint earlier this year. The company's offer came shortly after Jaschan was released on bail after he admitted writing the virus. Jaschan has not yet been sentenced. Auerbach said he made the decision to break ties with SecurePoint two minutes after he heard that Jaschen would be working there. "I cannot support the decision," Auerbach said. "It casts a shadow of doubt over the IT security industry, which has the top priority of the minimization of security risks. 
This, and not least the security interest of our customers, motivates us in halting cooperation with SecurePoint."

SecurePoint had not responded to requests for comment at the time of writing.

Dan Ilett of ZDNet UK reported from London.

From isn at c4i.org  Wed Nov 17 03:45:54 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 17 04:11:28 2004
Subject: [ISN] Mi2g defends its Linux claims
Message-ID:

http://www.theinquirer.net/?article=19665

By Nick Farrell
15 November 2004

UK SECURITY outfit Mi2g has gone on the defensive after its report which claimed that Linux was the most manually breached operating system for computers has been panned by open sourcers worldwide.

Open sourcers from as far away as the Antipodes waded into the company after it claimed that 65 per cent of the security breaches occurred on permanently connected Linux systems and 25 percent on Windows systems. They hissed and snarled and accused Mi2G of being in league with the devil, well at least his Volish servants.

Aussie Cybersource company CEO Con Zymaris said the report lacked any raw data, references to sources and had a broken methodology. He told the INQ: "In pulling apart the limited amount of information that is given by Mi2g it seems that the company did not include automated penetration attacks in its study."

Mi2g also failed to factor in viruses and malware, something that open source expert Bruce Perens told Linux Pipeline was "pretty ludicrous" when even its own study said that the financial impact of viruses on Windows is tremendously greater than the penetration on Linux.

However, on the company website, an Mi2G spokesperson defended the report insisting that manual hacker breaches were more common in Linux. He said that good administration is central to working with Linux and these were lacking in the global market. "Manual breaches can be much more complex and sophisticated than automated ones proliferated through malware."
The company is mightily miffed at what it calls clandestine attacks funded, aided or abetted by vendors or special interest groups. Previously the company stirred up a hornets' nest when it came out in favour of Apple and BSD, because the entrenched supporters of Linux and Windows felt that mi2g was guilty of 'computing blasphemy'.

Mi2G also felt the need today to remind people that it is a Linux supporter. The mi2g Security Intelligence Products and Systems (SIPS) Engine runs on Linux, Apache, MySQL and PHP (LAMP) architecture. For the record, the company also has no business relationship with Microsoft or Apple either.

From isn at c4i.org  Wed Nov 17 03:59:07 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 17 04:11:29 2004
Subject: [ISN] The value of bad news
Message-ID:

http://www.fcw.com/fcw/articles/2004/1115/tec-vulscan-11-15-04.asp

By Florence Olsen
Nov. 15, 2004

"John, your vulnerability assessment grade for October is B."

Such messages have become a staple of Philip Heneghan's communication with executives at the U.S. Agency for International Development (USAID). As the agency's information systems security officer, Heneghan said notifying the right people about network and system vulnerabilities is his foremost concern.

Heneghan is among a growing number of federal information security managers who rely on vulnerability scanners to discover and report hidden network security risks. Even the usually protracted process of selling to federal agencies has been shortened for sales of vulnerability scanners, said one company executive, who added that he has not seen anything like it in his 25 years in the industry.

The scanners find potential security risks, which, in most instances, can be blamed on employees who lack systems engineering knowledge.
But agency officials cannot improve their cybersecurity grades until vulnerabilities are fixed, and information security officers say they have little power other than persuasion for getting program officials to fix them.

"In our environment, you can't force anybody," said Thomas O'Keefe, deputy director of information systems security in the Federal Aviation Administration's Office of the Chief Information Officer. Because the CIO's office owns none of the FAA's systems or networks, he said, the only recourse is to alert and advise. "We just cajole and convince and work the organizations," he said.

Some federal networks, such as the FAA's, have about 100,000 devices connected to them. A few have more. A network scan can discover every router, server, workstation, printer and wireless access point -- basically any device on a network that is passing IP traffic. Vulnerability scanners also can check for risky configurations such as open ports that allow peer-to-peer file sharing. Scans can find leaks, which are zones in which unnecessary or unauthorized network connections pose a security risk.

"It's like sanitizing your hard drive or doing an antivirus scan," said Pedro Cadenas Jr., cyber and information security chief at the Department of Veterans Affairs.

Federal security experts have found that vulnerability scanners can be useful even in difficult circumstances. USAID's global network has 15,000 devices in 80 spots worldwide, many of them in developing countries served by low-bandwidth connections. "We have a fairly poor infrastructure as a ground rule," Heneghan said. But the agency's vulnerability scanner, IP360, made by nCircle Network Security, adapts to those conditions and "basically allows us to monitor the vulnerability of all devices."

Heneghan said he runs scans on USAID's network three or four times a week and sends about 100 report card messages each month to senior agency executives.
These people don't like to be told they have anything less than an A, he said. "If they don't have an A, they start pounding on people, and things get fixed."

USAID's technicians, however, don't need to wait a month to gain access to vulnerability scan results and begin making fixes. After finding security risks, nCircle's software automatically prepares a work plan, assigns a priority to each vulnerability and describes how to fix it. "That has made it much easier for people," Heneghan said.

For the vulnerability scanner and related equipment, he said, agency officials pay less than $100,000 a year, an expense he regards as well justified. "It has heightened people's knowledge of risk," he said.

Still, raising awareness can be frustrating for security officials at any CIO office because they lack the authority to fix the vulnerabilities they find. VA officials have used IPsonar, a vulnerability scanner from Lumeta, to help raise security awareness, especially among employees not well trained in systems or network engineering. But security officials cannot do much more than that, Cadenas said. "We're not writing any tickets; we're not threatening to shut anybody down," he said.

The situation at the VA is similar to the one facing the FAA, except that if a malicious worm or virus got through to the air traffic control system, it could shut down that vital system. "My job is to worry on a [round-the-clock], 365-day basis that the controllers will not have a negative cyber event in their infrastructure," O'Keefe said. He and Cadenas spoke at a corporate briefing sponsored by Lumeta.

When FAA officials ran their first scan using the IPsonar tool, the results were shocking. "We found many connections that we didn't know about," O'Keefe said. Because of the critical nature of the FAA's network, security officials have only a few hours a week in which they can run a scan of the network. But the scans have been effective in reducing risks, he said.
Now, when FAA officials run a vulnerability scan, they rarely experience any surprises. "Zero is the number," he said. "I don't want anybody connected to our network whom I don't know about and whom I haven't looked in the eye and asked, 'What in the heck are you doing?'"

From isn at c4i.org  Thu Nov 18 06:20:35 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 18 06:36:15 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-47
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-11-11 - 2004-11-18

This week : 48 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

Monitor, Filter, and Manage Security Information
- Filtering and Management of Secunia advisories
- Overview, documentation, and detailed reports
- Alerting via email and SMS

Request Trial:
https://ca.secunia.com/?f=s

========================================================================

2) This Week in Brief:

ADVISORIES:

Again this week, two Secunia advisories regarding vulnerabilities in Internet Explorer were issued, one of which can be exploited to circumvent a security feature in Windows XP Service Pack 2.

Microsoft has not yet issued patches. Please view the Secunia advisories below for more information.
References:
http://secunia.com/SA13208
http://secunia.com/SA13203

--

The popular VoIP program Skype was reported vulnerable to a buffer overflow vulnerability, which according to the vendor can be exploited to compromise vulnerable systems. The vulnerability can be exploited by e.g. tricking a user into visiting a malicious web site.

A new version, which addresses this vulnerability, has been released.

References:
http://secunia.com/SA13191

VIRUS ALERTS:

Secunia has not issued any virus alerts during the last week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1.  [SA12959] Internet Explorer IFRAME Buffer Overflow Vulnerability
2.  [SA13191] Skype "callto:" URI Handler Buffer Overflow Vulnerability
3.  [SA13144] Mozilla Firefox Multiple Vulnerabilities
4.  [SA13203] Microsoft Internet Explorer Two Vulnerabilities
5.  [SA12889] Microsoft Internet Explorer Two Vulnerabilities
6.  [SA12712] Mozilla / Mozilla Firefox / Camino Tabbed Browsing Vulnerabilities
7.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability
8.  [SA13208] Microsoft Internet Explorer Cookie Path Attribute Vulnerability
9.  [SA13148] Cisco IOS DHCP Packet Handling Denial of Service Vulnerability
10. [SA13156] Internet Explorer Flash/Excel Content Status Bar Spoofing Weakness

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA13207] Hired Team: Trial Multiple Vulnerabilities
[SA13191] Skype "callto:" URI Handler Buffer Overflow Vulnerability
[SA13186] Army Men RTS Format String Vulnerability
[SA13215] IceWarp Web Mail Account Settings Unspecified Vulnerability
[SA13203] Microsoft Internet Explorer Two Vulnerabilities
[SA13200] IMail IMAP Service DELETE Command Buffer Overflow Vulnerability
[SA13178] Cisco Security Agent Buffer Overflow Detection Security Bypass
[SA13173] Hotfoon Inappropriate Link Handling
[SA13169] Zone Labs IMsecure Active Link Filter Bypass Vulnerability
[SA13197] Secure Network Messenger Denial of Service Vulnerability
[SA13195] NetNote Server Denial of Service Vulnerability
[SA13198] Spy Sweeper Enterprise Password Information Disclosure Vulnerability
[SA13208] Microsoft Internet Explorer Cookie Path Attribute Vulnerability

UNIX/Linux:
[SA13214] Debian update for imagemagick
[SA13190] TWiki "Search.pm" Shell Command Injection Vulnerability
[SA13221] Gentoo update for SquirrelMail
[SA13217] Gentoo update for bnc
[SA13193] Red Hat update for freeradius
[SA13192] Red Hat update for libxml2
[SA13183] Debian update for ez-ipupdate
[SA13182] Fedora update for unarj
[SA13180] Fedora update for gd
[SA13179] GD Graphics Library Unspecified Buffer Overflow Vulnerabilities
[SA13175] Gentoo update for ez-ipupdate
[SA13219] Red Hat update for samba
[SA13210] SUSE update for samba
[SA13216] Gentoo update for ruby
[SA13196] Fedora update for httpd
[SA13194] Red Hat update for httpd
[SA13176] Gentoo update for samba
[SA13220] Debian update for apache
[SA13218] Trustix update for sudo
[SA13209] Fcron Multiple Vulnerabilities
[SA13199] Sudo Environment Cleaning Privilege Escalation Vulnerability
[SA13185] Gentoo update for davfs2/lvm-user
[SA13184] WEB-DAV Linux File System Insecure Temporary File Creation
[SA13181] Fedora update for glibc
[SA13171] Conectiva update for sasl2

Other:
[SA13212] 3Com OfficeConnect Wireless 11g Cable/DSL Gateway UDP Traffic Handling Denial of Service
[SA13170] HP PSC 2510 Printer FTP Service Printer Denial of Service Weakness

Cross Platform:
[SA13213] PHP-Nuke Event Calendar Module Multiple Vulnerabilities
[SA13201] PunBB Private Message System Module Two Vulnerabilities
[SA13177] UNARJ Filename Handling Buffer Overflow Vulnerability
[SA13174] Phorum "follow.php" SQL Injection Vulnerability
[SA13189] Samba QFILEPATHINFO Request Handler Buffer Overflow Vulnerability
[SA13206] phpScheduleIt Reservation Manipulation Vulnerability
[SA13202] Aztek Forum Cross-Site Scripting Vulnerabilities
[SA13172] phpWebSite HTTP Response Splitting Vulnerability

========================================================================

5) Vulnerabilities Content Listing

Windows:
--
[SA13207] Hired Team: Trial Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, DoS, System access
Released:    2004-11-16

Luigi Auriemma has reported multiple vulnerabilities in Hired Team: Trial, which can be exploited by malicious people to compromise a vulnerable system, cause a DoS (Denial of Service), and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/13207/

--
[SA13191] Skype "callto:" URI Handler Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-11-15

A vulnerability has been reported in Skype, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13191/

--
[SA13186] Army Men RTS Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-11-15

Luigi Auriemma has reported a vulnerability in Army Men RTS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13186/

--
[SA13215] IceWarp Web Mail Account Settings Unspecified Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2004-11-16

A vulnerability with an unknown impact has been reported in IceWarp Web Mail.

Full Advisory:
http://secunia.com/advisories/13215/

--
[SA13203] Microsoft Internet Explorer Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Spoofing
Released:    2004-11-17

cyber flash has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to bypass a security feature in Microsoft Windows XP SP2 and trick users into downloading malicious files.

Full Advisory:
http://secunia.com/advisories/13203/

--
[SA13200] IMail IMAP Service DELETE Command Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-11-16

Muts has discovered a vulnerability in IMail Server, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13200/

--
[SA13178] Cisco Security Agent Buffer Overflow Detection Security Bypass

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-11-12

A vulnerability has been reported in Cisco Security Agent (CSA), which can be exploited by malicious people to bypass certain security features.

Full Advisory:
http://secunia.com/advisories/13178/

--
[SA13173] Hotfoon Inappropriate Link Handling

Critical:    Less critical
Where:       From remote
Impact:
Released:    2004-11-12

saudi linux has reported a security issue in Hotfoon, allowing malicious people to open arbitrary links.
Full Advisory:
http://secunia.com/advisories/13173/

--
[SA13169] Zone Labs IMsecure Active Link Filter Bypass Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-11-12

Paul Kurczaba has reported a vulnerability in Zone Labs IMsecure, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/13169/

--
[SA13197] Secure Network Messenger Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-11-15

Luigi Auriemma has reported a vulnerability in Secure Network Messenger, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13197/

--
[SA13195] NetNote Server Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-11-15

class101 has discovered a vulnerability in NetNote Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13195/

--
[SA13198] Spy Sweeper Enterprise Password Information Disclosure Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-11-15

Frank Mileto has discovered a vulnerability in Spy Sweeper Enterprise, which can be exploited by malicious, local users to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/13198/

--
[SA13208] Microsoft Internet Explorer Cookie Path Attribute Vulnerability

Critical:    Not critical
Where:       From remote
Impact:      Hijacking
Released:    2004-11-17

Keigo Yamazaki has reported a vulnerability in Internet Explorer, which potentially can be exploited by malicious people to conduct session fixation attacks.
Full Advisory:
http://secunia.com/advisories/13208/

UNIX/Linux:
--
[SA13214] Debian update for imagemagick

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-11-16

Debian has issued an update for imagemagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13214/

--
[SA13190] TWiki "Search.pm" Shell Command Injection Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-11-15

Hans Ulrich Niedermann has reported a vulnerability in TWiki, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13190/

--
[SA13221] Gentoo update for SquirrelMail

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-11-17

Gentoo has issued an update for SquirrelMail. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/13221/

--
[SA13217] Gentoo update for bnc

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-11-16

Gentoo has issued an update for bnc. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13217/

--
[SA13193] Red Hat update for freeradius

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-11-15

Red Hat has issued an update for freeradius. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13193/

--
[SA13192] Red Hat update for libxml2

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-11-15

Red Hat has issued an update for libxml2.
This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13192/

--
[SA13183] Debian update for ez-ipupdate

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-11-12

Debian has issued an update for ez-ipupdate. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13183/

--
[SA13182] Fedora update for unarj

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-11-12

Fedora has issued an update for unarj. This fixes two vulnerabilities, which potentially can be exploited by malicious people to overwrite files or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13182/

--
[SA13180] Fedora update for gd

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-11-12

Fedora has issued an update for gd. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13180/

--
[SA13179] GD Graphics Library Unspecified Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-11-12

Some vulnerabilities have been reported in GD Graphics Library, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13179/

--
[SA13175] Gentoo update for ez-ipupdate

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-11-12

Gentoo has issued an update for ez-ipupdate. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13175/

--
[SA13219] Red Hat update for samba

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2004-11-17

Red Hat has issued an update for samba. This fixes two vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13219/

--
[SA13210] SUSE update for samba

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2004-11-16

SUSE has issued an update for samba. This fixes two vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13210/

--
[SA13216] Gentoo update for ruby

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-11-16

Gentoo has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13216/

--
[SA13196] Fedora update for httpd

Critical:    Less critical
Where:       From remote
Impact:      DoS, Security Bypass
Released:    2004-11-15

Fedora has issued an update for httpd. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/13196/

--
[SA13194] Red Hat update for httpd

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2004-11-15

Red Hat has issued an update for httpd. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/13194/

--
[SA13176] Gentoo update for samba

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-11-12

Gentoo has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13176/

--
[SA13220] Debian update for apache

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-11-17

Debian has issued an update for apache. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13220/

--
[SA13218] Trustix update for sudo

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-11-17

Trustix has issued an update for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13218/

--
[SA13209] Fcron Multiple Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information
Released:    2004-11-16

Karol Wiesek has reported four vulnerabilities in Fcron, which can be exploited by malicious, local users to gain knowledge of sensitive information, bypass access restrictions, and delete arbitrary files.

Full Advisory:
http://secunia.com/advisories/13209/

--
[SA13199] Sudo Environment Cleaning Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-11-15

Liam Helmer has reported a vulnerability in sudo, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/13199/

--
[SA13185] Gentoo update for davfs2/lvm-user

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-11-12

Gentoo has issued updates for davfs2 and lvm-user. These fix some vulnerabilities, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13185/

--
[SA13184] WEB-DAV Linux File System Insecure Temporary File Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-11-12

Florian Schilhabel has reported a vulnerability in WEB-DAV Linux File System (davfs2), which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13184/

--
[SA13181] Fedora update for glibc

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-11-12

Fedora has issued an update for glibc. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13181/

--
[SA13171] Conectiva update for sasl2

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-11-12

Conectiva has issued an update for sasl2. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13171/

Other:
--
[SA13212] 3Com OfficeConnect Wireless 11g Cable/DSL Gateway UDP Traffic Handling Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-11-16

A vulnerability has been reported in 3Com OfficeConnect Wireless 11g Cable/DSL Gateway, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/13212/

--
[SA13170] HP PSC 2510 Printer FTP Service Printer Denial of Service Weakness

Critical:    Not critical
Where:       From local network
Impact:      DoS
Released:    2004-11-12

Justin Rush has reported a weakness in HP PSC 2510 Photosmart All-in-One printer, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13170/

Cross Platform:
--
[SA13213] PHP-Nuke Event Calendar Module Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of system information
Released:    2004-11-17

Janek Vind "waraxe" has reported a vulnerability in Event Calendar, allowing malicious people to conduct cross-site scripting, script insertion and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/13213/

--
[SA13201] PunBB Private Message System Module Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2004-11-15

Digital-X has reported two vulnerabilities in Private Message System module for PunBB, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/13201/

--
[SA13177] UNARJ Filename Handling Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-11-12

A vulnerability has been reported in UNARJ, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13177/

--
[SA13174] Phorum "follow.php" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2004-11-12

Janek Vind "waraxe" has reported a vulnerability in Phorum, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/13174/

--
[SA13189] Samba QFILEPATHINFO Request Handler Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-11-15

Stefan Esser has reported a vulnerability in Samba, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13189/

--
[SA13206] phpScheduleIt Reservation Manipulation Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-11-16

A vulnerability has been reported in phpScheduleIt, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/13206/

--
[SA13202] Aztek Forum Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-11-15

benji lemien has reported two vulnerabilities in Aztek Forum, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13202/

--
[SA13172] phpWebSite HTTP Response Splitting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-11-12

Maestro De-Seguridad has reported a vulnerability in phpWebSite, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13172/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

========================================================================

From isn at c4i.org  Thu Nov 18 06:20:47 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 18 06:36:18 2004
Subject: [ISN] More security hiccups for IE
Message-ID:

http://news.com.com/More+security+hiccups+for+IE/2100-1002_3-5457105.html

By Robert Lemos
Staff Writer, CNET News.com
November 17, 2004

Microsoft's Internet Explorer has become a turkey shoot for flaw finders.

This week, three more vulnerabilities were found in version 6 of the software giant's flagship Web browser, security information provider Secunia said on Wednesday. That brings the total number of IE vulnerabilities disclosed in the past two months to 19, including eight flaws fixed by Microsoft during its October patch cycle.

The latest flaws were found by two different researchers, Secunia said. Two could be used together to allow malicious content to bypass a mechanism in Microsoft Windows XP Service Pack 2 that alerts people about potentially harmful programs, Secunia stated. The third vulnerability could be used to overwrite the cookies of a trusted site to hijack a Web session, if the site handles authentication in an insecure manner, according to that advisory. The flaws were rated "moderately critical" and "not critical," respectively, by Secunia.

"We have not been made aware of any active attacks against the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports," Microsoft said in a statement sent to CNET News.com. The company said that customers who needed advice should visit its software security site and its PC Protect site for home users.
Microsoft also criticized the researchers for publicizing the flaws without allowing it to work to solve the problems first. "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the company said in the statement. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests." Security researchers and hackers, however, are not paying heed to the software giant's standard chastisement of public disclosure. In the past two months, flaw finders have publicized critical Internet Explorer vulnerabilities and a slew of security issues in Service Pack 2, the company's latest update to Windows XP. Already, viruses have started to use the critical Internet Explorer flaw to spread. From isn at c4i.org Thu Nov 18 06:21:03 2004 From: isn at c4i.org (InfoSec News) Date: Thu Nov 18 06:36:19 2004 Subject: [ISN] China boosting cyberwar ability Message-ID: Forwarded from: William Knowles http://www.taipeitimes.com/News/taiwan/archives/2004/11/17/2003211401 AP TAIPEI Nov 17, 2004 China is developing the means to electronically blockade rival Taiwan with attacks to the country's vital utilities, the Internet and other communications networks, a high-ranking US defense official has said. The stern warning was issued by Richard Lawless -- deputy undersecretary of defense -- during a closed-door meeting with business leaders last month in the US. A copy of Lawless' speech was obtained by The Associated Press yesterday under the US Freedom of Information Act. Lawless cautioned that if a war broke out between Taiwan and China, the first casualties might not be "brave men and women in uniform." He said China might first target things that keep Taiwan's high-tech society running. 
"China is actively developing options to create chaos on the island, to compromise components of Taiwan's critical infrastructure: telecommunications, utilities, broadcast media, cellular, Internet and computer networks," Lawless said on Oct. 4 to the US-Taiwan Business Council.

"Taiwan could be electronically blockaded, isolated from the world, creating a kind of perfect storm in which the US could not communicate with Taiwan or Taiwan with the world," Lawless said during the council's meeting in the southwestern city of Scottsdale, Arizona.

Lawless said such a strategy could be called an "acupuncture" attack aimed at "the destruction of a national will" with "the insertion of a hundred needles."

Beijing insists that self-ruled, democratic Taiwan is part of China and has repeatedly threatened to attack if the Taiwanese seek a permanent split or delay too long on unification.

Much of the debate over whether China will invade has focused on China's growing arsenal of destroyers, jets, submarines and hundreds of missiles aimed at Taiwan, just 160km off China's southern coast. But in recent years, analysts have touted the possibility that China could be developing new high-tech weapons that could give the Chinese an edge over US forces -- which are widely expected to help defend Taiwan.

Lawless said that several recent incidents have exposed vulnerabilities in Taiwan's critical infrastructure and communication systems and that China is aware of these weak spots. In 1999, the loss of a single transformer station on Taiwan "left thousands without power for weeks," while a massive earthquake the same year "left Taiwan dependent on satellite communications to the outside world for more than a month."

"Many feared China would attempt to take advantage of Taiwan's ill fortune," Lawless said.
Taiwan must do more to safeguard telecommunications, fiber optics, energy supplies and major transportation arteries, and should consider allowing private agencies to assist in national defense, he said. "Taiwan is one of the most technologically advanced societies in the world, but the expertise and wealth of experience that exist in the private sector remains largely untapped," he said. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ---------------------------------------------------------------- C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Thu Nov 18 06:21:14 2004 From: isn at c4i.org (InfoSec News) Date: Thu Nov 18 06:36:21 2004 Subject: [ISN] Petco settles charge it left customer data exposed Message-ID: http://www.nwfusion.com/news/2004/1117petcosettl.html By Robert McMillan IDG News Service 11/17/04 The U.S. Federal Trade Commission has reached a settlement with pet food retailer Petco Animal Supplies of charges that the company's Web site violated federal law by making deceptive security claims. A security flaw in Petco's Web site left customers' credit card numbers exposed to attackers. The FTC alleges that Petco did not take reasonable measures to protect its Web site and made deceptive claims in stating that customers' credit card numbers would be "shielded from unauthorized access." This flaw was exploited in a June 2003 attack on Petco.com in which a visitor was able to read customer data stored in Petco's database. According to Petco, the attack was perpetrated by an independent security consultant named Jeremiah Jacks, who immediately informed Petco of the vulnerability. The vulnerability exposed only a limited amount of customer information, a Petco spokesman said. 
"What he got was credit card numbers, but there was no other customer information accompanying those numbers," he said. Under the terms of the settlement, announced Wednesday, Petco is prohibited from misrepresenting the security of its Web site and must establish a comprehensive security information program, which will be subject to independent audits for the next 20 years, said Alain Sheer, an attorney in the FTC's Division of Financial Practices. Petco could be held in contempt of court if it violates the agreement, Sheer said. It should help to deter other companies from ignoring and misrepresenting security vulnerabilities on their Web sites, he added. "Obviously there's some pretty bad publicity here," Sheer said. "We think that should be a deterrent." The FTC has reached similar settlements with Eli Lilly, Microsoft, Guess and Tower Direct, Sheer said. "Petco is committed to keeping all customer information obtained through our Web site and stores private and secure," the Petco spokesman said. From isn at c4i.org Thu Nov 18 06:21:26 2004 From: isn at c4i.org (InfoSec News) Date: Thu Nov 18 06:36:23 2004 Subject: [ISN] Hoosiers don't take cybercrime seriously Message-ID: http://www.indystar.com/articles/7/195545-9937-223.html By Norm Heikens norm.heikens @ indystar.com November 18, 2004 Computer security isn't improving fast enough to prevent hackers from causing ever more mayhem -- or ultimately ward off the likely rise of organized cybercrime, a Purdue University expert said at an IUPUI-sponsored conference Wednesday. Computer professor Marc Rogers, speaking to about 110 participants -- most of whom are involved in corporate or government information technology -- warned that many companies doubt they'll be targeted by people wanting to steal information or damage their systems. But the individuals now tormenting systems personnel will seem like Boy Scouts compared to the expected increase in organized cybercrime, Rogers predicted. 
"If we don't have our house in order before that happens, we're in for a world of hurt," said Rogers, who worked more than a decade in law enforcement before joining Purdue. "The criminals realize we're moving much too slow."

Monday was a landmark for information-technology workers. It was the effective date for a provision in the federal Sarbanes-Oxley Act of 2002 requiring corporations to make their information secure. But few are in compliance, Rogers said at the forum at Indiana University-Purdue University Indianapolis.

Assistant U.S. Attorney Steve DeBrota also advised companies to erect thick firewalls. Among the biggest problems are the highly sophisticated hackers in Eurasia -- sometimes former Soviet Union intelligence employees -- who have taken up identity theft, DeBrota said. They're hard to catch because they sell the information to lower-level criminals.

But the problem can just as easily be an employee who steals sensitive information. He warned companies to beware of employees who set up outside e-mail accounts that can be used to send information out of the company. Other times, hackers steal information and extort a company by threatening to divulge it publicly. Few companies report such crimes, said both DeBrota and Rogers.

Purdue's Rogers said one of the largest holes in cybersecurity is high-speed Internet lines, particularly those hooked to homes. Companies work hard to secure their own systems, then open themselves to trouble when employees log in from homes, where their computers may be infected with viruses.

Malfeasance is growing as the world wires itself together. "Everybody is potentially our neighbor now," Rogers said.

Hoosiers who think cyber-attacks happen elsewhere should think again. Quoting common attitudes, Rogers said, "We're little Indiana. Why would anyone want to hack into our system?"

Participant Jack Osborne said the speakers confirmed what he hears and reads elsewhere.
Osborne, a computer technician at the Indianapolis electrical control maker Transportation Safety Technologies, said co-workers "get tired of hearing me say, 'This is going to happen.' " "I'm amazed the terrorists haven't entered it yet," he said. Osborne thinks his company is fairly well-protected. Yet, he added, "It's like your car. If someone wants in badly enough, they will" get in. From isn at c4i.org Thu Nov 18 06:21:39 2004 From: isn at c4i.org (InfoSec News) Date: Thu Nov 18 06:36:25 2004 Subject: [ISN] Colleges easy prey to hackers Message-ID: http://www.denverpost.com/Stories/0,1413,36~53~2539839,00.html By George Merritt Denver Post Staff Writer November 17, 2004 Boulder - University computer systems are an easy and likely target for computer hackers, and experts warn that students will be more likely to become victims of identity theft if changes don't come soon. "These universities have a real issue on their hands," said Jay Foley of the Identity Theft Resource Center in San Diego. Foley said hackers can use personal information such as Social Security numbers to open fraudulent credit accounts in students' names. "It does you absolutely no good to graduate a class of 1,000 highly skilled people ... who can't get jobs because most of them are so deeply in debt that no one will hire them," he said. Last month, about 1,000 University of Colorado continuing-education students became the latest to have their personal information compromised. Officials said CU's hacker was a "joyrider" who broke into the system without actually taking identifying information. But the break-in added CU to the list of victim universities throughout the country. In August, a hacker broke into the University of California at Berkeley's system and got access to about 600,000 people's personal information. A University of Texas hacker accessed about 55,000 identities from that system last year. 
There have been similar incidents recently from Boston University to Georgia Tech, from Southern Illinois University to San Diego State University. Campus technology experts say universities are in a unique and vulnerable security situation. While their computer systems contain a wealth of personal identifiers, universities represent a culture of open information sharing. "It is hard because security and convenience are kind of mutually exclusive," said San Diego State's technology security officer, John Denune. "So with a university environment, we always have to keep our educational mission in perspective because we can't lock things down like a business would." CU officials have been trying since summer 2003 to combat the risk by issuing new students identification numbers that are different from their Social Security numbers. There are plans to convert ID numbers for the entire student body sometime next year. The University of Denver has also done away with Social Security numbers as identifiers, and Colorado State University students can opt for a different identification number. CSU plans to change over completely in 2006. State law requires all universities to drop Social Security numbers as identification by 2008. Security experts praise the effort but say it is only one step. "Security has become the No. 1 agenda item every day for all the IT professionals," said Dennis Maloney, CU's head of information technology. "It is a daunting task because it is hard to know what is going on with (the university's) 25,000 computing devices at all points in time." Maloney said his staff tries to lock down students' most sensitive personal information. "Why hack universities?" asked Rick Dakin, president of Coalfire Systems Inc., a Superior computer security consulting firm. "Because there is a ton of personal information, a ton of computing power and a ton of computers." 
Maloney said CU offers free antivirus software for students to download and a computer scan to make sure individual computers have up-to-date defenses. He said campuses have to rely more and more on students to keep up security on their personal computers. Identity theft is not the only motivation for those hacking into university systems - in fact, identity thieves represent a small percentage of hackers, experts said. Hackers are also intent on scoring bragging rights among their online buddies or manipulating an army of computers to do their bidding. As they look for any holes in a system's security, universities can even fall prey out of dumb luck. "Most of the worms - or even the low-level hackers - out there are just looking for any vulnerability out there that they can exploit," Denune said. "Universities tend to be a large target of opportunity because we have a lot of bandwidth." Enforcing the laws against hacking is complicated. While there has been success tracking down hackers, authorities said the nature of the Internet makes it hard to know where to begin investigating, or whose jurisdiction should handle it. "There really isn't any central agency for this," said Mike Knight, spokesman for the district attorney's office for the 18th Judicial District. Maloney said security remains the top priority. But even with changes, hackers remain an elusive "moving target" for universities. "I look at the security alerts every day, and there is a new vulnerability every day somewhere on campus," Maloney said. "I don't think we've seen the light at the end of the tunnel for that stopping." 
From isn at c4i.org Fri Nov 19 06:02:13 2004 From: isn at c4i.org (InfoSec News) Date: Fri Nov 19 06:14:22 2004 Subject: [ISN] Oracle announces quarterly patching schedule Message-ID: http://www.nwfusion.com/news/2004/1118orpatch.html By Ellen Messmer Network World Fusion 11/18/04 Oracle plans to begin issuing cumulative software patches for Oracle Database, E-Business Suite, Application Server, Oracle Enterprise Manager and Collaboration Suite on a quarterly basis beginning Jan. 18. Oracle's three other scheduled patch-release dates in 2005 are April 12, July 12 and Oct. 18. Oracle's chief security officer, Mary Ann Davidson, said the quarterly software patch releases will address any needed security fixes as well as general non-security-related changes in Oracle products. The planned quarterly software releases, which Oracle is calling "Critical Patch Updates," are intended to make it easier for Oracle customers to handle the software-maintenance process. Patching typically requires shutting down servers and other systems to install new software code, a process that Oracle customers may be especially reluctant to do during certain business periods, such as when they're closing their books at the end of a financial quarter, Davidson said. Oracle for the first time in its history selected four specific days it intends to release cumulative patches for its products to help customers plan ahead and keep the disruption caused by patching to a minimum. However, Davidson noted that Oracle would make an exception to its quarterly update schedule in the event that the software company had to issue a "high-severity security alert" due to a vulnerability discovered in any Oracle product, particularly if an exploit for it were known to be in the wild. For this kind of "one-off patch," said Davidson, "We don't want our customers to wait for months." In general, though, if customers decide they don't want to apply any software patches issued Jan. 
18, for whatever reason, they can wait until the next scheduled update, which would come April 12. At that time, any software changes issued in the January patch would also be included in the April patch. Davidson said the fixed schedule will help Oracle produce a single, well-integrated and well-tested patch. From isn at c4i.org Fri Nov 19 06:02:30 2004 From: isn at c4i.org (InfoSec News) Date: Fri Nov 19 06:14:24 2004 Subject: [ISN] Secrecy News -- 11/17/04 Message-ID: ---------- Forwarded message ---------- Date: Wed, 17 Nov 2004 14:35:33 -0500 From: "Aftergood, Steven" To: secrecy_news@lists.fas.org Subject: Secrecy News -- 11/17/04 SECRECY NEWS from the FAS Project on Government Secrecy Volume 2004, Issue No. 101 November 17, 2004 ** NGA PURSUES CONTROL OF UNCLASSIFIED SATELLITE IMAGERY ** SECURITY GUARDS AND CRITICAL INFRASTRUCTURE (CRS) ** AL QAEDA: STATEMENTS AND EVOLVING IDEOLOGY (CRS) ** LINK ANALYSIS: CONNECTING THE DOTS ** MELBA PHILLIPS, FAS CO-FOUNDER [...] SECURITY GUARDS AND CRITICAL INFRASTRUCTURE (CRS) Much of the burden of protecting the nation's critical facilities against terrorist attack falls on approximately one million security guards and other security personnel. A new report from the Congressional Research Service examines their adequacy to the task, including questions of training, authority, salary, and more. The Congressional Research Service does not permit direct public access to its products. A copy of the new report was obtained by Secrecy News. See "Guarding America: Security Guards and U.S. Critical Infrastructure Protection," November 12, 2004: http://www.fas.org/sgp/crs/RL32670.pdf [...] _______________________________________________ Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists. To SUBSCRIBE to Secrecy News, send email to secrecy_news-request@lists.fas.org with "subscribe" in the body of the message. 
To UNSUBSCRIBE, send a blank email message to secrecy_news-remove@lists.fas.org OR email your request to saftergood@fas.org

Secrecy News is archived at:
http://www.fas.org/sgp/news/secrecy/index.html

Secrecy News has an RSS feed at:
http://www.fas.org/sgp/news/secrecy/index.rss

_______________________
Steven Aftergood
Project on Government Secrecy
Federation of American Scientists
web:    www.fas.org/sgp/index.html
email:  saftergood@fas.org
voice:  (202) 454-4691

From isn at c4i.org Fri Nov 19 06:02:46 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 19 06:14:26 2004
Subject: [ISN] Eight best practices for disaster recovery
Message-ID:

http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,97620,00.html

Advice by CIO
NOVEMBER 18, 2004
www.cio.com

Given the number of blackouts, hurricanes and other disasters that have come our way over the past few years, many CIOs are wisely reexamining their disaster recovery strategies. Executive Council members share some of their tried-and-true methods.

1. Dedicate and empower staff

At the New York Mercantile Exchange, CIO Sam Gaer has dedicated a department within IT to manage business continuity planning and disaster recovery. Gaer ensures that the department's leader has access to upper-level management by running interference. "You can't just set up a director and a department and let them run on their own," he says. "The CIO must pay constant attention to this department and set of resources."

2. Divide and conquer

In order to ensure business involvement in the development and maintenance of the business continuity plan, Martin Gomberg, CTO of A&E Television Networks, has separated business continuity planning and disaster recovery into two initiatives, each with its own governance and goals. For disaster recovery, the goal is technical recovery, and the plan is created and managed by developers and engineers. Business continuity's goal is business process stability, and that plan is developed - in partnership with IT - by business unit representatives.

3. Make sure the plan can stand alone

"When a disaster strikes, the staff who wrote the recovery plan may not be available to execute it," says Greg Smith, vice president and CIO of the World Wildlife Fund. "You have to make sure your disaster recovery plan will work with or without the internal key people who developed it." If the director in charge of financial ERP applications wrote the plan, for example, ask the business intelligence manager to test the recovery.

4. Challenge the business

"If business unit managers tell me they need an application recovered quickly, but that application is not providing revenue generation or financial compliance, I will challenge those individuals to think hard about how long they can really go without that application," Smith says. The same goes for staffing an offsite facility during a disaster. Determining the right people to involve, as well as the right services to recover, is part of the negotiation process.

5. Align disaster recovery with application development

At A&E, the IT team incorporates disaster recovery into its application development processes. "We've developed an isolated test environment that enables full-time access and continuous testing of all systems and applications," Gomberg says. "Our business-continuity database includes a report on application-testing status, so we know when a system was last tested and whether it demands our attention to assure its performance in recovery."

6. Tabletop tests won't cut it

Regularly reviewing your plan on paper is important, Gaer says, but it is not enough. In addition to tabletop tests, Gaer semiannually springs mock disasters on his crisis management team, which is made up of staff and board members, who must set up a replica data center so that it is operational within a few hours. "Given how busy our board members are, it is not easy to demand their participation in these tests," Gaer says. "But their participation is extremely important and is a testament to NYMEX's dedication to disaster recovery."

7. Try (and test) before you buy

When WWF's Smith was looking at a new technology for creating systems images (snapshots of the operating system disk and registry settings that allow for a relatively simple recovery process), not only did he employ a "try before you buy" approach, he actually used the product in a test at no charge. "It was a real test: entirely offsite with a different network, firewall and environment," he says.

8. Hold postmortems and adjust

What you do with the results of the test is a critical part of disaster recovery planning. "If you are recovering without third-party services, create an action-item checklist out of your review of what worked well and what didn't," Smith says. "If you are working with a vendor, document what went wrong and use that report to outline your expectations for the next test."

Editor's Note: The CIO Executive Council is a professional organization for CIOs. Its mission is to leverage the strengths of a large coalition of CIOs for the purpose of achieving change within our organizations and shaping the framework for the future of IT.

From isn at c4i.org Fri Nov 19 06:03:00 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 19 06:14:28 2004
Subject: [ISN] Under Phishing Attack, British Bank Shuts Down Some Services
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=CIGVP13WT43RMQSNDBGCKHSCJUMEKJVN?articleID=53700579

By Gregg Keizer
TechWeb News
Nov. 18, 2004

One of the four biggest banks in the United Kingdom has taken the unusual step of suspending some features of its online service following a phishing attack.
On Wednesday, NatWest, which is part of the Royal Bank of Scotland Group and one of Britain's big four banks, shut off features to its million-plus online customers. When users logged on to the NatWest site, they saw a message that read, "We have temporarily suspended the ability to create or amend Third Party Payment mandates and create Standing Order mandates." Third-party-payment mandates, said Caroline Harris, a NatWest spokesperson, are ad-hoc electronic-payment requests outside the normal bill payments already established. They're typically used to pay individuals electronically. Standing-order mandates are the U.K. equivalent of a scheduled bill payment. "We've not shut down the entire site, as some press reports would have you believe," said Harris, "but we've only restricted one small part." The phishing e-mail received by NatWest customers claimed to be part of a software update to the online banking service. "This is only temporary," said Harris, "and is a preventative measure to protect our customers. Because we've [blocked third-party-payment and standing orders] the phishers haven't been able to take money out of customer accounts." She reiterated that no NatWest customer had lost money to the scam. NatWest urged customers who may have given up personal information to contact the bank, and said that alternate ways to make payments, such as by telephone, remained an option. Although Harris said such action was "nothing new" and that the bank had done similar things before when faced with determined phishers, a U.S.-based banking analyst said it was news to her. "I've never heard of that tactic before," said Avivah Litan, a research director and vice president with Gartner who specializes in bank fraud and phishing issues. "Not that it's a bad action, but it sounds to me that NatWest didn't have a way to contain the damage. "It's an extreme measure. 
It probably means that they don't have other risk-control mechanisms in place, or the attack was getting out of hand," she added.

And while NatWest reacted quickly, there's a real chance a temporary measure like this won't stop phishers from exploiting stolen information. Increasingly, she said, it seems phishers are a lot more patient than anyone thought. "When you look at the big picture, there's more and more evidence that phishers are sitting on the information [they steal], and that the real damage may not show up for a year or two."

Phishers, Litan went on, "are very clever, and have a lot of time and patience." Rather than use their ill-gotten information immediately -- which is what NatWest assumes by temporarily limiting on-the-fly payments -- there's growing concern that cyber-criminals wait a long time before pouncing.

One tactic phishers are using, said Litan, is to apply for new credit cards using stolen identity information, use and pay those cards, and over a period of months, even as long as two years, build up the cards' credit limits. "Then they'll do 'bust-outs,'" said Litan. "That's when they run through the credit limit, say $50,000, before the first bill comes due, with no intention of paying."

The worst news, about NatWest's move, concluded Litan, is that it may only be the beginning of a new wave of banking business disruptions. "Once I thought that maybe phishing was a fad, and after a while it would be replaced by some other scam, like keyloggers. But it's not a fad. It's going to get worse, and it's not going to slow down."

From isn at c4i.org Fri Nov 19 06:03:11 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 19 06:14:29 2004
Subject: [ISN] Russian fined for virus-writing exploits
Message-ID:

http://www.theregister.co.uk/2004/11/18/russian_vxer_fined/

By John Leyden
18th November 2004

A Russian member of the well-known 29A virus writers group has been fined 3,000 roubles (approximately £57) after he admitted writing malicious code.
Eugene Suchkov (AKA Whale), from the little-known Russian republic of Udmurtia, admitted writing the Stepan and Gastropod viruses. He posted live code for the viruses alongside the source code necessary to create variants onto a number of underground virus exchange websites. Neither of these viruses spread. The nickname Whale comes from the name of a virus rather than any reference to Suchkov's physical size. 29A (hexadecimal for 666) is well known for creating proof of concept viruses. Its active membership, reckoned to be between 12 and 20 by antivirus company Sophos, is drawn from across Europe. Last week we reported how former 29A crew member "Benny" is taking a lead role in developing anti-virus software for a Czech company. Zoner Software, whose main business is graphics and multimedia, hired Benny to develop security software to protect servers run by Zoner's Internet division. According to Sophos, Benny resigned from 29A yesterday From isn at c4i.org Mon Nov 22 07:10:17 2004 From: isn at c4i.org (InfoSec News) Date: Mon Nov 22 07:26:56 2004 Subject: [ISN] Linux Advisory Watch - November 19th 2004 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | November 19th, 2004 Volume 5, Number 46a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@linuxsecurity.com ben@linuxsecurity.com Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for libxml2, MySQL, imagemagick, Apache, fetch, Ruby, BNC, Squirrelmail, gd, sudo, totem, drakxtools, httpd, freeradius, libxml2, and iptables. The distributors include Conectiva, Debian, Fedora, FreeBSD, Gentoo, Mandrake, Red Hat, Suse, and Trustix. 
----- LinuxSecurity.com Version 2 ----- Get ready ... on December 1st the new LinuxSecurity.com site will be revealed. The same great content you've come to expect with a whole new look and great new features. A sneak preview is coming soon! http://ads.linuxsecurity.com/cgi-bin/ads.pl?banner=lsv2flashdemo ------ Root Security The most sought-after account on your machine is the superuser account. This account has authority over the entire machine, which may also include authority over other machines on the network. Remember that you should only use the root account for very short specific tasks and should mostly run as a normal user. Running as root all the time is a very very very bad idea. Several tricks to avoid messing up your own box as root: * When doing some complex command, try running it first in a non destructive way...especially commands that use globbing: e.g., you are going to do a rm foo*.bak, instead, first do: ls foo*.bak and make sure you are going to delete the files you think you are. Using echo in place of destructive commands also sometimes works. * Provide your users with a default alias to the /bin/rm command to ask for confirmation for deletion of files. * Only become root to do single specific tasks. If you find yourself trying to figure out how to do something, go back to a normal user shell until you are sure what needs to be done by root. * The command path for the root user is very important. The command path, or the PATH environment variable, defines the location the shell searches for programs. Try and limit the command path for the root user as much as possible, and never use '.', meaning 'the current directory', in your PATH statement. Additionally, never have writable directories in your search path, as this can allow attackers to modify or place new binaries in your search path, allowing them to run as root the next time you run that command. * Never use the rlogin/rsh/rexec (called the ``r-utilities'') suite of tools as root. 
  They are subject to many sorts of attacks, and are downright dangerous run as root. Never create a .rhosts file for root.

* The /etc/securetty file contains a list of terminals that root can login from. By default (on Red Hat Linux) this is set to only the local virtual consoles (vtys). Be very careful of adding anything else to this file. You should be able to login remotely as your regular user account and then use su if you need to (hopefully over ssh or other encrypted channel), so there is no need to be able to login directly as root.

* Always be slow and deliberate running as root. Your actions could affect a lot of things. Think before you type!

If you absolutely positively need to allow someone (hopefully very trusted) to have superuser access to your machine, there are a few tools that can help. sudo allows users to use their password to access a limited set of commands as root. sudo keeps a log of all successful and unsuccessful sudo attempts, allowing you to track down who used what command to do what. For this reason sudo works well even in places where a number of people have root access, but use sudo so you can keep track of changes made.

Although sudo can be used to give specific users specific privileges for specific tasks, it does have several shortcomings. It should be used only for a limited set of tasks, like restarting a server, or adding new users. Any program that offers a shell escape will give the user root access. This includes most editors, for example. Also, a program as innocuous as /bin/cat can be used to overwrite files, which could allow root to be exploited. Consider sudo as a means for accountability, and don't expect it to replace the root user yet be secure.
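The PATH rules in the excerpt above can be checked mechanically. The following POSIX sh script is an added example written for this newsletter issue, not code from LinuxSecurity.com or the Administrator's Guide; the function names audit_path and path_is_clean are mine. It flags '.', empty entries (which the shell also treats as the current directory), relative entries, missing directories, directories writable by group or others, and optionally directories not owned by the expected account.

```shell
#!/bin/sh
# Added example (not from the LinuxSecurity Administrator's Guide): audit a
# PATH value for the problems the "Root Security" excerpt warns about.
# Uses only POSIX sh, ls and tr, so it runs on any Linux or BSD box.

# audit_path PATHVALUE [OWNER]
# Prints one "finding:entry" line per problem; prints nothing when clean.
# When OWNER is given, directories not owned by that account are reported too.
audit_path() {
    want_owner=$2
    # One entry per line. A trailing or doubled ':' yields an empty line,
    # which is exactly the "empty entry means current directory" case.
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        case "$entry" in
            '')  echo 'current-dir:(empty entry)'; continue ;;
            .)   echo 'current-dir:.';            continue ;;
            /*)  ;;
            *)   echo "relative:$entry";          continue ;;
        esac
        if [ ! -d "$entry" ]; then
            echo "missing:$entry"
            continue
        fi
        # ls -ldL prints e.g. "drwxrwxr-x 2 alice staff ..." (-L follows a
        # symlinked directory to its target). Field 1 is the permission
        # string, field 3 the owner.
        set -- $(ls -ldL "$entry")
        perms=$1
        owner=$3
        # Character 6 is group write, character 9 is other write. Anyone with
        # that access can drop a binary named like a common command into the
        # directory and have root run it the next time root types that name.
        case "$perms" in
            ?????w*|????????w*) echo "writable:$entry" ;;
        esac
        if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
            echo "owner:$entry"
        fi
    done
}

# path_is_clean PATHVALUE [OWNER]: succeeds only when audit_path finds nothing.
path_is_clean() {
    [ -z "$(audit_path "$1" "$2")" ]
}

# Example run: report on the invoking shell's own PATH, expecting every
# directory on it to be owned by root.
audit_path "$PATH" root
```

Run it from root's own shell (or with `su -`) so that the PATH being audited is the one root actually uses; a login shell and a non-login shell may not agree.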
Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave@guardiandigital.com)

-----

Mass deploying Osiris

Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel.

http://www.linuxsecurity.com/feature_stories/feature_story-175.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Conectiva         | ----------------------------//
+---------------------------------+

11/18/2004 - libxml2 buffer overflow vulnerabilities fix
This update fixes a buffer overflow vulnerability[2,3] in the URI parsing code found by "infamous41md" at the nanoftp and nanohttp modules of libxml2. An attacker may exploit this vulnerability to execute arbitrary code with the privileges of the user running an affected application.
http://www.linuxsecurity.com/advisories/conectiva_advisory-5193.html

11/18/2004 - MySQL vulnerabilities fix
Oleksandr Byelkin noticed[2] that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table instead of the new one. Lukasz Wojtow noticed[3] a buffer overrun in the mysql_real_connect() function.
http://www.linuxsecurity.com/advisories/conectiva_advisory-5194.html

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

11/12/2004 - ez-ipupdate format string vulnerability fix
Ulf Härnhammar from the Debian Security Audit Project discovered a format string vulnerability in ez-ipupdate, a client for many dynamic DNS services. This problem can only be exploited if ez-ipupdate is running in daemon mode (most likely) with many but not all service types.
http://www.linuxsecurity.com/advisories/debian_advisory-5162.html

11/16/2004 - imagemagick arbitrary code execution fix
A vulnerability has been reported for ImageMagick, a commonly used image manipulation library. Due to a boundary error within the EXIF parsing routine, specially crafted graphic images could lead to the execution of arbitrary code.
http://www.linuxsecurity.com/advisories/debian_advisory-5172.html

11/17/2004 - Apache arbitrary code execution fix
"Crazy Einstein" has discovered a vulnerability in the "mod_include" module, which can cause a buffer to be overflown and could lead to the execution of arbitrary code.
http://www.linuxsecurity.com/advisories/debian_advisory-5180.html

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

11/12/2004 - httpd-2.0.51-2.9 update arbitrary code execution fix
This update includes the fixes for an issue in mod_ssl which could lead to a bypass of an SSLCipherSuite setting in directory or location context (CVE CAN-2004-0885), and a memory consumption denial of service issue in the handling of request header lines (CVE CAN-2004-0942).
http://www.linuxsecurity.com/advisories/fedora_advisory-5166.html

11/12/2004 - httpd-2.0.52-3.1 update arbitrary code execution fix
This update includes the fix for a memory consumption denial of service issue in the handling of request header lines (CVE CAN-2004-0942).
http://www.linuxsecurity.com/advisories/fedora_advisory-5167.html

11/12/2004 - subversion-1.0.9-1 update arbitrary code execution fix
This update includes the latest release of Subversion 1.0, including the fix for a regression in the performance of repository browsing since version 1.0.8.
http://www.linuxsecurity.com/advisories/fedora_advisory-5168.html

11/12/2004 - subversion-1.1.1-1.1 update arbitrary code execution fix
This update includes the latest release of Subversion 1.1, including the fix for a regression in the performance of repository browsing since version 1.1.0 and a variety of other bug fixes.
http://www.linuxsecurity.com/advisories/fedora_advisory-5169.html

11/12/2004 - gdb-6.1post-1.20040607.43 update arbitrary code execution fix
#136455 workaround to prevent gdb from failing and getting stuck when hitting certain DWARF-2 symbols.
http://www.linuxsecurity.com/advisories/fedora_advisory-5170.html

11/16/2004 - abiword-2.0.12-4.fc3 update arbitrary code execution fix
Backport fix to stop #rh139201# crash on CTRL-A and making font changes
http://www.linuxsecurity.com/advisories/fedora_advisory-5178.html

11/16/2004 - authd-1.4.3-1 update arbitrary code execution fix
fix double-free prob detected on x86_64 glibc (#136392)
http://www.linuxsecurity.com/advisories/fedora_advisory-5182.html

11/16/2004 - gaim-1.0.3-0.FC3 update arbitrary code execution fix
1.0.3 another bugfix release
http://www.linuxsecurity.com/advisories/fedora_advisory-5183.html

11/17/2004 - xorg-x11-6.7.0-10 update arbitrary code execution fix
Several integer overflow flaws in the X.Org libXpm library used to decode XPM (X PixMap) images have been found and addressed. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim.
http://www.linuxsecurity.com/advisories/fedora_advisory-5191.html

11/17/2004 - xorg-x11-6.8.1-12.FC3.1 update arbitrary code execution fix
Several integer overflow flaws in the X.Org libXpm library used to decode XPM (X PixMap) images have been found and addressed. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim.
http://www.linuxsecurity.com/advisories/fedora_advisory-5192.html

+---------------------------------+
| Distribution: FreeBSD           | ----------------------------//
+---------------------------------+

11/18/2004 - fetch Overflow error
An integer overflow condition in the processing of HTTP headers can result in a buffer overflow.
http://www.linuxsecurity.com/advisories/freebsd_advisory-5195.html

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

11/16/2004 - Ruby Denial of Service issue
The CGI module in Ruby can be sent into an infinite loop, resulting in a Denial of Service condition.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5173.html

11/16/2004 - BNC Buffer overflow vulnerability
BNC contains a buffer overflow vulnerability that may lead to Denial of Service and execution of arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5174.html

11/17/2004 - Squirrelmail Encoded text XSS vulnerability
Squirrelmail fails to properly sanitize user input, which could lead to a compromise of webmail accounts.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5189.html

11/17/2004 - GIMPS, SETI@home, ChessBrain Insecure installation
Improper file ownership allows user-owned files to be run with root privileges by init scripts.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5190.html

+---------------------------------+
| Distribution: Mandrake          | ----------------------------//
+---------------------------------+

11/17/2004 - gd integer overflows fix
Integer overflows were reported in the GD Graphics Library (libgd) 2.0.28, and possibly other versions. These overflows allow remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx() function.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5185.html

11/17/2004 - sudo vulnerability fix
Liam Helmer discovered a flaw in sudo's environment sanitizing. This flaw could allow malicious users with permission to run a shell script that uses the bash shell to run arbitrary commands.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5186.html

11/17/2004 - Apache buffer overflow fix
A possible buffer overflow exists in the get_tag() function of mod_include, and if SSI (Server Side Includes) are enabled, a local attacker may be able to run arbitrary code with the rights of an httpd child process.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5187.html

11/17/2004 - Apache2 request DoS fix
A vulnerability in apache 2.0.35-2.0.52 was discovered by Chintan Trivedi; he found that by sending a large amount of specially-crafted HTTP GET requests, a remote attacker could cause a Denial of Service on the httpd server.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5188.html

11/18/2004 - bootloader-utils kheader issue fix
A problem with generating kernel headers exists when using the newer kernel-i686-up-64GB package. The updated bootloader-utils package corrects the issue.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5196.html

11/18/2004 - totem problem with blue screen fix
There is a problem in the totem package where in some cases when running totem a blue screen would appear. Resizing the screen seems to fix the problem temporarily, however upon minimizing or maximizing the screen it would once again become blue.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5197.html

11/18/2004 - drakxtools various issues fix
A number of fixes are available in the updated drakxtools package.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5198.html

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

11/12/2004 - httpd security issue and bugs fix
Updated httpd packages that include fixes for two security issues, as well as other bugs, are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-5163.html

11/12/2004 - freeradius security flaws fix
Updated freeradius packages that fix a number of denial of service vulnerabilities as well as minor bugs are now available for Red Hat Enterprise Linux 3.
http://www.linuxsecurity.com/advisories/redhat_advisory-5164.html

11/12/2004 - libxml2 security vulnerabilities fix
An updated libxml2 package that fixes multiple buffer overflows is now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-5165.html

11/16/2004 - samba security vulnerabilities fix
Updated samba packages that fix various security vulnerabilities are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-5179.html

+---------------------------------+
| Distribution: Suse              | ----------------------------//
+---------------------------------+

11/15/2004 - samba remote buffer overflow
There is a problem in the Samba file sharing service daemon, which allows a remote user to have the service consume lots of computing power and potentially crash the service by querying special wildcarded filenames.
http://www.linuxsecurity.com/advisories/suse_advisory-5171.html

11/17/2004 - xshared, XFree86-libs, xorg-x11-libs remote system compromises
The XPM library which is part of the XFree86/XOrg project is used by several GUI applications to process XPM image files. A source code review done by Thomas Biege of the SuSE Security-Team revealed several different kinds of bugs.
http://www.linuxsecurity.com/advisories/suse_advisory-5184.html

+---------------------------------+
| Distribution: Trustix           | ----------------------------//
+---------------------------------+

11/16/2004 - gd samba sqlgrey sudo Various security fixes
gd is a graphics library. It allows your code to quickly draw images complete with lines, arcs, text, multiple colors, cut and paste from other images, and flood fills, and write out the result as a PNG or JPEG file.
http://www.linuxsecurity.com/advisories/trustix_advisory-5175.html

11/16/2004 - apache automake bind console-tools Package bugfix
Apache is a full featured web server that is freely available, and also happens to be the most widely used.
http://www.linuxsecurity.com/advisories/trustix_advisory-5176.html

11/16/2004 - iptables Loading too many modules
Olaf Rempel pointed out that the list of modules we autoload is too large. This has now been fixed.
http://www.linuxsecurity.com/advisories/trustix_advisory-5177.html

11/16/2004 - gd samba sqlgrey sudo several overflows
Several overflows have been found in gd.
This can be used to execute arbitrary code in programs using the gd library.
http://www.linuxsecurity.com/advisories/trustix_advisory-5181.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Nov 22 07:11:58 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 22 07:26:58 2004
Subject: [ISN] Bofra exploit hits The Register's ad serving supplier
Message-ID:

http://www.theregister.co.uk/2004/11/21/register_adserver_attack/

By Team Register
21st November 2004

Important notice: Early on Saturday morning some banner advertising served for The Register by third party ad serving company Falk AG became infected with the Bofra/IFrame exploit. The Register suspended ad serving by this company on discovery of the problem.

Bofra/IFrame is a currently unpatched exploit which affects Internet Explorer 6.0 on all Windows platforms bar Windows XP SP2. If you may have visited The Register between 6am and 12.30pm GMT on Saturday, Nov 20 using any Windows platform bar XP SP2 we strongly advise you to check your machine with up to date anti-virus software, to install SP2 if you are running Windows XP, and to strongly consider running an alternative browser, at least until Microsoft deals with the issue.

We have asked Falk for an explanation and for further details of the incident, and pending this we do not intend to restart ad-serving via the company. Falk will, we understand, be making a statement regarding the matter on Monday.

Although the matter was beyond our direct control, we do not regard it as acceptable for any Register reader to be exposed in this way, and wish to apologise sincerely to anyone who was.

Further information about this particular exploit is available here [1] or here [2].
[1] http://www.theregister.co.uk/2004/11/04/ie_iframe_vuln/
[2] http://www.theregister.co.uk/2004/11/10/bofra_worm/

From isn at c4i.org Mon Nov 22 07:12:27 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 22 07:27:05 2004
Subject: [ISN] Falk statement on Bofra attack
Message-ID:

http://www.theregister.co.uk/2004/11/22/falk_bofra_statement/

By Falk eSolutions
22nd November 2004

Site notice

On Saturday, The Register suspended service by third party ad serving supplier, Falk, following security issues detailed here [1]. Here is Falk's account of what went wrong:

Summary

Incident at delivery level - Between 6:10 AM and 12:30 AM (GMT) on Saturday, 20th November 2004 Falk eSolutions clients using AdSolution Global experienced problems with banner delivery. This started on Saturday morning with a hacker attack on one of our load balancers. This attack made use of a weak point on this specific type of load balancer. The function of a load balancer is to evenly distribute requests to the multiple servers behind it. The system concerned was only used to handle a specific request type to our ad server and has now been investigated. The results are outlined in this document.

Description of the problem

The use of a weak point in one of our load balancers type FLB02/CP led to user requests not being passed to the ad servers. Instead the user requests were answered with a 302 redirect to the URL 'search.comedycentral.com' (199.107.184.146). This happened with approximately every 30th request. Users visiting websites that carry banner advertising delivered by our system were periodically delivered a file from 'search.comedycentral.com'. This file tries to execute the IE-Exploit function on the users' computer. We don't know yet whether the publishers of 'search.comedycentral.com' are aware of the exploit or their server has been attacked by a hacker, too.

Problem analysis

The weak point occurred due to a memory leak on the load balancer concerned.
After the load balancer was taken out of service on Saturday at 11:30 AM (GMT) this was no longer possible. Because of this it was difficult at the beginning to find an error on our side. The servers that deliver the banners were not affected at all. Only afterwards were we able to find the error on the load balancer by analysing its log files.

Results of investigation

By attacking a single load balancer type FLB02/CP it was possible for users to be redirected to 'search.comedycentral.com' which tried to install the exploit type 'Bofra/IFrame-Exploit'. With approximately every 30th request for banner media this redirect occurred.

Further measures

The load balancer concerned has been taken out of service indefinitely and has been replaced with a newer model. Additional monitoring has been instated that supervises the load balancing process and whether this has been interrupted or manipulated. Further, a policing tool that supervises redirects to unknown, erroneous or infected files has been deployed.

[1] http://www.theregister.co.uk/2004/11/21/register_adserver_attack/

From isn at c4i.org Mon Nov 22 07:12:59 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 22 07:27:08 2004
Subject: [ISN] Air Force to standardize Microsoft configurations
Message-ID:

http://www.nwfusion.com/news/2004/1119airforce.html

By Ellen Messmer
Network World Fusion
11/19/04

The U.S. Air Force early next year will require its 525,000 personnel and civilian support staff to use a single and specially configured version of Microsoft's operating system and applications, said the military department's CIO.

At a press conference at the Pentagon Friday to announce the strategy, Air Force CIO John Gilligan said the department wants to use a single version of Microsoft products, configured with security in mind, on its desktops and servers to help it reduce the problems it faces in applying software patches whenever Microsoft announces new vulnerabilities.
As part of the initiative, the Air Force has hashed out an agreement directly with Microsoft CEO Steve Ballmer that includes the consolidation of 38 separate contracts and replacing them with two. The new contracts involve Microsoft supplying a version of its desktop and server operating system and applications that include System Management Server 2003, Office 2003, and Exchange. Gilligan said the new arrangement with Microsoft would save the Air Force about $100 million. The Air Force will also receive automated patch updates under a program in which Microsoft will work closely with the Air Force to identify new vulnerabilities early on. The laborious patch testing and distribution process would be automated through a single center. In addition, the procedure of separate Air Force commands buying their own Microsoft software would be discontinued in lieu of a central purchasing decision. "We expect significant economies of scale through this," Gilligan said. The Microsoft products will be configured under guidelines still to be determined but expected to be based on input from the National Security Agency, Defense Information Systems Agency as well as the Center for Internet Security. The Air Force endures about one network-based attack per week that successfully exploits new vulnerabilities, Gilligan said. "There's some disruption and loss of capability," he pointed out, noting that Air Force bases all over the world support the operations of the war in Afghanistan and Iraq. The idea of sticking with a single version of Microsoft products, and setting up a way to centralize distribution of software updates, is expected to alleviate the severe time delays and expense associated with patching software in the Air Force, Gilligan said. "We're spending more money patching and fixing than buying software," said Gilligan during the press conference. It's not unusual for patching of vulnerabilities to take months to complete, he said. 
Gilligan said the problem of Air Force commands using different versions of the Microsoft operating system and applications had not only engendered some interoperability problems, but also produced more work in applying patches, which is generally still done manually within the Air Force. "We want Microsoft focused not on selling us products but to enhance the Air Force in our mission," said Gilligan, adding that he hoped the new effort would lead to the kind of support Microsoft could provide other organizations in the future.

Gilligan acknowledged that in grappling with the patch-update issue, the Air Force had considered transitioning to open-source software but determined the transition costs would simply be too high. Also, he noted that all software from all vendors, as well as open source, faces the problem of newly-discovered vulnerabilities that have to be patched.

The Air Force operates several hospitals, and many medical devices used in operating rooms also use commercial operating systems, including Microsoft's Windows. Gilligan said the Air Force is mindful that these medical devices also face patching issues and that medical devices can also be vulnerable to attack when they are left unpatched. Gilligan said a separate certification program under which vendors must agree to timely patch updates is now in place to address this problem. The Air Force has started to insist on that in contracts with device vendors, he noted. In addition, Gilligan added that the Food & Drug Administration, which regulates medical devices, has issued guidelines to the Air Force that will allow the military department to directly install software patches as well in certain circumstances.

From isn at c4i.org Mon Nov 22 07:13:24 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 22 07:27:09 2004
Subject: [ISN] Interior's CIO fights fires
Message-ID:

http://www.fcw.com/fcw/articles/2004/1122/mgt-tipton-11-22-04.asp

By Sarita Chourey
Nov. 22, 2004

The Interior Department's chief information officer was beginning to wonder if he had become the guy in charge of killing projects. Every job that W. Hord Tipton has had, he said, seemed to come with an ailing system and a plug in need of pulling. In 1999, as a state director, he was given the task of putting to rest the Bureau of Land Management's waning Automated Land and Mineral Records System. But his work on the other part of the assignment - to rebuild it - caught many people's attention and helped him climb to the post of chief information officer two and a half years later.

Tipton, a qualified firefighter, karate black belt and certified land surveyor, has the calm of a seasoned sheriff. Indeed, he was once a law enforcement official. But Tipton's expertise reflects a work ethic that is simple yet arduous: Practice what you preach. In March, months before taking the job as Interior's CIO, Tipton, 60, did something unusual for a federal agency CIO: He became a Certified Information Systems Security Professional.

The certification matches the job at hand. Security is at the forefront at Interior, an agency that has been beleaguered by hackers and system vulnerabilities. The problems resulted in a court-ordered shutdown of Internet access to parts of Interior's eight bureaus. Since Tipton took the helm, Interior officials have spent about $100 million on systems and network security. Two years earlier, the agency was spending about $4 million per year. By emphasizing business systems security, he said, the level of security is many times stronger than it was before.

Tipton, a father of two, is an engineer among lawyers: His wife, daughter and son-in-law are attorneys. Tipton's wife, Nina Hatfield, is a descendant of the family involved in the famous Hatfield-McCoy feud. Born in Kentucky, Tipton speaks with an unmistakable Southern twang. The folksiness of his speech is a product of his upbringing.
With a 13-year private-sector career in Tennessee, Tipton has a keen understanding of information technology and the expansive nature of Interior's mission. The department, the fourth federal agency created, was started in 1849, a number that matches its address on C Street in Washington, D.C. It has 53 business operations, eight bureaus, 77,000 employees and 2,500 offices scattered from the Insular Islands to the remote reaches of Alaska. "Nothing we do is untouched by the flow of electrons," he said. The individual bureaus receive direct appropriations from Congress rather than funds from Interior's central budget. The arrangement is good, Tipton said, because it requires a discussion by business people and IT staff. Business drives IT, not the other way around, he said. Most Interior employees have a mix of business and IT skills, so they can devise their own ideas without relying on the agency's IT shop. Certified project managers have become a mandatory component of initiatives under Tipton's lead. But he said the agency has a way to go, especially with regard to finding project managers with enough experience to lead major cross-agency projects. Randy Feuerstein, the Bureau of Reclamation's CIO, said Tipton is dedicated, persistent and persuasive. "Hord does his best to keep us all moving in the right direction and has accomplished a great deal in a very short period of time," Feuerstein wrote in an e-mail. Interior officials, like those at many agencies, are abuzz with the notions of enterprise. The question to ask, Tipton said, is, "Why do we need more systems or support or help desks?" Taking law enforcement as an example, he said, "we 'architect' what we want it to look like from a law enforcement [perspective] with the departmental owner of that program. They lead that effort from a business side, and we complement it from an IT side, and it comes together." 
Tipton said employees in his office are working on a business case this year for a consolidated law enforcement system for all of Interior. His goal is "shutting down four systems for the benefits of operating one." Agency officials are trying to consolidate 13 independent networks with different service providers to a single one with a backup system. One of the 13 is the Enterprise Services Network, which "comes under the overarching view of an enterprise, [including] approach, standardization, economies of scale and service deliveries," Tipton said. The common strand running through all the networks is security. The agency has been dogged by Government Accountability Office reports, congressional criticism and legal battles involving the Indian Trust. Agency officials argue that the legal accusations greatly discount Interior officials' ability to protect data. In addition to his security professional certification, Tipton also is certified as an Information Systems Security Engineering Professional. Therefore, he isn't likely to be swayed by employees who want to automate a program if it isn't necessary. He can discern whether something is crucial or simply nice to have. IT employees must answer important questions about business practices before a program is automated. Tipton demands vigorous analysis to build a strong case. "We are not going to automate the cow path," he said. 
Chourey is a freelance writer based in Palo Alto, Calif.

From isn at c4i.org Mon Nov 22 07:14:05 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 22 07:27:12 2004
Subject: [ISN] New security standards to strengthen SCADA
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,97606,00.html

By Mark Willoughby
NOVEMBER 18, 2004
COMPUTERWORLD

The security of critical-infrastructure processes, long festering as a thorny issue in securing everything from food and water to energy and transportation, will be getting a boost from proposed standards for industrial controls.

The National Institute of Standards and Technology (NIST) fostered the creation of the Process Control Security Requirements Forum in 2001. The group issued the first draft of its System Protection Profile for Industrial Control Systems (SPP ICS) in October.

"It started out as a group of a dozen end users," said Keith Stouffer, the forum's chairman and an engineer at NIST. "Now we have about 600 members. It includes everybody from the process control world," he said, such as users, academics, government officials, integrators and vendors.

The original group held about 10 meetings and "a bunch of conference calls" seeking input from the 13 critical-infrastructure groups designated by the U.S. Department of Homeland Security, Stouffer said. Those infrastructure groups include critical civil services such as transportation, food, water utilities, electric power, pharmaceuticals and energy, and typically are large users of process control or Supervisory Control and Data Acquisition (SCADA) systems.

"SCADA systems were designed around reliability and safety, not security. Now SCADA systems are becoming increasingly interconnected with IP networks and have become vulnerable to Internet threats," Stouffer said.
The group looked initially to model their security standards after the work done by the National Information Assurance Partnership, a partnership between the National Security Agency and NIST that administers the Common Criteria Evaluation and Validation Scheme for trusted systems. "There's no other formal languages for specifying security requirements," Stouffer said, adding that the SPP "says what needs to be done, not how you have to address it."

The SPP requirements address system life-cycle security and were developed by consensus, he said. They will be periodically updated with marketplace feedback. "It's not a NIST specification. It comes from industry. We're trying to get people to think about security from the get-go when architecting a system," Stouffer said.

The SPP ICS includes such time-honored security concepts as defense in-depth, or layered security, extending from industrial process sensors and programmable logic controllers (PLC) up through the factory control and enterprise business hierarchy to the Internet.

The process control security issues addressed in the draft SPP ICS mirror security baselines found elsewhere. According to Stouffer they are:

1. Spoofing countermeasures: To prevent masquerading attacks and to maintain confidentiality and data integrity for PLC and sensor data.

2. Identification and authorization: For both users and data, "to make sure the data is authentic" between devices, sensors, PLCs, controllers and up the manufacturing hierarchy, including human users.

3. Logging and auditing: To provide forensic capabilities if something goes wrong, with time and date stamps.

4. Encryption: Voluntary encryption for sensitive or private information, where necessary.

5. Default security: Products need to come secure from the vendor "out of the box" with security turned on by default.

6. Physical security: To maintain the integrity of the system.

7. Policies and procedures: To provide for secure management practices.
"Certification has only recently been discussed. It hasn't been worked out if certification is useful," Stouffer said. "That will be a marketplace issue. There are issues with certification, like cost." The cost of having a commercial software product undergo a Common Criteria evaluation can be $250,000 and up, according to industry sources. A user representative on the forum, Thomas Good of Du Pont Co. in Wilmington, Del., said the new standards would have an impact on the security of industrial processes in "two to three years," as well as on their management. "By having a set of products available with configurable security features, end users can select the appropriate off-the-shelf device and configure its security features to match their risk/impact situation," he said. "Companies will consider SPP ICS compliant control systems on modernization projects or new production lines when the risk is sufficiently high. Due to the total cost of replacement, I would not anticipate many companies ripping out and replacing existing control systems." Some retraining may be required for plant operations, Good said. "Effective use of new security features will likely require skills not currently found in many process control system managers," he said. Sources for the additional security knowledge would be the internal IT organization, more training for process control operators, or bringing in contractors, he said. Process control vendor Honeywell International Inc. expects to see a ready marketplace for SPP ICS-compliant products. "We believe our customers will be adopting these requirements," said Kevin Staggs, a Honeywell control systems planner in Phoenix. Many products already meet some of the requirements, he said. "We understand that security is a journey more than a destination. We will be continuing to evolve our products and services to meet the requirements of our customers." 
Cost, he said, should not be an objection to SPP ICS compliance because the security will be "baked into the system" for the customer to configure.

Mark Willoughby, CISSP, is a 20-year IT industry veteran and journalist with degrees in computer science and journalism. For the past seven years, he has tracked security and risk management start-ups and is a managing consultant at MessagingGroup, a Denver-based content development specialist.

From isn at c4i.org Mon Nov 22 07:14:58 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 22 07:27:14 2004
Subject: [ISN] More funding needed for security R&D, IT committee says
Message-ID:

http://gcn.com/vol1_no1/daily-updates/27979-1.html

By William Jackson
GCN Staff
11/19/04

The government has shortchanged basic research into cybersecurity and should at least quadruple the money available for civilian research, the President's IT Advisory Committee says.

The government plays a key role in supplying the intellectual capital to improve the security of IT systems, said F. Thomas Leighton, chairman of the PITAC subcommittee on cybersecurity. "The government has largely failed in this regard," he said.

Leighton, chief scientist of Akamai Technologies of Cambridge, Mass., and a faculty member at the Massachusetts Institute of Technology, presented draft findings and recommendations from a subcommittee study at a PITAC meeting Friday.

In addition to being underfunded, government research efforts are becoming increasingly classified and focused on short-term results, the committee found. It recommended that these trends be reversed and that a central authority be established to evaluate research needs and oversee federal funding.

The subcommittee examined funding for basic research by the National Science Foundation, Defense Advanced Research Projects Agency, Homeland Security Department, National Security Agency, and the National Institute of Standards and Technology.
Most R&D money goes to such agencies as DARPA and NSA, where it is focused on military and intelligence issues. Because more and more of their work is being classified, little benefit is being seen in overall IT security.

NSF is the primary source of funds for civilian security research, with its $30 million Cyber Trust program. In 2004, it funded 8 percent of grant proposals, at 6 percent of the requested amount. The subcommittee recommended that the program be expanded by at least $90 million annually.

The current emphasis on short-term programs means most research is focused on reactive technologies rather than producing more secure systems. "We are in a vicious cycle of having to spend more money to plug the holes in the dyke rather than moving forward," Leighton said. Money should be made available for more long-term, revolutionary work, with a willingness to accept the risk of failure in some programs.

The subcommittee identified 10 critical areas for future research:

* Computer authentication methodologies so sources of packets can be traced in large-scale networks
* Securing fundamental networking protocols
* Secure software engineering
* End-to-end system security, rather than merely secure components
* Monitoring and detection to quickly identify problems
* Mitigation and recovery methodologies to avoid catastrophic failure when problems occur
* Cyberforensics tools for aid in criminal prosecutions
* Modeling and test beds for new technologies
* Metrics, benchmarks and best practices for evaluating the security of security products and implementing them
* Nontechnical societal and government issues.

The subcommittee expects to present a final draft report at the next PITAC meeting on Dec. 5.
From isn at c4i.org Tue Nov 23 06:23:38 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 23 06:38:09 2004
Subject: [ISN] Mi2g responds to criticism over its security study
Message-ID:

http://www.linuxworld.com.au/index.php/id%3B1616857056%3Bfp%3B2%3Bfpid%3B1

Phil Hochmuth
Network World
23/11/2004

U.K. research firm mi2g generated a lot of heat for itself when it released a report last month on the most-hacked operating systems on the Internet. In its "deep study," the firm said it had analyzed almost 240,000 computers attached to the Internet that had been hacked over the last 12 months. It found Linux to be the operating system on 65% of the computers that were hacked, while Microsoft represented 25% of the systems. BSD and Mac OS X were deemed the "safest" systems as they represented about 5% of the systems hacked.

Since the study's release, many Linux industry observers and experts have called into question mi2g's findings and methodology. What observers call the fatal flaw in mi2g's logic is the fact that its analysis of the 235,907 hacked systems it studied only reflects the market share of the various operating systems running on the Internet - not the technical strength of the systems studied. Since Linux and Microsoft are among the majority of operating systems running on the 'Net, this correlates with those systems being represented as "most hacked" in mi2g's report, since it only studied hacked systems. (The fact that Unix was left out of the report - when Netcraft research shows that Solaris runs 32% of the Fortune 100 Web sites - also brings into question how mi2g got its numbers, observers say.)

Research showing BSD and Mac OS X are the least-hacked operating systems does not tell you if the code in those products is stronger or weaker than Windows, Linux or any other platform - it just shows how little they are used on the 'Net.
Mi2g's response to this type of argument is this (from its Web site):

"When applying the benchmark of uptime on the full sample of permanently connected 235,907 machines, the mi2g ... found that the only computing environments left standing without the need for a single reboot at the end of the 12 month period were either BSDs or Apple Mac OS Xs ...

"On this basis, when it comes to the approach of relativistic safety and security in computing environments, we consider the market share safety and security debate to be looking through the wrong end of the binoculars. Instead of a bigger market share being a positive and smaller being negative, it has been shown that, bigger market share is a contributor to much higher risk profiles and small may be beautiful."

By this logic, users are better off picking the most obscure operating systems on the Internet to ensure site safety and uptime. Will this lead the security gurus in the Fortune 500 to flock to OpenVMS and OS/2 for their Web infrastructure? Not likely.

So, ultimately, does the mi2g study reflect any inherent or alarming weaknesses in Linux as a Web server platform? Not really.

From isn at c4i.org Tue Nov 23 06:23:51 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 23 06:38:11 2004
Subject: [ISN] U.S. security critic sues Japan for censorship
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,97758,00.html

By Paul Kallender
NOVEMBER 22, 2004
IDG NEWS SERVICE

TOKYO - A U.S. computer security expert is suing the Japanese government for violation of his freedom of speech, alleging that officials censored him at a recent computer security conference. The lawsuit is the first of its kind in Japan, according to his lawyer.

A law firm representing Ejovi Nuwere, chief technology officer of SecurityLab Technologies Inc.
in Boston, filed a petition at the Tokyo District Court against the Japanese government for punitive damages of $290,406 for violation of Nuwere's rights under Article 21 of the Japanese Constitution, according to Nuwere's attorney Tsutomu Shimizu. Clause one of the article guarantees freedom of speech, press and all other forms of expression.

The petition was filed following a claim by Nuwere that officials of Japan's Ministry of Internal Affairs and Communications (MIC) forced him to abandon a presentation he was to have given on Nov. 12 on security issues related to Japan's online citizen registry network, called Juki Net.

Juki Net is a national network of databases that contain the names and personal details of nearly every person residing in Japan. It has been surrounded by controversy, particularly over its security. During a security audit conducted last year, Nuwere and Japanese experts managed to compromise servers in part of the system maintained by one of Japan's prefectural governments. It was about these experiences that Nuwere had intended to talk.

Nuwere claims he was forced to cancel his talk after MIC officials demanded that he remove a series of slides and not voice his conclusions about the audit. The revisions imposed on the talk were drastic, and amounted to censorship, he said.

"The [MIC] has no right to tell any one citizen or noncitizen that they cannot speak," he said. "We should all be entitled to think and speak our own opinion, free from government oversight," he said.

Nuwere said he felt he should file the suit because the MIC did little or nothing to resolve disagreements about the contents of the speech, despite offers by Nuwere to meet with officials to reach an agreement. "What they did was censorship in its most basic form," he said.

The government will probably respond with a counter-petition in about a month or six weeks, according to Shimizu.
The plaintiff will then decide whether to reply, and the case will probably go to court, said Shimizu. If or when this happens, legal proceedings will probably take more than a year, he said.

From isn at c4i.org Tue Nov 23 06:24:09 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 23 06:38:12 2004
Subject: [ISN] Hackers Pocket W16 Billion in Cyber Cash
Message-ID:

http://times.hankooki.com/lpage/200411/kt2004112315444353460.htm

By Chung Ah-young
Staff Reporter
11-23-2004

The state prosecution on Tuesday indicted two computer hackers and one of their accomplices on charges of stealing cyber money worth 16.4 billion won ($15.3 million) by infiltrating one of the largest online game firms.

The Seoul Central District Public Prosecutors' Office said the suspects pocketed the largest amount of cyber money ever obtained in hacking crimes.

Investigators said the suspects allegedly broke into the online game site to steal cyber cash, which can be exchanged for real money, and sold it to cyber brokers on Sept. 24-27.

Prosecutors said that the suspects plotted the crime beforehand through closely reviewing the company's electronic payment system and conducted practice runs beforehand. They found that the Web site run by the major game company has a loophole that enabled them to manipulate file contents.

Before committing the crime, the suspects did a mock hacking via the service and stole cyber cash worth 27 million won in March and June.

Prosecutors said they connected to the company's information network system 227 times during the Chusok holiday in September. They illegally charged mileage points worth 164.7 billion won through 152 identification numbers that they set up beforehand.

The suspects then allegedly traded stolen cyber cash at 750 million won to a broker, identified as Kim, who also raked in a total of 168 million won by selling it to other brokers through e-mails or identification numbers.
Prosecutors said the company's damages have been minimized because it immediately shut down the use of the identification numbers right after the crime occurred. However, prosecutors did not exclude the possibility that more damages are expected because game mileage is vulnerable to illegal trading and is circulated through the black market between cyber traders.

The amount of cyber money they stole, estimated at mileage points worth 164.7 billion won, is equivalent to the amount only after users have spent 16.4 billion won in buying items or using services the company provides.

From isn at c4i.org Tue Nov 23 06:24:26 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 23 06:38:14 2004
Subject: [ISN] IP VPNs save, but they can carry 'gotchas'
Message-ID:

http://www.nwfusion.com/news/2004/112204vpnhidden.html

By Tim Greene
Network World
11/22/04

While IP VPNs are widely accepted as an effective remote access and WAN technology that can save money, there are hidden challenges users should be aware of to avoid costly problems.

For instance, Concord, Mass., business consultancy Mercator Partners is scrapping the SonicWall IPSec VPN appliances it deployed in home offices in favor of IPSec client software on employees' PCs. Although the appliances live up to their promise of segregating business machines from home machines via separate ports, it turns out the arrangement leaves open the possibility that family members still could tap into the corporate VPN, says Seth Cordes, IT manager at the firm. Rather than risk that, Mercator changed technology and now just home PCs with the software can tap into the VPN.

Still, looking at the big picture, there are significant savings to be gleaned from VPNs, particularly site-to-site VPNs that replace traditional WAN links.

"On average, customers are paying anywhere between $450 and $1,200 a month per site on dedicated circuits," says John Pouliot, a principal with WAN Strategies, an integrator and VPN service provider in Manchester, N.H. With an Internet-based VPN, those costs can plummet. "Compare that with $45 a month average per site for DSL connections and the upfront cost - anywhere from $350 to $1,295 [per site] of the VPN hardware," he says.

Even with these big savings in mind, businesses have to keep in mind that VPNs are full of cost "gotchas."

Lancet Technology, a medical software company in Boston, in the past has created VPN connections with its business partners using Cisco and Nortel VPN clients, says Kevin Mulligan, CIO of the firm. But the clients are tricky to configure and the partners generally don't have experience with them. Plus, the VPNs require reconfiguring firewalls so VPN traffic can pass through, which winds up costing Lancet time on the phone to help out. "We had more headaches with them," Mulligan says.

He had to spend a lot of time negotiating with partners to get them to agree to the VPN in the first place, the major objection being that firewall reconfiguration goes against their corporate policies. Similarly, being on the receiving end of such a proposal and joining a partner's existing VPN can tie up valuable time, he says, which again translates into expense.

Customers trying to comply with requests to use the same client ran into trouble, creating more work for Lancet, Mulligan says. "They would call us, and we would call Cisco technical support, and six hours later we might resolve it," he says, but by then the day was shot. Instead the firm has switched to a managed SSL remote-access service that requires no client and no firewall reconfiguration.

Even when VPNs are successful, their very success can cut in on expected savings, says Dan King, network administrator for The Mental Health Center of Greater Manchester, N.H.
He replaced point-to-point T-1 lines from four satellite offices to the main office with a SonicWall IPSec VPN. The switch saved enough money to give a fifth, unconnected office an ISDN-based DSL line.

But the new connections gave each office its own Internet access, meaning Internet traffic was no longer funneled through the lone Internet connection at the main site. These new connections also provided faster downloads, a performance boost that resulted in more use. And when he was offered a price reduction on his 768K bit/sec DSL lines or an increase in bandwidth to 1,024K bit/sec, he gave up the savings for the bandwidth.

Customers should check out proposed VPNs in all their probable uses before committing to them, says Tony McCafferty, director of IT for Hualalai Resort in Kailua Kona, Hawaii. It can eliminate a lot of costly swapping, he says.

The resort needed remote access for traveling executives, and he believed an IPSec VPN was the way to go. Initially Check Point's Secure Remote clients were installed in company laptops, which worked well much of the time. But at hotels and at business partner sites, there were problems crossing firewalls, resulting in calls for help.

SSL remote

McCafferty decided to try SSL remote access because it required no special firewall configuration. The gear he bought though, made by Aventail, was too complex to get running properly. "The unexpected cost on our part was trying to troubleshoot," he says. Software upgrades and even having the company ship him a configured unit didn't solve the basic problem of getting it to work with Outlook Web Access.

After about nine months of trying he gave up and bought an SSL gateway from Enkoo, a vendor that designed its gear to be easy to set up. The gateway lacked features of other SSL gear, but it had enough to meet Hualalai's needs, he says. He only recently turned off the Check Point gear.

"We had so much trouble getting the Aventail up and running we couldn't get rid of the IPSec altogether," McCafferty says.

When customers buy VPN gear, they have to accept that it is more equipment on their network that requires maintenance. "When you buy security gear, you are constantly installing updates and patches," says Robert Whiteley, a VPN analyst with Forrester Research, and that can mean a big investment in time. "If you're an enterprise worth your salt, you're going to test [the updates] first."

VPN gear also can carry peripheral expenses, Whiteley says. Securing VPNs might involve authenticating remote users with digital certificates, another investment in time and education. "It means managing digital certificates and making sure they are properly deployed," he says.

Businesses also face the cost of upgrading as technologies improve, says Desmond Lee, VPN project manager for group IT infrastructure and operations at PartnerRe, an international re-insurance company in Bermuda. The company has decided to forego an upgrade of its IPSec VPN equipment from Check Point because it requires replacing gear at 15 sites. Instead, it is switching to just three SSL remote-access gateways from Juniper. SSL requires less equipment, and it comes with software to check the security of the remote machines, something that would have meant an upgrade with Check Point, Lee says.

From isn at c4i.org Tue Nov 23 06:24:38 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 23 06:38:16 2004
Subject: [ISN] Security bosses feel patch pain
Message-ID:

http://www.fcw.com/fcw/articles/2004/1122/web-ciso-11-22-04.asp

By Florence Olsen
Nov. 22, 2004

A survey to be released today cites patch management as the No. 1 concern of chief information security officers in the federal government. The survey, conducted by O'Keeffe & Co.
for Intelligent Decisions, a federal systems integrator, highlights the day-to-day concerns of federal CISOs and the effects that the Federal Information Security Management Act has had on them professionally.

"The fact that they're saying software quality and patch management are way up there in terms of their pain, that's a pretty clear message to the vendor community that we need to figure out how to solve that problem," said Ted Ritter, director for cybersecurity at Intelligent Decisions.

In the survey results, achieving FISMA compliance and avoiding a compromised network tied for second place among the concerns of federal CISOs.

The survey results also showed CISOs spending a large portion of their time on administrative activities related to FISMA compliance, with the burden falling heaviest on those whose average full-time staff size is 2.6 employees. Federal CISOs who control a budget of less than $500,000 spend 45 percent of their time on FISMA compliance reporting and only 15 percent of their time on network security monitoring and inventory control. By contrast, CISOs who control a budget of more than $10 million spend 27 percent of their time on FISMA compliance reporting and an equal amount of time on network security monitoring, systems administration and troubleshooting.

The telephone survey was based on interviews with 25 out of 117 federal CISOs.

From isn at c4i.org Wed Nov 24 08:59:29 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 24 09:15:14 2004
Subject: [ISN] Hackers hijack county phones
Message-ID:

http://www.gazettetimes.com/articles/2004/11/24/news/community/wedloc05.txt

By Les Gehrett
For the Gazette-Times
November 24, 2004

ALBANY - Hackers broke into the Linn County government's phone system earlier this month and billed the county for many hours worth of expensive international calls. The county has fixed the problem and is working with phone company fraud investigators to sort out the charges.
Linda Penick, an administrative assistant in the county's general services division in charge of telecommunications, said the problem seems to have begun over the weekend of Nov. 13-14.

She said hackers began by calling the main dial-in number for various county departments. Using the voicemail system, they reached individual employee voicemail boxes. The hackers then tried to figure out each employee's password, so that they could change the greeting on the employee's voicemail. This turned out to be pretty easy to do in some cases, because a few employees were using their extension number as their voicemail password.

Once the hackers figured out the password, they recorded a new greeting. This new greeting was basically, "Hello. Yes, I'll accept the charges." This was done to between 10 and 20 county phone lines.

These phone lines were then used to authorize third-party collect calls overseas. Callers would simply make collect phone calls, say that they wanted to bill the call to a home phone, and give a county employee's phone number as the home number. When the operator dialed the county number, the altered voicemail system kicked in, answered the phone and authorized the billing.

Penick said county departments were contacted by fraud investigators from MCI on Monday, Nov. 15. The departments referred the problems to her, since she handles the county's phone system. "I spent all week fighting through this and trying to figure out what they had done," Penick said. She thinks that once the phone system was broken into, the hackers publicized and sold the access numbers.

Throughout the week, employees continued to receive a barrage of phone calls from operators asking them to authorize the collect phone calls. The employees, of course, refused.

Penick said county employees have been told to change their voicemail passwords and to not use their extension number as their password.
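One way a telecom or IT administrator could audit voicemail PINs against the weaknesses this story describes, as an added example that is not from the article or from Linn County's phone system: the check flags a PIN that equals or contains the mailbox's own extension, a single repeated digit such as 9999, an ascending or descending run such as 1234, and anything shorter than a policy minimum. The six-digit minimum, the function names and the sample extensions and PINs are assumptions constructed for the example.

```python
"""Voicemail PIN policy audit (added example; not the article's or the county's code).

Flags the PIN choices the phone-fraud story describes: a PIN equal to the
mailbox extension, a single repeated digit, an ascending or descending digit
run, and PINs below a policy minimum length. All values below are constructed.
"""

MIN_LEN = 6  # assumption: a policy minimum, not a figure from the article


def is_repeated_digit(pin: str) -> bool:
    """True for PINs like '9999' that use one digit only."""
    return len(set(pin)) == 1


def is_sequential(pin: str) -> bool:
    """True for runs like '1234' or '4321' (every step +1 or every step -1)."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def pin_problems(pin: str, extension: str, min_len: int = MIN_LEN) -> list[str]:
    """Return the list of policy violations for one mailbox (empty if it passes)."""
    problems: list[str] = []
    if not pin.isdigit():
        # The digit-based checks below assume a numeric PIN, so stop here.
        problems.append("PIN must be numeric")
        return problems
    if len(pin) < min_len:
        problems.append(f"shorter than {min_len} digits")
    if extension in pin:
        # Covers the exact match the county saw and a PIN padded around it.
        problems.append("matches the extension")
    if is_repeated_digit(pin):
        problems.append("single repeated digit")
    if is_sequential(pin):
        problems.append("sequential digits")
    return problems


def audit(mailboxes: dict[str, str]) -> dict[str, list[str]]:
    """Map extension -> problems for every mailbox that fails policy."""
    return {ext: p for ext, pin in mailboxes.items() if (p := pin_problems(pin, ext))}


# Constructed sample export (hypothetical extensions and PINs, not real data).
SAMPLE = {
    "4512": "4512",    # extension reused as the PIN
    "4513": "9999",    # single repeated digit
    "4514": "123456",  # ascending run
    "4515": "830417",  # passes
    "4516": "654321",  # descending run
}

if __name__ == "__main__":
    for ext, probs in audit(SAMPLE).items():
        print(f"{ext}: {', '.join(probs)}")
```

On a real PBX the extension-to-PIN list would come from the voicemail system's administrative export rather than an inline dictionary, and the audit would run before the system is reachable from the outside dial-in number. Rules that depend on personal data (a PIN built from a birthday, for instance) need HR records to check and are deliberately left out.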
She has also changed their system so that third-party collect calls cannot be billed to the county. County departments will continue to accept legitimate collect calls from residents of the county.

Debbie Lewis, a spokeswoman for MCI, said this is a common scheme. "This is one way that intruders try to damage the integrity of a phone system for their own illegal activities," Lewis said.

To guard against such an attack, Lewis said companies and government agencies should work closely with their internal phone system vendors to follow proper security measures. Passwords should be long enough that they are difficult to hack, and they should never be based on birthdays or social security numbers. Passwords should also be varied, not using either a single number, such as "9999" or a sequential number, such as "1234."

Penick said the total amount of fraudulent charges has not been determined, but she doesn't think the county will be stuck with the bill. "It's my understanding that we'll be able to contact them and get the charges dropped," Penick said.

From isn at c4i.org Wed Nov 24 09:00:24 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 24 09:15:16 2004
Subject: [ISN] FBI Subpoenas
Message-ID:

---------- Forwarded message ----------
From: Fyodor
To: nmap-hackers@insecure.org
Subject: FBI Subpoenas
Date: Tue, 23 Nov 2004 17:41:49 -0800

Dear Nmap hackers,

Let me first wish you Americans a happy Thanksgiving. Meanwhile, I'm hard at work on a holiday Nmap version which should be available by Christmas. But enough pleasantries -- I want to discuss a sobering topic.

With increasing regularity this year, FBI agents from all over the country have contacted me demanding webserver log data from Insecure.Org. They don't give me reasons, but they generally seem to be investigating a specific attacker who they think may have visited the Nmap page at a certain time.
If they see that an attacker ran the command "wget http://download.insecure.org/nmap/dist/nmap-3.77.tgz" from a compromised host, they assume that she might have obtained that URL by visiting the Nmap download page from her home computer.

So far, I have never given them anything. In some cases, they asked too late and data had already been purged through our data retention policy. In other cases, they failed to serve the subpoena properly. Sometimes they try asking without a subpoena and give up when I demand one.

One can argue whether helping the FBI is good or bad. Remember that they might be going after spammers, cyber-extortionists, DDOS kiddies, etc. In this, I wish them the best. Nmap was designed to help security -- the criminals and spammers put my work to shame! But the desirability of helping the FBI is immaterial -- I may be forced by law to comply with legal, properly served subpoenas. At the same time, I'll try to fight anything too broad (like if they ask for weblogs for a whole month).

Protecting your privacy is important to me, but Nmap users should be savvy enough to know that all of your network activity leaves traces. I'm not the only one who gets these subpoenas -- large ISPs and webmail providers receive them daily. Most other major security sites probably do too. Most of you probably don't care if someone finds out that you downloaded Nmap, Nessus, Hping2, John the Ripper, etc. Nothing on Insecure.Org is illegal. But for those of you who do care, there are plenty of mechanisms available to preserve your anonymity. Remember this security mantra: defense in depth.

Cheers,
Fyodor

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help@insecure.org . List archive: http://seclists.org

From isn at c4i.org Wed Nov 24 09:00:42 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 24 09:15:18 2004
Subject: [ISN] How good is UK.gov at its own security agenda?
Message-ID:

http://www.theregister.co.uk/2004/11/24/parliament_security_holes/

By John Lettice
24th November 2004

Comment: Yesterday Peter Hain, the Leader of the Commons, was happily telling journalists that the Government's security-heavy legislative programme was intended to frustrate the opposition by "crowding out any place for them on the security agenda". Which one might think a remarkably cynical thing to say on its own, but he went a step further later; speaking to Radio 4, he groomed Labour as the only party that could protect us adequately from terror. And this isn't scaremongering?

But leave that one aside, let's just take a little look at how good Peter Hain's and the Government's own security records are. As Leader of the Commons Hain has some considerable responsibility for the security of the premises, and as we've seen in the past couple of years, performance in this area hasn't been exactly stellar. Parliament, other Government premises and the Royal Palaces have all been the scene of embarrassing incidents, and these have provoked much huffing, puffing and outrage from our legislators. But after the huffing, does anything worthwhile happen? Pop your security analysts' hats on for a moment, and we'll go through a couple of them.

Weirdos in Palaces and Parliament trigger the huffing, and calls that Something Must Be Done. Usually Something Is Done, but subsequent outrages tend to illustrate that it's not usually the right something. Anyone with a grasp of network security (which is largely, as is more general security, the bleeding obvious) should be able to see what's going on here. The responses tend to address the wrong problem, or a small, possibly not very relevant aspect of the problem. Which suggests that nobody has sat down and figured out what the problem actually was. Result: problem unsolved, next outrage built into system.
The something being done about royal security was discussed recently in the House of Lords, and relates to atrocities involving comedians dressed as Osama bin Laden penetrating royal birthday parties, and men dressed as Batman leaping around on Buckingham Palace ledges. Shocking stuff, and indeed Something Must Be Done, as the noble lords opined at some length. Unhappily the something, as the government minister present indicated, is likely to be stiffer penalties for people trespassing on royal property. Brilliant. That's really going to make terrorists think twice before they dress up as Batman and try to blow themselves up on Her Maj's balcony, isn't it?

Really, what the noble lords were doing here was not (as many of them seemed to imagine) addressing a security issue but increasing the penalties for embarrassing the security forces. In the case of the comedy Osama, the real security problem was a combination of a perimeter weakness which allowed the initial breach, and failures in access validation which meant he could bluff his way into the event. The answer might be to strengthen the perimeter defence, but the venue, Windsor um, Castle allows a high degree of public access, so strengthening the perimeter to the point of impregnability isn't likely to be either cost-effective or feasible. Introducing more effective validation procedures within the perimeter is likely to be a more fruitful route, as is questioning the sense of using the venue for a major royal bash in the first place.

As for Batman at Buckingham Palace, he whipped out a stepladder, scaled a wall, hopped onto a convenient flat roof then shimmied along ledges to one very close to the balcony the Queen waves from. If that is she's in the Palace at the time, and scheduled to wave. Which she wasn't. The network pros will instantly identify that convenient flat roof as a handy quick perimeter fix, and it may well be, fixing it surely can't hurt.
But people in various states of attire have been hopping over the Buckingham Palace walls for years, and it's a long time since one of them made it into a Queen's bedroom with an actual Queen in it. So maybe, considering that they don't seem to do a great deal of harm before they get scooped up, it makes more sense to put the resources into making sure you spot them and scooping them up quickly once they're in. You might consider the possibility that the security (even with that roof) is good enough already. Things to factor in while you're considering are whether he'd have got so far if the Queen had been on the balcony (because you should be relating your security posture to the value of the assets protected), and whether he'd have got so far if he'd been a terrorist.

Note here that it's at least arguable that a publicity seeker is likely to take bigger risks than your average thinking terrorist, because getting caught is usually one of the objectives, and getting shot while dressed as Batman and waving banners isn't a likely outcome.

Closer to home for Hain we have the Greenpeace anti-war protesters who climbed up Big Ben with a banner. This was another 'might have been terrorists', and there's a pretty impressive one of these here [1]. "If two seemingly innocent people can get up there to hang a banner, then terrorists could plant a mobile phone and set this to blow up Big Ben." Oh yeah, right...

Analyse this one and the prospect of terrorists climbing up the outside of Big Ben rather than doing something threatening anybody's lives but their own sounds quite positive. Even the stupidest terrorist will have noted that there's not a lot you can do up there, and you're going to be spotted by what one assumes is one of London's largest collections of trained marksmen right after you start climbing. Get inside Big Ben and do something, that's maybe a different matter - but have we looked at this, or have we just got riled about demonstrators climbing up the outside?
Big Ben has more recently figured in fevered truck bomb scenarios that result in it crashing down. Which is a possibility, certainly, but if you're going to try to get a lorryload of fertiliser into Whitehall and set it off, you're surely going to do it somewhere in Whitehall where it'll wreak more havoc than just (maybe) knocking over a clock tower. Since the IRA mortared John Major from there, the security services have been pretty careful about suspicious trucks in Whitehall, so there ought to be a perimeter defence for this already.

Even factoring in suicide bombers, the thinking terrorist is going to be more worried about the percentages than the demonstrator is. The supply of people smart enough to, say, bluff their way into the House of Commons and blow themselves up is likely to be pretty limited, and such people would be assets that smart terror organisations would be reluctant to expend without a pretty high chance of success. Comfortably-off pro-hunt demonstrators, on the other hand, are well-equipped for the bluffing bit, not worried by a low probability of success (the ones who made it into the Commons chamber said they were surprised they got so far) and don't need to carry any hardware through the metal detectors.

So rather than asking loudly, as usually happens, "What if they'd been terrorists?" it would be more useful to ask how a malicious attacker might have exploited the weaknesses exposed by an intrusion, what damage could have been done and what is the likelihood of a malicious attacker using this or similar routes?

Parliament itself is a showcase for wrong-headed thinking about security. A security screen fencing off most of the public gallery went in over Easter and in May a group of protesters who had sneakily obtained seats in the unscreened part (for MPs' invited guests) threw a condom filled with purple powder at Tony Blair.
Then shortly after that stable door was shut (nobody now gets to sit in the unscreened seats) a bunch of hunt protesters came in through the chamber door instead. The BBC's list of memorable outrages [2] may be helpful here, but we oughtn't to place too much significance on the screen going in just after Tony Blair was shouted at; they'd been planning it for a lot longer. The list might indicate that Tony Blair is the sort of Prime Minister people particularly want to abuse or throw stuff at (makes sense), but noting that Parliament has managed fairly well for over 30 years since somebody lobbed a CS canister at it (could have been a grenade, and in 1970 it really could have been) gives us a bit of perspective.

Yes, the purple powder could have been anthrax, but remember your threat assessment techniques and consider the probabilities. If a terror organisation is going to lose an asset in an attack, it's not going to be wasting its time with a chancy weapon like a condom full of anthrax. It's going to try to get a gun or a bomb in, so the hell with people throwing ordure from the public gallery - that's democracy. Concentrate on making sure people don't get guns and bombs into the public gallery, or indeed anywhere else where they could do damage.

The pro-hunt outrage suggests strongly that nobody's been doing joined-up security thinking for Parliament. The intruders passed at least two points which should have been properly policed, with passes being checked (Parliament's pass system is notoriously wrecked at the moment, but still...), and they could have been stopped just short of their objective if the default on the Commons chamber door had been locked, rather than open, or if the door guards could have locked it with a panic button. Yes yes, they could have been terrorists, they could have been armed, but they weren't, and that should just remind you that stopping people getting bombs and guns in is very important.
The prosaic truth is probably that few people actually want to kill a British politician right now, and the people who would like to kill them either don't have the means to do so, or don't think the cost/benefits from their point of view stack up. That will change, and it's been different in recent memory, but it's at least arguable that the Provisional IRA posed a much more serious threat in the UK than those we face in the current 'war on terror.' Unhappily, our security forces seem, if anything, more unglued than our politicians. In response to the killer condom attack, it says here [3], a review by MI5 chiefs recommended erecting a steel barrier around Parliament, and has warned of the perils of the current concrete blocks, which could be dangerous if blown up. That's so weird and disconnected that the Beeb must surely have made some of it up, but probably not enough to make it OK. The killer concrete panic might be an upside though. The US Embassy in Grosvenor Square has always been damned ugly, but it's been more so since the fencing and the concrete went in, so persuading them that the concrete's dangerous might improve matters. Persuading them suicide 4x4s (it has steps, lots of steps) are particularly unlikely doesn't stand much chance. Nor, we suppose, does relocation to Salisbury Plain or Fylingdales (secluded, close to global snooping services), so killer concrete it has to be. [1] http://news.bbc.co.uk/1/hi/uk/3552491.stm [2] http://news.bbc.co.uk/1/hi/uk_politics/3730255.stm [3] http://news.bbc.co.uk/1/hi/uk_politics/3885537.stm From isn at c4i.org Wed Nov 24 09:00:58 2004 From: isn at c4i.org (InfoSec News) Date: Wed Nov 24 09:15:21 2004 Subject: [ISN] Hidden gold in corporate clean-up Message-ID: http://news.com.com/Hidden+gold+in+corporate+clean-up/2100-1029_3-5465305.html By Dawn Kawamoto Staff Writer, CNET News.com November 24, 2004 Sarbanes-Oxley may strike dread in the hearts of some IT executives, but not Tracy Austin. 
Austin, the chief information officer with casino operator Mandalay Resort Group, said the financial reporting regulations act resulted in a 30 percent increase in her information technology budget this year and battle-tested her fairly young IT staff. "I was able to beef up our test and development system budget, as well as our firewall and intrusion detection system budget," Austin said. "Sarbanes-Oxley opened up the awareness of our (chief) executives and prompted questions about...our business risks. So instead of talking about technology, we were talking about what are our business risks and the technology to address them." Compliance technology has gone from the wish lists of bean-counters to the important to-do lists of key executives and board members. That's because the regulations laid down in the Sarbanes-Oxley Act and other laws hold executives' feet to the fire, making them responsible for signing off on the accuracy of their financial statements. Last week, a key section of Sarbanes-Oxley kicked in, turning up the heat. That push to overhaul systems looks likely to be a boon for security technology providers. Overall spending on complying with the Sarbanes-Oxley Act is expected to reach $5.5 billion this year, according to a recent survey by AMR Research. That's more than double the $2.5 billion that was spent last year. And technology companies are expected to grab nearly a third of the multibillion-dollar spending pie in 2005. Companies are spending more on compliance in general, according to a PricewaterhouseCoopers survey released on Tuesday, which found that about half of U.S. and European businesses expect to increase those budgets by an average of 23 percent during the next year to two. "We knew that companies would only get serious with compliance once they were faced with deadlines and penalties," said Richard Weiss, enterprise product marketing director for Check Point Software Technologies. 
"So, in 2002, there was not a lot of interest from customers and some interest in 2003. But it wasn't until this year that it became part of the (sales) conversation in a standard kind of way." On the face of it, there seems to be little for the security industry in Sarbanes-Oxley, which aims to make corporate accounting more transparent, or in the Health Insurance Portability and Accountability Act (HIPAA), which deals with health care payments. Nor does there seem much opportunity in the regulations laid down by the Basel II accounting standard and the Gramm-Leach-Bliley Act, which sets standards for protecting consumers' personal information. But under these laws, corporations can be held liable for the inadvertent disclosure of information. That means that businesses need to protect their information and verify the identity of those who access records, making security product companies well-placed to benefit from the boost in compliance spending. "Regulatory compliance has affected the budgets at IT departments in a positive way. CIOs went from having to convince their management that they need security products to one where their management says, 'We have to have it,'" said John Gmuender, vice president of engineering at SonicWall, seller of network security devices. Before the arrival of the regulations, only companies in high-stakes industries such as banking took pains to minimize the risk of unauthorized access to information. That's changed. In the PricewaterhouseCoopers survey of U.S. and European businesses, 78 percent of respondents said the top focus of their compliance spending would be improvements to risk management. Next in importance was finding where the company would fall short on meeting compliance requirements and then strengthening those programs. Streamlining ways to reduce costs ranked third at 66 percent. 
"If I were a security vendor, I would be playing a role in the first two areas, even though Sarbanes-Oxley doesn't specifically say security (technology) is needed," said Dan DiFilippo, U.S. leader for governance, risk and compliance at PricewaterhouseCoopers. "Whenever you talk about internal controls, which SOX does, you can't have a well-controlled application or environment without security technology."

Earlier this year, Richard Weiss, director of enterprise product marketing at Check Point Software Technologies, got to see Sarbanes-Oxley in action as a deal clincher--to the tune of six figures.

"When we approached a senior security manager at a large software company, he wanted our firewall product to protect all the desktops and laptops at his company from worms, Trojan horses and other attacks at the network end-points," Weiss recalled. "When he was selling this substantial initiative to the executive group that approves all large security deployments, he said the most valuable point he was able to make was it could also comply with Sarbanes-Oxley. That turned out to be one of the most important things to get it approved for the budget."

While Section 404 of Sarbanes-Oxley provided a boost to security vendors, industry analysts note the other two phases of Sarbanes-Oxley are expected to have less of an impact on security sales.

"Security vendors and those that help companies with their document and records management will benefit from this section the most," said John Hagerty, AMR Research vice president of research. "Section 302 and 409 are less important to security. One deals with the signing off on the financial records and the other is about real-time reporting of material events."

In addition, some security vendors said that it's hard to determine the extent of the effect of compliance pressure on their sales.
The recent rapid rise in viruses, spyware, Trojan horses and other digital threats may well have prompted corporations to bump up spending anyway, they noted.

"It's hard to put a number on it," Check Point's Weiss said. "Some companies tell us explicitly that SOX has affected their decision to deploy our technology, while other companies that purchase our technology don't like to talk about the internal factors that are driving their needs."

Moreover, indiscriminate spending is out. Customers have become more savvy in the way they approach regulatory compliance and the technology choices they make, industry analysts said. That, in turn, has affected the way security providers market their products.

Norm Fjeldheim, chief information officer at Qualcomm, a wireless technology provider, pointed to a recent purchase of enterprise resource planning software that underlines this approach. "We are getting a new ERP system that will make reporting for SOX easier," Fjeldheim said. "But SOX is not the only reason why we're getting it. We're going to be replacing an old, homegrown system we previously had."

What does the future hold? Despite the push to meet regulatory deadlines, industry analysts and security vendors say it's unlikely sales will plummet after the deadlines pass, as happened with the rush to get ready for the Year 2000 bug.

"Y2K was a one-time event, around one specific date. There was only one thing to worry about and it came and went," said Gmuender of SonicWall. "But security is dynamic, and the requirements constantly change, so it won't be impacted by the regulation deadlines going away."

The momentum of compliance demand could be kept up if regulations are expanded. For example, the Sarbanes-Oxley rules may be extended from publicly traded corporations to cover private companies and organizations too. Some requirements may be enforced with businesses overseas--in Europe, for example, AMR's Hagerty said.
"It is voluntary in Europe, but as it becomes more structured, then we may see changing dynamics," Hagerty said. "We'll also have to see how rigorous the (U.S.) auditors will be in judging companies for compliance." A big question is how rigorous federal auditors will be in judging whether businesses have met requirements. The harsher the auditors are, the more companies might feel compelled to spend on getting systems buttoned up. The Meta Group, a research firm, is predicting 20 percent of companies audited for compliance will fail on their first review. "Our opinion is that companies that don't pass will be scrambling," said Paul Proctor, vice president of security and risk strategies for Meta Group. "What happens with the first round of audits in March will make a huge difference as to what happens in the future." From isn at c4i.org Wed Nov 24 09:03:26 2004 From: isn at c4i.org (InfoSec News) Date: Wed Nov 24 09:15:22 2004 Subject: [ISN] (Parody) - Congresswoman closes office over computer threat Message-ID: http://www.thespoof.com/news/spoof.cfm?headline=s5i6978 by Robin Berger WASHINGTON, D.C. -- On the eve of the return of a lame duck Congress, Zoe Lofgren has announced she will close her office on Capitol Hill. Lofgren is a Democrat who was re-elected in California's 16th congressional district. Lofgren said she fears "a possible cyberterror attack" that could harm her staff's computers or those of her visitors. Her move follows that of Democratic Senator Mark Dayton of Minnesota, who closed his D.C. office in October, citing the threat of a physical terrorist attack. Lofgren will move all of her computers and part of her staff to an office in the Fort Snelling Federal Building, replacing Senator Dayton and his office staff who recently stopped cowering from threats on Capitol Hill. Email and telephone calls to Lofgren will be routed to her California office. Lofgren explained her reasons for fleeing Washington in an open letter published on Cnet.com. 
"Malicious code--viruses and worms--is being created to exploit software flaws within days, when only a year ago it would have taken months for such code to appear. Our water supply, electric grid, nuclear energy system and other critical infrastructures are interconnected and interdependent, increasing the likelihood that a cyberattack could disrupt major services and cripple economic activity. "Indeed, if a cyberattack occurred at the same time as a physical attack," Lofgren asserted, "critical emergency response systems and communications operations could be taken out, increasing the confusion of an attack, and the number of casualties." Lofgren is the ranking member of the House Cybersecurity, Science, and Research & Development Subcommittee. As such, she is in a key position to know about future cyberterror attacks, said Steven Beforebad, a senior analyst at the Federation of American Scientists. "I'm thinking of turning off our website and fleeing the capitol myself," he said. However, U.S. government officials said there was no new intelligence concerning a possible digital attack, and authorities said congressional members have not been advised to shut down their computers. "We continue to advise (people) to take caution ... but there's no new information that we've put out," said Sgt. Contrivia Chevy of the U.S. Capitol Cyber Law Enforcement Division. But Lofgren told reporters in San Jose that Senate majority leader Bill Frist briefed lawmakers on a "top-secret cyberintelligence report." She claimed "I would not let my two children bring a GameBoy or an Xbox to Capitol Hill before inauguration day." Lofgren said she could not give details of the cybersecurity report that Frist presented. She said she's asked Frist three times to convene a meeting to discuss the situation, but Frist has not agreed. Lofgren is closing her office "out of extreme, but necessary, precaution to protect the safety of my Congressional computers. 
I feel compelled to do so, because I will not be here in Washington to share in what I consider to be an unacceptably greater risk to their safety."

California is one of the top states in terms of technology. Lofgren herself uses one of the more powerful computers in her office, with an Intel 80486 processor running at 75MHz and a 1.6GB Western Digital hard disk.

Senator John Warner, chairman of the Armed Services Committee, said the House and Senate leaderships have kept elected officials "fully apprised" of threats against the U.S. Capitol, but he has seen nothing to prompt the need to close offices. "Even when we are out of session," he said, "we have a job to run web servers for our constituents, and in the war on cyberterror, we can't let non-imminent threats prevent us from using our computers."

-=- The story as represented above is written as a satire or parody. It is fictitious.

From isn at c4i.org Fri Nov 26 01:13:49 2004 From: isn at c4i.org (InfoSec News) Date: Fri Nov 26 01:30:32 2004 Subject: [ISN] Air Force to standardize Microsoft configurations Message-ID:

Forwarded from: matthew patton

--- InfoSec News wrote:

> http://www.nwfusion.com/news/2004/1119airforce.html
>
> By Ellen Messmer
> Network World Fusion
> 11/19/04
>
> The U.S. Air Force early next year will require its 525,000 personnel
> and civilian support staff to use a single and specially configured
> version of Microsoft's operating system and applications, said the
> military department's CIO.

right, so if "configured with security in mind" is defined the same way DISA/USAF/USNAVY have defined "secured windows OS configuration" then I seriously doubt they've accomplished anything really productive. I'd settle for Office2004 fitting inside 50MB. That would kill 90+% of the features that are unneeded cruft anyway and which cause most of the problems. And then I wouldn't have to worry about arcane voodoo to "secure" something that is as out of control as MS NT let alone Office.
But from an attacker's standpoint I couldn't be more DELIGHTED at the prospect of taking down all 525,000 users with one hole. After all, instead of an ecosystem of varying configurations, I can come up with one hole to rule them all. (Lord of the Rings reference) WHEN OH WHEN will they learn that a single image is a lousy idea? I don't mean to imply that we shouldn't have guidelines and group policy objects that have a modicum of teeth to them but this is just begging for disaster IMO.

For some reason whenever I design a GPO or strip an NT system (win2K etc are just NT) my users bellyache about stuff not working like it used to. I like to respond with, "well, you have no business doing that as your normal user account. And if some piece of software is so poorly written that it doesn't work now, go beat the vendor's door down and demand they fix their bleeping product!" Hasn't been an entirely popular stance for some reason. Can't imagine why...

Instead of negotiating 30+ contracts down to 2, I have a much more useful bargaining chip. "The US Air Force (nay the entire DoD) will forthwith refuse to use windows in any form until you Microsoft can fit it inside 100MB and strip it of every service and feature not absolutely inseparable from the core functions of an OS as defined as filesystem storage, memory allocation, process control, and basic UI. The list of immediate rejection criteria includes even the smallest vestiges of Internet Explorer." Ok, maybe 100MB is too small but a fully fledged Linux box runs on 60MB or less. Barebones X11 adds a bit more.

> "We're spending more money patching and fixing than buying
> software,"

Yo USAF, in case you missed the memo, the rest of the IT World has the same issue.

> "We want Microsoft focused not on selling us products but to enhance
> the Air Force in our mission," said Gilligan, adding that he hoped
> the new effort would lead to the kind of support Microsoft could
> provide other organizations in the future.

"Hope"?
That's all you guys got out of Ballmer? Why don't we spring for DEMAND and HOLD FEET TO THE FIRE instead?

> determined the transition costs would simply be too high.

probably true. Windoze admins who grace the ranks of gov't help desks are more often than not, not exactly of superior quality. And many have the utmost fear of anything CLI.

From isn at c4i.org Fri Nov 26 01:14:50 2004 From: isn at c4i.org (InfoSec News) Date: Fri Nov 26 01:30:34 2004 Subject: [ISN] Secunia Weekly Summary - Issue: 2004-48 Message-ID:

========================================================================
The Secunia Weekly Advisory Summary
2004-11-18 - 2004-11-25
This week : 58 advisories
========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Monitor, Filter, and Manage Security Information
- Filtering and Management of Secunia advisories
- Overview, documentation, and detailed reports
- Alerting via email and SMS

Request Trial: https://ca.secunia.com/?f=s

========================================================================
2) This Week in Brief:

ADVISORIES:

Winamp is vulnerable to a buffer overflow, which can be exploited to execute arbitrary code on a vulnerable system. Initially, it was reported by the vendor that Winamp version 5.06 fixed this vulnerability. However, according to Brett Moore, the discoverer of the vulnerability, the latest version is also vulnerable to this buffer overflow. Currently, no vendor solution is available. Please review referenced Secunia advisory below for details.
References:
http://secunia.com/SA13269

--

Security Researcher Jouko Pynnonen has reported a vulnerability in Sun Java, which can be exploited to compromise vulnerable systems. The vendor has released fixes for the vulnerable versions, which can be downloaded from Sun. Please view Secunia advisory below for details.

References:
http://secunia.com/SA13271

VIRUS ALERTS:

During the last week, Secunia issued 1 MEDIUM RISK virus alert and 1 HIGH RISK virus alert. Please refer to the grouped virus profiles below for more information:

Sober.I - HIGH RISK Virus Alert - 2004-11-23 23:37 GMT+1
http://secunia.com/virus_information/13463/sober.i/

Sober.I - MEDIUM RISK Virus Alert - 2004-11-19 10:37 GMT+1
http://secunia.com/virus_information/13463/sober.i/

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1. [SA13203] Microsoft Internet Explorer Two Vulnerabilities
2. [SA12959] Internet Explorer IFRAME Buffer Overflow Vulnerability
3. [SA13269] Winamp "IN_CDDA.dll" Buffer Overflow Vulnerability
4. [SA13271] Sun Java Plug-in Sandbox Security Bypass Vulnerability
5. [SA13191] Skype "callto:" URI Handler Buffer Overflow Vulnerability
6. [SA13208] Microsoft Internet Explorer Cookie Path Attribute Vulnerability
7. [SA13239] phpBB Multiple Vulnerabilities
8. [SA12889] Microsoft Internet Explorer Two Vulnerabilities
9. [SA12048] Microsoft Internet Explorer Multiple Vulnerabilities
10. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA13275] SecureCRT Arbitrary Configuration Folder Specification Vulnerability
[SA13269] Winamp "IN_CDDA.dll" Buffer Overflow Vulnerability
[SA13248] DMS POP3 Server Authentication Buffer Overflow Vulnerability
[SA13282] CoffeeCup Direct/Free FTP ActiveX Component Buffer Overflow Vulnerability
[SA13270] wodFtpDLX ActiveX Component Buffer Overflow Vulnerability
[SA13273] Halo Client Server List Browsing Denial of Service Vulnerability
[SA13268] Fastream NETFile FTP/Web Server Multiple HEAD Requests Denial of Service
[SA13264] Sacred Multiple Connection Denial of Service Vulnerability
[SA13244] ZoneAlarm Advertising Blocking Denial of Service Vulnerability
[SA13304] WinFTP Server Clear Text User Credential Disclosure
[SA13279] Prevx Home Intrusion Prevention Feature Bypass Vulnerability
[SA13265] Altiris Deployment Solution AClient "View Log File" Privilege Escalation
[SA13256] Danware NetOp System Information Disclosure Weakness
[SA13246] Citrix MetaFrame Presentation Server Client Debugging Security Issue

UNIX/Linux:
[SA13297] Mandrake update for xfree86
[SA13296] Gentoo update for twiki
[SA13295] Gentoo prozilla Multiple Buffer Overflow Vulnerabilities
[SA13294] ProZilla Multiple Buffer Overflow Vulnerabilities
[SA13293] Gentoo update for phpbb
[SA13288] Mandrake update for libxpm4
[SA13274] Cyrus IMAP Server Multiple Vulnerabilities
[SA13249] Gentoo update for xorg-x11/xfree
[SA13290] Debian update for bnc
[SA13281] Gentoo update for pdftohtml
[SA13280] pdftohtml Multiple PDF Document Handling Vulnerabilities
[SA13277] Apple iCal Calendar Alarm Program Execution Vulnerability
[SA13272] Fedora update for kernel
[SA13238] Conectiva update for libxml
[SA13237] Cscope Insecure Temporary File Creation and Buffer Overflow Vulnerabilities
[SA13240] Mandrake update for samba
[SA13250] Timbuktu Buffer Overflow Denial of Service Vulnerability
[SA13305] Debian update for sudo
[SA13283] Conectiva update for shadow-utils
[SA13259] wmFrog Insecure Temporary File Creation Vulnerability
[SA13242] Gentoo update for fcron
[SA13299] Conectiva update for bugzilla

Other:
[SA13278] ZyXEL Prestige 650HW Unprotected Reset Functionality
[SA13266] W-Channel TC-IDE Shell Command Injection Vulnerabilities

Cross Platform:
[SA13271] Sun Java Plug-in Sandbox Security Bypass Vulnerability
[SA13247] phpBB Cash_Mod Arbitrary File Inclusion Vulnerability
[SA13239] phpBB Multiple Vulnerabilities
[SA13300] PHPNews "mid" Parameter SQL Injection Vulnerability
[SA13289] Soldier of Fortune II Buffer Overflow Vulnerability
[SA13287] SugarCRM Unspecified Security Issues
[SA13284] Zwiki Link Script Insertion Vulnerability
[SA13263] F-Secure Products Zip Archive Virus Detection Bypass Vulnerability
[SA13262] PHPKIT SQL injection and Cross-Site Scripting Vulnerabilities
[SA13260] Invision Power Board ibProArcade "cat" SQL Injection Vulnerability
[SA13255] WebGUI Unspecified "user profile" Vulnerability
[SA13245] Invision Power Board "qpid" SQL Injection Vulnerability
[SA13301] RediCart Exposure of Configuration File
[SA13285] JSPWiki "query" Parameter Cross-Site Scripting Vulnerability
[SA13261] SecretSanta Security Bypass Vulnerability
[SA13243] IBM HTTP Server Denial of Service Vulnerabilities
[SA13241] phpMyAdmin Cross-Site Scripting Vulnerabilities
[SA13236] ClickandBuild Constructed Store "listPos" Cross-Site Scripting Vulnerability
[SA13286] KorWeblog "path" Directory Listing Information Disclosure Weakness
[SA13257] Opera "sun.*" System Information Disclosure Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA13275] SecureCRT Arbitrary Configuration Folder Specification Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-23

Brett Moore has reported a vulnerability in SecureCRT, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/13275/

--

[SA13269] Winamp "IN_CDDA.dll" Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-23

Brett Moore has reported a vulnerability in Winamp, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/13269/

--

[SA13248] DMS POP3 Server Authentication Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-19

Reed Arvin has discovered a vulnerability in DMS POP3 Server, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13248/

--

[SA13282] CoffeeCup Direct/Free FTP ActiveX Component Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-11-23

Komrade has reported a vulnerability in the third-party wodFtpDLX ActiveX component included in CoffeeCup Direct and CoffeeCup Free FTP, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/13282/

--

[SA13270] wodFtpDLX ActiveX Component Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-11-23

Komrade has reported a vulnerability in wodFtpDLX ActiveX Component, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/13270/

--

[SA13273] Halo Client Server List Browsing Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-11-24

Luigi Auriemma has reported a vulnerability in Halo, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13273/

--
[SA13268] Fastream NETFile FTP/Web Server Multiple HEAD Requests Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-11-23

bratax has reported a vulnerability in Fastream NETFile FTP/Web Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/13268/

--
[SA13264] Sacred Multiple Connection Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-11-22

soylent has reported a vulnerability in Sacred, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/13264/

--
[SA13244] ZoneAlarm Advertising Blocking Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-11-19

Nicolas Robillard has reported a vulnerability in ZoneAlarm Pro and ZoneAlarm Security Suite, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/13244/

--
[SA13304] WinFTP Server Clear Text User Credential Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-11-24

Ziv Kamir has discovered a security issue in WinFTP Server, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/13304/

--
[SA13279] Prevx Home Intrusion Prevention Feature Bypass Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2004-11-23

Tan Chew Keong has reported a vulnerability in Prevx Home, which can be exploited by certain malicious processes to bypass security features provided by the product.
Full Advisory: http://secunia.com/advisories/13279/

--
[SA13265] Altiris Deployment Solution AClient "View Log File" Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-11-22

Reed Arvin has discovered a vulnerability in Altiris Deployment Solution, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/13265/

--
[SA13256] Danware NetOp System Information Disclosure Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2004-11-22

Martin O'Neal has reported a weakness in NetOp, which can be exploited by malicious people to disclose some system information.

Full Advisory: http://secunia.com/advisories/13256/

--
[SA13246] Citrix MetaFrame Presentation Server Client Debugging Security Issue
Critical: Not critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-11-22

A security issue has been reported in Citrix MetaFrame Presentation Server Client, which can be exploited by malicious users to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/13246/

UNIX/Linux:
--
[SA13297] Mandrake update for xfree86
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-11-24

MandrakeSoft has issued an update for xfree86. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13297/

--
[SA13296] Gentoo update for twiki
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-24

Gentoo has issued an update for twiki. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13296/

--
[SA13295] Gentoo prozilla Multiple Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-24

Gentoo has acknowledged some vulnerabilities in the prozilla package, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/13295/

--
[SA13294] ProZilla Multiple Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-24

Multiple vulnerabilities have been reported in ProZilla, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/13294/

--
[SA13293] Gentoo update for phpbb
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, System access
Released: 2004-11-24

Gentoo has issued an update for phpbb. This fixes some vulnerabilities, which can be exploited by malicious people to execute arbitrary commands, conduct SQL injection and cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/13293/

--
[SA13288] Mandrake update for libxpm4
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-11-24

MandrakeSoft has issued an update for libxpm4. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13288/

--
[SA13274] Cyrus IMAP Server Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-23

Stefan Esser has reported four vulnerabilities in Cyrus IMAP Server, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13274/

--
[SA13249] Gentoo update for xorg-x11/xfree
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-11-22

Gentoo has issued updates for xorg-x11 and xfree. These fix some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13249/

--
[SA13290] Debian update for bnc
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-11-24

Debian has issued an update for bnc. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13290/

--
[SA13281] Gentoo update for pdftohtml
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-11-23

Gentoo has issued an update for pdftohtml. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/13281/

--
[SA13280] pdftohtml Multiple PDF Document Handling Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-11-23

Some vulnerabilities have been reported in pdftohtml, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/13280/

--
[SA13277] Apple iCal Calendar Alarm Program Execution Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-11-23

Aaron has reported a vulnerability in iCal, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/13277/

--
[SA13272] Fedora update for kernel
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2004-11-23

Full Advisory: http://secunia.com/advisories/13272/

--
[SA13238] Conectiva update for libxml
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-11-18

Conectiva has issued an update for libxml. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13238/

--
[SA13237] Cscope Insecure Temporary File Creation and Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Privilege escalation, System access
Released: 2004-11-18

Two vulnerabilities have been reported in Cscope, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/13237/

--
[SA13240] Mandrake update for samba
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-11-19

MandrakeSoft has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13240/

--
[SA13250] Timbuktu Buffer Overflow Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-11-19

Corsaire has reported a vulnerability in Timbuktu for Mac OS, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/13250/

--
[SA13305] Debian update for sudo
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-11-24

Debian has issued an update for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/13305/

--
[SA13283] Conectiva update for shadow-utils
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2004-11-23

Conectiva has issued an update for shadow-utils. This fixes a vulnerability, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/13283/

--
[SA13259] wmFrog Insecure Temporary File Creation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-11-24

Joey Hess has reported a vulnerability in wmFrog, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/13259/

--
[SA13242] Gentoo update for fcron
Critical: Less critical
Where: Local system
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information
Released: 2004-11-19

Gentoo has issued an update for fcron. This fixes four vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information, bypass access restrictions, and delete arbitrary files.

Full Advisory: http://secunia.com/advisories/13242/

--
[SA13299] Conectiva update for bugzilla
Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2004-11-24

Conectiva has issued an update for bugzilla. This fixes a security issue, which can be exploited by malicious users to remove keywords from bugs, even though the user doesn't have the proper permissions.

Full Advisory: http://secunia.com/advisories/13299/

Other:
--
[SA13278] ZyXEL Prestige 650HW Unprotected Reset Functionality
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-11-24

Francisco "José" Canela has reported a vulnerability in ZyXEL Prestige 650HW, which can be exploited by malicious people to reset the configuration of a vulnerable device.

Full Advisory: http://secunia.com/advisories/13278/

--
[SA13266] W-Channel TC-IDE Shell Command Injection Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-11-24

ECL team has reported some vulnerabilities in W-Channel TC-IDE, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/13266/

Cross Platform:
--
[SA13271] Sun Java Plug-in Sandbox Security Bypass Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-23

Jouko Pynnonen has reported a vulnerability in Sun Java Plug-in, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/13271/

--
[SA13247] phpBB Cash_Mod Arbitrary File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-19

Jerome Athias has reported a vulnerability in the Cash_Mod module for phpBB, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13247/

--
[SA13239] phpBB Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, System access
Released: 2004-11-19

Some vulnerabilities have been reported in phpBB, which can be exploited by malicious people to execute arbitrary commands, conduct SQL injection and cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/13239/

--
[SA13300] PHPNews "mid" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-11-24

A vulnerability has been reported in PHPNews, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/13300/

--
[SA13289] Soldier of Fortune II Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-11-24

Luigi Auriemma has reported a vulnerability in Soldier of Fortune II, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/13289/

--
[SA13287] SugarCRM Unspecified Security Issues
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2004-11-24

Some security issues with unknown impacts have been reported in SugarCRM.

Full Advisory: http://secunia.com/advisories/13287/

--
[SA13284] Zwiki Link Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-11-24

Jeremy Bae has reported a vulnerability in Zwiki, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/13284/

--
[SA13263] F-Secure Products Zip Archive Virus Detection Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-11-23

A vulnerability has been reported in various F-Secure products, which can be exploited by malware to bypass certain scanning functionality.

Full Advisory: http://secunia.com/advisories/13263/

--
[SA13262] PHPKIT SQL injection and Cross-Site Scripting Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-11-24

Steve has reported some vulnerabilities in PHPKIT, allowing malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/13262/

--
[SA13260] Invision Power Board ibProArcade "cat" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-11-22

Axl has reported a vulnerability in the ibProArcade module for Invision Power Board, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/13260/

--
[SA13255] WebGUI Unspecified "user profile" Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2004-11-22

A vulnerability with an unknown impact has been reported in WebGUI.

Full Advisory: http://secunia.com/advisories/13255/

--
[SA13245] Invision Power Board "qpid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-11-19

Positive Technologies has reported a vulnerability in Invision Power Board, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/13245/

--
[SA13301] RediCart Exposure of Configuration File
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-11-24

Cassiopeia has reported a security issue in RediCart and S-Mart Shopping Cart Script, allowing malicious people to view the configuration file.

Full Advisory: http://secunia.com/advisories/13301/

--
[SA13285] JSPWiki "query" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-11-24

Jeremy Bae has reported a vulnerability in JSPWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/13285/

--
[SA13261] SecretSanta Security Bypass Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-11-23

A vulnerability has been reported in SecretSanta, which can be exploited by malicious users to bypass some security restrictions.

Full Advisory: http://secunia.com/advisories/13261/

--
[SA13243] IBM HTTP Server Denial of Service Vulnerabilities
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-11-19

IBM has acknowledged two vulnerabilities in IBM HTTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/13243/

--
[SA13241] phpMyAdmin Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-11-19

Cedric Cochin has reported some vulnerabilities in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/13241/

--
[SA13236] ClickandBuild Constructed Store "listPos" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-11-19

Andrew Smith has reported a vulnerability in Click and Build, which can be exploited by malicious people to conduct cross-site scripting attacks on certain built stores.

Full Advisory: http://secunia.com/advisories/13236/

--
[SA13286] KorWeblog "path" Directory Listing Information Disclosure Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2004-11-24

Jeremy Bae has reported a weakness in KorWeblog, which can be exploited by malicious people to disclose system information.
Full Advisory: http://secunia.com/advisories/13286/

--
[SA13257] Opera "sun.*" System Information Disclosure Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2004-11-22

Marc Schoenefeld has reported a weakness in Opera, which can be exploited by malicious people to disclose some system information.

Full Advisory: http://secunia.com/advisories/13257/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Nov 26 01:15:14 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 26 01:30:36 2004
Subject: [ISN] Virus names could be standardized
Message-ID:

http://www.cbronline.com/article_news.asp?guid=11D11704-DE5B-45BD-AF4B-45D8F44E055C

November 25, 2004

US-CERT, the Computer Emergency Readiness Team within the US Department of Homeland Security, is coordinating a Common Malware Enumeration initiative among vendors, according to a letter sent to The SANS Institute.

The letter, signed by representatives of the DHS, Symantec, Microsoft, McAfee, and Trend Micro, said the industry hopes to address "the challenges surrounding the 'Virus Name Game'," with a pilot program coming as early as January.

US-CERT will act as a "neutral third party" that coordinates a database of malware identifiers. It will look quite a lot like the Common Vulnerabilities and Exposures list, currently managed by The Mitre Corp and sponsored by US-CERT.
"By building upon the success of CVE and applying the lessons learned, US-CERT, along with industry participants... hopes to address many of the challenges that the anti-malware community currently faces," they wrote.

The identifiers will look something like "CME-1234567", the letter says.

Headline writers need not be too dismayed, however, as it appears there could be room to apply media-friendly names like "Blaster" and "Slammer" to new threats.

At first, CME will be confined to "major" threats. The project leaders wrote: "There are significant obstacles to effective malware enumeration, including the large volume of malware and the fact that deconfliction can be difficult and time-consuming".

Deconfliction, while not a word, is used in military circles to mean the removal of conflict.

This was evident recently when some vendors named the first mobile exploit for the Internet Explorer 6 Iframe bug Bofra, while others said it was a variant of MyDoom. F-Secure Corp said Bofra and MyDoom had less than half their code in common.

This kind of conflict could presumably still arise under a CME numbering system, but at least security administrators would be able to tell they were the same threat and only one signature or definition is needed for protection.

Generally, assigning names to viruses is currently the job of the companies that find them. In fast outbreaks, companies will often assign different names, and the media does the job of deciding which one will stick in the public consciousness.

Names are often derived from the filenames, the content of the email the worm attaches itself to, or plaintext found inside the code.

Blaster, one of the most serious threats ever, was MSBlast.exe, but somebody at Symantec decided Blaster sounded better. McAfee called the same worm Lovsan after finding plaintext reading "I just want to say LOVE YOU SAN!!". Plaintext ridiculing Bill Gates also led to the suggestion "billy". Neither name is widely used today.
Sometimes naming can be even more arbitrary. The Melissa worm was named by its own author after a stripper known to him, it later emerged in court. Code Red is a high-caffeine soft drink the geeks at eEye Security Inc were drinking when they spotted it.

From isn at c4i.org Fri Nov 26 01:15:39 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 26 01:30:38 2004
Subject: [ISN] Pointillist Protection
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,97629,00.html

Future Watch by Matt Hamblen
NOVEMBER 22, 2004
COMPUTERWORLD

Carnegie Mellon University is researching some of the biggest challenges in computer security, data availability and systems reliability through a year-old interdisciplinary program known as CyLab.

Funded with federal dollars and contributions from 40 private companies, CyLab brings together graduate students and 30 professors, mostly in computer sciences, to work in teams on a wide range of research areas.

For example, in September, Pittsburgh-based Carnegie Mellon won a $6.4 million grant from the National Science Foundation for an initiative called Security Through Interaction Modeling (STIM), which studies complex interactions between people, the computers they use and attacks from the outside. STIM will explore means of improving computer defenses by incorporating the models' behaviors into the defenses themselves.

Another CyLab project takes the name of the French impressionist painter Georges Seurat, who painted vast canvasses with many tiny dabs, or "points," of paint, a process dubbed pointillism.

The Seurat team at CyLab is developing methods to monitor anomalous behavior that may be induced by buffer overloads and other glitches. The Seurat technique compares a precomputed profile of how a system should be performing to the combination of all the application interactions with the operating system.
"So it looks at a profile of what this system should be doing and says maybe this thing has been corrupted," explains Mike Reiter, technical director of CyLab and a professor of computer engineering and science. "It can track accesses and changes across many machines all at once or in a short time period."

The Seurat project is so named because there are many layers, points or places where one might measure what is going on in a system in order to see evidence of an attack, much the same way the 19th century painter discovered that what we see comprises many points of color and light.

The Seurat technique is a broad-brush approach to security, and indeed, the overall scope of CyLab's $10 million annual research mission is broad, says Pradeep Khosla, dean of the Carnegie Mellon College of Engineering and co-director of CyLab.

"We want a world where we can push measurable, sustainable, secure, trustworthy and available data," explains Khosla.

He says CyLab will attempt to help reduce the number of bugs in software, for example. Khosla estimates that for every dollar spent on computer hardware and software, it takes $6 to $8 in personnel costs to maintain it. For that reason, vulnerability analysis is part of the CyLab program as well as malicious code detection.

But even more basic, several projects at CyLab are devoted to creating self-healing systems that can survive malicious attacks, Khosla says.

"We know attacks exist, so you can either build a system that survives the attack or find a way to stop the attack," Khosla says. "But trying to find a way to stop attacks is akin to saying, 'I'll kill all the bacteria and viruses out there.' Instead, we are going to find a way to live with worms and attacks with self-healing."

CyLab's immediate work on self-healing is a project called Self * Storage System, which researchers are about to demonstrate to the U.S. Army and will show publicly in six months or so.
The idea is that there is no single point of failure in a system, especially storage, so if a piece of information is corrupted, the system can quickly determine that and automatically set itself back to its original state. The system survives the attack without actually finding a way to prevent it, Khosla explains.

Reiter says Self * Storage is also about improving management of large-scale storage systems in a process some call autonomic computing.

Cell Phone Remote Control

Another vision at CyLab is to use smart phones as ubiquitous access control devices. It is an idea that mobile phone companies have already implemented, but CyLab is working on new approaches to making that vision very scalable.

As a hypothetical example, Reiter cites the intrepid business traveler flying halfway around the world and using his cell phone as a key to open his hotel room door. The idea goes far beyond promoting a single standard and instead involves what Reiter calls a "flexible access-control network which allows new policies to be introduced into a system to permit devices to work."

The traveler would have his credentials transferred to the hotel from his phone by Bluetooth or ultrawideband technology, with a hotel room digital key transferred back to reside on the phone. There would be no problem if the phone was stolen, because it would authenticate the user by PIN or thumbprint before revealing the key.

Using its WAN capabilities, the phone would request permission from a remote server, perhaps at the traveler's place of employment, which wouldn't know the key but could authenticate the traveler based on the PIN or thumbprint. Once clearance was granted, the phone would be allowed to complete the computation of the cryptographic key to allow the traveler to get some sleep.
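The hotel-door flow sketched above, written out as a runnable model; this is an added example and not CyLab's design or code. It assumes the pieces the article leaves open: the employer's server holds a per-user wrapping secret and a PBKDF2 PIN verifier (never the room key), the phone stores only the room key wrapped under an HMAC-derived mask, and the server locks the account after three wrong PINs, so a stolen phone holds nothing usable on its own.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor for the PIN verifier


def pin_verifier(pin, salt):
    """Derive the stored PIN verifier; the server never keeps the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def wrap_key(wrap_secret, room_key):
    """Wrap a 32-byte room key: fresh nonce, HMAC-derived mask, HMAC tag.
    Only the holder of wrap_secret can unwrap; the wrapped blob alone is inert."""
    nonce = secrets.token_bytes(16)
    mask = hmac.new(wrap_secret, b"mask" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(room_key, mask))
    tag = hmac.new(wrap_secret, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(wrap_secret, blob):
    """Verify the tag, then strip the mask to recover the room key."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(wrap_secret, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrapped key failed integrity check")
    mask = hmac.new(wrap_secret, b"mask" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, mask))


class RemoteAuthServer:
    """Employer-side server (assumed role): knows the PIN verifier and the
    wrapping secret, but never sees the room key or the wrapped blob."""
    MAX_FAILURES = 3

    def __init__(self):
        self._users = {}

    def enrol(self, user, pin):
        salt = secrets.token_bytes(16)
        self._users[user] = {"salt": salt, "verifier": pin_verifier(pin, salt),
                             "wrap_secret": secrets.token_bytes(32), "failures": 0}

    def release_wrap_secret(self, user, pin):
        """Release the wrapping secret only on a correct PIN; lock the account
        after MAX_FAILURES wrong attempts so a stolen phone cannot guess."""
        rec = self._users.get(user)
        if rec is None or rec["failures"] >= self.MAX_FAILURES:
            return None
        if not hmac.compare_digest(pin_verifier(pin, rec["salt"]), rec["verifier"]):
            rec["failures"] += 1
            return None
        rec["failures"] = 0
        return rec["wrap_secret"]


class Hotel:
    """Front desk plus one door lock; the lock stores only a hash of the key."""

    def __init__(self):
        self._lock = None

    def issue_key(self):
        key = secrets.token_bytes(32)
        self._lock = hashlib.sha256(key).digest()
        return key

    def door_accepts(self, key):
        return hmac.compare_digest(hashlib.sha256(key).digest(), self._lock)


class Phone:
    """Traveller's phone: stores the wrapped key, never the PIN or the
    wrapping secret; every use round-trips to the remote server."""

    def __init__(self, user, server):
        self.user, self.server, self.wrapped = user, server, None

    def check_in(self, hotel, pin):
        secret = self.server.release_wrap_secret(self.user, pin)
        if secret is None:
            return False
        self.wrapped = wrap_key(secret, hotel.issue_key())  # key wrapped at once
        return True

    def open_door(self, hotel, pin):
        secret = self.server.release_wrap_secret(self.user, pin)
        if secret is None:
            return False
        return hotel.door_accepts(unwrap_key(secret, self.wrapped))


def run_scenario():
    """Constructed walk-through: check-in, a normal opening, then a thief
    holding the phone without the PIN. Returns the outcomes for inspection."""
    server, hotel = RemoteAuthServer(), Hotel()
    server.enrol("traveller", pin="4921")
    phone = Phone("traveller", server)
    checked_in = phone.check_in(hotel, "4921")
    opened = phone.open_door(hotel, "4921")
    thief_tries = [phone.open_door(hotel, guess) for guess in ("1111", "2222", "3333")]
    locked_out = phone.open_door(hotel, "4921")  # lockout now blocks even the right PIN
    return {"checked_in": checked_in, "opened": opened,
            "thief_opened_any": any(thief_tries), "locked_out": locked_out}
```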
Reiter says CyLab is starting to demonstrate this capability and will move forward with the opening this winter of the Collaborative Innovation Center, a facility in which researchers will be able to control building functions using smart phones.

From isn at c4i.org Fri Nov 26 01:16:03 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 26 01:30:40 2004
Subject: [ISN] CIA funds chatroom surveillance
Message-ID:

http://news.zdnet.co.uk/0,39020330,39175016,00.htm

Declan McCullagh
CNET News.com
November 25, 2004

The CIA is quietly funding federal research into surveillance of Internet chatrooms as part of an effort to identify possible terrorists, newly released documents reveal.

In April 2003, the CIA agreed to fund a series of research projects that the documents indicate were intended to create "new capabilities to combat terrorism through advanced technology". One of those projects is research at the Rensselaer Polytechnic Institute in Troy, N.Y., devoted to automated monitoring and profiling of the behaviour of chatroom users.

Even though the money ostensibly comes from the National Science Foundation, CIA officials were involved in selecting recipients for the research grants, according to a contract between the two agencies obtained by the Electronic Privacy Information Center (EPIC) and reviewed by ZDNet UK sister site CNET News.com.

NSF programme director Leland Jameson said on Wednesday the two-year agreement probably will not be renewed for the 2005 fiscal year. "Probably we won't be working with the CIA anymore at all," Jameson said. "I think that people have moved on to other things."

The NSF grant for chatroom surveillance was reported earlier this year, but without disclosure of the CIA's role in the project.
The NSF-CIA memorandum of understanding says that while the 11 September, 2001 attacks and the fight against terrorism presented US spy agencies with surveillance challenges, existing spy "capabilities can be significantly enhanced with advanced technology".

EPIC director Marc Rotenberg, whose nonprofit group obtained the documents through the Freedom of Information Act, said the CIA's clandestine involvement was worrisome. "The intelligence community is changing the priorities of scientific research in the US," Rotenberg said. "You have to be careful that the National Science Foundation doesn't become the National Spy Foundation."

A CIA representative would not answer questions, saying the agency's policy is never to talk about funding. The two Rensselaer Polytechnic Institute researchers involved, Bulent Yener and Mukkai Krishnamoorthy, did not respond to interview requests.

Their proposal, also disclosed under the Freedom of Information Act, received $157,673 from the CIA and NSF. It says: "We propose a system to be deployed in the background of any chatroom as a silent listener for eavesdropping... The proposed system could aid the intelligence community to discover hidden communities and communication patterns in chatrooms without human intervention."

Yener and Krishnamoorthy, both associate professors of computer science, wrote that their research would involve writing a program for "silently listening" to an Internet Relay Chat (IRC) channel and "logging all the messages". One of the oldest and most popular methods for chatting online, IRC attracts hundreds of thousands of users every day. A history written by IRC creator Jarkko Oikarinen said the concept grew out of chat technology for modem-based bulletin boards in the 1980s.

The Yener and Krishnamoorthy proposal says their research will begin 1 January, 2005 but does not say which IRC servers will be monitored.
A June 2004 paper they published, also funded by the NSF, described a project that quietly monitored users of the popular Undernet network, which has about 144,000 users and 50,000 channels.

In the paper, Yener and Krishnamoorthy predicted their work "could aid [the] intelligence community to eavesdrop in chatrooms, profile chatters and identify hidden groups of chatters in a cost-effective way" and that their future research will focus on identifying "topic-based information."

Al Teich, director of science and policy programmes at the American Association for the Advancement of Science, said he does not object to the CIA funding terrorism-related research in general. "I don't know about chatroom surveillance, but doing research on issues related to terrorism is certainly legitimate," Teich said. "Whether the CIA ought to be funding research in universities in a clandestine manner is a different issue."

From isn at c4i.org Fri Nov 26 01:16:27 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 26 01:30:41 2004
Subject: [ISN] Hacker evidence could be accepted in court
Message-ID:

http://computerworld.co.nz/news.nsf/0/0CCAB3539D3945EACC256F570008D68A

Stephen Bell
Wellington
26 November, 2004

A bill likely to be introduced to Parliament early next year will clarify the legal status of evidence of an offence gained by hacking, as well as other evidence collected through illegal acts.

Evidence of electronic or other crime gathered by a hacker illegally intruding into a suspect's computer system would probably be admissible in a New Zealand court, according to lawyers and Police e-crime unit chief Maarten Kleintjes.

One lawyer acknowledges the risk of "vigilantes" hacking into systems in the hope that any detected crime would be serious enough for the hack to be seen as a lesser offense not worth prosecuting.
Such evidence would be subject to the same guidelines as evidence coming from any other informant where the illegal nature of the act of gathering such evidence may not rule it out, say the sources. But the principles governing such a judgement are purely case law at present.

Government officials are working on a new bill amending the Evidence Act, which aims to make such questions as admissibility of illegally obtained evidence a matter of statute law.

At the same time, the Law Commission is drafting a paper on rights of entry, search and seizure, which has been delayed until next year to consider more fully the issues presented by new technology. This could well include further thoughts on the acceptability of hacking, says Commissioner Warren Young, though a previous Law Commission paper forms the basis of the planned Evidence Act amendment bill. This could be tabled early next year, he says.

Young points to a watershed case two years ago, R v Shaheed, which modified a previous assumption that such evidence, particularly where obtained in a way contravening the NZ Bill of Rights, would be inadmissible.

None of the sources consulted can call to mind a case in the computer hacking arena. Admissibility would depend on the relative gravity of the two crimes; if murder were at issue, says one lawyer, it can hardly be imagined that the relatively minor crime of hacking would render the evidence inadmissible.

The question came up in the wake of a local case where images in breach of the censorship law were given to the Department of Internal Affairs by a computer repair shop to which the offender took a failing hard disk drive. The DIA used that prosecution to warn that it's not only the Department's inspectors that are alert for possible illegal activity.
But the case led IT commentator Bruce Simpson to ask in his online Aardvark column whether there was any real difference between viewing files without permission while the PC is being repaired and "hacking into someone's PC and inspecting the files on its hard drive without permission over the internet." He sees the latter as unjustifiable and some of his respondents agree.

A few months ago, a US appeal court allowed evidence gathered by a freelance hacker. A former judge was charged with an offence where incriminating information was rooted out by the hacker introducing a Trojan into the offender's system.

The appeal court found it would be improper for a government agency to indulge in hacking and evidence gained in this way could not be used in court. But since the hacker in this case was not directly employed by the government (although he considered himself to be working on their behalf) his evidence was ruled admissible.

Images which the former judge downloaded had had a Trojan attached to them by the hacker, who used the vulnerability to read other material on the offender's computer.

The anti-hacking provisions of the Crimes Act are still relatively untried, says lawyer Craig Horrocks, of Clendon Feeney, so there is some doubt whether a particular act of hacking could even be demonstrated to be illegal. Assuming such evidence to be admissible does open the danger of "vigilante" activity of the kind evident in the US case, he says.

In the local case, a Christchurch man, Lance Thomas Priestly, was convicted of possessing objectionable material. His arrest followed information from a Christchurch computer company to which Priestly took his hard disk for repair.

The acting director of the department's gaming and censorship regulation group, Peter Burke, emphasises that reports of suspected offences by members of the public are not a breach of privacy.
The repair case is straightforward, since the Privacy Act has exemptions for cases where maintenance of the law or furtherance of a prosecution "for an offence carrying a pecuniary penalty" is at issue.

"There is a common misconception that reporting a possible crime is a breach of privacy laws. It is not. If you see a burglary and report it to the police you are acting as a responsible citizen and are helping protect someone's property," Burke says in a statement on the Priestly case. "If you find information about movies or pictures of children being sexually abused or sexually posed and you report that, then you are being a responsible member of the community by helping protect children."

The DIA, however, declines comment on the acceptability of hacker assistance in tracking down the kind of illegal online activity it pursues.

From isn at c4i.org Fri Nov 26 01:16:50 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 26 01:30:44 2004
Subject: [ISN] Hackers Put Stolen Tax Police Database Up for Sale in Moscow
Message-ID:

http://www.mosnews.com/news/2004/11/25/hackedtax.shtml

25.11.2004
MosNews

Russian hackers have broken into the tax authorities' database and released the information on a CD. Now Russians can pay just over $30 to get access to information about income, address, business, telephone and the financial history of just about anyone in the Moscow region.

Earlier in 2004, a database of tax information on private individuals was released on a disk costing nearly $100, though the price has fallen to 2000 rubles (about $68), the Vedomosti financial daily reported.

The current database includes information on Prime Minister Mikhail Fradkov and business tycoon Roman Abramovich, as well as other well known politicians and businessmen.

An official from the Federal Tax Service said it was necessary to find out how such information could have been leaked, but otherwise declined to comment on the hackers.
Officials in the Interior Ministry also declined to comment.

From isn at c4i.org Mon Nov 29 01:59:40 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 29 02:32:23 2004
Subject: [ISN] Linux Advisory Watch - November 26th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  November 26th, 2004                          Volume 5, Number 47a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@linuxsecurity.com          ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for bugzilla, samba, bnc, sudo, Cyrus, yardradius, AbiWord, unarj, pdftohtml, ProZilla, phpBB, TWiki, XFree86, libxpm4, a2ps, zip, kdebase, and kdelibs. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Openwall, and Trustix.

----- LinuxSecurity.com Version 2 -----

Get ready ... on December 1st the new LinuxSecurity.com site will be revealed. The same great content you've come to expect with a whole new look and great new features. A sneak preview is coming soon!

http://ads.linuxsecurity.com/cgi-bin/ads.pl?banner=lsv2flashdemo

------ Security Basics

In the ever-changing world of global data communications, inexpensive Internet connections, and fast-paced software development, security is becoming more and more of an issue. Security is now a basic requirement because global computing is inherently insecure.

As your data goes from point A to point B on the Internet, for example, it may pass through several other points along the way, giving other users the opportunity to intercept, and even alter, your data. Even other users on your system may maliciously transform your data into something you did not intend.
Unauthorized access to your system may be obtained by intruders, also known as ``crackers'', who then use advanced knowledge to impersonate you, steal information from you, or even deny you access to your own resources. If you're still wondering what the difference is between a ``Hacker'' and a ``Cracker'', see Eric Raymond's document, ``How to Become A Hacker'', available at:

http://www.catb.org/~esr/faqs/hacker-howto.html

How Vulnerable Are We?

While it is difficult to determine just how vulnerable a particular system is, there are several indications we can use:

* The Computer Emergency Response Team consistently reports an increase in computer vulnerabilities and exploits.
* TCP and UDP, the protocols that comprise the Internet, were not written with security as their first priority when it was created more than 30 years ago.
* A version of software on one host has the same vulnerabilities as the same version of software on another host. Using this information, an intruder can exploit multiple systems using the same attack method.
* Many administrators don't even take simple security measures necessary to protect their site, or don't understand the ramifications of implementing some se

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave@guardiandigital.com)

----- Mass deploying Osiris

Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel.
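The core of what the Osiris description above calls a scan and a comparison is a baseline of file digests that a later scan is checked against. The following is an added illustration of that step written for this newsletter summary; it is not Osiris code, and the function names, the constructed sample tree and the simulated changes are all assumptions. It walks a directory, records a SHA-256 per regular file, and classifies a second scan's differences as added, removed or modified paths, which is exactly the report an admin would expect to receive by email from a file-integrity server.

```python
"""Baseline-and-compare file-integrity check (added example, not Osiris code)."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def scan_tree(root: str) -> Dict[str, str]:
    """Return {relative_path: sha256_hex} for every regular file under root.

    Symlinks and special files are skipped; a real integrity scanner would
    record their metadata too, but digests of regular files are the core.
    Paths are normalised to '/' separators so reports are stable.
    """
    digests: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order, like a fixed scan config
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline: Dict[str, str],
            current: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Classify differences between two scans as (added, removed, modified)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Build a constructed tree, baseline it, change it, and report the delta.

    The tree contents and the three changes are constructed for the example.
    """
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(etc, "motd"), "w") as f:
            f.write("Authorised use only.\n")
        baseline = scan_tree(root)

        # Simulated changes an administrator would want reported:
        with open(os.path.join(etc, "hosts"), "a") as f:
            f.write("10.0.0.5 updates.example\n")       # content modified
        os.remove(os.path.join(etc, "motd"))            # file removed
        os.makedirs(os.path.join(etc, "cron.d"))
        with open(os.path.join(etc, "cron.d", "job"), "w") as f:
            f.write("* * * * * root /usr/local/bin/job\n")  # file added

        return compare(baseline, scan_tree(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

In the Osiris model the baseline lives on the server and only the scan results travel over the encrypted channel, so the host being checked never holds the reference digests an intruder could edit; this example keeps both in memory purely to show the comparison.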
http://www.linuxsecurity.com/feature_stories/feature_story-175.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

11/23/2004 - shadow-utils authentication bypass vulnerability fix
Martin Schulze reported a vulnerability[2] in the passwd_check() function in "libmisc/pwdcheck.c" which is used by chfn and chsh and thus may allow a local attacker to use them to change the standard shell of other users or modify their GECOS information (full name, phone number...).
http://www.linuxsecurity.com/advisories/conectiva_advisory-5223.html

11/23/2004 - bugzilla remote vulnerability fix
Bugzilla versions prior to 2.16.7 have a vulnerability[3] which allows a remote user to remove keywords from a ticket even without the necessary permissions. Such an action, however, would trigger the usual e-mail detailing the changes, making it easy to discover what happened and what was changed.
http://www.linuxsecurity.com/advisories/conectiva_advisory-5224.html

11/25/2004 - samba denial of service vulnerability fix
Karol Wiesek found a vulnerability[2] in the input validation routines in Samba 3.x used to match filename strings containing wildcard characters that may allow a remote attacker to consume abnormal amounts of CPU cycles.
http://www.linuxsecurity.com/advisories/conectiva_advisory-5234.html

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

11/24/2004 - bnc buffer overflow
Leon Juranic discovered that BNC, an IRC session bouncing proxy, does not always protect buffers from being overwritten. This could be exploited by a malicious IRC server to overflow a buffer of limited size and execute arbitrary code on the client host.
http://www.linuxsecurity.com/advisories/debian_advisory-5227.html

11/24/2004 - sudo privilege escalation fix
Liam Helmer noticed that sudo, a program that provides limited super user privileges to specific users, does not clean the environment sufficiently. Bash functions and the CDPATH variable are still passed through to the program running as privileged user, leaving possibilities to overload system routines.
http://www.linuxsecurity.com/advisories/debian_advisory-5228.html

11/24/2004 - sudo removes debug output
Liam Helmer noticed that sudo, a program that provides limited super user privileges to specific users, does not clean the environment sufficiently. Bash functions and the CDPATH variable are still passed through to the program running as privileged user, leaving possibilities to overload system routines.
http://www.linuxsecurity.com/advisories/debian_advisory-5229.html

11/25/2004 - Cyrus IMAP arbitrary code execution fix
Stefan Esser discovered several security related problems in the Cyrus IMAP daemon. Due to a bug in the command parser it is possible to access memory beyond the allocated buffer in two places which could lead to the execution of arbitrary code.
http://www.linuxsecurity.com/advisories/debian_advisory-5240.html

11/25/2004 - yardradius arbitrary code execution fix
Max Vozeler noticed that yardradius, the YARD radius authentication and accounting server, contained a stack overflow similar to the one from radiusd which is referenced as CAN-2001-0534. This could lead to the execution of arbitrary code as root.
http://www.linuxsecurity.com/advisories/debian_advisory-5241.html

11/25/2004 - tetex-bin arbitrary code execution fix
Chris Evans discovered several integer overflows in xpdf, that are also present in tetex-bin, binary files for the teTeX distribution, which can be exploited remotely by a specially crafted PDF document and lead to the execution of arbitrary code.
http://www.linuxsecurity.com/advisories/debian_advisory-5242.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

11/19/2004 - system-config-users-1.2.28-0.fc3.1 update arbitrary code execution fix
check for running processes of a user about to be deleted (#132902)
http://www.linuxsecurity.com/advisories/fedora_advisory-5205.html

11/19/2004 - system-config-users-1.2.28-0.fc2.1 update arbitrary code execution fix
check for running processes of a user about to be deleted (#132902)
http://www.linuxsecurity.com/advisories/fedora_advisory-5206.html

11/19/2004 - rhgb-0.16.1-1.FC3 update arbitrary code execution fix
This should fix the problem where rhgb blocks the boot process when X fails to initialize correctly, as well as the one preventing vncserver from starting when rhgb is used.
http://www.linuxsecurity.com/advisories/fedora_advisory-5207.html

11/22/2004 - redhat-menus-3.7-2.2.fc3 update arbitrary code execution fix
This update adds additional file types to the list of file types associated with the OpenOffice.org application suite, allowing users to open more documents with OpenOffice.org through Nautilus and Evolution.
http://www.linuxsecurity.com/advisories/fedora_advisory-5213.html

11/22/2004 - kernel-2.6.9-1.6_FC2 update arbitrary code execution fix
This update brings a rebase to 2.6.9, including various security fixes incorporated into the upstream kernel, and also includes Alan Cox's -ac patchset, which adds additional security fixes.
http://www.linuxsecurity.com/advisories/fedora_advisory-5214.html

11/22/2004 - kernel-2.6.9-1.681_FC3 update arbitrary code execution fix
This update brings an updated -ac patch which adds several security fixes, and various other fixes that have occurred since the release of Fedora Core 3.
http://www.linuxsecurity.com/advisories/fedora_advisory-5215.html

11/22/2004 - redhat-menus-3.7.1-1.fc3 update arbitrary code execution fix
This update fixes the missing evolution icon bug (#rh138282).
http://www.linuxsecurity.com/advisories/fedora_advisory-5216.html

11/23/2004 - system-config-display-1.0.24-1 update arbitrary code execution fix
This fixes tracebacks experienced by some users with dual head support
http://www.linuxsecurity.com/advisories/fedora_advisory-5217.html

11/24/2004 - system-config-samba-1.2.22-0.fc3.1 update arbitrary code execution fix
add missing options (#137756)
http://www.linuxsecurity.com/advisories/fedora_advisory-5230.html

11/24/2004 - system-config-samba-1.2.22-0.fc2.1 update arbitrary code execution fix
add missing options (#137756), don't raise exception when writing /etc/samba/smb.conf (#135946), updated translations
http://www.linuxsecurity.com/advisories/fedora_advisory-5231.html

11/25/2004 - AbiWord bug fixes
Fixes for tempnam usages and startup geometry crashes
http://www.linuxsecurity.com/advisories/fedora_advisory-5232.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

11/19/2004 - X.org, Xfree vulnerabilities bug fixes
libXpm contains several vulnerabilities that could lead to a Denial of Service and arbitrary code execution.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5209.html

11/19/2004 - unarj Long filenames buffer overflow and a path traversal vulnerability
unarj contains a buffer overflow and a directory traversal vulnerability. This could lead to overwriting of arbitrary files or the execution of arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5210.html

11/23/2004 - pdftohtml Vulnerabilities in included Xpdf
pdftohtml includes vulnerable Xpdf code to handle PDF files, making it vulnerable to execution of arbitrary code upon converting a malicious PDF file.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5219.html

11/23/2004 - ProZilla Multiple vulnerabilities
ProZilla contains several buffer overflow vulnerabilities that can be exploited by a malicious server to execute arbitrary code with the rights of the user running ProZilla.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5220.html

11/23/2004 - phpBB Remote command execution
phpBB contains a vulnerability which allows a remote attacker to execute arbitrary commands with the rights of the web server user.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5221.html

11/24/2004 - TWiki Arbitrary command execution
A bug in the TWiki search function allows an attacker to execute arbitrary commands with the permissions of the user running TWiki.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5222.html

11/25/2004 - Cyrus IMAP Multiple remote vulnerabilities
The Cyrus IMAP Server contains multiple vulnerabilities which could lead to remote execution of arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-5233.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

11/23/2004 - XFree86 vulnerabilities fix
A source code review of the XPM library, done by Thomas Biege of the SuSE Security-Team revealed several different kinds of bugs. These bugs include integer overflows, out-of-bounds memory access, shell command execution, path traversal, and endless loops.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5225.html

11/23/2004 - libxpm4 vulnerabilities fix
A source code review of the XPM library, done by Thomas Biege of the SuSE Security-Team revealed several different kinds of bugs. These bugs include integer overflows, out-of-bounds memory access, shell command execution, path traversal, and endless loops.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5226.html

11/25/2004 - Cyrus IMAP multiple vulnerabilities
A number of vulnerabilities in the Cyrus-IMAP server were found by Stefan Esser. Due to insufficient checking within the argument parser of the 'partial' and 'fetch' commands, a buffer overflow could be exploited to execute arbitrary attacker-supplied code.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5235.html

11/25/2004 - a2ps vulnerability fix
The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5236.html

11/25/2004 - zip vulnerability fix
A vulnerability in zip was discovered where zip would not check the resulting path length when doing recursive folder compression, which could allow a malicious person to convince a user to create an archive containing a specially-crafted path name.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5237.html

11/26/2004 - kdebase various bugs fixes
A number of bugs in kdebase are fixed with this update.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5238.html

11/26/2004 - kdelibs various bugs fix
A number of bugs in kdelibs are fixed with this update.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5239.html

+---------------------------------+
|  Distribution: Openwall         | ----------------------------//
+---------------------------------+

11/23/2004 - 2.4.28-ow1 security-related bugs various bugs fix
Linux 2.4.28, and thus 2.4.28-ow1, fixes a number of security-related bugs, including the ELF loader vulnerabilities discovered by Paul Starzetz (confirmed: ability for users to read +s-r binaries; potential: local root), a race condition with reads from Unix domain sockets (potential local root), smbfs
http://www.linuxsecurity.com/advisories/openwall_advisory-5218.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

11/22/2004 - apache, kernel, sudo Multiple vulnerabilities various bugs fix
An issue was discovered where the field length limit was not enforced for certain malicious requests. This could lead to a remote denial of service attack.
http://www.linuxsecurity.com/advisories/trustix_advisory-5211.html

11/22/2004 - amavisd-new, anaconda, courier-imap, ppp, setup, spamassassin, swup, tftp-hpa, tsl-utils Package bugfixes various bugs fix
amavisd-new: Add tmpwatch of the virusmails directory to keep it from growing infinitely. Anaconda: Increase ramdisk-size as needed by netboot floppy. Courier-imap: Now use $HOME/Maildir.
http://www.linuxsecurity.com/advisories/trustix_advisory-5212.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Nov 29 01:59:52 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 29 02:32:27 2004
Subject: [ISN] Lycos screensaver to blitz spam servers
Message-ID:

http://www.theregister.co.uk/2004/11/26/lycos_europe_spam_blitz/

By Jan Libbenga
26th November 2004

Lycos Europe has started to distribute a special screensaver [1] in a controversial bid to battle spam. The program - titled Make Love Not Spam, and available for Windows and the Mac OS - sends a request to view a spam source site. When a large number of screensavers send their requests at the same time the spam web page becomes overloaded and slow.

The servers targeted by the screensaver have been manually selected from various sources, including Spamcop, and verified to be spam advertising sites, Lycos claims. Several tests are performed to make sure that no server stops working. Flooding a server with requests so that the server is unable to respond to the volume of requests made - a process known as a distributed denial of service (DDoS) attack - is considered to be illegal.

Lycos believes the program will eventually hurt spammers. 'Spamvertised' sites typically don't sell advertising, so they have to pay for bandwidth. Therefore more requests means higher bills, Lycos argues.

A spokesman for Lycos in Germany told The Register he believed that the tool could generate 3.4MB in traffic on a daily basis. When 10m screensavers are downloaded and used, the numbers quickly add up, to 33TB of 'useless' IP traffic. Seems Lycos may hurt not just spammers.
[1] http://makelovenotspam.com/intl

From isn at c4i.org Mon Nov 29 02:00:05 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 29 02:32:31 2004
Subject: [ISN] ISPs 'must do more' to combat cybercrime
Message-ID:

http://news.zdnet.co.uk/internet/0,39020369,39175286,00.htm

Andrew Donoghue
ZDNet UK
November 26, 2004

The chief technology officer of online gaming portal Betfair has called on more government and industry cooperation to combat the growing threat of distributed denial of service (DDoS) attacks to online businesses.

In an exclusive interview with ZDNet UK, David Yu said that DDOS attacks may have only really affected a handful of businesses so far but any company that relies on the web to transact with customers or partners should be aware of the problem.

"I think in general, there is a lot more that the e-commerce industry as a whole needs to be aware of. Security threats are not a gaming related problem, they could easily affect any other e-commerce company, online travel, online books, they could affect healthcare and government," he said. "I think there have been some sectors who have said it's not our problem; it's not for us to worry about -- well I would tell them that it is going to be their problem if they don't pay attention."

Betfair, along with several other UK betting sites, has been targeted by Web-based criminals -- and has been a victim of DDoS attacks on three separate occasions. The attacks work by flooding servers with traffic often generated by hijacking private PCs -- so called botnets.

In July the company admitted that its main exchange site was affected for just over an hour due to a DDoS attack. The attack prevented users from accessing the site with some customers claiming they had been unable to view or place bets and some claiming to have lost money.
Yu, recently voted Daily Telegraph IT Director of the Year 2004 and runner up in the CNET UK Technology Awards, explained that during a period of sustained DDoS attacks earlier this year, various gaming organisations banded together to exchange information on how best to tackle the problem.

"What we saw is that the gaming industry as a whole has been under threat but worked pretty well at the time to combat the problem together. What we started to do was have industry-wide forums where the heads of infrastructure from all these other companies got together," he said.

"It worked very well, it was nice to see that the industry, although we compete against each other as hard as we can, here was a common threat which we came together to combat and shared information," he added.

Yu claimed that although its own service provider Cable & Wireless had been very effective, there is a lot more that ISPs could do to prevent DDoS attacks and help security agencies track down the culprits.

"I think there is more that network providers and ISPs can do. A lot of these attacks stem from individual [broadband-connected] PCs being compromised and then using that broadband access to flood these sites. We think that ISPs could do a lot if they took more responsibility. We do see a mix -- we see some network providers who work very actively to try and cleanse their system and provide high-quality bandwidth and the others who don't."

Yu's comments echo earlier remarks from ex-US cybersecurity chief Richard Clarke earlier this month. "I think we are going to see companies asking their ISPs to do more. A lot of denial-of-service attacks could be prevented if ISPs co-operated with each other."
From isn at c4i.org Mon Nov 29 02:00:17 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 29 02:32:35 2004
Subject: [ISN] More security for Government PCs
Message-ID:

http://www.news.com.au/common/story_page/0,4057,11507214%255E1702,00.html

November 26, 2004

THE Federal Government will pay experts to upgrade its computer security in a bid to ward off any future attempts of hacking or cyber terrorism.

Attorney-General Philip Ruddock said the Government would protect its critical networks through the Computer Network Vulnerability Assessment program.

Specialist computer experts would be employed to identify vulnerabilities in the systems that support the provision of essential services to Australians, Mr Ruddock said.

"The growth in the use of the internet and the development of high-speed connections between computer systems has transformed the way that organisations, companies and governments share information and do business," he said.

"While the benefits have been enormous, this reliance on high-speed connections between computer systems and the internet is not without its risks."

Computer systems could be attacked and disabled in many ways by deliberate criminal acts such as hacking and cyber terrorism or by the accidental or deliberate distribution of a computer virus, he said.

Mr Ruddock said the CNVA program would identify weaknesses in existing computer networks and test systems to see how they can be compromised.

"This will provide the government and the owners and operators of computer systems with valuable information on how to better protect their networks," he said.

From isn at c4i.org Mon Nov 29 02:00:35 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 29 02:32:38 2004
Subject: [ISN] A Burglary Foiled by Calls That Didn't Reach 911
Message-ID:

Forwarded from: William Knowles

http://www.nytimes.com/2004/11/27/nyregion/27theft.html

By MARC SANTORA
November 27, 2004

The plan seemed simple enough.
The building had been cased and the burglars knew exactly what they wanted - advanced computer circuit panels that could be sold on the black market for hundreds of thousands of dollars.

The night before Thanksgiving, about 8 p.m., they entered the Verizon building in White Plains undetected and set to work.

But as the criminals removed the panels, they soon triggered problems across Westchester County. Most problematic, 911 systems across the region began to crash. By the time some 150 panels were removed, roughly 25,000 people had lost 911 service.

At 9:51 p.m., the White Plains Police received a call alerting them to the fact that there might be a problem at the Verizon building. Still unaware that burglars were at work inside, a patrol car rolled up to the site, according to Inspector Daniel Jackson.

"Literally, the two guys were walking out the door," Mr. Jackson said.

They were carrying two large boxes when the officer shouted for them to stop. The men dropped the stolen boxes, fled on foot and were eventually run down by the officer and arrested, Mr. Jackson said.

The two men were identified in a criminal complaint as Larry D. Davis, 43, of Brooklyn, and Gailican Phillips, 34 of Manhattan. They have been charged with conspiracy to commit interstate shipment of stolen property, a federal crime with a maximum sentence of five years in jail, according to the complaint.

Mr. Jackson said that the burglary itself was not as disturbing as the widespread effect it had on the 911 system. The police are working with the F.B.I. and the Department of Homeland Security on the case. Terrorism has been ruled out as a possible motive.

Although the burglary occurred in the Verizon building, the stolen equipment belonged to some half-dozen other telecommunications companies that use the premises to house part of their operations. No Verizon customers were affected, a company official said.
Dan Diaz Zapata, a spokesman for Verizon, said the building had many levels of security - from video cameras to security badges to on-site guards - and that the company was cooperating with local and federal authorities.

Mr. Zapata said that Verizon had redundancy capabilities built into its system that would have prevented a theft of their own equipment from having such a wide impact.

Mr. Jackson said that there had been a theft at the building once before, in 2003, and the police had reason to believe one of the two men involved Wednesday also took part in that operation. He would not elaborate on other details in that case. However, much less was stolen then.

According to the complaint filed in Southern District of New York, the circuit boards ranged in value from $5,000 to $70,000 each and, all told, were worth in excess of $1 million. The plan was to deliver them to an unnamed co-conspirator who, in turn, planned to sell them to an unnamed company in California, according to the complaint.

"There apparently is a strong, robust black market for this stuff," said a federal law enforcement official, who insisted on anonymity for fear of saying something that would compromise the investigation.

There have been two other similar burglaries in New York City and New Jersey in recent years, according to Mr. Jackson. Those thefts were much smaller in scale.

National Infrastructure Coordination Center of the Department of Homeland Security is also working with local police because of concern that the 911 system could be relatively easily compromised.

After arresting the two men and photographing the stolen circuit panels, the police returned them to the companies that owned them. Once reinstalled, the 911 problems ended, and by 7 a.m. the system was back to normal, Mr. Jackson said.

Police said the panels that were stolen were each about the size of a legal pad and are used by telecommunications companies to transmit data and connect calls.
There is an industry standard for the panels and they can easily be transferred from one computer to another. Potential buyers of the panels on the black market range from small telecommunications companies to overseas clients, the police said.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Nov 29 02:00:50 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 29 02:32:40 2004
Subject: [ISN] The big Hiatus
Message-ID:

+------------------------------------------------------------------+
| Linux Security: Tips, Tricks, and Hackery 27-November-2004 |
| Published by Onsight, Inc. Edition |
| |
| http://www.hackinglinuxexposed.com/articles/20041127.html |
+------------------------------------------------------------------+

This issue sponsored by Beginning Perl, Second Edition

Hacking Linux Exposed author James Lee's most recent book, Beginning Perl Second Edition, emphasizes the cross-platform nature of Perl. Throughout the book, Lee promotes Perl as a legible, sensible programming language and dispels the myth that Perl is confusing and obscure. Perfect for the beginning Perl user looking to gain a quick and masterful grasp on the language, this concise and focused book begins with the basics and moves on to more advanced features of Perl, including references, modules, and object-oriented programming.

For purchasing information, go to http://www.hackinglinuxexposed.com/books/

--------------------------------------------------------------------

The big Hiatus
By Brian Hatch

Summary: Brian takes some time off writing about SSH ... to write about SSH.
------

Several folks have written in the past few weeks wondering where I've gone. Here I started a nice SSH thread about SSH 'Bouncing', and seemed to have dropped off the face of the earth. Some readers' questions included

* "Hey, Where'd you go? Did you lose your Internet connection?"
* "Lemme guess, your dog ate your articles?"
* "Did you go off and get a job with Microsoft or something?"
* "Why the huge break in articles - don't tell me you had another kid!"

Well, truth be told I was asked by SecurityFocus to write some articles on one of my favourite topics, SSH. For the last month and a half I have been writing, just not here -- I simply don't have the time to do both. Writing for SecurityFocus does have some advantages, such as

* Folks to remind me to get my butt in gear and write.
* An editor who fixes my typos before I publish them.
* It pays...

That last one is really the biggest one, to be honest. All that baby food is expensive! And babysitting ain't cheap either. Man, we need to have our relatives closer, and I never thought I'd say that.

Anyway, just wanted to let'cha all know that I'm alive and well. If you want to read the SSH articles at SecurityFocus, here are the links thus far:

* http://www.securityfocus.com/infocus/1806 - SSH Host Key Protection
* http://www.securityfocus.com/infocus/1810 - SSH User identities
* http://www.securityfocus.com/infocus/1812 - SSH and ssh-agent

I'll be writing on this topic for SecurityFocus for a while, so this list will be rather quiet until I'm done there.

Also, if you're interested, I'll be participating in a Live Chat at http://www.linuxsecurity.com on December 1st at 4pm EST as they launch the new version of their website -- I've seen a preview, and it's quite cool. For more information, go to http://www.linuxsecurity.com/

-------------

Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs.
He's totally out of anything witty to put here, you'll just have to make do on your own. Brian can be reached at brian@hackinglinuxexposed.com.

--------------------------------------------------------------------
This newsletter is distributed by Onsight, Inc.

The list is managed with MailMan (http://www.list.org). You can subscribe, unsubscribe, or change your password by visiting http://lists.onsight.com/ or by sending email to linux_security-request@lists.onsight.com.

Archives of this and previous newsletters are available at http://www.hackinglinuxexposed.com/articles/
--------------------------------------------------------------------

Copyright 2004, Brian Hatch.

From isn at c4i.org Mon Nov 29 02:01:04 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 29 02:32:42 2004
Subject: [ISN] Failed Windows XP Upgrade Downs 60,000 UK Gov't PCs
Message-ID:

http://www.eweek.com/article2/0,1759,1732672,00.asp

By John Lettice
The Register - special to eWEEK.com
November 27, 2004

Most of the desktop computers in the UK's Department for Work and Pensions were paralyzed for four days on Monday, when a failed upgrade took them offline. The outage, covering 75 percent to 80 percent of the DWP's 80,000 PCs, is one of the largest in the UK government's not entirely impressive IT history. And possibly one of the most costly.

According to staff reports, the outage occurred on Monday afternoon, disconnecting staff e-mail, benefits processing, and Internet and intranet connectivity. According to one, a limited network upgrade from Windows 2000 to Windows XP was taking place, but instead of this taking place on only a small number of the target machines, all the clients connected to the network received a partial, but fatal, "upgrade."

Another source says that the DWP was trialing Windows XP on a small number ("about seven") of machines. "EDS was going to apply a patch to these.
Unfortunately the request was made to apply it live and it was rolled out across the estate, which hit around 80 percent of the Win2K desktops. This patch caused the desktops to BSOD and made recovery rather tricky as they couldn't boot to pick any further patches or recalls. I gather that [Microsoft Corp.] consultants have been flown in from the U.S. to clear up the mess."

EDS is also thought to be flying in fire brigades. If these claims are true, the DWP could face grave difficulties in rolling all of its machines back to their previous, working state.

Staff from Microsoft and EDS are reported to have been working around the clock to dig the department out of the pit, while speaking on the "Today" program Friday morning, a spokeswoman amusingly insisted that the department's systems had not in fact fallen over. They were working; it was merely the case that "80 percent of desktop computers are not connecting through to the mainframe systems." So that's cleared that up then.

She added that the emergency payments system was "working perfectly." The emergency system appears to have kicked in on Wednesday, and the department was preparing a press release on the matter Thursday. There was no sign of it when this story was published. Reports coming in on Friday however suggest that at least some of the DWP's systems are coming back online.

From isn at c4i.org Tue Nov 30 01:49:12 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 30 02:15:42 2004
Subject: [ISN] ITL Bulletin for November 2004
Message-ID:

Forwarded from: Elizabeth Lennon

UNDERSTANDING THE NEW NIST STANDARDS AND GUIDELINES REQUIRED BY FISMA
How Three Mandated Documents are Changing the Dynamic of Information Security for the Federal Government

By Ron Ross and Patricia Toth
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

The Federal Information Security Management Act (FISMA) of 2002 places significant requirements on federal agencies, including the National Institute of Standards and Technology (NIST), for the protection of information and information systems. In response to this important legislation, NIST is leading the development of key information system security standards and guidelines as part of its FISMA Implementation Project. This high-priority project includes the development of security categorization standards, standards and guidelines for the specification, selection, and testing of security controls for information systems.

The flagship standard among those being developed by NIST is Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, published in February 2004. This mandatory standard, applicable to non-national security systems as defined by FISMA, introduces some significant changes in how the U.S. Government protects its information and information systems, including those systems that comprise the nation's critical infrastructure.

To gauge the impact of FIPS 199 on the massive inventory of federal information systems, one must first understand how the world of information technology has changed over the past two decades. Not long ago, the information systems that populated federal enterprises consisted of large, expensive, standalone mainframes, taking up a significant amount of physical space in the facilities and consuming substantial portions of organizational budgets. Information systems were viewed as "big ticket items" requiring specialized policies and procedures to effectively manage. Today, information systems are more powerful, less costly (for the equivalent computational capability), networked, and ubiquitous.
The systems, in most cases, are viewed by agencies as commodity items, although items coupled more tightly than ever to the accomplishment of agency missions. However, as the technology raced ahead and brought a new generation of information systems into the federal government with new access methods and a growing community of users, some of the policies, procedures, and approaches employed to ensure the protection of those systems did not keep pace.

The Problem with the Old Way of Doing Business - Establishing Priorities

The administrative and technological costs of offering a high degree of protection for all federal information systems at all times would be prohibitive, especially in times of tight governmental budgets. Achieving adequate, cost-effective information system security (as defined in Office of Management and Budget Circular A-130, Appendix III) in an era where information technology is a commodity requires some fundamental changes in how the protection problem is addressed. Information systems must be assessed to establish priorities based on the importance of those systems to agency missions. There is clearly a criticality and sensitivity continuum with regard to agency information systems that affects the ultimate prioritization of those systems. At one end of the continuum, there are high-priority information systems performing very sensitive, mission-critical operations, perhaps as part of the critical information infrastructure. At the other end of the continuum, there are low-priority information systems performing routine agency operations. The application of safeguards and countermeasures (i.e., security controls) to all these information systems should be tailored to the individual systems based on established agency priorities (i.e., where the systems fall on the continuum of criticality/sensitivity with regard to supporting the agency's missions).
The level of effort dedicated to testing and evaluating the security controls in federal information systems and the determination and acceptance of risk to the mission in operating those systems (i.e., security certification and accreditation) should also be based on the same agency priorities.

Until recently, there were a limited number of standards and guidelines available to help agencies implement a more granular approach to establishing security priorities for their information systems. The result: many agencies would end up expending too many resources (both administratively and technologically) to protect information systems of lesser criticality/sensitivity and not enough resources to protect systems of greater criticality/sensitivity. Some "load balancing" was needed.

Ushering in a New Era with FIPS 199

FIPS 199, the mandatory federal security categorization standard approved by the Secretary of Commerce, provides the first step toward bringing some order and discipline to the challenge of protecting the large number of information systems supporting the operations and assets of the federal government. The standard is predicated on a simple and well-established concept: determining appropriate priorities for agency information systems and subsequently applying appropriate measures to adequately protect those systems. The security controls applied to a particular information system should be commensurate with the system's criticality and sensitivity. FIPS 199 assigns this level of criticality and sensitivity based on the potential impact on agency operations (mission, functions, image, or reputation), agency assets, or individuals should there be a breach in security due to the loss of confidentiality (i.e., unauthorized disclosure of information), integrity (i.e., unauthorized modification of information), or availability (i.e., denial of service).
FIPS 199 requires federal agencies to do a "triage" on all of their information types and systems, categorizing each as low, moderate, or high impact for the three security objectives of confidentiality, integrity (including authenticity and non-repudiation), and availability. Employed within the System Development Life Cycle (SDLC), FIPS 199 can be used as part of an agency's risk management program to help ensure that appropriate security controls are applied to each information system, and that the controls are adequately assessed to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the system security requirements.

The following activities, consistent with NIST Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems, can be applied to both new and legacy information systems within the SDLC:

(Note: A chart of the Risk Management Framework appears here in the paper copy.)

* Categorize the information system, and the information resident within that system, based on a FIPS 199 impact analysis. (See NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, for guidance in assigning security categories.)

* Select an initial set of security controls for the information system (as a starting point) based on the FIPS 199 security categorization. (See NIST SP 800-53, Recommended Security Controls for Federal Information Systems. Note: FIPS 200, Minimum Security Controls for Federal Information Systems, will replace NIST SP 800-53 in December 2005 in fulfillment of the FISMA legislative requirement for mandatory minimum security requirements for federal information systems.)

* Refine the initial set of security controls selected for the information system based on local conditions including organization-specific security requirements, specific threat information, cost-benefit analyses, the availability of compensating controls, or other special circumstances.

* Document the agreed-upon set of security controls in the system security plan including the organization's justification for any refinements or adjustments to the initial set of controls. (See NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems.)

* Implement the security controls in the information system. For legacy systems, some or all of the security controls selected may already be in place.

* Assess the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. (See NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, initial public draft, fall 2004.)

* Determine the risk to organizational operations and assets resulting from the planned or continued operation of the information system. (See NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.)

* Authorize information system processing (or for legacy systems, authorize continued system processing) if the level of risk to the agency's operations or assets is acceptable to the authorizing official. (See NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.)

* Monitor selected security controls in the information system on a continuous basis including documenting changes to the system, conducting security impact analyses of the associated changes, and reporting the security status of the system to appropriate agency officials on a regular basis. (See NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.)

Significant changes to the information system or the security requirements for that system may prompt the agency to revisit the above activities. Examples of significant changes to an information system include, but are not limited to, installation of a new or upgraded operating system, middleware component, or application; modifications to systems ports, protocols, or services; installation of a new or upgraded hardware platform or firmware component; or modifications to cryptographic modules or services. Changes in laws, directives, policies, or regulations, while not always directly related to the information system, can also potentially affect the security of the system.

The Benefits to Agency Security Programs

The long-term effect of employing a FIPS 199 standards-based approach is more targeted, more cost-effective, and improved security for federal information and information systems. While the interconnection of information systems often increases the risk to an agency's operations and assets, FIPS 199 and the associated suite of standards and guidelines provide a common framework and understanding for expressing information security, and thus promote greater consistency across diverse organizations in managing that risk. Agencies will determine which information systems are the most important to accomplishing assigned missions based on the security categorization of those systems and will protect the systems appropriately. Agencies will also determine which systems are the least important to their missions and will not allocate excessive resources for the protection of those systems.
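The categorization and baseline-selection steps above, worked through in code as an added example (this is not NIST's code and not part of the bulletin). It applies the rules the standards state: each information type is rated low, moderate or high for confidentiality, integrity and availability; the system's rating per objective is the FIPS 199 "high water mark", the highest rating across the information types the system holds; and the overall impact level that picks the SP 800-53 control baseline is the highest of the three. The information types, their ratings and the two sample systems are constructed for illustration and are not SP 800-60 entries.

```python
"""FIPS 199 security categorization for an information system.

Added example, not NIST's own code. Rules followed:
  * every information type is rated LOW, MODERATE or HIGH for each of the
    three security objectives (confidentiality, integrity, availability);
  * a system's category per objective is the "high water mark", i.e. the
    highest rating across the information types it holds (FIPS 199);
  * the overall impact level, which selects the SP 800-53 control baseline,
    is the highest of the three objective values.
The information types and ratings below are constructed sample data.
"""
from enum import IntEnum
from typing import Dict, Mapping


class Impact(IntEnum):
    """Potential impact levels defined by FIPS 199; ordered so max() works."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# objective name -> impact, for one information type or for a whole system
Category = Dict[str, Impact]


def category(conf: Impact, integ: Impact, avail: Impact) -> Category:
    """Security category of a single information type."""
    return {"confidentiality": conf, "integrity": integ, "availability": avail}


def categorize_system(info_types: Mapping[str, Category]) -> Category:
    """Apply the FIPS 199 high water mark across all information types."""
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    for name, cat in info_types.items():
        missing = set(OBJECTIVES) - set(cat)
        if missing:
            raise ValueError(f"{name!r} lacks a rating for {sorted(missing)}")
    return {obj: max(cat[obj] for cat in info_types.values()) for obj in OBJECTIVES}


def overall_impact(system_category: Category) -> Impact:
    """Single impact level used to pick a control baseline."""
    return max(system_category[obj] for obj in OBJECTIVES)


def baseline_name(level: Impact) -> str:
    """Name of the SP 800-53 baseline matching the overall impact level."""
    return f"{level.name.lower()}-impact baseline"


def format_category(system_category: Category) -> str:
    """Render in the FIPS 199 notation SC = {(conf, X), (integ, Y), (avail, Z)}."""
    parts = ", ".join(
        f"({obj}, {system_category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample: a benefits-processing system holding three information types.
BENEFITS_SYSTEM = {
    "claimant case records": category(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "public programme information": category(Impact.LOW, Impact.MODERATE, Impact.LOW),
    "emergency payment dispatch": category(Impact.LOW, Impact.HIGH, Impact.HIGH),
}

# Constructed sample: a routine internal notice board with one information type.
NOTICE_BOARD = {
    "internal announcements": category(Impact.LOW, Impact.LOW, Impact.LOW),
}

if __name__ == "__main__":
    for name, types in (("benefits system", BENEFITS_SYSTEM),
                        ("notice board", NOTICE_BOARD)):
        sc = categorize_system(types)
        print(f"{name}: {format_category(sc)} -> {baseline_name(overall_impact(sc))}")
```

The two sample systems show the "load balancing" the bulletin describes: the benefits system inherits HIGH integrity and availability from a single information type and so lands on the high-impact baseline, while the notice board stays on the low-impact baseline instead of being protected to the same standard as everything else.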
In the current high technology era where information systems are viewed as commodities and are routinely used to protect some of the nation's most important assets within the federal government and the critical infrastructure, FIPS 199 is a standard that is right for the time. In the end, the new security standard, when properly applied, will facilitate a more effective allocation of available resources for protecting information systems, determine the need and provide a justification for the allocation of additional resources, and result in a substantial improvement in the security posture of the government's information systems.

The FISMA-related security standards and guidelines discussed in this ITL bulletin are available at the FISMA Implementation Project website at http://csrc.nist.gov/sec-cert.

Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357

From isn at c4i.org Tue Nov 30 01:49:43 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 30 02:15:44 2004
Subject: [ISN] Linux Security Week - November 29th 2004
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| November 29th, 2004 Volume 5, Number 47n |
| |
| Editorial Team: Dave Wreski dave@linuxsecurity.com |
| Benjamin D. Thomas ben@linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "Linux vendors rush out e-mail server patches," "SANS updates its list of the Top 10 Linux/UNIX threats," and "Open Road: Intrusion Detection Systems."

----
>> LinuxSecurity.com Version 2 <<

Get ready ... the new LinuxSecurity.com site will soon be revealed. The same great content you've come to expect with a whole new look and great new features. A sneak preview is coming soon!
----

LINUX ADVISORY WATCH:

This week, advisories were released for bugzilla, samba, bnc, sudo, Cyrus, yardradius, AbiWord, unarj, pdftohtml, ProZilla, phpBB, TWiki, XFree86, libxpm4, a2ps, zip, kdebase, and kdelibs. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Openwall, and Trustix.

http://www.linuxsecurity.com/articles/forums_article-10300.html

---------------------------------------------------------------------

AIDE and CHKROOTKIT

Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.

http://www.linuxsecurity.com/feature_stories/feature_story-173.html

------
>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Linux vendors rush out e-mail server patches
November 26th, 2004

Several major Linux vendors have warned they are vulnerable to four flaws in a widely used IMAP e-mail server from Carnegie Mellon University's Cyrus Electronic Mail Project. The flaws could allow an attacker to take over a server.

http://www.linuxsecurity.com/articles/server_security_article-10299.html

* X marks the Linux security hole
November 23rd, 2004

The X.Org Foundation and several Linux vendors have released updates for the X Window System technology on which most Linux graphical front-ends are based, fixing serious security flaws in a graphics-manipulation component.

http://www.linuxsecurity.com/articles/host_security_article-10289.html

* SANS updates its list of the Top 10 Linux/UNIX threats
November 22nd, 2004

For the past four years the SANS Institute has partnered with the FBI's National Infrastructure Protection Center to compile and publish its list of the most commonly exploited IT security vulnerabilities. This list is regularly updated and revised. Earlier, I examined the latest Windows threats from the list.

http://www.linuxsecurity.com/articles/network_security_article-10283.html

* Get ready for biometric security in the workplace, finds new survey
November 22nd, 2004

UK companies are anticipating the introduction of biometric technology to increase workplace security, according to a new independent survey commissioned as part of the Hitachi Data Systems Storage Index. The survey finds that 65 per cent of firms expect to see iris scanning and fingerprint recognition systems in the office, with 44 per cent expecting to see them introduced within two years.

http://www.linuxsecurity.com/articles/network_security_article-10285.html

+------------------------+
| Network Security News: |
+------------------------+

* SSH and ssh-agent
November 24th, 2004

No one likes typing passwords. If people had their way, computers would simply know who they were and what they should have access to without us proving it at every turn. In my last article I showed you how to create SSH Identities/Pubkeys, which can be used as an alternative to password authentication.

http://www.linuxsecurity.com/articles/documentation_article-10293.html

* Open Road: Intrusion Detection Systems
November 24th, 2004

This month, I'll begin the foray into Intrusion Detection Systems (IDS). There are several decent IDS projects that run on Linux, one of the most popular being Snort. Snort is a flexible tool that can be used for packet sniffing, packet logging, or network intrusion detection.

http://www.linuxsecurity.com/articles/intrusion_detection_article-10291.html

* Fighting Spammers With Honeypots: Part 1
November 24th, 2004

Like most advertising flyers found in postal mailboxes, millions of emails -- now classically referred to as spam -- fill email inboxes around the world everyday. Spam can be considered as the most annoying cyber-pollution that targets all of us with tons of unsolicited emails. Those emails usually contain advertisements and spammers are paid to spread as many of them as possible.

http://www.linuxsecurity.com/articles/intrusion_detection_article-10298.html

+------------------------+
| General Security News: |
+------------------------+

* 'Virtual Tradeshow' to Address Top Security Threats
November 24th, 2004

Hackers are continuously finding new ways to break into corporate networks and steal proprietary and sensitive data. Virus writers are elevating their technology prowess, creating new worms and bugs that can sneak onto your desktop or through a network firewall and wreak havoc on your IT infrastructure.
http://www.linuxsecurity.com/articles/hackscracks_article-10296.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Nov 30 01:49:56 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 30 02:15:46 2004
Subject: [ISN] Govt looks to protect critical Aust IT systems
Message-ID:

http://www.itnews.com.au/storycontent.asp?ID=3&Art_ID=22656

By Staff writers
iTnews
November 29, 2004

The federal government has set up a program aimed at identifying vulnerabilities in Australia's critical IT infrastructure. The government has set up the Computer Network Vulnerability Assessment (CNVA) Program.

Philip Ruddock, federal attorney general, said the program would identify weaknesses in existing computer networks and test systems to see how they could be compromised. Ruddock said industries involved in the operation of critical infrastructure had become increasingly reliant on computers and computer networks.

As part of the program, specialist computer experts would be funded to help owners and operators of critical infrastructure to identify vulnerabilities.

The growth in the use of the internet and the development of high speed connections between computer systems has transformed the way that organisations, companies and governments share information and do business, Ruddock said. However, Ruddock said that the reliance on high speed connections between computer systems and the internet wasn't without risks. Computer systems can be attacked and disabled in many ways by deliberate criminal acts such as hacking and cyber terrorism or by the accidental or deliberate distribution of a computer virus.
According to a statement, the aim is to provide assistance to owners and operators of critical infrastructure in the New Year.

From isn at c4i.org Tue Nov 30 01:50:22 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 30 02:15:48 2004
Subject: [ISN] SCO Web site hack mocks company's legal claims
Message-ID:

http://www.nwfusion.com/news/2004/1129scowebs.html

By Paul Roberts
IDG News Service
11/29/04

Malicious hackers have compromised The SCO Group's Web page twice in as many days, posting messages that appear to mock the company's claims to own parts of the Linux operating system.

On Monday, hackers compromised the site and inserted a banner image that reads "We own all your code. Pay us all your money." The image was removed on Monday morning in the U.S., but the incident followed a similar attack on Sunday.

SCO acknowledged that its Web site "experienced two intrusions by a malicious hacker that temporarily altered two Web pages." The Lindon, Utah, company acted quickly to restore the hacked pages and patch a vulnerability that the hackers used to compromise the site, according to an e-mail statement from Blake Stowell, the company's public relations director.

IDG News Service could not confirm the nature of the attack on Sunday, but open source news Web site Newsforge.com on Sunday claimed that the SCO site was altered to say that the company would be making intellectual property claims against Microsoft's software. That hack displayed the signature "hacked by realloc(," according to Newsforge.com. The same signature was displayed in the background of the altered banner image in Monday's attack.

SCO has been a frequent target of online attacks since it filed a multibillion-dollar lawsuit against IBM in March 2003, charging the company with misappropriation of trade secrets and unfair competition. Among other things, SCO claims that IBM violated SCO's copyright on Unix System V, which SCO purchased from Novell, by copying elements of that operating system into Linux, which is distributed for free.

SCO's legal claim to own parts of Linux, and its threats to enforce its ownership through patent infringement lawsuits against Linux users, raised the ire of open source enthusiasts. The company's legal actions are seen as a threat to the spread of Linux, which many consider a possible rival to the dominance of Microsoft's proprietary desktop and server operating systems. The lawsuits have prompted companies, including Novell and HP, to offer customers protection against copyright infringement suits.

Despite the serial attacks, SCO believes that it addressed security issues on its site to prevent future intrusions, Stowell said.

From isn at c4i.org Tue Nov 30 01:50:36 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 30 02:15:50 2004
Subject: [ISN] Desktop Google Finds Holes
Message-ID:

http://www.eweek.com/article2/0,1759,1730748,00.asp

By Bruce Schneier
November 29, 2004

Google's desktop search software is so good that it exposes vulnerabilities on your computer that you didn't know about.

Last month, Google released a beta version of its desktop search software: Google Desktop Search. Install it on your Windows machine, and it creates a searchable index of your data files, including word processing files, spreadsheets, presentations, e-mail messages, cached Web pages and chat sessions. It's a great idea. Windows' searching capability has always been mediocre, and Google fixes the problem nicely.

There are some security issues, though. The problem is that GDS indexes and finds documents that you may prefer not be found. For example, GDS searches your browser's cache. This allows it to find old Web pages you've visited, including online banking summaries, personal messages sent from Web e-mail programs and password-protected personal Web pages.
GDS can also retrieve encrypted files. No, it doesn't break the encryption or save a copy of the key. However, it searches the Windows cache, which can bypass some encryption programs entirely. And if you install the program on a computer with multiple users, you can search documents and Web pages for all users.

GDS isn't doing anything wrong; it's indexing and searching documents just as it's supposed to. The vulnerabilities are due to the design of Internet Explorer, Opera, Firefox, PGP and other programs.

First, Web browsers should not store SSL-encrypted pages or pages with personal e-mail. If they do store them, they should at least ask the user first.

Second, an encryption program that leaves copies of decrypted files in the cache is poorly designed. Those files are there whether or not GDS searches for them.

Third, GDS' ability to search files and Web pages of multiple users on a computer received a lot of press when it was first discovered. This is a complete nonissue. You have to be an administrator on the machine to do this, which gives you access to everyone's files anyway.

Some people blame Google for these problems and suggest, wrongly, that Google fix them. What if Google were to bow to public pressure and modify GDS to avoid showing confidential information? The underlying problems would remain: The private Web pages would still be in the browser's cache; the encryption program would still be leaving copies of the plain-text files in the operating system's cache; and the administrator could still eavesdrop on anyone's computer to which he or she has access. The only thing that would have changed is that these vulnerabilities once again would be hidden from the average computer user. In the end, this can only harm security.

GDS is very good at searching. It's so good that it exposes vulnerabilities on your computer that you didn't know about. And now that you know about them, pressure your software vendors to fix them. Don't shoot the messenger.
Bruce Schneier is CTO of Counterpane Internet Security Inc.

From isn at c4i.org Tue Nov 30 01:50:52 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 30 02:15:52 2004
Subject: [ISN] Guarding the Grid
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,97815,00.html

by Jaikumar Vijayan
NOVEMBER 29, 2004
COMPUTERWORLD

Deploying a grid infrastructure can help companies dramatically improve hardware utilization rates and boost computing power. But the massive resource aggregation and wider end-user access enabled by grids also have the potential to magnify security risks, implementers say.

As a result, companies that are implementing grid technologies need to pay special attention to issues such as user authentication, authorization and access control, as well as auditing and data integrity -- both when data is in storage and while it's in transit. Ensuring that adequate measures are in place for responding to the effects of worms and viruses, which can be amplified in a grid setup, is also crucial in grid computing, IT managers say.

Most of the problems that users have to deal with in a grid environment are similar to the ones they face in nongrid environments, says John Hurley, senior manager for distributed software and systems integration at The Boeing Co.'s mathematics and computing technology group in Seattle. "But [they] take on much greater significance in a grid environment because of the fundamental premise of grids -- access, sharing and collaborative computing," he notes. Grid computing creates the "potential for gateways into an environment" where none existed before, says Hurley.

More Power, More Risk

A grid installation harnesses the combined power of numerous servers and PCs to run applications and services as one large system. Grids have been used for years to run compute-intensive applications in academic and research organizations.
The improved resource utilization and power delivered by grids have also begun to attract the attention of corporate America. A survey of 550 database professionals, released in January by Santa Cruz, Calif.-based Evans Data Corp., showed that one in five companies is planning to deploy grids during the next two years.

The potential severity of grid-related security problems depends largely on the context in which grids are being used, says Dane Skow, deputy computer security executive at the Fermi National Accelerator Laboratory in Batavia, Ill. "When you talk to people about grids, they have different scenarios in mind -- everything from clusters in the same room run by the same infrastructure team to global power-grid-like infrastructures," says Skow.

Research grids, for instance, typically provide access to users from multiple organizations and security domains. Fermi operates a grid for high-energy physics applications that's accessed by more than 5,000 users in some 80 organizations -- several of which are in Europe. User access, authentication and authorization in such an environment can be a big challenge, given the fact that there's no single identity authority, says Skow, who is also part of the security group at the Global Grid Forum, a Lemont, Ill.-based organization with members from more than 400 vendors and user companies.

In contrast, a grid being run by a private-sector company typically uses internal resources and is accessed by users whose identities are already stored in an internal directory. As a result, it's easier to get a grip on identity management in a company grid than it is with grids in a research setting, Skow says.
Central Management Needed

Regardless of the manner in which grids are being used, there is "more of a requirement for a centrally managed ID infrastructure, whether it is PKI-based or Kerberos-based," says Clifford Neuman, associate director at the University of Southern California's Information Sciences Institute in Marina del Rey, Calif.

What's also required is a way to authenticate the clients and servers that are attached in a grid configuration, he notes. Because of the wider access enabled in a grid environment, it becomes crucial to ensure that data flowing through the network comes from a trusted source and not an imposter.

There are several methods currently available to do this, Neuman says. In a public-key infrastructure environment, for instance, servers and clients could mutually authenticate each other using digital certificates issued by a trusted authority. In a Kerberos setup, the same thing could be accomplished via encrypted keys stored in advance on a Kerberos authentication server, he suggests. Other methods include the use of Secure Sockets Layer technology to authenticate servers by clients before starting an encrypted session.

Companies that are deploying grids also must protect data during transmission on the network via encryption, says Jikku Venkat, chief technology officer at United Devices Inc., an Austin-based vendor of technologies for aggregating computing resources into clusters and grids. In addition, companies must put mechanisms in place to guarantee that the data isn't tampered with in any manner while it traverses the grid, according to Venkat. Both measures are needed because anyone connected to the grid could access, modify or delete data flowing through it, either accidentally or maliciously, Venkat says.

United Devices attaches checksums to data before it's encrypted and then verifies that the checksum is the same when the message is being decrypted to ensure that nothing has been tampered with, Venkat explains.
"We also recommend that only digitally signed code modules are permitted on a grid. If it is not signed, don't run it on a grid," he says.

There are also certain security concerns that get "amplified" in grid architectures, says Lee Cooper, chairman of the Enterprise Grid Alliance, a San Ramon, Calif.-based consortium of vendors and users. One obvious example is the threat from worms and viruses. The same highly automated and efficient manner in which resources are allocated on a grid could be used by a malicious attacker to his advantage, Hurley warns.

As a result, "keeping all grid resources fully patched and configured securely begs for some sort of centralized solution," Cooper says. Good incident-response mechanisms should help minimize the impact of such attacks in case one occurs, Hurley says.

Careful With Policies

Another crucial area with security implications is policy reconciliation on a grid, according to Skow. Because grids can run different applications at different times, companies should have a clear understanding of the various policies -- such as user access restrictions or the authentication requirements -- that are attached to each application, Skow says.

"There needs to be some consistent and congruent way to mediate those rules. And it has to be done in a very significant way" before companies can take full advantage of grids, Hurley says.

Addressing grid security may not involve new technologies, but because of the increased potential vulnerability, protective measures become more urgent. Grid architectures in the enterprise face the same security issues that one sees in a nongrid environment, so "clearly, these need to be addressed," Cooper points out. But, he adds, "the same tools and technologies that are used today to secure storage, computing and network resources all apply in a grid architecture."
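The integrity check Venkat describes above (a checksum attached to the data before encryption, verified after decryption) only detects tampering if the checksum is keyed. The following is an added example, not United Devices' code or anything from the article: it uses a toy stream cipher (HMAC-SHA256 in counter mode, a stand-in for whatever transport cipher a grid actually uses, not for production) and contrasts two ways of doing the check. With an unkeyed CRC-32 under the stream cipher, an attacker who knows the plaintext layout can flip chosen bits and patch the encrypted checksum without the key, because CRC-32 is affine over GF(2). With an HMAC-SHA256 tag over nonce and message, the same bit-flip is rejected. Keys, nonce and the job message are constructed for the demo.

```python
"""Integrity under encryption: unkeyed checksum vs keyed MAC (added example)."""
import hashlib
import hmac
import zlib

TAG_LEN = 32  # HMAC-SHA256 output size


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Scheme 1: unkeyed CRC-32 appended to the message, then everything encrypted ---

def seal_crc(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    tagged = msg + zlib.crc32(msg).to_bytes(4, "big")
    return xor_bytes(tagged, keystream(key, nonce, len(tagged)))


def open_crc(key: bytes, nonce: bytes, ct: bytes):
    """Decrypt, recompute CRC-32, return the message or None on mismatch."""
    tagged = xor_bytes(ct, keystream(key, nonce, len(ct)))
    msg, tag = tagged[:-4], tagged[-4:]
    if zlib.crc32(msg).to_bytes(4, "big") != tag:
        return None
    return msg


def forge_crc(ct: bytes, delta: bytes) -> bytes:
    """Flip plaintext bits (msg ^= delta) without knowing the key.

    CRC-32 is affine: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros of len(m)).
    The attacker XORs delta into the message bytes and the matching
    crc delta into the (encrypted) checksum bytes; decryption then yields
    a message whose CRC still verifies.
    """
    n = len(ct) - 4
    assert len(delta) == n
    crc_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    return xor_bytes(ct, delta + crc_delta.to_bytes(4, "big"))


# --- Scheme 2: keyed HMAC-SHA256 over nonce || msg appended, then everything encrypted ---

def seal_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, msg: bytes) -> bytes:
    tag = hmac.new(mac_key, nonce + msg, hashlib.sha256).digest()
    tagged = msg + tag
    return xor_bytes(tagged, keystream(enc_key, nonce, len(tagged)))


def open_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes):
    """Decrypt, recompute the HMAC in constant time, return message or None."""
    tagged = xor_bytes(ct, keystream(enc_key, nonce, len(ct)))
    msg, tag = tagged[:-TAG_LEN], tagged[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return msg


def demo():
    """Constructed grid job message; attacker changes the amount field in transit."""
    enc_key = b"\x01" * 32   # constructed demo keys, not real secrets
    mac_key = b"\x02" * 32
    nonce = b"job-0001"
    msg = b"account=alice;amount=00100"
    target = msg.replace(b"00100", b"99999")
    delta = xor_bytes(msg, target)  # attacker only needs the plaintext layout

    # Scheme 1: the forged ciphertext decrypts and passes the CRC check.
    forged = forge_crc(seal_crc(enc_key, nonce, msg), delta)
    crc_result = open_crc(enc_key, nonce, forged)

    # Scheme 2: the same bit-flip on the message bytes fails HMAC verification.
    ct = seal_mac(enc_key, mac_key, nonce, msg)
    tampered = xor_bytes(ct, delta + bytes(len(ct) - len(delta)))
    mac_result = open_mac(enc_key, mac_key, nonce, tampered)
    return crc_result, mac_result


if __name__ == "__main__":
    print(demo())
```

The CRC scheme fails because the integrity value is unkeyed and the stream cipher is malleable: flipping a ciphertext bit flips the same plaintext bit, and the CRC of the modified message is predictable from the CRC of the original. A keyed MAC (or an AEAD mode that bundles encryption and authentication) removes that property; in a real deployment the MAC key should be separate from the encryption key, as it is here, and verifying the tag before acting on the plaintext is what makes the check meaningful.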
From isn at c4i.org Tue Nov 30 01:51:05 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 30 02:15:54 2004
Subject: [ISN] Hacker answers critics, invites them to 'crusade'
Message-ID:

http://news.inq7.net/infotech/index.php?index=1&story_id=19689

By Erwin Lemuel Oliva
Nov 29, 2004
INQ7.net

Instead of hitting back at critics, the founder of a hacker group out to expose network vulnerabilities in the Philippines remained optimistic, as he invited other like-minded hackers to help him in the group's crusade to increase security awareness in the country.

"I respect [Team] Asianpride because of their contribution to Internet security but we have different kinds of approach on this issue. I hope we can work together to secure the Philippine Information superhighway," said PI_Flashbulb, founder of the Internet Security and Warfare (ISAW) group.

Team Asianpride is a different group of Filipino hackers who recently criticized the efforts of ISAW. R00tkitty, a member of the group, said ISAW's crusade to expose vulnerabilities in Philippine networks had only encouraged more attacks instead of abating them.

PI_Flashbulb, however, said ISAW's disclosure of network security holes found in government and private firms had increased security awareness in the Philippines.

"I believe ISAW has accomplished a lot because more and more government and private agencies are now aware of the implications if they would not improve their security, and I also believe that no time was wasted because we were able to help more than a hundred private and government agencies to secure their sites," PI_Flashbulb wrote INQ7.net in an e-mail.

The hacker admitted that ISAW had stirred a hornet's nest. "[But] this is a good sign that will make people think twice before putting up a new website or adding new web applications," he added.

ISAW maintains a web log or "blog" at phackers.org that contains postings of website vulnerabilities the group uncovers.
R00tkitty accused PI_Flashbulb of being media hungry and wanting only to create a frenzy about what they were doing. "It's all about personal gain, control, and kiss-bottom all the way to the top," added r00tkitty.

R00tkitty is a member of Team AsianPride who organized the 4 * Clock Project, a supposed organized attack on Philippine networks to teach local Internet service providers and telephone companies a lesson on security in 2001. Since that time, r00tkitty said the Philippine information technology security scene "has improved dramatically."

Following its 4* Clock Project, Team Asianpride has decided to work with the Filipino Developers Network in the development of an "innovative security solution," according to the hacker. This solution was presented in 2003 at the first ManilaCon hackers conference, he said.