From isn at c4i.org Wed Sep 1 13:20:53 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 1 13:35:55 2004
Subject: [ISN] [Vmyths.com ALERT] Follow-up on latest cyber-terror prediction

Forwarded from: Vmyths.com Virus Hysteria Alert

Vmyths.com Virus Hysteria Alert
Truth About Computer Security Hysteria
{31 August 2004, 18:15 CT}

CATEGORY: Dire predictions of a cyber-war or cyber-terrorism

Russian news agency MosNews now reports "there was no terrorist attack on the Internet on August 26" as had been predicted. According to Kaspersky Labs spokesman Alex Zernov, "media reports had attracted huge attention to this information and caused users to strengthen security measures. 'This made [the scheduled cyber-terror launch] date less favorable for the attack,' Zernov said. 'Terrorists are not in a hurry because of such a serious reaction,' he added."

MosNews follow-up story with photo:
http://www.mosnews.com/news/2004/08/27/internetterror.shtml

Vmyths coverage of the cyber-terror prediction:
http://Vmyths.com/hoax.cfm?id=281&page=3

MosNews claims Zernov spoke directly to them. If they correctly reported Zernov's comments, then Vmyths insists he is sorely mistaken on two major points. First, only the Russian media focused "huge attention" on the predicted cyber-terror event. Computer security firms, government agencies, and mainstream global newswire services didn't warn of an alleged threat. Second, Vmyths has seen NO objective evidence to suggest computer users strengthened their security measures on or around 26 August.

Computer security fearmongers almost always applaud the media for "getting the word out" after their predictions flop. If MosNews correctly reported Zernov's comments, then it suggests Kaspersky Labs may be trying to backpedal with the Russian press. This in turn would imply the antivirus firm engaged in a much larger publicity stunt on 24 August than Vmyths first suspected.
On a lighter note: MosNews published their follow-up story with a photo of "Chechen terrorist Shamil Basayev" using a laptop in an unidentified woodland area. Basayev has threatened to launch "kamikaze" attacks in Russia, but Vmyths found nothing to suggest the warlord will mastermind a cyber-terror event in the near future.

Stay calm. Stay reasoned. And stay tuned to Vmyths.

Rob Rosenberger, editor
http://Vmyths.com
Rob@Vmyths.com
(319) 646-2800

CATEGORY: Dire predictions of a cyber-war or cyber-terrorism

--------------- Useful links ------------------

Remember this when virus hysteria strikes
http://Vmyths.com/resource.cfm?id=31&page=1

Common clichés in the antivirus world
http://Vmyths.com/resource.cfm?id=22&page=1

False Authority Syndrome
http://Vmyths.com/fas/fas1.cfm

From isn at c4i.org Wed Sep 1 13:21:58 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 1 13:35:57 2004
Subject: [ISN] REVIEW: "The Secured Enterprise", Paul E. Proctor/F. Christian Byrnes

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKSEPYIA.RVW 20040719

"The Secured Enterprise", Paul E. Proctor/F. Christian Byrnes, 2002, 0-13-061906-X, U$34.99/C$54.99
%A Paul E. Proctor
%A F. Christian Byrnes
%C One Lake St., Upper Saddle River, NJ 07458
%D 2002
%G 0-13-061906-X
%I Prentice Hall
%O U$34.99/C$54.99 +1-201-236-7139 fax: +1-201-236-7131
%O http://www.amazon.com/exec/obidos/ASIN/013061906X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/013061906X/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/013061906X/robsladesin03-20
%P 304 p.
%T "The Secured Enterprise: Protecting Your Information Assets"

The introduction states that the book is aimed at business professionals, but that security professionals may also find it useful as a reference.

Part one is an introduction to security. So is chapter one, which extends the traditional CIA (Confidentiality, Integrity, Availability) security triad to include non-repudiation.
(Most security analysts would see that function as a special case of integrity.) This muddled thinking is echoed by the muddled structure of the chapter, which touches tersely on roles and policies, and contains an extremely incomplete list of security technologies. Miscellaneous threats are mentioned in chapter two. Policies are revisited in chapter three, although the discussion is not clear in regard to high level policy formation, and more applicable to access privilege or procedures. Chapter four deals specifically with access control, but in a disorganized and incomplete fashion.

Part two deals with security technologies. Chapter five is an incomplete definition and description of firewalls (stateful and circuit proxy types are never mentioned). An incomplete description of vulnerability scanners is given in chapter six. An incomplete and very dated discussion of viruses and protection makes up chapter seven. (Various implementations of scanning are noted, but there is no reference to activity monitors or change detection). The limited review of intrusion detection, in chapter eight, has a rather misleading explanation of sensor topology, and no clear explanation at all of engine types. Chapter nine has a simplistic outline of asymmetric cryptography and public key infrastructure (and a very odd example of the key management problem). Chapter ten has lots of verbiage about virtual private networks. A strange conflation of mobile communication and wireless LAN topics is in chapter eleven. Chapter twelve seems to both recommend and disparage single sign-on. A promotional piece for digital signature technology is in chapter thirteen.

Part three discusses implementation. Chapter fourteen outlines the setting up of a security program, but only if you know what should go into the various pieces already.
Security assessment, in chapter fifteen, is limited to different types of penetration or vulnerability testing, with a ludicrously short description of risk assessment. There is a simplistic overview of incident response and business continuity planning in chapter seventeen. Random bits of Web and Internet security are listed in eighteen.

Given the scattered nature of the entire work, it is curious that part four is entitled "Odds and Ends." Miscellaneous legal issues are raised in chapter nineteen. Chapter twenty is supposed to help you with "Putting It All Together," but just contains editorial advice.

OK, is it good for non-security businesspeople? Maybe, if they really know extremely little about security, and don't need to manage the security function. They will at least obtain some familiarity with the terms that might be used, although it could be a case of a little knowledge being a dangerous thing. As for security professionals: get some decent references.

copyright Robert M. Slade, 2004   BKSEPYIA.RVW   20040719

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca  slade@victoria.tc.ca  rslade@sun.soci.niu.edu
Why not go out on a limb? Isn't that where the fruit is? - Frank Scully
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Wed Sep 1 13:22:18 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 1 13:35:58 2004
Subject: [ISN] Open Source Vulnerability Database Opens Vendor Dictionary

Forwarded from: Jake

Open Source Vulnerability Database Opens Vendor Dictionary

The Open Source Vulnerability Database, a project to catalog and describe the world's security vulnerabilities, has expanded its offering and opened a vendor dictionary that serves as a centralized resource for vendor contact information for public use on 31 August 2004. The OSVDB vendor dictionary is a resource through which the security community will be able to gather contact information for a desired vendor.
The vendor dictionary is a list of vendors, indexed by name, which may be freely searched and utilized by all who wish to find both general and security contact information. The service also provides a way for vendors to keep their information current within the dictionary. With straightforward forms, OSVDB will be a concise and central repository for up-to-date, accurate vendor contact information -- and it's free.

"Vendors expect to be contacted when researchers find security holes -- no matter what." says Jake Kouns, project lead for OSVDB. "However, many vendors do not provide easy to locate contact information on their websites. This makes it challenging, time consuming and sometimes impossible for security researchers to follow responsible disclosure practices."

OSVDB aims to make it simple for contact information to be shared between researchers and vendors. The vendor dictionary is essentially a giant phonebook of vendors with current contact information, interfaced directly with the OSVDB database. It is designed for vendors, security professionals, and the security community alike.

Many security researchers that routinely practice ethical disclosure find themselves unable to do so, due to the fact that the vendor contact information required is sometimes too challenging to find. Alexander Koren, an OSVDB volunteer from Germany, explains, "There will no longer be a need to dig through web pages to hopefully find all the necessary information anymore." OSVDB realizes the necessity for a current and free resource for this information, and has responded by developing the dictionary to fill this gap.

Even though anyone can help maintain the dictionary, OSVDB calls for all software and hardware vendors to visit the vendor dictionary and ensure that their contact information is accurate and complete. OSVDB also urges vendors to reassess the means through which a researcher may contact them with vulnerability research.
While populating the dictionary, it was noticed that many vendors utilize web forms for a user to submit information, which is not always convenient or the preferred contact medium. OSVDB encourages vendors to follow RFC 2142 (section 4) guidelines and have a specific security email address available for use by researchers. This will facilitate the ability for vulnerability researchers to communicate with vendors, and to ensure vulnerability reports are not missed.

Brandon Shilling, a member of the OSVDB development team who worked extensively on the vendor dictionary, says, "The function of the dictionary is merely just a foundation for how OSVDB intends to revolutionize the way vulnerabilities are disclosed to the vendor." The OSVDB dictionary is the first phase for additional upcoming services including assisting researchers with ethically disclosing vulnerabilities, helping to verify vulnerabilities, and the OSVDB vulnerability portal.

The OSVDB vendor dictionary can be found at www.OSVDB.org.

###

More Information:
Jake Kouns
Open Source Vulnerability Database Project
+1.804.306.8412
jkouns@osvdb.org

From isn at c4i.org Wed Sep 1 13:22:31 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 1 13:35:59 2004
Subject: [ISN] Miami Attorney Files Lawsuits Against Castro

http://www.nbc6.net/news/3693176/detail.html

August 30, 2004

MIAMI -- A Miami attorney is filing two lawsuits against Cuban President Fidel Castro, accusing him of crimes against humanity and cyber terrorism.

Larry Klayman is filing the first lawsuit with the Organization of American States and the second in U.S. District Court in Miami.

Klayman, who is running for the U.S. Senate in Florida, brought a number of cases against Castro and Cuba while he was chairman and general counsel of Judicial Watch. Last summer, he spearheaded a private diplomatic mission to six European countries and the Vatican, where he successfully lobbied for increased sanctions against Castro.
Klayman claims Castro is an avowed terrorist, has assisted Middle Eastern terrorist regimes and encouraged a return to Communism in Latin America, Venezuela, Brazil, Argentina and Bolivia.

Klayman also accused Castro of hacking his Web site, causing significant damage.

From isn at c4i.org Wed Sep 1 13:22:47 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 1 13:36:00 2004
Subject: [ISN] Police question report of India code theft

http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,95615,00.html

By John Ribeiro
AUGUST 31, 2004
IDG NEWS SERVICE

Police officials investigating the alleged theft of source code at Jolly Technologies' Mumbai development center are questioning aspects of the security incursion reported by the company (see story) [1]. Jolly lacked a security policy at its Mumbai center, according to investigators examining the alleged theft of company code by a development center employee.

"We have done a preliminary inquiry and took the help of technical experts, but prima facie nothing during this inquiry indicated that the employee had transferred any file or document from her office computer to any other location," said Anami Roy, Mumbai's commissioner of police.

Roy added that Sandeep Jolly, president of Jolly, refused to give police a formal complaint and didn't cooperate with the investigation. "We got a letter from an employee of the company, but that was a sketchy kind of a report and cannot be treated as a complaint," Roy said. Without a formal complaint from Sandeep Jolly or evidence of a theft, the Mumbai police can't proceed with an investigation. "Our own inquiry does not disclose the commission of a cognizable crime," Roy said.

The police aren't willing to register the case, according to Sandeep Jolly. "We have learned that the police will not file a FIR [first information report] until they are heavily bribed, as they know that there has been a huge loss to the company," Jolly said by e-mail.
Jolly Technologies is a division of San Carlos, Calif.-based Jolly Inc., which sells labeling and card software. It issued a statement earlier this month, reporting that an employee at its 3-month-old research and development center in Mumbai stole portions of source code and confidential design documents related to one of its key products. On July 19, the employee in Mumbai uploaded and e-mailed files containing the source code and other confidential company data to her Yahoo e-mail account, according to Sandeep Jolly.

One hurdle to any investigation of the case is that Jolly Technologies' Mumbai facility fell short on security, according to investigators. "It does not have a security policy, it has no log of the computer and network activity at the center, and passwords are known to all and sundry," said Vijay Mukhi, a technical consultant to the Mumbai police on this investigation. "We asked Jolly Technologies for the log, and they were unable to provide it to us," Mukhi added. "As the company has no log, I have no proof that there was a source code theft, and if so who did it."

However, Jolly Technologies does have the log, according to Sandeep Jolly. He also said that while passwords were shared for getting into the PC to access a common data server, the password used by the employee to access her e-mail account wasn't available to others.

Jolly Technologies filed a writ petition on Aug. 19 before the Bombay High Court asking the court to direct the Mumbai police to register the offense and start investigations. This occurred a month after the employee allegedly stole the code and left the company without notice.

"As an association, we are quite satisfied with the investigation by the police," said Sunil Mehta, vice president of the National Association of Software and Service Companies in Delhi.
In another twist to the story, approximately an hour after Sandeep Jolly went to the Mumbai police, the employee accused of the theft filed a complaint with the police alleging that she had been harassed at work and mentioned advances such as invitations to dinner and the movies, according to Roy. "There was no explicit reference to sexual harassment, but to what you would perhaps call 'soft advances' by Sandeep Jolly," he added.

The police fabricated the information, according to Sandeep Jolly. The employee filed the complaint two days after he went to the police, he claimed, and he said it lacked a reference to sexual harassment. Instead, the complaint stated that Jolly had falsely accused her of stealing, causing her mental stress.

"There is more than meets the eye, and we are investigating all angles," Roy said.

[1] http://www.computerworld.com/softwaretopics/software/story/0,10801,95045,00.html

From isn at c4i.org Wed Sep 1 13:23:19 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 1 13:36:01 2004
Subject: [ISN] DOD reveals viral infection

Forwarded from: William Knowles

http://www.fcw.com/fcw/articles/2004/0830/web-siprnet-08-31-04.asp

By Bob Brewin
Published on Aug 31, 2004

FT. LAUDERDALE, Fla. - A virus infected two computers managed by the Army Space and Missile Defense Command operating on the Defense Department's classified Internet recently, according to Lt. Gen Larry Dodgen, head of the command.

Dodgen, speaking here at the Army Director of Information Management (DOIM) conference said two computers in the Space and Missile Defense command connected to the DOD Secret Internet Protocol Router Network (SIPRNET) were infected because they did not have any virus protection.

The breach of security, Dodgen said, illustrated the need for "diligence, diligence, diligence" when it comes to information security and assurance - although he described his initial reaction to the incident as, "Who are we going to shoot?"
William Congo, a spokesman for the Huntsville, Ala.-based Space and Missile Defense Command said the two computers were located at a facility in Colorado Springs, Colo. The viruses were detected quickly and the two computers were then isolated from the SIPRNET, Congo added. The incident occurred "within the past month" and officials are still investigating the matter to determine how the infection occurred and prevent future occurrences, he said.

Other Army officials also underscored the need for better information security. Despite years of emphasis, the Army still does a poor job of protecting its information systems, said Lt. Gen Steve Boutelle, the Army's chief information officer, in a speech here. "How many accounts still have no password?" Boutelle asked. But, he added, that will change now that "information assurance is a commander's responsibility," not just the job of the Army's IT establishment.

Linton Wells, acting secretary of networks and information integration also emphasized information security in his presentation. "Security is not an appliqué," or add-on in the era of network-centric warfare, Wells said. Security attributes must be built into systems from the start, he said, adding that the "most stupid thing" the military could do is build a "ubiquitous, global network that is insecure."

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Wed Sep 1 13:27:01 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 1 13:36:02 2004
Subject: [ISN] NK man faces computer-hacking charges

http://pittsburghlive.com/x/tribune-review/trib/newssummary/s_246743.html

By Michael Hasch
Tribune-Review Media Service
and Chuck Biedka
Staff writer
September 1, 2004

NEW KENSINGTON -- A 21-year-old city man was accused Tuesday of being a computer hacker responsible for stealing more than 2,000 credit card numbers stored in the computer systems of businesses and corporations.

Michael Ray "Hairball" Wally, of the 400 block of 10th Street, is charged with 42 counts of identity theft and 247 various counts of using a computer in a crime, police said.

Wally is accused of posting the stolen credit card numbers on his Internet Web site, HBX Networks [1], so that other people could use them to gain access to various Internet sites and other network components, according to Trooper Robert Erdely of the Area III State Police computer crimes task force.

Some of the stolen numbers also were used to purchase goods and services, state police said. Erdely said he is still compiling data to determine how much was charged to the credit cards.

New Kensington Detective Sgt. Tom Klawinski, who also is part of a regional computer task force, said the investigation is continuing and additional arrests are possible.

Wally's Web site bills itself as "a nonprofit organization with many goals," including documenting flaws and inadequacies of computer security systems and the ease with which they can be compromised. The Web site details how Wally used a system called "war dialing" to access the computer networks of businesses and corporations.
"War dialing" is basically the sequential dialing of various numbers until the right sequence comes up to gain access to a computer network.

Erdely said a search warrant was executed at the HBX office on May 14 and that the analysis of 15 computers seized at that time form the basis of the charges filed. More computers were seized Tuesday and additional charges could be filed once those are analyzed.

Wally is charged with multiple counts of identity theft; unlawful use of a computer to access other computers; using a computer to obtain passwords, identifying codes, and personal identification numbers or other confidential information from other computers without authorization of their owners; using a communication facility -- a computer and telephone line -- to attempt a crime, and unlawful use of a computer by obtaining information he did not have permission to access.

Pallone said Wally's preliminary hearing is scheduled for Sept 9.

Wally gained notoriety in 2002 when he created BurrellSucks.com, a Web site that students from numerous school districts often used to air dirty laundry. Wally said at the time that the site was intended to give students a chance to discuss school-related problems and potential solutions.

Earlier this year, Wally announced he wanted to create a similar site on a much broader scale, although the site, schoolhigh.com, got little use.
[1] http://www.hbx.us/

From isn at c4i.org Thu Sep 2 07:50:44 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 2 08:12:21 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-36

========================================================================

The Secunia Weekly Advisory Summary
2004-08-26 - 2004-09-02

This week : 33 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Secunia has implemented new features at Secunia.com

SECUNIA ADVISORIES NOW INCLUDE "Solution Status":

In addition to the extensive information Secunia advisories already include, Secunia has added a new parameter: "Solution Status". This simply means that all Secunia advisories, including older advisories, now include the current "Solution Status" of an advisory, e.g. if the vendor has released a patch or not.

IMPROVED PRODUCT PAGES:

The improved product pages now include a detailed listing of all Secunia advisories affecting each product. The listings include a clear indication of the "Solution Status" each advisory has ("Unpatched", "Vendor patch", "Vendor workaround", or "Partial fix").

View the following for examples:

Opera 7:
http://secunia.com/product/761/

Internet Explorer 6:
http://secunia.com/product/11/

Mozilla Firefox:
http://secunia.com/product/3256/

EXTRA STATISTICS:

Each product page also includes a new pie graph, displaying the "Solution Status" for all Secunia advisories affecting each product in a given period.
View the following for example:

Internet Explorer 6:
http://secunia.com/product/11/#statistics_solution

FEEDBACK SYSTEM:

To make it easier to provide feedback to the Secunia staff, we have made an online feedback form. Enter your inquiry and it will immediately be sent to the appropriate Secunia department.

Ideas, suggestions, and other feedback are most welcome

Secunia Feedback Form:
http://secunia.com/contact_form/

========================================================================
2) This Week in Brief:

ADVISORIES:

Several unspecified vulnerabilities have been reported in various products from Oracle. Oracle has issued patches that reportedly address the vulnerabilities. See Secunia advisory below for details.

Reference:
http://secunia.com/SA12409

--

Multiple vulnerabilities have been reported in Kerberos V5, which can be exploited to compromise vulnerable systems. The vendor has issued patches to address the vulnerabilities. Furthermore, several vendors that have Kerberos implemented are expected to issue updated versions. Please visit secunia.com for further details on updated programs and distributions.

Reference:
http://secunia.com/SA12408

VIRUS ALERTS:

During the last week, Secunia issued one MEDIUM RISK virus alert. Please refer to the grouped virus profiles below for more information:

HTML_BAGLE.AI - MEDIUM RISK Virus Alert - 2004-09-01 02:40 GMT+1
http://secunia.com/virus_information/11645/htmlbagle.ai/

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA12381] Winamp Skin File Arbitrary Code Execution Vulnerability
2. [SA12321] Microsoft Internet Explorer Drag and Drop Vulnerability
3. [SA12304] Internet Explorer Address Bar Spoofing Vulnerability
4. [SA12394] OpenBSD ICMP Denial of Service Vulnerability
5. [SA12392] Netscape Apple Java Plugin Tab Spoofing Vulnerability
6. [SA12403] Mozilla / Mozilla Firefox Apple Java Plugin Tab Spoofing Vulnerability
7. [SA12376] Microsoft Outlook Express "BCC:" Recipient Disclosure Weakness
8. [SA11978] Multiple Browsers Frame Injection Vulnerability
9. [SA12395] Cisco IOS Telnet Service Denial of Service Vulnerability
10. [SA12371] Symantec Multiple Products ISAKMPd Buffer Overflow Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA12420] WFTPD Pro Server MLST Command Denial of Service Vulnerability
[SA12419] Titan FTP Server Long Command Argument Denial of Service Vulnerability
[SA12416] DasBlog Script Insertion Vulnerability
[SA12407] Password Protect Multiple Vulnerabilities
[SA12401] Smart Guest Book Database Content Disclosure Security Issue
[SA12422] Cerbere Proxy Server "Host:" Header Denial of Service Vulnerability
[SA12417] Cesar FTP Server Long Command Denial of Service Vulnerability
[SA12398] Chat Anywhere User Flooding Denial of Service Vulnerability

UNIX/Linux:
[SA12414] Red Hat update for krb5
[SA12413] Fedora update for krb5
[SA12412] Mandrake update for krb5
[SA12411] Debian update for krb5
[SA12408] Kerberos V5 Multiple Vulnerabilities
[SA12405] Debian update for qt
[SA12402] Gentoo update for zlib
[SA12400] OpenBSD update for zlib
[SA12396] FileZilla Server zlib Denial of Service Vulnerability
[SA12421] SCO OpenServer update for apache
[SA12403] Mozilla / Mozilla Firefox Apple Java Plugin Tab Spoofing Vulnerability
[SA12392] Netscape Apple Java Plugin Tab Spoofing Vulnerability
[SA12399] Trustix update for samba
[SA12397] Samba Printer Change Notification Request Denial of Service Vulnerability
[SA12394] OpenBSD ICMP Denial of Service Vulnerability
[SA12428] Gentoo update for mysql
[SA12391] Mandrake update for kernel

Other:
[SA12410] Cisco VPN 3000 Concentrator Multiple Kerberos Vulnerabilities
[SA12395] Cisco IOS Telnet Service Denial of Service Vulnerability
[SA12393] Network Everywhere Cable/DSL 4-Port Router NR041 DHCP Script Insertion

Cross Platform:
[SA12409] Oracle Products Multiple Unspecified Vulnerabilities
[SA12404] PvPGN Buffer Overflow Vulnerability
[SA12415] pLog Register Script Insertion Vulnerability
[SA12424] XOOPS Dictionary Cross-Site Scripting Vulnerability
[SA12406] WS_FTP Server File Path Parsing Denial of Service Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA12420] WFTPD Pro Server MLST Command Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-09-01

lion has discovered a vulnerability in WFTPD Pro Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12420/

--

[SA12419] Titan FTP Server Long Command Argument Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-09-01

lion has discovered a vulnerability in Titan FTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12419/

--

[SA12416] DasBlog Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2004-09-01

Dominick Baier has reported a vulnerability in DasBlog by Newtelligence, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/12416/

--

[SA12407] Password Protect Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Released:    2004-08-31

Criolabs has reported multiple vulnerabilities in Password Protect, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/12407/

--

[SA12401] Smart Guest Book Database Content Disclosure Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2004-08-30

A security issue has been reported in Smart Guest Book, which may allow malicious people to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12401/

--

[SA12422] Cerbere Proxy Server "Host:" Header Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-09-01

Ziv Kamir has reported a vulnerability in Cerbere Proxy Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12422/

--

[SA12417] Cesar FTP Server Long Command Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-09-01

lion has discovered a vulnerability in Cesar FTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12417/

--

[SA12398] Chat Anywhere User Flooding Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-08-31

Luigi Auriemma and Donato Ferrante have discovered a vulnerability in Chat Anywhere, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12398/

UNIX/Linux:
--

[SA12414] Red Hat update for krb5

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-01

Red Hat has issued an update for krb5. This fixes multiple vulnerabilities, where the most critical potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12414/

--

[SA12413] Fedora update for krb5

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-01

Fedora has issued an update for krb5. This fixes multiple vulnerabilities, where the most critical potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12413/

--

[SA12412] Mandrake update for krb5

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-01

MandrakeSoft has issued an update for krb5. This fixes multiple vulnerabilities, where the most critical potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12412/

--

[SA12411] Debian update for krb5

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-01

Debian has issued an update for krb5. This fixes multiple vulnerabilities, where the most critical potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12411/

--

[SA12408] Kerberos V5 Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-01

Multiple vulnerabilities have been reported in Kerberos V5, where the most serious potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12408/

--

[SA12405] Debian update for qt

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-08-31

Debian has issued an update for qt-copy. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/12405/ -- [SA12402] Gentoo update for zlib Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-08-30 Gentoo has issued an update for zlib. This fixes a vulnerability, which potentially can be exploited by malicious people to conduct a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12402/ -- [SA12400] OpenBSD update for zlib Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-08-30 OpenBSD has issued an update for zlib. This fixes a vulnerability, which potentially can be exploited by malicious people to conduct a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12400/ -- [SA12396] FileZilla Server zlib Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-08-30 A vulnerability has been reported in FileZilla Server, which can be exploited by malicious people to conduct DoS (Denial of Service) attacks. Full Advisory: http://secunia.com/advisories/12396/ -- [SA12421] SCO OpenServer update for apache Critical: Less critical Where: From remote Impact: Security Bypass, Spoofing Released: 2004-09-01 SCO has issued an update for apache. This fixes a vulnerability, which potentially can be exploited by malicious people to gain unauthorised access to other websites. Full Advisory: http://secunia.com/advisories/12421/ -- [SA12403] Mozilla / Mozilla Firefox Apple Java Plugin Tab Spoofing Vulnerability Critical: Less critical Where: From remote Impact: Spoofing Released: 2004-08-30 A vulnerability has been reported in Mozilla / Mozilla Firefox, which can be exploited by malicious people to conduct phishing attacks. Full Advisory: http://secunia.com/advisories/12403/ -- [SA12392] Netscape Apple Java Plugin Tab Spoofing Vulnerability Critical: Less critical Where: From remote Impact: Spoofing Released: 2004-08-27 J. 
Courcoul has discovered a vulnerability in Netscape, which can be exploited by malicious people to conduct phishing attacks. Full Advisory: http://secunia.com/advisories/12392/ -- [SA12399] Trustix update for samba Critical: Less critical Where: From local network Impact: DoS Released: 2004-08-30 Trustix has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12399/ -- [SA12397] Samba Printer Change Notification Request Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2004-08-30 A vulnerability has been reported in Samba, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12397/ -- [SA12394] OpenBSD ICMP Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2004-08-27 Vafa Izadinia has reported a vulnerability in OpenBSD, which can be exploited by malicious people to conduct DoS (Denial of Service) attacks. Full Advisory: http://secunia.com/advisories/12394/ -- [SA12428] Gentoo update for mysql Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-09-01 Gentoo has issued an update for MySQL. This fixes a vulnerability, potentially allowing malicious users to escalate their privileges. Full Advisory: http://secunia.com/advisories/12428/ -- [SA12391] Mandrake update for kernel Critical: Less critical Where: Local system Impact: Exposure of system information, Exposure of sensitive information Released: 2004-08-27 MandrakeSoft has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious, local users to disclose sensitive information in kernel memory. 
Full Advisory: http://secunia.com/advisories/12391/ Other:-- [SA12410] Cisco VPN 3000 Concentrator Multiple Kerberos Vulnerabilities Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-09-01 Cisco has acknowledged multiple vulnerabilities in the Kerberos implementation in Cisco VPN Concentrator 3000, where the most critical potentially can be exploited by malicious people to compromise a vulnerable device. Full Advisory: http://secunia.com/advisories/12410/ -- [SA12395] Cisco IOS Telnet Service Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2004-08-27 A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12395/ -- [SA12393] Network Everywhere Cable/DSL 4-Port Router NR041 DHCP Script Insertion Critical: Less critical Where: From local network Impact: Cross Site Scripting Released: 2004-08-27 Mathieu Lacroix has reported a vulnerability in Network Everywhere Cable/DSL 4-Port Router NR041, allowing malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/12393/ Cross Platform:-- [SA12409] Oracle Products Multiple Unspecified Vulnerabilities Critical: Highly critical Where: From remote Impact: Unknown, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS, System access Released: 2004-09-01 Multiple vulnerabilities with an unknown impact have been reported in various Oracle products. Reportedly, some of the vulnerabilities can be exploited to compromise a vulnerable system, cause a DoS (Denial of Service), or conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/12409/ -- [SA12404] PvPGN Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2004-08-31 A vulnerability has been reported in PvPGN, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12404/ -- [SA12415] pLog Register Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2004-09-01 Jason Thistlethwaite has discovered a vulnerability in pLog, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/12415/ -- [SA12424] XOOPS Dictionary Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2004-09-01 CyruxNET has discovered a vulnerability in Dictionary module for Xoops, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/12424/ -- [SA12406] WS_FTP Server File Path Parsing Denial of Service Vulnerability Critical: Less critical Where: From remote Impact: DoS Released: 2004-08-31 lion has discovered a vulnerability in WS_FTP Server, which can be exploited by malicious users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12406/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) 
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

========================================================================

From isn at c4i.org Thu Sep 2 07:50:58 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 2 08:12:23 2004
Subject: [ISN] Tech threats: the new front in the War on Terror
Message-ID:

http://www.cbc.ca/news/viewpoint/vp_hughes/20040901.html

Greg Hughes
September 01, 2004

There's little doubt nowadays that the 21st century is shaping up to be a very unstable era in human history. Non-state actors like al-Qaeda are stepping up their fight against nation-states, employing mostly conventional, low-tech solutions to their acts of terrorism. Yet there is a new frontier emerging in the War on Terror - cyber terrorism.

As the internet continues to grow in popularity and usage around the globe, more malevolent forces are using the web as a means to spark fear and spread their messages of hate and violence. Cyber terrorism is a diverse set of technologies that ranges from viruses and denial-of-service attacks to posting messages, pictures and videos on websites whose purpose is to scare people. It's particularly effective in the West because westerners are the most connected people in the world.

For terrorists, the web offers the ability to reach the common people in a way that's uncontrolled and unnerving. If a website or virus reaches enough people and incites enough chaos, it's a cheap, easy way to scare people on a level similar to a "real world" terrorist attack. And you don't even have to be in a western country to make it all happen.

The most obvious example of cyber terrorism so far has been websites devoted to westerners held hostage by terrorists in the aftermath of the war in Iraq.
The videos available on these sites have featured content that includes torture and live beheadings - content not suitable for any time of day on TV or radio. But online, the curious will, eventually, find it.

More disturbing, however, is that a cyber terrorist attack could, in theory, help to create more damage than the events of 9/11 could ever have accomplished. Here's a potential scenario. Let's say a major city in the U.S. or Canada is hit with a terrorist attack similar to the attacks on the World Trade Center. The casualties are not as high as 9/11, but many people are injured and need help quickly. Under normal circumstances, emergency dispatchers would be sending medical teams to help the wounded. But what if, at the same time as the physical attacks were occurring, an army of viruses with instructions to crash communication networks - emergency radio frequencies and cellphone radio towers - was deployed from elsewhere?

This isn't an unfeasible scenario; various viruses such as MyDoom have taken down entire networks with relative ease. Who's to say that an enterprising, net-savvy terrorist group couldn't make this happen? And how many more people could be in trouble because our high-tech communication networks are down after the fallout of a major explosion?

The United States, the prime target of many terrorist groups, is charged with the greatest burden in making sure cyber terrorism scenarios don't actually happen. But it's a tough task, given how quickly things can spread online. It only takes one downloaded file, one opened e-mail, to spread a virus worldwide in a matter of days.

BBC News has reported that in July of this year, a U.S. Department of Homeland Security internal memo described cyber terrorism as one of America's top five security threats. A new unit within the DHS, the National Cyber Security Division, was created explicitly for the purpose of tackling net security and addressing criticisms that the U.S. government has not done a good enough job of preventing future cyber terrorist attacks.

Some have argued that cyber terrorism is hardly a threat in comparison to a weapon of mass destruction going off in a major city like Chicago or London. Perhaps they're right and talk of cyber terrorism is simply fear mongering. But the tools that could enable terrorists to gain possession of weapons of mass destruction are already online. And technology that allows terrorists to gain information required to create these weapons is only improving as the web continues to evolve.

Quantum encryption - the use of photons as gatekeepers - is one such example. While still a few years away from being used for mass-market purposes, quantum encryption could be the most impenetrable form of encryption ever created. The use of decryption sequences employing quantum variables known only to the sender and recipient makes the job of intercepting and cracking encrypted e-mails, instant messages and websites nearly impossible. This is very worrisome for groups devoted to preventing terrorist acts, for how do you stop communications you can't even find a source for?

Various websites have for years offered detailed instructions on bomb-making techniques. So-called "darknets" - intranets that have no IP addresses listed so they can't be traced - spring up overnight where terror groups can share information secretly and disappear without a trace.

Should we be worried? Possibly. Is this a reason to minimize our dependence on the web? Not in the least. The internet is becoming the tool of choice for many aspects of our lives; abandoning what has become one of our greatest inventions would be to give in to fear. Yet like most technology, the web is a double-edged sword: for every benefit we gain from it, there's an equal trade-off. All we can do is be vigilant, be responsible and be educated about the web - the better informed we are, the less chance cyber terrorists will succeed.

-=-

Greg Hughes is a 26 year-old freelance writer. He has written on culture and technology for Shift, Silicon Valley North and globetechnology.com, and he has also contributed to the National Post, the Queen's Alumni Review and other publications. He holds a Bachelor of Arts (Honours) from Queen's University in Kingston, Ontario.

From isn at c4i.org Thu Sep 2 07:51:08 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 2 08:12:24 2004
Subject: [ISN] Indian woman hacker nabbed in Philippines
Message-ID:

http://sify.com/news/international/fullstory.php?id=13557774

02 September, 2004

Manila: An Indian woman has been arrested for allegedly leading a gang which hacked into the Philippines telecommunications system to make unauthorised long-distance calls, officials said today.

Pooja Khemlani was arrested in her Manila apartment earlier this week after her husband, also an Indian citizen, reported her to the police, the immigration bureau said in a statement.

Khemlani allegedly financed a gang which tapped into the telephone systems of some 369 institutions, including private companies, government agencies and foreign embassies to make unauthorised long-distance calls for which they charged a fee, the bureau said.

Their activities cost the Philippine Long Distance Telephone Co. some 197 million pesos (3.5 million dollars) in lost revenues, the bureau charged.

Two other Indians and a Bangladeshi were arrested in July in connection with the case.

Khemlani is also the principal suspect in allegedly smuggling 11 Indians into the southern Philippines in 2002. She is being investigated for possible involvement in illegal dollar trading, drug trafficking and smuggling of medicine and jewellery, the bureau added.
From isn at c4i.org Thu Sep 2 07:51:23 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 2 08:12:25 2004
Subject: [ISN] Beefing up NIPRNET
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/fcw/articles/2004/0830/web-niprnet-09-01-04.asp

By Frank Tiboni
Sept. 1, 2004

FORT LAUDERDALE, Fla. -- Defense Department information technology officials recently installed new hardware to better protect military networks. But the new equipment cannot achieve its full capability unless DOD's IT workers install products correctly and patches more quickly, according to a Defense Information Systems Agency official.

DISA officials put in large routers from Juniper Networks Inc. at the base borders of the Unclassified but Sensitive Internet Protocol Router Network (NIPRNET), said Joe Boyd, chief of DISA's Center for Network Services, speaking here today at the Directorate of Information Management/Army Knowledge Management conference sponsored by AFCEA International.

The new hardware should increase NIPRNET's security, letting DOD workers do their day-to-day activities, Boyd said. But he added that improving information assurance departmentwide also requires IT workers to work more diligently.

About 62 percent of military networks' intrusions result from poor configuration practices, Boyd said. Another 24 percent comes from not installing software fixes and updates in a timely fashion - a negligence that DOD technology officials describe as unresponsiveness to information assurance vulnerability alerts, said Boyd, who oversees combat support of the Global Information Grid, the military's network of voice, video and data systems.

Officials in the Joint Task Force-Global Network Operations, the organization that oversees protection of military networks, report a gradual increase in the number of attempted intrusions during the past three years. They reported 40,076 in 2001, 43,086 in 2002, 54,488 in 2003 and 24,745 as of June, said Tim Madden, task force spokesman.
*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Thu Sep 2 07:51:35 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 2 08:12:27 2004
Subject: [ISN] Security Researchers Call for More Info from Oracle
Message-ID:

http://www.eweek.com/article2/0,1759,1641847,00.asp

By Lisa Vaas
September 1, 2004

Oracle's first monthly rollout of patches threw security researchers into a tizzy Wednesday as they complained of a lack of information on which vulnerabilities had actually been fixed and what Oracle software components had been affected.

"Oracle's a little tight-lipped on what they've fixed and what they haven't fixed, and they haven't described in any detail at all what the security problems are," said Aaron Newman, database security expert, chief technology officer and co-founder of Application Security Inc. New York-based Application Security is a security software company that discovered about 20 of the vulnerabilities covered in the patch release, which researchers estimated covers 60 to 100 bugs and vulnerabilities.

"Oracle is making some good approaches, rolling out monthly patches to resolve these issues," said Noel Yuhanna, an analyst at Forrester Research Inc., in Santa Clara, Calif. "But again, what issues are being resolved? Oracle needs to be clear on that and keep customers up to date on what issues exist and how they should overcome them with patches."

In addition, researchers noted that there are still outstanding vulnerabilities that await patching.

"We still have a number of open ones with Oracle," said Stephen Kost, chief technology officer at Integrigy Corp., which found five to 10 of the vulnerabilities addressed. "They didn't fix anything in the ERP [enterprise resource planning] suite."

Oracle has known about some still-unfixed vulnerabilities for more than a year, according to multiple researchers, although none of the known vulnerabilities have resulted in any known exploits. Oracle Corp. declined to comment further than it did Tuesday when it released the patches.

But although more communication from the Redwood Shores, Calif., database company would be welcome, many say the accumulating swamp of security flaws is not indicative of a failure on Oracle's part, but rather has to do with the increasing complexity of its products.

"People come to it from a high-level perspective and say, 'Everything should be fixed in 90 days,'" said Integrigy's Kost. "That's not realistic. Oracle takes a long time on everything."

Furthermore, growing pains are to be expected as Oracle becomes more ubiquitous and as security researchers focus their attention on ferreting out flaws in its products.

"Oracle in the past has been very responsive in delivering security patches," Yuhanna said. "But there have been very few of them. Now that there's too many of them coming together [in clusters], it's a challenge to Oracle," he said. "They need to streamline the process and make it effective within Oracle and make sure customers follow the right approach - and convey the right message that these patches get deployed as appropriate to the given environment."

Oracle products have long had a reputation of being secure and stable, of being supported by a DBA (database administrator) population with above-average skills, and of being protected behind firewalls at a higher rate than rival databases.

Still, Yuhanna said, with the flood of new features that have been packed into the latest release, Database 10g, security problems were bound to arise. "I feel that Oracle focused more on delivering more features and functionality in 10g rather than securing Oracle itself," he said. "They want to deliver more features and functionality, and security was not a top priority."

But any glitches associated with Oracle's first monthly rollout are bound to be ironed out in coming releases, Yuhanna predicted. "They obviously promised to deliver these patches by the 31st, and they've done it," he said. "Oracle hasn't been accustomed very much to security patches as other vendors have been, so the whole process of management is coming to light, and Oracle's trying to refine the process and make sure they do a good job delivering the patches.

"Given that this is the first major rollout, I think, going forward, they will be more cautious about deploying newer versions and making sure they're more secure, just like Microsoft [Corp.], which is now taking security more seriously than ever before," he said.

ASI's Newman said his company is telling clients to consider the recent patch a point update and to perform appropriate testing, since the patch fixes so many problems. "They'll have to do more testing than they would normally for a security release," he said. "It's amazing how Oracle went from fixing one buffer overflow to 20 or 30 buffer overflows in the patch. I think they got swamped. A lot of people started looking at it and pulling back the covers and finding things."
From isn at c4i.org Thu Sep 2 07:51:46 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 2 08:12:28 2004
Subject: [ISN] Security pros warn of critical flaws in Kerberos
Message-ID:

http://news.com.com/Security+pros+warn+of+critical+flaws+in+Kerberos/2100-1002_3-5343325.html

By Robert Lemos
Staff Writer, CNET News.com
September 1, 2004

Vulnerabilities in a technology widely used for network authentication have left computers running Unix, Linux and Apple Computer's Mac OS X potentially open to attack.

The flaws could allow an online intruder to gain access to computers running a security feature known as Kerberos. The vulnerabilities, found by the developers at the Kerberos Team at the Massachusetts Institute of Technology, should be patched as soon as possible, Sam Hartman, engineering lead for the team, said Wednesday.

"I would not expect this to lead to a worm," Hartman said. "Most sites will patch it because patching is easy to do. Whereas, if you do have a compromise, it is a lot of work to recover."

Kerberos is the keystone to security for many networks. The software essentially acts as a gatekeeper, identifying the people who are allowed to access computers in the network and those who are not. That makes the software flaws particularly pernicious.

The flaws, known as double-free vulnerabilities, are caused because a part of the program attempts to free up the same computer memory space twice. Such errors are not as easy to take advantage of as another, more common memory error--the buffer overflow. That gives administrators a little breathing room, Hartman said.

"We have no reason to believe that anyone has produced an exploit program," he said. "Moreover, this is not something where we have seen an attack in the wild."

Kerberos is a building block of many network security devices and software. Microsoft uses the mechanism to control security in its Active Directory authentication.
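The double-free bug class the article describes, shown as an added illustration that is not MIT Kerberos code or anything from the advisories: a constructed tracked_malloc()/tracked_free() pair records live heap blocks so a second release of the same block is caught instead of corrupting the allocator, and the fixed path shows the usual remedy of nulling the pointer after the one legitimate free.

```c
/* Added example, not from the article or from Kerberos. The live-block table,
 * the tracked_* wrappers and the "ticket" buffer are all constructed here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Table of blocks currently owned by the program. Debug allocators and
 * sanitizers keep similar bookkeeping; a release build normally does not,
 * which is why a double free there silently corrupts heap metadata. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];

/* Allocate and register the block so a later free can be validated. */
static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p == NULL) return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == NULL) { live[i] = p; return p; }
    }
    free(p);                  /* table full: report as allocation failure */
    return NULL;
}

/* Release only a block that is still live. Returns 0 on a legitimate free
 * and -1 when the pointer is not live, i.e. it was already freed: the exact
 * defect the article describes. A hardened program would log and abort on
 * -1 rather than let execution continue. */
static int tracked_free(void *p) {
    if (p == NULL) return 0;  /* free(NULL) is a harmless no-op */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return 0; }
    }
    return -1;                /* second release of the same block caught */
}

/* Bug pattern: two cleanup paths each believe they own the buffer.
 * Returns 1 when the wrapper detected the double free, 0 otherwise. */
static int buggy_cleanup(void) {
    char *buf = tracked_malloc(64);
    if (buf == NULL) return -2;
    strcpy(buf, "ticket");
    int first  = tracked_free(buf);   /* legitimate release */
    int second = tracked_free(buf);   /* stale pointer released again */
    return (first == 0 && second == -1) ? 1 : 0;
}

/* Fix: the owner drops its reference right after the single free, so any
 * later cleanup path sees NULL. Returns 1 when no double free occurred. */
static int fixed_cleanup(void) {
    char *buf = tracked_malloc(64);
    if (buf == NULL) return -2;
    strcpy(buf, "ticket");
    int first = tracked_free(buf);
    buf = NULL;                       /* reference invalidated here */
    int second = tracked_free(buf);   /* now a no-op, not a second free */
    return (first == 0 && second == 0) ? 1 : 0;
}

int main(void) {
    printf("buggy path, double free detected: %s\n",
           buggy_cleanup() == 1 ? "yes" : "no");
    printf("fixed path, clean: %s\n",
           fixed_cleanup() == 1 ? "yes" : "no");
    return 0;
}
```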
However, the company uses a homegrown version of Kerberos that is not affected by the flaws, Hartman said. However, Sun Microsystems' Solaris, Linux from Red Hat and Mandrake, and OS X all use Kerberos. Some companies, such as Red Hat, have announced patches for the problem, but not all have.

[...]

From isn at c4i.org Fri Sep 3 06:14:01 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 3 06:22:17 2004
Subject: [ISN] Alarming Garden security breaches
Message-ID:

http://www.nydailynews.com/front/story/228239p-195985c.html

BY DAVID EPSTEIN
DAILY NEWS WRITER
September 2, 2004

On the eve of President Bush's address to the nation, the Daily News has uncovered alarming breaches in security at the Republican National Convention.

The News learned yesterday that delegates and guests were freely handing out unused passes. A News reporter investigated - and within five hours he was inside Madison Square Garden to catch Vice President Cheney's speech.

Even more shocking, the pass was obtained without anyone asking for or checking on the reporter's identity.

The breach came after three security incidents in three days. So it should have been near impossible to slip past the thousands of cops and federal agents inside and outside the Garden. But it was all too easy.

The generic credentials don't have the user's name, and as for a photo, forget about it. In short, there was nothing to prevent anyone, from protester to hardened criminal, from getting inside the Garden - though we were checked for weapons.

Yesterday, The News sent this clean-cut reporter - dressed in a white collared shirt adorned with a Bush-Cheney button - to several delegates' hotels to check out whether it was true that credentials were readily available.

One helpful delegate told us that plenty of passes had been available Monday and Tuesday, but it was tougher to get one last night, when Cheney was speaking. Others suggested we try the delegation from Guam or Hawaii, because not everyone had showed up.

Later, a delegate was going to a party and would be leaving the Garden early. She said she would meet us outside and give us her credentials. But she got cold feet. Someone had warned her not to give credentials away. The police mentioned the previous security breaches, how protesters have managed to get in - in some cases, getting shockingly close to Cheney.

But later, at an ice cream parlor three blocks from the Garden, we found someone wearing pro-Bush buttons. We told her we were from Illinois and how we always wanted to witness history - which was the truth.

"I really wanted to keep it," she said, pulling a guest pass from her purse. "All right. Go have fun."

The last test was Garden security. With the credentials around our neck, we walked into the frozen zone, showing a driver's license to an NYPD cop. Then we walked up to the heavily manned security gate just outside the arena. After a thorough search for weapons, we were allowed in.

The reporter noticed a ruckus during Cheney's speech. It was authorities dragging away yet another protester who had gotten through security.

From isn at c4i.org Fri Sep 3 06:14:18 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 3 06:22:18 2004
Subject: [ISN] Army honors security work
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/fcw/articles/2004/0830/web-armyawards-09-02-04.asp

By Frank Tiboni
Sep 2, 2004

FORT LAUDERDALE, Fla. -- The Army this week issued its first awards to service personnel and contractors for excellence in information assurance.

Col. Thaddeus Dmuchowski, director of information assurance for the Army, said the honors recognize "innovation that brought security under great duress." He said Army information technology officials also hope the awards call attention to information security servicewide.
The information assurance awards, presented at the Directorate of Information Management/Army Knowledge Management conference sponsored by the Army and the Armed Forces Communications and Electronics Association, come in a year in which service IT officials said Army networks experienced daily, persistent cyberattacks.

Army IT officials issued individual and unit awards. They include:

Military: All IT soldiers deployed in support of the war on terrorism.

Civilian: Gregory Bigelow, senior technical expert and network and security program manager for the Corps of Engineers Enterprise Infrastructure Services Program. He designed the security infrastructure for Army Corps of Engineers networks.

Honorable Mention: Angela Rhodes, Army Corps of Engineers, Huntington District in West Virginia. She led an effort to accredit all the office's IT assets, started a group to share information assurance tips and developed a system update utility for the patching of identified vulnerabilities.

Contractor: James Lynch, senior policy analyst in the Army Common Access Card-Public Key Infrastructure programs division of the Information Assurance Directorate. He developed three policies including the use of digital signatures and encryption, and the purchase and use of personal digital assistant devices.

Honorable Mention: Eleanor Brings, senior customer support analyst, Security and Information Assurance Community of Practice, Directorate of Corporate Information, Army Corps of Engineers in Washington, D.C. She implemented the Compliance Reporting Database Version 2.

UNIT

Huntington District Information Management Office/Computer Security Team in West Virginia. The unit developed and implemented an automated, multilayered approach to patch and application deployment and to verification of information assurance vulnerability alerts.

Honorable Mention: Information Assurance Office, Information Support Activity in St. Louis. The unit developed a multimedia information assurance campaign and hosted an information assurance workshop.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Sep 3 06:14:31 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 3 06:22:19 2004
Subject: [ISN] New York presents wireless security challenge for RNC
Message-ID:

http://www.nwfusion.com/news/2004/0902rncwir.html

By Dan Verton
Computerworld
09/02/04

Transportation Security Administration security checkpoints, hundreds of Secret Service agents, thousands of police on foot, horses and motorcycles, city blocks barricaded by dump trucks filled with tons of sand and an invisible wireless back door that is virtually impossible to monitor and control.

That was a snapshot of the security situation at this week's Republican National Convention (RNC) at New York's Madison Square Garden. While physical security was tightened to unprecedented levels -- transforming the city into something unrecognizable to those who call it home -- IT security researchers uncovered an unsettling number of unencrypted wireless devices that they say create a potential information security nightmare for convention organizers and delegates.

During a two-hour "war drive" around the site of the RNC as well as Manhattan's financial district, security researchers from Boston-based Newbury Networks discovered more than 7,000 wireless devices, 1,123 of which were located within blocks of the convention, including a network named WirelessForKerry. More important, 67% of those devices were access points that did not have encryption protection.
During the war drive, to which Computerworld was granted exclusive access, Newbury technicians set up an unsecured wireless "honeypot" that masqueraded as a Linksys access point. According to log analysis of Newbury's Watchdog system, a wireless device attempted to automatically connect to the honeypot every 90 seconds. The findings underscore that while New York continues to focus on physical security for the convention, the huge numbers of open, unsecured wireless networks represent a serious threat to the city's hard-wired infrastructure, said Newbury CEO Michael Maggio. "A wireless-enabled notebook computer powered up inside Madison Square Garden by a conventioneer or media representative could automatically associate with wireless networks outside of the building," said Maggio, noting that such a security gap could allow an attacker to "hop onto" the wired network inside the facility. "All the security policies in the world can't stop a wireless intruder from accessing an open network signal emanating from a Wi-Fi access point or network card." The two-hour drive around Manhattan also revealed as many as 2,161 access points and 821 client devices broadcasting unique service set identifiers (SSID). "The SSIDs beaconed by clients is really a valuable list for an attacker," said Brian Wangerien, senior product manager at Newbury. "Once the attacker knows that a client is beaconing for a particular SSID, he can change the SSID of his AP and trick the client into connecting to the attacker's access point." Several network administrators in Manhattan's financial district also appeared to use the system's encryption key as the SSID. These security gaps potentially open the entire hard-wired RNC network and other corporate networks to data sabotage, virus and worm infections, denial-of-service bots and spam engines, said Wangerien. Newbury Networks conducted a similar war drive around the Fleet Center in Boston during the Democratic National Convention. 
Although the company found only half the number of devices that were present in New York, nearly the same percentage were unencrypted.

David Shatzkes, vice president of government services delivery at New York-based Computer Horizons Corp., the firm managing the wired network at the convention site, said convention organizers specifically avoided requesting wireless network support due to the security issues and usability issues associated with them. Although the RNC staff did not request wireless network support from Computer Horizons, Shatzkes said it could have been done securely.

However, Jose Colon, a spokesman at Hewlett-Packard Co. (HP), said he is "unaware" of any restrictions on the use of wireless at the convention and acknowledged that his company has provided dozens of wireless tablet PCs for use on the convention floor. Although security is always a concern, Colon said the biggest focus has been on coordinating with the Secret Service and providing redundant backup for the wireless systems in use.

One of the reasons for redundant wireless support, said Colon, is that when President George W. Bush arrives in the city, the Secret Service and other defense agencies follow the common practice of jamming local communications emanations for security reasons.

However, the disconnect between the RNC's main network integrator and HP's deployment of wireless tablet PCs raises a red flag for Maggio.

"Apparently nobody at the RNC seems to know what the wireless policy is," said Maggio. "They spend millions of dollars on physical security and they don't have a clue of who's using their airwaves."

The fact that the main network integrator was unaware of the deployment of HP's wireless systems is an indication that IT security personnel had not been "sniffing the air" to see where authorized wireless systems were in use and where rogue or intruder systems might be deployed, he said.
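The Newbury findings above are three summaries of a site survey: the share of access points running without encryption, the list of SSIDs that clients beacon for (and whether an open network of that name is in range, which is what drove the honeypot's auto-association every 90 seconds), and SSIDs that look like they are the network's own encryption key. The script below is an added example of how a defender would pull those same figures out of a survey; it is not Newbury's or Computerworld's code, and the record layout, the MAC addresses, the honeypot log format and every value in it are constructed for the example.

```python
"""Audit a wireless site survey: open-AP share, client probe SSIDs,
SSIDs that look like WEP keys, and the association-attempt rate seen
by an open honeypot. All records and log lines are constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed survey records: (kind, mac, ssid, encryption).
# "ap" rows are access points seen beaconing; "probe" rows are SSIDs that
# client devices probed for while looking for a network to join.
SURVEY = [
    ("ap", "00:11:22:33:44:01", "linksys", "none"),
    ("ap", "00:11:22:33:44:02", "CorpNet", "wpa"),
    ("ap", "00:11:22:33:44:03", "0123456789abcdef0123456789", "wep"),
    ("ap", "00:11:22:33:44:04", "WirelessForKerry", "none"),
    ("probe", "aa:bb:cc:dd:ee:01", "linksys", None),
    ("probe", "aa:bb:cc:dd:ee:02", "linksys", None),
    ("probe", "aa:bb:cc:dd:ee:03", "HomeNet", None),
]

# Constructed honeypot log: one line per association request received.
HONEYPOT_LOG = [
    "2004-09-01 10:00:00 assoc-req client=aa:bb:cc:dd:ee:01 ssid=linksys",
    "2004-09-01 10:01:30 assoc-req client=aa:bb:cc:dd:ee:02 ssid=linksys",
    "2004-09-01 10:03:00 assoc-req client=aa:bb:cc:dd:ee:01 ssid=linksys",
]

# 40-bit and 104-bit WEP keys written out in hex are 10 and 26 digits long.
HEX_KEY_LENGTHS = {10, 26}
LOG_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) assoc-req ")


def looks_like_wep_key(ssid):
    """Heuristic for the 'key used as SSID' mistake: the SSID is exactly
    a hex string of WEP-key length."""
    return len(ssid) in HEX_KEY_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", ssid) is not None


def summarise(records):
    """Return the survey metrics a defender reports after a war drive."""
    aps = [r for r in records if r[0] == "ap"]
    probes = [r for r in records if r[0] == "probe"]
    open_aps = [r for r in aps if r[3] == "none"]
    probed = Counter(r[2] for r in probes)
    # A client probing for an SSID that an open AP in range is using will
    # associate automatically; those SSIDs are the auto-join exposure.
    open_names = {r[2] for r in open_aps}
    return {
        "ap_count": len(aps),
        "open_pct": round(100 * len(open_aps) / len(aps)) if aps else 0,
        "probed_ssids": dict(probed),
        "auto_join_risk": sorted(s for s in probed if s in open_names),
        "ssid_is_key": [r[1] for r in aps if looks_like_wep_key(r[2])],
    }


def mean_association_interval(lines):
    """Mean seconds between association requests in the honeypot log,
    or None when fewer than two requests were logged."""
    times = []
    for line in lines:
        m = LOG_TS.match(line)
        if m:
            times.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return sum(gaps) / len(gaps)


if __name__ == "__main__":
    for key, value in summarise(SURVEY).items():
        print(f"{key}: {value}")
    print("mean seconds between association attempts:",
          mean_association_interval(HONEYPOT_LOG))
```

The `auto_join_risk` list is the item worth acting on first: each entry is an SSID that both a client is asking for and an unencrypted AP nearby is answering to, so the clients involved need their saved-network lists cleaned up regardless of what is done about the access points.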
From isn at c4i.org Fri Sep 3 06:14:48 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 3 06:22:21 2004
Subject: [ISN] US government and security firms warn of critical Oracle flaws
Message-ID:

http://www.techworld.com/security/news/index.cfm?newsid=2172

By Paul Roberts
IDG news service
03 September 2004

The US government's Computer Emergency Response Team (US-CERT) and software security companies have issued warnings about a number of security vulnerabilities in versions of Oracle's software.

US-CERT has issued an alert citing several security flaws in Oracle products that could be used to shut down or take control of vulnerable systems running the software or to corrupt or steal data from the Oracle Databases.

The security holes affect a number of Oracle products, including versions of its 8i, 9i and 10g Database, Application Server and Enterprise Manager software, according to a bulletin posted by Oracle, which also released a patch for the vulnerabilities.

Few details of the vulnerabilities were available from Oracle or other companies. Oracle said that the holes in its Database Server and Application Server were rated "high" and that exploiting some required network access, but not a valid database user account. Holes in the Enterprise Manager were rated "medium," by Oracle and required both network access to the vulnerable machine and a valid user account to take advantage of, Oracle said.

According to an alert issued by Next Generation Security Software (NGSS) [1], the vulnerabilities include SQL injection attacks, in which attackers inject malicious code into Web-based forms and other features that are used to generate Web content dynamically, denial of service attacks and buffer overflows, in which malicious code is placed on a vulnerable system by exceeding an area of a vulnerable computer's memory that is allocated for use by a software program.
NGSS is withholding details about the vulnerabilities for three months to give Oracle database administrators the time to test and patch vulnerable systems.

Oracle "strongly" recommends that customers apply the patch, noting that there is no work-around that addresses the new security vulnerabilities.

[1] http://www.nextgenss.com/advisories/oracle-01.txt

From isn at c4i.org Fri Sep 3 06:15:00 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 3 06:22:22 2004
Subject: [ISN] Incheon Airport Vulnerable to Hackers
Message-ID:

http://times.hankooki.com/lpage/200409/kt2004090317214510230.htm

By Yoon Won-sup
Staff Reporter
09-03-2004

Incheon International Airport is highly vulnerable to online attacks from hackers and viruses because its computer network is shared by private airlines and tourist agencies located in the airport, according to the state intelligence agency.

In a report submitted to Rep. Jung Jang-seon, the National Intelligence Service said that 7,345 computer viruses were detected May 3-4 in 116 firms operating within the international airport, including travel agencies and airline companies.

The NIS warned that electronic glitches at the international airport could lead to devastating accidents, including flight crashes.

"There is a high possibility that Incheon International Airport will be exposed to online attacks like computer viruses and direct hacking," a source at the NIS said.

From 2001 to July of this year, there have been 2,334 attempts by computer hackers at home and abroad to paralyze the international airport's online operations. The number of attacks has increased over the past few years, with 587 attempts in 2001, 680 in 2002, and 952 in 2003.

Based on the report, the NIS and the lawmaker demanded the airport separate their Internet network from the private companies.

"It is astonishing that the nation's biggest international airport is exposed to computer viruses and hacking," Jung, two-term lawmaker of the Uri Party, said.
"The airport must separate its online network from private companies and take drastic measures to improve airport security."

In response, officials at the international airport said they will remove private companies from their network as soon as possible in a bid to prevent a reoccurrence of virus attacks.

"However, we are having difficulty separating the systems due to shortages in budget and manpower," an official at the airport said.

Incheon International Airport had originally planned to finish work on improving its network by 2008.

From isn at c4i.org Wed Sep 8 08:47:46 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 8 09:01:59 2004
Subject: [ISN] Top UK companies are failing to develop written security policies
Message-ID:

http://www.microscope.co.uk/articles/article.asp?liArticleID=133113

by Nick Huber
7 September 2004

Almost half (47%) of the UK's top 350 companies do not have a fully documented information security policy, despite the proliferation of computer viruses and the impact a security breach could have on a company's share price, according to a survey.

The IT department is left to develop and enforce a security policy in 71% of FTSE 350 companies, according to business executives questioned for the survey.

Simon Owen, partner in the technology assurance practice at professional services firm Deloitte, said, "The findings are as alarming as any written security policy. If you fail on security, how confident can management be that controls are strong throughout the organisation?

"It could be symptomatic of wider problems throughout the company."

Owen said a written policy on an organisation's information security should be no longer than 10 pages and avoid jargon. It should cover internal and external threats and be backed up by training to raise awareness of security issues among staff, he added.
UK companies with a casual approach to IT security also risk the anger of shareholders, according to the survey, which was commissioned by IT services company LogicaCMG, which questioned senior executives at 20% of the FTSE 350 companies.

A security breach would have an impact on a company's share price, according to 83% of investors, and 68% said that a company's policy on IT security would be a significant factor when deciding whether to buy or sell its shares.

Getting it right

"UK companies have a misplaced conception that increased spend in IT security will mitigate information violations. Unfortunately, devolving responsibility of information governance away from the board room to the IT department will not safeguard information assets.

"Information security governance needs to be embraced throughout the organisation. The best technology in the world cannot alone prevent the implications of negligent human behaviour."

From isn at c4i.org Wed Sep 8 08:48:30 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 8 09:02:01 2004
Subject: [ISN] Tech threats: the new front in the War on Terror
Message-ID:

Forwarded from: Simple Nomad

On Thu, 2004-09-02 at 06:50, InfoSec News wrote:
> http://www.cbc.ca/news/viewpoint/vp_hughes/20040901.html
>
> Greg Hughes
> September 01, 2004
>
> There's little doubt nowadays that the 21st century is shaping up to
> be a very unstable era in human history. Non-state actors like
> al-Qaeda are stepping up their fight against nation-states, employing
> mostly conventional, low-tech solutions to their acts of terrorism.
>
> Yet there is a new frontier emerging in the War on Terror - cyber
> terrorism. As the internet continues to grow in popularity and usage
> around the globe, more malevolent forces are using the web as a means
> to spark fear and spread their messages of hate and violence.

I have yet to see a website spark the same level of fear that 9/11 did. This is nothing but fear-mongering.
> Cyber terrorism is a diverse set of technologies that ranges from
> viruses and denial-of-service attacks to posting messages, pictures
> and videos on websites whose purpose is to scare people.

By that definition this article is cyberterrorism, as its only purpose seems to be to "scare people". This is the same speculation we've seen for years. Viruses and DoS attacks are not acts of terrorism.

> It's particularly effective in the West because westerners are the
> most connected people in the world. For terrorists, the web offers the
> ability to reach the common people in a way that's uncontrolled and
> unnerving. If a website or virus reaches enough people and incites
> enough chaos, it's a cheap, easy way to scare people on a level
> similar to a "real world" terrorist attack. And you don't even have to
> be in a western country to make it all happen.

More fear-mongering. I've never seen a computer virus incite chaos.

> The most obvious example of cyber terrorism so far has been websites
> devoted to westerners held hostage by terrorists in the aftermath of
> the war in Iraq. The videos available on these sites have featured
> content that includes torture and live beheadings - content not
> suitable for any time of day on TV or radio. But online, the curious
> will, eventually, find it.

Ok, so I think I know why snuff videos are "content not suitable for any time of day" on the radio ;-) but this stuff has been available in one form or another for years -- snuff films have been around for decades. So claiming that terrorists are using snuff films to incite chaos is a bit of a stretch, at best.

> More disturbing, however, is that a cyber terrorist attack could, in
> theory, help to create more damage than the events of 9/11 could ever
> have accomplished.
>
> Here's a potential scenario. Let's say a major city in the U.S. or
> Canada is hit with a terrorist attack similar to the attacks on the
> World Trade Center.
> The casualties are not as high as 9/11, but many
> people are injured and need help quickly.
>
> Under normal circumstances, emergency dispatchers would be sending
> medical teams to help the wounded. But what if, at the same time as
> the physical attacks were occurring, an army of viruses with
> instructions to crash communication networks - emergency radio
> frequencies and cellphone radio towers - was deployed from elsewhere?

Now we are finally reaching into the realm of bad science fiction, where Internet-based terrorists from the Middle East are able to launch attacks against specific radio frequencies and cell phone towers from across the globe -- tied in with a physical attack. Wouldn't it be much easier to have a few extra suicide attackers drive bomb-laden trucks into cell towers and communication centers, since you already have guys here crashing planes into buildings? Much easier to train your terrorists to drive things into immobile objects than to code up what is essentially magic to these terrorists, let alone virtual technological impossibilities to the technical experts.

> This isn't an unfeasible scenario; various viruses such as MyDoom have
> taken down entire networks with relative ease. Who's to say that an
> enterprising, net-savvy terrorist group couldn't make this happen? And
> how many more people could be in trouble because our high-tech
> communication networks are down after the fallout of a major
> explosion?

More fear-mongering, by pulling together facts with fiction -- applying the aftermaths of a computer virus with the scenario of communications networks failing. Also, MyDoom did not take down "entire networks with relative ease". It spread from computer to computer across a network via multiple vectors, including email. MyDoom *relied* on an available network. Clearly the author did not even research the facts he is using to draw conclusions, which brings into question the entire article for accuracy.
> The United States, the prime target of many terrorist groups, is
> charged with the greatest burden in making sure cyber terrorism
> scenarios don't actually happen. But it's a tough task, given how
> quickly things can spread online. It only takes one downloaded file,
> one opened e-mail, to spread a virus worldwide in a matter of days.
>
> BBC News has reported that in July of this year, a U.S. Department of
> Homeland Security internal memo described cyber terrorism as one of
> America's top five security threats. A new unit within the DHS, the
> National Cyber Security Division, was created explicitly for the
> purpose of tackling net security and addressing criticisms that the
> U.S. government has not done a good enough job of preventing future
> cyber terrorist attacks.
>
> Some have argued that cyber terrorism is hardly a threat in comparison
> to a weapon of mass destruction going off in a major city like Chicago
> or London. Perhaps they're right and talk of cyber terrorism is simply
> fear mongering. But the tools that could enable terrorists to gain
> possession of weapons of mass destruction are already online. And
> technology that allows terrorists to gain information required to
> create these weapons is only improving as the web continues to evolve.

Cite one example of an online weapon of mass destruction. Please. Just one. Bear in mind a weapon of mass destruction is typically thought of as a weapon capable of killing a lot of people at once, like a nuke or chemical weapon.

> Quantum encryption - the use of photons as gatekeepers - is one such
> example. While still a few years away from being used for mass-market
> purposes, quantum encryption could be the most impenetrable form of
> encryption ever created. The use of decryption sequences employing
> quantum variables known only to the sender and recipient makes the job
> of intercepting and cracking encrypted e-mails, instant messages and
> websites nearly impossible.
> This is very worrisome for groups devoted
> to preventing terrorist acts, for how do you stop communications you
> can't even find a source for?

Good god, this has got to be the worst misunderstanding to date of technology by an article writer of technological issues. Where do we start? The range of quantum crypto is just a few miles. Peer-to-peer is basically all you can set up, and you need some serious fiber optic skills to make it happen. I seriously doubt it will ever be used for the last mile from the CO to the home -- ever. Too expensive to maintain, and there are dozens of low-tech solutions.

But let's say using oil money two terrorist groups that are within 54 miles of each other (the max limit to date of quantum crypto links) use quantum crypto to create a secure phone line between each other, or a secure communication link for a couple of computers. Is it protected from eavesdropping on the line? You bet. 100% secure. However, this does nothing to secure the computers on either end of the connection, defeat keystroke recorders, Van Eck phreaking, hidden cameras and listening devices near each computer, or secure the data sitting on the hard drives. That is serious money to be spending to make sure the line isn't tapped.

> Various websites have for years offered detailed instructions on
> bomb-making techniques. So-called "darknets" - intranets that have no
> IP addresses listed so they can't be traced - spring up overnight
> where terror groups can share information secretly and disappear
> without a trace.

Does this guy really know what he is talking about? A "darknet" is a term that refers to widely-dispersed P2P networks that essentially ride on the application layer to share information. You know, where you can download all of that free music from. IP addresses that cannot be traced? Not quite.

> Should we be worried? Possibly. Is this a reason to minimize our
> dependence on the web? Not in the least.
> The internet is becoming the
> tool of choice for many aspects of our lives; abandoning what has
> become one of our greatest inventions would be to give in to fear. Yet
> like most technology, the web is a double-edged sword: for every
> benefit we gain from it, there's an equal trade-off.
>
> All we can do is be vigilant, be responsible and be educated about the
> web - the better informed we are, the less chance cyber terrorists
> will succeed.

Then what was the point of this article? Explain being vigilant, responsible, and educated about the web in this context. Please. Let me help you with this first piece of education -- any hack, including Greg Hughes, can write an article where buzzwords and various technologies can be used to create a made-up nightmare world of scariness and fear are abound -- and yet the article can still be complete fiction. In other words, when it comes to articles on the Internet about not trusting the Internet, don't believe everything you read. Check the facts. The author of this article didn't.

> Greg Hughes is a 26 year-old freelance writer. He has written on
> culture and technology for Shift, Silicon Valley North and
> globetechnology.com, and he has also contributed to the National Post,
> the Queen's Alumni Review and other publications. He holds a Bachelor
> of Arts (Honours) from Queen's University in Kingston, Ontario.
>
>
>
> _________________________________________
> Donate online for the Ron Santo Walk to Cure Diabetes - http://www.c4i.org/ethan.html

--
- Simple Nomad ---- thegnome@nmrc.org ---- thegnome@razor.bindview.com -
- "Patriotism means to stand by the country. It does not mean to stand -
- by the President or any other public official."
- Theodore Roosevelt -

From isn at c4i.org Wed Sep 8 08:48:57 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 8 09:02:02 2004
Subject: [ISN] Army rebuilds networks after hack attack
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/fcw/articles/2004/0906/news-campb-09-06-04.asp

[Additional sidebar worth looking at. - WK]

By Frank Tiboni
Sept. 6, 2004

The Army has launched a massive multimillion-dollar initiative to secure systems at Fort Campbell, Ky., the home base for the Army's elite attack helicopter units, after its systems were hacked, officials familiar with the initiative confirmed.

The project, called the Fort Campbell Network Upgrade, which could cost as much as $30 million, follows the service's enterprise management plan to update all of the fort's computers to Microsoft Corp. Active Directory by January because the company will no longer support the Windows NT 4.0 operating system. But industry officials familiar with the update, who requested anonymity because of national security and business concerns, said the two-phase project was launched after systems were penetrated.

"There was a total intrusion into the network system," an industry official said.

"That's a lot of money to spend on [information technology] at one installation," said another industry official. "Do you know what the Army could do with $30 million for IT servicewide?"

Cybersecurity has taken a higher profile within the Defense Department as military officials have stressed network-centric warfare, in which data is put on networks much more quickly, thereby making it more widely available. Under this scheme, however, security becomes more essential because of the warfighter's dependence on this data and the potential ramifications if such information were to fall into enemy hands.
The cyberattack on Fort Campbell has spurred Army IT officials to increase their efforts to develop a servicewide information assurance plan and acquisition strategy in preparation for a procurement that could happen as early as next year, industry officials said.

"There is consensus among [officials] that they need to implement host-based intrusion detection," the industry official said. Host-based intrusion-detection systems monitor, detect and respond to user and system activity and attacks on a given network. Army officials primarily use intrusion-detection systems in a less central manner.

Army officials were reluctant to discuss the cyberattacks, but people familiar with the incidents say the invasion of Fort Campbell's networks apparently took place last fall. A group of individuals from the Army's Computer Emergency Response Team (CERT) at Fort Belvoir, Va., started working at Fort Campbell as a result of the intrusion, the industry official said.

Army CERT officials determined that hackers penetrated the Fort Campbell network so they could monitor the daily exchange of information there. "They were actually inside the network and had been there for a couple months," the official said.

Army CERT officials followed the hackers' activities for a couple of months to determine their origin and intention. "They let it go on for a while, [and] then pulled the plug," the industry official said. Fort Campbell IT officials then started updating the network.

Maj. Gen. James Hylton, commanding general of the Network Enterprise Technology Command, which includes Army CERT, declined to comment on the intrusion at the fort.

"We are a nation at war, and although protection of our networks has always had a high priority, we are even more vigilant now," Hylton said in a written statement. "The less the enemy knows, the better it is for the people [who] protect our networks."

"I will not go into specifics on what types of defensive measures we have in place," he wrote.
"However, I will say that great emphasis is placed on constant vigilance."

Lt. Gen. Steve Boutelle, the Army's chief information officer, also declined to comment on the intrusion at Fort Campbell, explaining that information about investigations related to computer network defense is classified. However, Boutelle made cybersecurity one of the cornerstones of his presentation to Army and industry officials last week at the Directorate of Information Management/Army Knowledge Management conference. "Your systems are being attacked," he said.

Officials with the Joint Task Force-Global Network Operations (JTF-GNO), who oversee protection of military networks, also declined to comment on the intrusion. "All intrusions into [DOD] systems are investigated by appropriate investigative agencies," said Tim Madden, task force spokesman, in a statement. "JTF-GNO and the agencies involved do not discuss ongoing operations."

JTF-GNO officials, however, have reported gradual increases in the number of attempted intrusions on the military's networks during the past three years. The task force reported 40,076 in 2001, 43,086 in 2002, 54,488 in 2003 and 24,745 as of June 2004, Madden said. "The increase simply reflects the increase in the number of computers and people using them worldwide," he said.

Another industry official said Army IT officials will hire 20 people to investigate what happened to systems at Fort Campbell and to look into the significant increase in attempted intrusions into Army networks during the past year, which Boutelle attributes to the current geopolitical climate.

During the past five years, DOD systems experienced similar attempted intrusions as military officials began carrying out their new doctrine of net-centric warfare. Department officials believe the intrusions originated in China, Brazil and Lithuania, but the only governments that have developed doctrines for cyberwarfare are China and India, said a military IT official who requested anonymity.
The department's new information assurance policies released this summer include the draft, titled "End-to-End Information Assurance Component of the Global Information Grid Integrated Architecture." The policies have resulted from the increase in attempted intrusions into DOD systems, the military official said.

From isn at c4i.org Wed Sep 8 08:49:32 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 8 09:02:03 2004
Subject: [ISN] Software pirates not safe at home
Message-ID:

http://www.nzherald.co.nz/storydisplay.cfm?storyID=3589541

By RICHARD PAMATATAU
07.09.2004

New Zealand software pirates risk extradition to the United States following a ground-breaking ruling against an Australian man accused of pirating software, games and music worth up to US$50 million.

Mark Kelly, senior associate at Auckland's Simpson Grierson, said the Hew Raymond Griffiths case in Australia confirmed that people based in one country and accused of software piracy could be brought to justice in another under extradition law.

Locally, Microsoft has led the charge against software piracy and brought prosecutions against individuals infringing its copyright. The largest software piracy cases involve hundreds of thousands of dollars.

Kelly said the United States was on an international hunt for internet pirates.

US crime agencies fought hard to obtain an order to extradite Griffiths following an unsuccessful attempt where an Australian magistrate denied their extradition request. The US appealed against that decision and has now won the right to try Griffiths in the US.
Kelly said that ringleader Griffiths, who went under the online name BanDiDo, was an Australian who had never been to the US. He said the case was making Australian legal history because it was the first extradition case under copyright law.

"This case confirms that internet pirates based in one country are not always safe from the laws of other countries."

Griffiths has been charged in the US with conspiracy to infringe copyright and copyright infringement, for reproducing without authority and distributing software protected by copyright on the internet.

The US alleges that Griffiths was the ringleader of an internet group called DrinkOrDie which allegedly worked from a computer network at Boston's Massachusetts Institute of Technology. Griffiths helped to control access to the network, though it is not alleged that he made money from his activities. Eleven DrinkOrDie members already have been convicted in the US.

Kelly said Griffiths' alleged infringements all took place on his home computer in Australia. Should the extradition and trial proceed he faced up to 10 years in an American jail and a fine of up to US$500,000.

Wayne Hudson, Software Exporters Association president, said his organisation would watch the developments with interest. He said the issue of software piracy might have increasing significance in free trade agreements. Copyright infringement was a huge issue globally but especially in China, he said, so the case might have implications there as well.

While the copyright offences were "found to have occurred in the US", Griffiths had never been to the US and was not a "fugitive" in the sense that he was fleeing and hiding from the extradition-seeking country, Hudson said.

Kelly said: "It means technically that a software pirate in Grey Lynn could end up in an American court, even though copyright infringement or conspiracy to do so are not the usual offences that come before the court."
He said it could also mean that Australians infringing New Zealand copyright could be extradited and vice versa.

Under New Zealand law, if a person accused or convicted of an "extradition offence" is suspected of being in another country, or on his or her way to another country, New Zealand may request that country to surrender the person under the Extradition Act 1999. The maximum penalty is jail for at least a year.

Kelly said New Zealand could seek extradition of copyright pirates and trademark counterfeiters if the actions of those offenders fell within the relevant New Zealand legislation such as the Copyright Act, which carries a five-year maximum prison sentence.

Microsoft spokeswoman Carol Leishman said her company preferred to take action in the local jurisdiction. It had already brought successful actions around the world. She said Microsoft would continue to watch developments.

Maarten Kleintjes, national manager for the NZ Police electronic crime laboratory, said his group would look at cases of copyright infringement if they were sufficiently serious.

From isn at c4i.org Wed Sep 8 08:50:15 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 8 09:02:05 2004
Subject: [ISN] Code Pink Infiltrates RNC
Message-ID:

[I'm posting this link for a good friend of mine (also in security), not to embarrass the Bush administration and the RNC, just to point out that the best laid multi-layered security plans can go all wrong. We can all count our lucky stars they were peaceful protesters and not some group hell bent on terrorism. - WK]

http://www.democracynow.org/article.pl?sid=04/09/03/1457225

Here is a link to the transcripts with the interview with Medea Benjamin and Gael Murphy of Code Pink. Medea Benjamin infiltrated the RNC three nights in a row. This was done without credentials and while wearing a bright pink outfit all three nights.
The situation is even more absurd because she is a celebrity protestor, and her photo was distributed to the security people beforehand. She also infiltrated the DNC back in July and she was present (and singing) during the hearings where Michael Powell made it possible to form regional media monopolies. Pictures of that event can be found here (although it's referred to as "hacktivism" for some reason):

http://www.onlisareinsradar.com/archives/001335.php

I think this raises real questions about the way security resources were used during the convention. Everyone agrees that the police presence during the convention was huge, but if the resources were allocated in such a way as to allow these women to get close to the president what exactly were they doing? Was the massive show of force really about protecting the president, or was it about quashing dissent on the streets?

From isn at c4i.org Wed Sep 8 08:52:51 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 8 09:02:06 2004
Subject: [ISN] Nasdaq tests everyone's disaster recovery plans
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,95734,00.html

By Elana Varon
SEPTEMBER 07, 2004
CIO.com

Three years ago on Sept. 11, Kamran Rafieyan and his co-workers walked down 83 floors of World Trade Center Tower One to safety. "Miraculously enough, we didn't lose any people," says Rafieyan, CIO of Lava Trading Inc. His then-fledgling company, a service bureau that routes equity orders for brokers, lost its data center when the tower collapsed. "We were in the midst of building our backup site, and we had to scramble for four weeks to get it up and running."

Today, Lava Trading counts among its clients 16 of the top 20 investment banks and helps to process 15% of the daily trading volume on Nasdaq -- which is why on two Saturdays earlier this year, Rafieyan joined 49 other brokers and service providers in Nasdaq-sponsored disaster recovery tests.
It was the first time that Lava Trading was able to test its disaster plans in an everyday business setting, rather than in a simulated environment. In the first test, Nasdaq had customers test connectivity from their backup sites to Nasdaq's primary site in Connecticut; in the second, customers tested how either their primary or backup trading systems connected to Nasdaq's backup site in Maryland. Steve Randich, Nasdaq's executive vice president and CIO, reports nary a technical hiccup in the entire proceedings.

The tests were the first Nasdaq offered to its entire customer base. (In the past, Nasdaq has accommodated individual requests for testing whenever Nasdaq conducted its own.) With 9/11 and the August 2003 Northeast blackout behind them, it's becoming clear to many financial services companies that their survival depends on that of their trading partners. Regulators, meanwhile, are pushing securities traders to have proven disaster recovery plans in place. In April, the Securities and Exchange Commission approved a rule issued by Nasdaq's parent company, the National Association of Securities Dealers, requiring market participants to develop and disclose to their customers such plans by September 2004.

Randich says his goal was "to be a host" and to allow customers to confirm their ability to fail over to their backup systems. The key benefit, he adds, "is to promote the resilience of the market in terms of investor protection. If there were to be a major event, we can go to bed knowing it's not troublesome to restore operations in the morning."

During the tests, participants worked individually with Nasdaq. Each company was asked to test whether it could submit orders, update quotes, submit and receive trade execution reports, and scan the system for executed and unexecuted orders.
A few companies also used the opportunity to test their ability to send orders directly to each other (rather than to the market as a whole), just as they would during the course of regular business.

Disaster recovery capabilities are often an important selling point for companies like Lava Trading that provide services to brokers. "If you're signing a contract with a large customer for trading systems, it involves sensitive data and mission-critical systems," notes Rafieyan. "They want to view your fault tolerance plans [and] your disaster recovery plans. They might ask to do regular quarterly testing."

Through Nasdaq's tests, Rafieyan was able to confirm that his disaster recovery plans work, but he also discovered procedures he could improve. Combining some steps and automating others, he concluded, would enable the company to recover more quickly from a disaster. Restoring service might have taken only a few minutes during a test. In a crisis, "It could take two to three times as long," while the company runs through its escalation procedure to determine whether it needs to invoke its backup plans. "That's hard to simulate," Rafieyan says.

Collaboration in business continuity planning may be more widespread in financial services than in other industries because financial institutions are used to collaborating at the transaction level, says Adrian Bowles, principal research fellow with the Robert Frances Group Inc. consultancy. But companies in other industries could benefit from cooperating as well. For instance, says Bowles, most businesses rely on a few large logistics companies to ship packages. "If [they] all go down the same day, business stops. It would make sense from an infrastructure standpoint to look at common failure points."

Randich says Nasdaq gives frequent tours of its data centers to visitors from Fortune 100 companies looking for business continuity advice, including a large logistics company. "Their transactions are completely different, but their operation and technology requirements are similar," he says.

Ultimately, maintaining business operations depends on cooperating with more than just a company's immediate trading partners. The next challenge, says Randich, is to be able to sustain operations if, say, a blackout extends for 36 hours and leads into a second trading day. "Then telecom companies and brokers start running out of diesel fuel to power their generators. They need transportation to help get deliveries" and a plan for emergency personnel to help make that happen. "The next level of improvement is a broader degree of cooperation from the metro police and service providers."

From isn at c4i.org Wed Sep 8 08:46:58 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 8 09:02:08 2004
Subject: [ISN] REVIEW: "Ethics and Computing", Kevin W. Bowyer
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKETHCMP.RVW 20040623

"Ethics and Computing", Kevin W. Bowyer, 2001, 0-7803-6019-2, U$65.96/C$93.99
%A Kevin W. Bowyer kwb@csee.usf.edu
%C 10662 Vaqueros Circle, Los Alamitos, CA 90720-1314
%D 2001
%G 0-7803-6019-2
%I IEEE Computer Society Press
%O U$65.96/C$93.99 800-2726657 fax 714-8214401 cs.books@computer.org
%O http://www.amazon.com/exec/obidos/ASIN/0780360192/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0780360192/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0780360192/robsladesin03-20
%P 429
%T "Ethics and Computing: Living Responsibly in a Computerized World"

Chapter one is a mundane outline of concepts in ethics and professional ethics, without getting into the standard theories. The chapter ends with an actual scenario involving whistle-blowing. There are reprints of articles on related issues (at the end of each chapter), and "worksheets" asking some fairly general ethical questions. Critical thinking, in chapter two, concentrates on failures of logic.
A number of professional codes of conduct are printed in chapter three, with a bit of discussion. Chapter four describes some blackhat types and activities, without looking much at the ethical issues. (The reprinted articles are more than twice as long as the chapter itself.) Chapter five is a rather confusing amalgam of basic encryption types and US legal cases involving wiretaps. A vague mention of the Therac 25 incident, and the importance of safety critical systems, exhausts the three pages of chapter six, but leads to fifty-five pages of reprints. Whistle-blowing gets more detailed review in chapter seven. Chapter eight outlines US law with regard to intellectual property. Hazardous materials and bad ergonomic design are mentioned briefly in chapter nine. Chapter ten moves back to an arena closer to ethics with the concept of fairness. Some vague advice about managing your career is in chapter eleven.

While the assortment of articles might be handy in terms of collecting "real world" scenarios for discussion, the written text of the book, and the discussion of ethical issues, does not provide much in the way of direction or philosophical background. Deborah Johnson's "Computer Ethics" (cf. BKCMPETH.RVW) is far superior and even Schwartau's "Internet and Computer Ethics for Kids" (cf. BKINCMEK.RVW) provides better discussions and explanation, while Tavani's "Ethics and Technology" (cf. BKETHTCH.RVW) contributes significantly more to the formal framework for ethical study.

copyright Robert M. Slade, 2004 BKETHCMP.RVW 20040623

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
Crossbows don't kill people, quarrels kill people
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Thu Sep 9 06:41:16 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 9 06:56:16 2004
Subject: [ISN] For Wall Street, 9/11 lessons three years in the making
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,95765,00.html

By Dan Verton
SEPTEMBER 08, 2004
COMPUTERWORLD

WASHINGTON -- With the third anniversary of the Sept. 11, 2001, terrorist attacks approaching this weekend, senior Wall Street executives today outlined for Congress unprecedented security measures that continue to be revised and improved to withstand what the government fears is an ongoing effort by al-Qaeda to disrupt the U.S. economy.

Appearing at a House Financial Services committee hearing today, senior government officials and executives from key financial institutions in lower Manhattan described in startling detail the efforts that continue to go into bolstering physical and cyber security for the nation's critical financial trading systems. The Department of Homeland Security raised the terrorist threat level to Code Orange on Aug. 1 for financial companies in New York, New Jersey and Washington.

Since the 9/11 attacks, the New York Stock Exchange has spent more than $100 million to bolster physical and cyber security and improve redundancy and business continuity, said Robert G. Britz, president and co-chief operating officer of the NYSE. Among the improvements are a new contingency trading floor, an expansion of the emergency command center operated by Securities Industry Automation Corp. (SIAC), a remote network operations center, an ongoing effort to establish a remote national market system data center, and modifications allowing trading systems to accept four-character symbols, thereby providing backup for the Nasdaq stock market.

The most far-reaching security precautions, however, were undertaken in the area of physical security for both key personnel and critical data centers, said Britz. In addition to mandating that a certain percentage of personnel work off-site at any given time, the NYSE has worked with New York City officials to reroute bus traffic around its data centers, hired a 24-hour New York Police Department security detail for all data centers and deployed a geographically dispersed fiber-optic routing backbone.

That backbone would allow equity brokers to maintain connections to the markets in the event of another 9/11-type of attack. Called the Secure Financial Transaction Infrastructure (SFTI), it connects more than 600 financial services firms. Pronounced "safety," SFTI is a private extranet that provides continuous telecommunications and a secure means of connecting to trading, clearing and settlement, market data distribution and other SIAC services, Britz said. Instead of running circuits directly to SIAC, users connect to multiple access centers via their carrier of choice, eliminating the need to rely on a single telecommunications route, he said.

All of SFTI's equipment, connections, power supplies, network links and access centers are redundant, and its architecture features independent, self-healing fiber-optic rings making it independent of all other telecommunications circuits and conduits, according to Britz. "Therefore, even if one SFTI fiber pathway is compromised, financial data traffic will continue to move uninterrupted along another pathway, improving the industry's protection against possible threats," Britz said at the hearing.
The NYSE and SIAC also recently completed work on a remote network operations center (RNOC) that Britz said will be in operation by the fourth quarter of this year. The RNOC will allow NYSE officials to monitor and operate the data centers and will support the SFTI network as well as the computer systems comprising the Intermarket Trading System, the Consolidated Trade System, the Consolidated Quotation System and the Options Price Reporting Authority. SIAC is also building a remote data center that will be in operation by the second quarter of 2005 and will support the Consolidated Tape and Consolidated Quotation (CT/CQ) systems and the Options Price Reporting Authority.

John R. Mohr, executive vice president of The Clearing House Association LLC (TCH), a global payment systems firm that clears and settles more than $1.5 trillion in trades per day, said his firm hired a contractor to conduct both physical and cyber penetration tests. As a result of those tests, TCH reconfigured one of its key facilities, implemented biometric access-control systems and "all but eliminated visitor access to our operating centers."

TCH also developed a tertiary data center in a remote region of the country that is fully equipped to take over operation of its Clearing House Interbank Payments System (CHIPS) within an hour of a simultaneous failure of the other two CHIPS data centers, said Mohr. Using custom mirroring software specially developed by TCH, CHIPS was able to overcome distance limitations of synchronous mirroring technology and achieve recovery times consistent with synchronous mirror sites, he said.

Samuel H. Gaer, CIO of the New York Mercantile Exchange, said all essential employees at his organization have been issued cell phones with two-way radio capability, portable two-way e-mail devices -- some of which can be used to make emergency phone calls -- and laptops with remote connection software and cellular modem cards to wirelessly connect to exchange system resources anywhere cellular coverage is available.

Despite these efforts to bolster physical security and network redundancy, Wayne A. Abernathy, assistant Treasury secretary for financial institutions, warned Congress that the financial sector is under constant electronic assault by both organized crime and unknown entities. "These assaults have progressed from computer hackers and pranksters into theft and now, we believe, on to schemes to disrupt the operations of our financial systems," he said. "Some of these attacks have their sources in organized crime [and] we believe that, increasingly, still more sinister actors are involved. The threat is not theoretical."

From isn at c4i.org Thu Sep 9 06:41:28 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 9 06:56:19 2004
Subject: [ISN] Sasser Worm Creator Charged with Sabotage
Message-ID:

http://www.eweek.com/article2/0,1759,1644071,00.asp

September 8, 2004
By Associated Press

BERLIN (AP) - A German teenager who authorities say confessed to creating the Sasser computer worm in May has been charged with computer sabotage.

Sven Jaschan, 18, was arrested after telling officials he originally wanted to create a virus, Netsky, to automatically remove two other viruses, Mydoom and Bagle, from infected computers. He had developed several versions of Netsky and, after modifying it, created Sasser.

Sasser, which took advantage of a known flaw with Microsoft Corp.'s Windows operating system, snarled tens of thousands of computers and caused Internet traffic to slow.
Unlike most outbreaks, Sasser did not require users to activate it by clicking on an e-mail attachment; instead, it automatically scanned the Internet for computers with the security flaw and sent a copy of itself there.

Prosecutors said they have been contacted by 143 plaintiffs with total damage claims of $157,000. But because many businesses and individuals never report such damages, prosecutors believe the actual figure is in the millions.

In their indictment, prosecutors in Jaschan's home state of Lower Saxony chose the cases of three German city governments and a public broadcaster whose systems were disrupted. Computer sabotage carries a maximum sentence of five years in prison.

Authorities who questioned Jaschan said they got the impression his motive was to gain fame as a programmer. He was caught after informants seeking a reward tipped off Microsoft. He was arrested sitting at his computer at the house of his mother, who runs a computer store in the small northern town of Waffensen.

Prosecutors are also investigating several of Jaschan's friends as suspected accomplices, though none of them have been charged. No trial date has been set for Jaschan.

From isn at c4i.org Thu Sep 9 06:41:39 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 9 06:56:20 2004
Subject: [ISN] Microsoft confident XP update will baffle hackers
Message-ID:

http://portal.telegraph.co.uk/money/main.jhtml?xml=/money/2004/09/09/cnmicro09.xml&menuId=242&sSheet=/money/2004/09/09/ixcity.html

By Richard Tyler
Filed: 09/09/2004

Microsoft's UK head Alistair Baker has thrown down the gauntlet to would-be hackers. He said his company's Windows XP operating system update, launched last month by Bill Gates, was the "first big line we have drawn in the sand" to combat security breaches and spam. He challenged hackers: "If you could get through that I would be impressed."

Bookies immediately offered punters odds of 2-1 on that the system would be hacked by the end of the year.
More generous odds of 6-4 were offered to those willing to bet the new update, called service pack two (SP2), would stand up to scrutiny.

The update, available free of charge from Microsoft, cost $1 billion to develop - a seventh of the firm's total annual R&D budget - and has helped delay the release of a new version of Microsoft's three-year-old XP operating system, called Longhorn.

Bill Gates, Microsoft's chairman, warned Windows XP users that they needed the update to ensure their PCs were "better isolated and more resilient in the face of increasingly sophisticated attacks".

Mr Baker said the update represented a "transitory phase" for Microsoft users. At present, he admitted, security was a "big risk" because the operating system's "potential weaknesses" were being exploited by hackers. But the arrival of SP2 would mean "we are very much in control of the issue".

He added that Microsoft expected 2.5m SP2 downloads a day from its website, with a target of seeing the software installed on 100m desktop computers by November.

He advised firms with PCs using the Windows 98 operating system that it was not designed with the internet and e-mail in mind but they could download the upgrades to cut the risk of attack.

From isn at c4i.org Thu Sep 9 06:41:59 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 9 06:56:23 2004
Subject: [ISN] Mitnick movie comes to the US
Message-ID:

http://www.theregister.co.uk/2004/09/09/mitnick_movie_us/

[ http://www.amazon.com/exec/obidos/ASIN/B0002L57YQ/c4iorg - WK]

By Kevin Poulsen, SecurityFocus
9th September 2004

Nearly six years after it was filmed, Hollywood's trouble-plagued movie version of the hunt for hacker Kevin Mitnick is headed for video stores in the US. Originally titled Takedown, then Cybertraque, the film is set for a September 28th U.S. release on DVD with the new title, Track Down.
The movie is from Miramax's horror and sci-fi label Dimension Films, and is based on the book Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw - By The Man Who Did It, authored by computer scientist Tsutomu Shimomura and New York Times reporter John Markoff. Shimomura electronically tracked Mitnick to his Raleigh, North Carolina hideout in February, 1995, and sold the book and movie rights for an undisclosed sum amidst the storm of publicity following the fugitive hacker's arrest.

Early versions of the screenplay for the movie adaptation of Takedown cast Mitnick - played by Scream star Skeet Ulrich - as violent and potentially homicidal. In July, 1998, supporters of the then-imprisoned cyberpunk rallied against the film outside Miramax's New York City offices. Writers later revised the script, and shooting wrapped on the project in December, 1998. The film then languished without a US release date amid rumors of poor test screenings and a re-shot ending.

Perhaps hoping to recoup some of their losses, Miramax finally released the movie to French theatres in March, 2000, as Cybertraque. It was generally panned by critics: a reviewer for the newspaper Le Monde noted the film's problems in translating a virtual manhunt to the action-adventure genre. "Can the repeated image of faces sweating over keyboards renew the principles of the Hollywood thriller?" the paper asked. "It's easy to say that the filmmaker hardly reaches that point, regardless of his saturation of the soundtrack with rock music to defeat the boredom of the viewer."

Cybertraque was later released in Europe on DVD with French subtitles, and enjoyed some underground circulation on peer-to-peer networks, often misidentified as the sequel to the 1995 film Hackers.

The real-life Mitnick cracked computers at cellphone companies, universities and ISPs.
He pleaded guilty in March, 1999, to seven felonies, and was released from prison on 21 January, 2000, after nearly five years in custody. Now a security consultant and author, the ex-hacker says he's not happy to see the movie come to America. "I didn't expect the film would ever be released to the US, so this is kind of shock to me," he says. "I'm kind of disappointed because the film depicts me doing things that are not real."

The fictionalized plot of Track Down centers around Shimomura's efforts to capture Mitnick before the hacker can access a terrifying computer program capable of causing blackouts, disabling hospital equipment and scrambling air traffic control systems. Hollywood's Mitnick character is portrayed somewhat sympathetically, but is prone to random outbursts of rage, and suffers a creepy penchant for electronic eavesdropping and a lurking hatred of women.

"You wouldn't believe the amount of emails I get from all around the world saying, 'I saw this movie about you, it's great, you're my hero, it was a fantastic movie,'" says Mitnick. "I'm thinking, these guys are a little bit off... It's not an interesting film. I think it was done pretty poorly."
From isn at c4i.org Thu Sep 9 06:40:58 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 9 06:56:26 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-37
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary

                        2004-09-02 - 2004-09-09

                       This week : 58 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Secunia has implemented new features at Secunia.com

SECUNIA ADVISORIES NOW INCLUDE "Solution Status":

In addition to the extensive information Secunia advisories already include, Secunia has added a new parameter: "Solution Status". This simply means that all Secunia advisories, including older advisories, now include the current "Solution Status" of an advisory, i.e. if the vendor has released a patch or not.

IMPROVED PRODUCT PAGES:

The improved product pages now include a detailed listing of all Secunia advisories affecting each product. The listings include a clear indication of the "Solution Status" each advisory has ("Unpatched", "Vendor patch", "Vendor workaround", or "Partial fix").

View the following for examples:
Opera 7: http://secunia.com/product/761/
Internet Explorer 6: http://secunia.com/product/11/
Mozilla Firefox: http://secunia.com/product/3256/

EXTRA STATISTICS:

Each product page also includes a new pie graph, displaying the "Solution Status" for all Secunia advisories affecting each product in a given period.
View the following for an example:
Internet Explorer 6: http://secunia.com/product/11/#statistics_solution

FEEDBACK SYSTEM:

To make it easier to provide feedback to the Secunia staff, we have made an online feedback form. Enter your inquiry and it will immediately be sent to the appropriate Secunia department. Ideas, suggestions, and other feedback are most welcome.

Secunia Feedback Form:
http://secunia.com/contact_form/

========================================================================
2) This Week in Brief:

ADVISORIES:

WinZIP released a new version of their very popular packaging program for Windows, which according to the vendor addresses some buffer overflow vulnerabilities and a vulnerability, which is caused due to insufficient command line validation.

According to the vendor, all vulnerabilities were discovered during internal review and testing. An updated version is available at the WinZIP website.

Reference:
http://secunia.com/SA12430

--

Apple has issued a security update for Mac OS X, which fixes 15 vulnerabilities. A detailed list can be found in the Secunia advisory below.

Reference:
http://secunia.com/SA12491

--

The Altnet Download Manager is vulnerable to a buffer overflow in an included ActiveX Control, which can be exploited by malicious people to execute arbitrary code on a vulnerable system.

What makes this even more critical is that this ActiveX Control also is shipped with file sharing programs such as Kazaa and Grokster. Most users of these products are not aware that they need to download a patch from Altnet in order to address this problem.

Users who have Kazaa or Grokster installed should visit Altnet and download the available patch as soon as possible.

Reference:
http://secunia.com/SA12446

VIRUS ALERTS:

Secunia has not issued any virus alerts during the last week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA12430] Winzip Unspecified Multiple Buffer Overflow Vulnerabilities
2. [SA12321] Microsoft Internet Explorer Drag and Drop Vulnerability
3. [SA12304] Internet Explorer Address Bar Spoofing Vulnerability
4. [SA12381] Winamp Skin File Arbitrary Code Execution Vulnerability
5. [SA12455] Kazaa Altnet Download Manager Buffer Overflow Vulnerability
6. [SA12446] Altnet Download Manager Buffer Overflow Vulnerability
7. [SA12409] Oracle Products Multiple Vulnerabilities
8. [SA12198] AOL Instant Messenger "Away" Message Buffer Overflow Vulnerability
9. [SA11978] Multiple Browsers Frame Injection Vulnerability
10. [SA12408] Kerberos V5 Multiple Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA12456] Grokster Altnet Download Manager Buffer Overflow Vulnerability
[SA12455] Kazaa Altnet Download Manager Buffer Overflow Vulnerability
[SA12446] Altnet Download Manager Buffer Overflow Vulnerability
[SA12487] Trillian MSN Module Buffer Overflow Vulnerability
[SA12453] IMail Multiple Denial of Service Vulnerabilities
[SA12460] eZ / eZphotoshare Multiple Connection Denial of Service Vulnerability
[SA12468] Kerio Personal Firewall Program Execution Protection Feature Bypass

UNIX/Linux:
[SA12496] Gentoo update for LHA
[SA12494] Fedora update for LHA
[SA12489] Gentoo update for ImageMagick/imlib/imlib2
[SA12488] Usermin Shell Command Injection and Insecure Installation Vulnerabilities
[SA12483] Mandrake update for imlib/imlib2
[SA12480] Red Hat update for gaim
[SA12479] ImageMagick BMP Image Decoding Buffer Overflow Vulnerability
[SA12478] mpg123 Mpeg Layer-2 Audio Decoder Buffer Overflow Vulnerability
[SA12475] Red Hat update for mod_ssl
[SA12457] Gentoo update for krb5
[SA12445] gnubiff POP3 Buffer Overflow and Denial of Service Vulnerabilities
[SA12437] Red Hat update for LHA
[SA12495] Fedora update for kdelibs / kdebase
[SA12491] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA12473] OpenCA Web Frontend Script Insertion Vulnerability
[SA12465] Slackware update for KDE
[SA12459] Gentoo update for xv
[SA12458] Mailworks User Authentication Bypass Vulnerability
[SA12452] Gentoo update for Python
[SA12449] Gentoo update for eGroupWare
[SA12448] Gentoo update for Squid
[SA12447] SuSE update for zlib
[SA12442] Gentoo update for vpopmail
[SA12441] vpopmail SQL Injection Vulnerabilities
[SA12454] Fedora update for samba
[SA12474] SUSE update for apache2
[SA12451] Gentoo update for Gallery
[SA12443] Red Hat update for httpd
[SA12499] Gentoo update for samba
[SA12485] Gentoo update for star
[SA12484] Star Unspecified Privilege Escalation Vulnerability
[SA12482] Mandrake update for cdrecord
[SA12481] cdrecord Privilege Escalation Vulnerability
[SA12476] Net-Acct Insecure Temporary File Creation Vulnerability
[SA12462] Gentoo update for Ruby
[SA12440] bsdmainutils calendar Utility File Content Disclosure Vulnerability
[SA12470] Sun Solaris in.named Dynamic Update Denial of Service Vulnerability
[SA12477] Gentoo multi-gnome-terminal Potential Exposure of Sensitive Information

Other:
[SA12461] Dynalink RTA230 Default Username and Password
[SA12471] StorageTek D280 Disk System Denial of Service Vulnerability
[SA12469] IBM TotalStorage DS4100 Denial of Service Vulnerability
[SA12464] Engenio Storage Controllers Denial of Service Vulnerability
[SA12450] NetScreen-IDP scp Directory Traversal Vulnerability
[SA12472] Brocade SilkWorm Switches Denial of Service Vulnerability

Cross Platform:
[SA12467] Tutti Nova Unspecified Vulnerabilities
[SA12444] Squid NTLM Authentication Denial of Service Vulnerability
[SA12439] TorrentTrader "id" SQL Injection Vulnerability
[SA12438] phpWebSite Cross-Site Scripting and Script Insertion Vulnerabilities
[SA12466] phpGroupWare Unspecified Cross-Site Scripting Vulnerability
[SA12486] Emdros Create/Update Object Type Denial of Service Vulnerability
[SA12463] Cosminexus Portal Framework Unspecified Cached Content Replacement
========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA12456] Grokster Altnet Download Manager Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-03

CelebrityHacker has reported a vulnerability in the Altnet Download Manager included in Grokster, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12456/

--

[SA12455] Kazaa Altnet Download Manager Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-03

CelebrityHacker has reported a vulnerability in the Altnet Download Manager included in Kazaa, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12455/

--

[SA12446] Altnet Download Manager Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-03

CelebrityHacker has discovered a vulnerability in Altnet Download Manager, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12446/

--

[SA12487] Trillian MSN Module Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-09-08

Komrade has reported a vulnerability in Trillian, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12487/

--

[SA12453] IMail Multiple Denial of Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-09-03

Various vulnerabilities have been reported in IMail, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/12453/

--

[SA12460] eZ / eZphotoshare Multiple Connection Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-06

Dr_insane has reported a vulnerability in eZ and eZphotoshare, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12460/

--

[SA12468] Kerio Personal Firewall Program Execution Protection Feature Bypass

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2004-09-06

Tan Chew Keong has reported a vulnerability in Kerio Personal Firewall, which can be exploited by certain malicious processes to bypass certain security features provided by the product.

Full Advisory:
http://secunia.com/advisories/12468/

UNIX/Linux:--

[SA12496] Gentoo update for LHA

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-09

Gentoo has issued an update for LHA. This fixes some vulnerabilities, which can be exploited to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12496/

--

[SA12494] Fedora update for LHA

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-09

Fedora has issued an update for LHA. This fixes some vulnerabilities, which can be exploited to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12494/

--

[SA12489] Gentoo update for ImageMagick/imlib/imlib2

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-08

Gentoo has issued updates for ImageMagick, imlib, and imlib2. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/12489/

-- [SA12488] Usermin Shell Command Injection and Insecure Installation Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Unknown, System access
Released: 2004-09-08
Two vulnerabilities have been reported in Usermin, where the most critical can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/12488/

-- [SA12483] Mandrake update for imlib/imlib2
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-09-08
MandrakeSoft has issued updates for imlib and imlib2. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/12483/

-- [SA12480] Red Hat update for gaim
Critical: Highly critical
Where: From remote
Impact: System access, DoS
Released: 2004-09-07
Red Hat has issued an update for gaim. This fixes multiple vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/12480/

-- [SA12479] ImageMagick BMP Image Decoding Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-09-08
A vulnerability has been reported in ImageMagick, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/12479/

-- [SA12478] mpg123 Mpeg Layer-2 Audio Decoder Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-09-08
Davide Del Vecchio has reported a vulnerability in mpg123, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/12478/

-- [SA12475] Red Hat update for mod_ssl
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-09-07
Red Hat has issued an update for mod_ssl. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/12475/

-- [SA12457] Gentoo update for krb5
Critical: Highly critical
Where: From remote
Impact: System access, DoS
Released: 2004-09-06
Gentoo has issued an update for krb5. This fixes multiple vulnerabilities, where the most critical potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/12457/

-- [SA12445] gnubiff POP3 Buffer Overflow and Denial of Service Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-09-06
Two vulnerabilities have been reported in gnubiff, which potentially can be exploited to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/12445/

-- [SA12437] Red Hat update for LHA
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-09-02
Red Hat has issued an update for LHA. This fixes some vulnerabilities, which can be exploited to compromise a user's system.
Full Advisory: http://secunia.com/advisories/12437/

-- [SA12495] Fedora update for kdelibs / kdebase
Critical: Moderately critical
Where: From remote
Impact: Hijacking, Spoofing, Privilege escalation
Released: 2004-09-09
Fedora has issued updates for kdelibs and kdebase. These fix multiple vulnerabilities, which can be exploited to perform certain actions on a vulnerable system with escalated privileges, spoof the content of websites, or hijack sessions.
Full Advisory: http://secunia.com/advisories/12495/

-- [SA12491] Mac OS X Security Update Fixes Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2004-09-08
Apple has issued a security update for Mac OS X, which fixes various vulnerabilities.
Full Advisory: http://secunia.com/advisories/12491/

-- [SA12473] OpenCA Web Frontend Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-09-08
A vulnerability has been reported in OpenCA, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/12473/

-- [SA12465] Slackware update for KDE
Critical: Moderately critical
Where: From remote
Impact: Privilege escalation, Spoofing, Hijacking
Released: 2004-09-06
Slackware has issued updates for kdelibs and kdebase. These fix multiple vulnerabilities, which can be exploited to perform certain actions on a vulnerable system with escalated privileges, spoof the content of websites, or hijack sessions.
Full Advisory: http://secunia.com/advisories/12465/

-- [SA12459] Gentoo update for xv
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-09-06
Gentoo has issued an update for xv. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/12459/

-- [SA12458] Mailworks User Authentication Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-09-06
Paul Craig has reported a vulnerability in Mailworks, which can be exploited by malicious people to bypass the user authentication.
Full Advisory: http://secunia.com/advisories/12458/

-- [SA12452] Gentoo update for Python
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-09-03
Gentoo has issued an update for Python. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/12452/

-- [SA12449] Gentoo update for eGroupWare
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-09-03
Gentoo has issued an update for eGroupWare. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.
Full Advisory: http://secunia.com/advisories/12449/

-- [SA12448] Gentoo update for Squid
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-09-03
Gentoo has issued an update for Squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12448/

-- [SA12447] SuSE update for zlib
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-09-03
SuSE has issued an update for zlib. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12447/

-- [SA12442] Gentoo update for vpopmail
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information, Privilege escalation
Released: 2004-09-03
Gentoo has issued an update for vpopmail. This fixes some vulnerabilities, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/12442/

-- [SA12441] vpopmail SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information, Privilege escalation
Released: 2004-09-03
Some vulnerabilities have been reported in vpopmail, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/12441/

-- [SA12454] Fedora update for samba
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-09-03
Fedora has issued an update for samba. This fixes two vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/12454/

-- [SA12474] SUSE update for apache2
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-09-07
SUSE has issued an update for apache2. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12474/

-- [SA12451] Gentoo update for Gallery
Critical: Less critical
Where: From remote
Impact: System access
Released: 2004-09-03
Gentoo has issued an update for Gallery. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/12451/

-- [SA12443] Red Hat update for httpd
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-09-02
Red Hat has issued an update for httpd. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12443/

-- [SA12499] Gentoo update for samba
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-09-09
Gentoo has issued an update for samba.
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12499/

-- [SA12485] Gentoo update for star
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-09-08
Gentoo has issued an update for star. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/12485/

-- [SA12484] Star Unspecified Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-09-08
An unspecified vulnerability has been reported in star, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/12484/

-- [SA12482] Mandrake update for cdrecord
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-09-08
MandrakeSoft has issued an update for cdrecord. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/12482/

-- [SA12481] cdrecord Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-09-08
Max Vozeler has reported a vulnerability in cdrecord, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/12481/

-- [SA12476] Net-Acct Insecure Temporary File Creation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-09-07
Stefan Nordhausen has discovered a vulnerability in net-acct, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/12476/

-- [SA12462] Gentoo update for Ruby
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-09-06
Gentoo has issued an update for ruby. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/12462/

-- [SA12440] bsdmainutils calendar Utility File Content Disclosure Vulnerability
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-09-03
Steven Van Acker has reported a vulnerability in bsdmainutils, which potentially can be exploited by malicious, local users to gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/12440/

-- [SA12470] Sun Solaris in.named Dynamic Update Denial of Service Vulnerability
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2004-09-06
A vulnerability has been reported in Sun Solaris, which can be exploited by certain malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12470/

-- [SA12477] Gentoo multi-gnome-terminal Potential Exposure of Sensitive Information
Critical: Not critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-09-07
Gentoo has issued an update for multi-gnome-terminal. This fixes a potential security issue, which may expose sensitive information.
Full Advisory: http://secunia.com/advisories/12477/

Other:

-- [SA12461] Dynalink RTA230 Default Username and Password
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-09-06
fabio has reported a security issue in Dynalink RTA230, which can be exploited by malicious people to gain control of a vulnerable device.
Full Advisory: http://secunia.com/advisories/12461/

-- [SA12471] StorageTek D280 Disk System Denial of Service Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS
Released: 2004-09-07
Frank Denis has reported a vulnerability in StorageTek D280 Disk System, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12471/

-- [SA12469] IBM TotalStorage DS4100 Denial of Service Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS
Released: 2004-09-07
Frank Denis has reported a vulnerability in IBM TotalStorage DS4100 (formerly FAStT100), which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12469/

-- [SA12464] Engenio Storage Controllers Denial of Service Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS
Released: 2004-09-07
Frank Denis has reported a vulnerability in Engenio Storage Controllers, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12464/

-- [SA12450] NetScreen-IDP scp Directory Traversal Vulnerability
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2004-09-03
Juniper Networks has acknowledged an older vulnerability in OpenSSH for Netscreen-IDP, which potentially can be exploited by malicious people to overwrite arbitrary files on a vulnerable device.
Full Advisory: http://secunia.com/advisories/12450/

-- [SA12472] Brocade SilkWorm Switches Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-09-07
Frank Denis has reported a vulnerability in Brocade SilkWorm Switches, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12472/

Cross Platform:

-- [SA12467] Tutti Nova Unspecified Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Unknown
Released: 2004-09-06
Various unspecified vulnerabilities with an unknown impact have been reported in Tutti Nova.
Full Advisory: http://secunia.com/advisories/12467/

-- [SA12444] Squid NTLM Authentication Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-09-03
Marco Ortisi has reported a vulnerability in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12444/

-- [SA12439] TorrentTrader "id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, Manipulation of data
Released: 2004-09-02
aCiDBiTS has reported a vulnerability in TorrentTrader, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/12439/

-- [SA12438] phpWebSite Cross-Site Scripting and Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-09-03
James Bercegay has reported some vulnerabilities in phpWebSite, allowing malicious people to conduct cross-site scripting and script insertion attacks.
Full Advisory: http://secunia.com/advisories/12438/

-- [SA12466] phpGroupWare Unspecified Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-09-06
An unspecified vulnerability has been reported in phpGroupWare, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/12466/

-- [SA12486] Emdros Create/Update Object Type Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-09-08
A vulnerability has been reported in Emdros, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12486/

-- [SA12463] Cosminexus Portal Framework Unspecified Cached Content Replacement
Critical: Less critical
Where: From local network
Impact: Exposure of system information, Exposure of sensitive information
Released: 2004-09-07
A vulnerability has been reported in Cosminexus Portal Framework, which potentially can be exploited by malicious users to gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/12463/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

========================================================================

From isn at c4i.org Mon Sep 13 03:44:28 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 13 04:10:51 2004
Subject: [ISN] Four steps for protecting your internal networks
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,,95656,00.html

Opinion by Mudge
Intrusic Inc.
SEPTEMBER 09, 2004
COMPUTERWORLD

In the sciences, there are general principles that can apply to all environments. The principles of physics (i.e. the general laws) are ubiquitous across disciplines.
Why should the information security field be any different? It turns out that it isn't. In my experience, the following general principles have proved beneficial. Companies can apply them with existing internal resources.

1. Map security around business functions

In few areas is the relationship of security to business functions more obvious than in comparing electrical utilities with industrial refineries. Both business models use a segmentation structure around Supervisory Control and Data Acquisition and/or distributed control systems. While both electrical utilities and refineries have these environments, the refineries, in general, have a much more secure implementation of this model.

Was this due to particular security requirements? No. Upon querying technical experts from both industries, the rationale became clear: One field had to be much more competitive in the business realm than the other. Industrial refineries had to compete in the business market, while utilities were subsidized and regulated by the government.

If one company operated at even a fraction of a percentage more efficiently and cost-effectively than a competitor did, that business had an edge in the public markets. Tremendous amounts of effort were spent designing and making networks and systems perform core technical requirements in a way that was as efficient and organized as possible. These efforts resulted in networks with a relatively high security baseline. More important, they provided a solid foundation for future security components that might be desired in the future.

Without the economic driver of competition for the electrical utilities, the optimization and maximization of underlying business architectures didn't receive the same attention. As various utilities markets are deregulated, many players find themselves in the position of having to make a profit.
However, the underlying infrastructure lacks a foundation solid enough to confidently run critical business tasks, let alone withstand hostile attacks.

2. Define information and data labeling and handling guidelines

Although an arduous initial task, implementing data classification, labeling and handling guidelines will pay huge dividends in the long run. Many companies will invest substantial capital toward vulnerability assessments, network intrusion-detection systems and security best-practice guidelines. Unfortunately, few of these companies ever embrace information labeling and classification guidelines.

If an engineer comes across a business memo he doesn't understand, what are the odds that this information will be handled in a secure fashion commensurate with the memo's value? Conversely, if a secretary receives an e-mail that carries with it an attachment of source code, will the secretary automatically know whether it's permissible to forward this e-mail to a recipient outside of the corporate network?

No matter how perfect the technical security might be within an organization, not understanding what's valuable or sensitive and how to appropriately handle it will negate those technical defenses.

While I was working with the U.S. government on the problem of vulnerabilities in critical infrastructure, data labeling and handling guidelines surfaced as one of the most glaring problems. More than 80% of the time, there was no need to break into an organization that was a key player in one of the critical-infrastructure segments to demonstrate key vulnerabilities. Simply engaging in intelligence gathering would invariably yield the information to circumvent their corporate security or gain direct access to back-end networks responsible for the command and control of utility, financial, transportation and communications networks.

3. Learn how your network actually works

Many companies lack internal network diagrams altogether, let alone up-to-date ones.
While this might not be surprising, the following point very well might be: Of all the "up-to-date" internal network diagrams I have seen, only a small fraction of them are accurate in their representation of what really transpires on the underlying networks.

The divergence of actual network routing/flow from many paper mappings put together by internal network operations groups is easy to understand. The introduction or removal of network devices (primarily routers, switches and hubs in this case) without documentation or the knowledge of IT is an obvious culprit. This can be accidental or intentional. While this does happen, it's usually not the greatest contributor to inaccurate network maps.

The larger contributor comes in two parts. First is the use of dynamic protocols in an inherently static environment. The second is the willingness to forget the fact that most network infrastructure devices intentionally "fail open."

Few internal networks are set up with multiple entry and exit points. There is usually a single router per network or subnet that connects each leg to form the corporate network. Yet it's tremendously common to find internal routers running dynamic routing and discovery protocols. Because of this, normal maintenance of infrastructure components or reconfiguration of individual elements can result in cascading modifications to routes and paths. There are many suboptimal ways of switching and/or routing traffic that will continue to provide base functionality (albeit at a cost of performance and complexity).

Why is it that so many organizations have infrastructure devices configured to use dynamic routing and/or discovery protocols? The answer is simple: Vendors ship them by default. Manufacturers of infrastructure devices have to make a choice as to how their equipment will act under unusual or unknown circumstances.
Should the expensive switch stop working entirely, or should it revert to broadcast mode where it acts more akin to a repeater/hub? The choice is obvious. Put yourself in their situation and guess which option might be more or less disruptive to the customer's environment. Unfortunately, the customer is usually unaware of the fact that a switch has failed open.

The general rule of thumb for both business optimization and security is, "Keep it simple." By configuring infrastructure equipment to be static if it's deployed in a static environment and including periodic promiscuous sampling of network traffic at various locations, you'll maintain an accurate understanding of your network. At the very least, you'll be more aware of when things change.

4. Understand the components in your environment and how they relate to business

By following the above recommendations, this final project is much easier. This step allows an organization to engage in detecting and defending against external entities that have gained access to the network, or from internal personnel with ulterior motives. Standard intrusion-detection systems won't identify these threats because they're already inside. They don't attack a system because access is implicitly granted. The activities engaged in won't be detected, nor will they be thwarted by patching vulnerabilities discovered through network vulnerability assessments. One must engage in more classical counterintelligence practices to effectively combat this threat.

Let's say that these steps are in place: Business functions have been made as efficient as possible and are realistically mapped through their corresponding optimized network flows; corporatewide information and data classification and guidelines are in place, and network maps are known beyond any doubt to accurately represent how packets and information actually flow.
Now it's possible to identify information-gathering and reconnaissance activities, data removal and passive control of systems by covert adversaries. Adversaries have more to gain by maintaining access to internal networks for as long as possible without being discovered. However, to move data outside of this constrained environment, they must engage in activities that bend, if not flat-out violate, the general economics and information-theory principles of soundly designed and run businesses. Soundly run businesses by necessity require soundly understood internal networks and data items.

Peiter Mudge Zatko is founding scientist of Waltham, Mass.-based Intrusic Inc. and a division scientist at Cambridge, Mass.-based BBN Technologies.

From isn at c4i.org Mon Sep 13 03:43:38 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 13 04:10:53 2004
Subject: [ISN] Linux Advisory Watch - September 10th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  September 10th, 2004                         Volume 5, Number 36a  |
+---------------------------------------------------------------------+

Editors:  Dave Wreski                 Benjamin D. Thomas
          dave@linuxsecurity.com      ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for imlib, krb5, and kernel. The distributors include Fedora, Mandrake, and Suse.

-----
>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10
-----

BIOS Security

The BIOS is the lowest level of software that configures or manipulates your x86-based hardware. LILO and other Linux boot methods access the BIOS to determine how to boot up your Linux machine. Other hardware that Linux runs on has similar software (OpenFirmware on Macs and new Suns, Sun boot PROM, etc...). You can use your BIOS to prevent attackers from rebooting your machine and manipulating your Linux system.

Most PC BIOSs let you set a boot password. This doesn't provide all that much security (the BIOS can be reset, or removed if someone can get into the case), but might be a good deterrent (i.e. it will take time and leave traces of tampering). Similarly, on SPARC/Linux (Linux for SPARC(tm) processor machines), your EEPROM can be set to require a boot-up password. This might slow attackers down.

Many PC BIOSs also allow you to specify various other good security settings. Check your BIOS manual or look at it the next time you boot up. For example, most BIOSs disallow booting from floppy drives and some require passwords to access some BIOS features.

Note: If you have a server machine, and you set up a boot password, your machine will not boot up unattended. Keep in mind that you will need to come in and supply the password in the event of a power failure.

Security Tip Written by Dave Wreski (dave@linuxsecurity.com)
Additional tips are available at the following URL:
http://www.linuxsecurity.com/tips/

-----

AIDE and CHKROOTKIT

Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.
http://www.linuxsecurity.com/feature_stories/feature_story-173.html

---------------------------------------------------------------------

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com

http://www.linuxsecurity.com/feature_stories/feature_story-171.html

------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

9/10/2004 - imlib-1.9.13-15.fc Security update (core1)

Several heap overflow vulnerabilities have been found in the imlib BMP image handler. An attacker could create a carefully crafted BMP file in such a way that it would cause an application linked with imlib to execute arbitrary code when the file was opened by a victim.
http://www.linuxsecurity.com/advisories/fedora_advisory-4731.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

9/1/2004 - krb5 multiple vulnerabilities

A double-free vulnerability exists in the MIT Kerberos 5's KDC program that could potentially allow a remote attacker to execute arbitrary code on the KDC host.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4726.html

+---------------------------------+
|  Distribution: Suse             | ----------------------------//
+---------------------------------+

9/1/2004 - kernel vulnerabilities

Various signedness issues and integer overflows have been fixed within kNFSd and the XDR decode functions of kernel 2.6.
http://www.linuxsecurity.com/advisories/suse_advisory-4728.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Sep 13 03:43:51 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 13 04:10:54 2004
Subject: [ISN] Advance Program for the 20th Annual Computer Security Applications Conference
Message-ID:

Forwarded from: ACSAC announce-admin

The 20th ACSAC Conference Committee is pleased to announce that the Advance Program for the 20th Annual Computer Security Applications Conference (ACSAC) is available at our web site at http://www.acsac.org.

The conference for our 20th year will be held in Tucson, Arizona, USA, at the Hilton Tucson El Conquistador Golf & Tennis Resort from 6-10 December 2004. The Resort provides a comfortable setting - both indoors and outdoors - for meeting and discussing issues, lessons learned, and possible solutions with presenters, authors, tutorial instructors, and other Conference attendees.
This year, the Conference will be providing 6 full-day, pre-conference tutorials for information security novices as well as experienced veterans:

Monday, 6 December:
- Information System Security Basics
- Security Risk Assessment Techniques
- Exploring IEEE 802.11i and Providing Secure Mobility

Tuesday, 7 December:
- Security Policy Modeling
- The Worm and Virus Threats
- Acquisition and Analysis of Large Scale Network Data.

This year, the Conference will also be hosting two free, pre-conference workshops:
- Monday, 6 December: Workshop on Security Awareness Programs
- Tuesday, 7 December: Workshop on Trusted Computing

We are pleased to have Steven B. Lipner, Director of Security Engineering Strategy at Microsoft Corporation, as our 2004 Distinguished Practitioner, and Rebecca Mercuri, a recognized expert and researcher in the field of electronic voting from the Radcliffe Institute of Advanced Study at Harvard University, as our 2004 Invited Essayist. We're sure that their plenary presentations on Wednesday and Thursday morning, respectively, will be of interest to attendees and no doubt inspire discussion during the Conference luncheons and the Thursday evening Conference Dinner.

The ACSAC-20 Program (8 - 10 December) will include presentations of 35 refereed papers, a Classic Papers Session that revisits past issues that seem to persist today - "A1 is the Answer: What Was the Question?" and "A Look Back at 'Security Problems in the TCP/IP Protocol Suite'" - 16 Case Studies, 2 panels, and 1 debate.

Be sure to check out our web site for details not only about the presentations, workshops, and tutorials but also about the Resort and early Conference and Resort registration discounts.
http://www.acsac.org

From isn at c4i.org Mon Sep 13 03:44:03 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 13 04:10:55 2004
Subject: [ISN] [infowarrior] - Assistance Requested: Rewriting the NISPOM Sec 8
Message-ID:

---------- Forwarded message ----------
Date: Fri, 10 Sep 2004 08:58:16 -0400
From: Richard Forno
To: Richard Forno
Subject: [infowarrior] - Assistance Requested: Rewriting the NISPOM Sec 8

A new blog has been established to solicit community/contractor feedback and participation on a project to re-evaluate, rewrite, and more effectively automate NISPOM Chapter 8 dealing with IT security, certification/accreditation, etc. (Something long overdue, IMHO!)

The director of the NISPOM Chapter 8 rewrite and the director of the initiative to "fix the [C&A] process" is behind this venture and the official project has the spoken approval of the new Acting Director of the DSS.

Note: This blog is not an official site of the USG nor is it endorsed or to be considered endorsed by the USG. I'm not involved with the site or project except in helping my senior DSS friend promote it within the security community.

Theoretical Industrial Security IS Accreditation:
http://nispom.blogspot.com/

-rick
Infowarrior.org

From isn at c4i.org Mon Sep 13 04:00:30 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 13 04:10:57 2004
Subject: [ISN] German hacker finds open Wi-Fi networks in Manila
Message-ID:

http://news.inq7.net/infotech/index.php?index=1&story_id=10201

By Erwin Lemuel Oliva
INQ7.net
Sept 10, 2004

DRIVING through the central business district of Makati all the way to Malate in Manila, a German whitehat hacker discovered that only 15 of the 66 wireless access points or wireless local area networks located in these two areas were "encrypted."

"The encryption levels of these access points were not even secure," said the German whitehat hacker known as Van Hauser.
Van Hauser was in Manila as one of the experts invited to the third annual Philippine Information Technology Security Conference.

Showing the lack of security in the wireless local area networks (WLAN) of corporate firms in the Philippines, Van Hauser disclosed that the "wardriving" he conducted from Makati to Malate easily identified WLANs that were open to anyone armed with a laptop and software who wanted to detect wireless-fidelity (Wi-Fi) hotspots.

Wardriving is the process of scanning for wireless access points while driving by certain areas known to have such WLANs, said Van Hauser.

Van Hauser said malicious hackers can use open WLANs to launch attacks. But in cases where open WLANs are connected to other networks, hackers would likely access these networks and do more damage.

"If it is connected to other networks, then it becomes more interesting for hackers," said Van Hauser.

In his wardriving exercise, Van Hauser was able to detect the "open" WLANs of prominent firms located in Makati. He, however, declined to name these companies.

"Wardriving is not hacking. I was just scanning for access points in a certain area," he stressed.

Wardriving, however, is now being used by malicious hackers to locate public access points to launch attacks.

Van Hauser, 29, has been doing ethical hacking for various high-profile companies in Germany. He also works part-time for Suse Linux.

From isn at c4i.org Tue Sep 14 05:18:33 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 14 05:31:19 2004
Subject: [ISN] Justice Department plans more labs focused on cyber crime
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=29451

By Sarah Lai Stirland
National Journal's Technology Daily
September 13, 2004

Attorney General John Ashcroft said on Monday that the Justice Department soon will expand its capabilities for pursuing cyber crimes by broadening its forensic analysis capabilities.
The department has five regional centers for such analysis in the prosecution of cyber crimes and will increase the number to 13, he said. He did not provide further details.

"We recognize that proper forensic analysis of computer evidence is critical for the successful investigation and prosecution of crime," he said in a keynote address at a conference held by the High Technology Crime Investigation Association.

Ashcroft delivered a speech that outlined the growing importance and role of the prosecution of cyber crimes within Justice. In particular, he noted a greater emphasis on prosecuting computer hacking and crimes related to intellectual property.

"The cornerstone of the department's prosecutorial effort is the computer crime and intellectual property section ... a highly-trained team of three dozen expert prosecutors who specialize in coordinating all kinds of international computer crime and intellectual property offenses," he said.

Ashcroft noted that the number of computer hacking and intellectual property (CHIPS) units that FBI chief Robert Mueller established before Mueller became head of the FBI has been expanded to 13 units within Ashcroft's tenure as attorney general.

As part of the current appropriations cycle, Justice has asked Senate appropriators to increase funding of the CHIPS units. Lobbyists for the entertainment and software industry also have asked appropriators to allot more dedicated resources to pursuing intellectual property theft.

Ashcroft pointed to Justice's recently announced operations called Websnare and Digital Gridlock as examples of an increasing focus on cyber crime and as examples of successful coordination among law enforcers.

"Over the past few decades, we've seen human ingenuity unleash new ideas, new products and new ways of doing business," he said. "Freedom and innovation have produced the personal computer revolution, a revolution that extended the Internet beyond all borders.
It increased trade and increased commerce, delivered unimaginable opportunities to new spheres of human aspiration. But with this tremendous boon to human potential, we've seen a small group of predators try to make cyberspace a space where crime and terrorism can be conducted, and it is the duty and privilege of the Justice [Department] to fight these predators."

Ashcroft did not take questions after his 40-minute speech.

From isn at c4i.org Tue Sep 14 05:12:14 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 14 05:31:21 2004
Subject: [ISN] New Royal Security Breach
Message-ID:

http://news.scotsman.com/latest.cfm?id=3491829

By John-Paul Ford Rojas
PA News
13 September 2004

Security chiefs were once again left embarrassed today after a member of protest group Fathers 4 Justice staged a Buckingham Palace protest dressed as Batman.

After hurling condoms filled with purple flour at the Prime Minister in the House of Commons they have now managed to strike at the heart of the monarchy.

Amid constant warnings of the terrorist threat to the nation this small group of activists has repeatedly made a mockery of high-profile protection arrangements.

The protesters, who want better access rights for fathers, have also targeted some of Britain's most well-known landmarks.

On Saturday the London Eye was brought to a standstill after it was scaled by another member of the group dressed as Spider-Man.

The same man, 37-year-old David Chick, staged a six-day crane-top vigil at London's Tower Bridge last year in protest at being denied access to his daughter.

The group also targeted the leadership of the Church of England when they staged a demonstration at the General Synod at York Minster earlier this year.

Today's protest will prove especially embarrassing coming four months after a high-level report recommended better protection for the royals.
The overhaul came after Daily Mirror reporter Ryan Parry infiltrated Buckingham Palace to work as a footman and led to the appointment of a new royal security chief, Brigadier General Jeffrey Cook.

The Security Commission report called for wider checks on job applicants, guests, visitors and contractors with access to royal residences and warned that weaknesses exploited by the press could equally be exploited by terrorists.

But only 12 days after it was published there was a fresh scare when a man was alleged to have been found wandering around the grounds of Windsor Castle impersonating a police officer.

That was far from the first time there had been an embarrassing royal security scare with one of the most celebrated recent breaches taking place at Prince William's 21st birthday party at the castle last year.

A major investigation was launched after "comedy terrorist" Aaron Barschak gatecrashed the event wearing a dress, beard and sunglasses before kissing the prince on both cheeks.

The most serious scare came in March 1982 when Michael Fagan broke into the Queen's bedroom at Buckingham Palace. She woke to find him sitting on her bed.

A year earlier, Marcus Sarjeant, 17, fired six blank shots at the Queen at the Trooping the Colour ceremony.

Stephen Goulding was jailed for three months after breaking into the grounds of Buckingham Palace in 1990. He claimed he was Prince Andrew Windsor and declared the Queen was his "mum".

In July 1992, Kevin McMahon, 25, was arrested inside the grounds for the second time in a week. During his first sortie, he forced a helicopter carrying the Queen and the Duke of Edinburgh to divert as he roamed the grounds.

Also in 1992, an intruder walked into St James's Palace and downed a whisky in Princess Alexandra's private apartment.

A naked paraglider landed on the roof of Buckingham Palace in 1994. American James Miller was fined £200 and deported.
In 1995, student John Gillard rammed the Palace gates in his car at 50mph, tearing one off its hinges.

From isn at c4i.org Tue Sep 14 05:12:46 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 14 05:31:23 2004
Subject: [ISN] Linux Security Week - September 13th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  September 13th, 2004                         Volume 5, Number 36n  |
|                                                                     |
|  Editorial Team:  Dave Wreski                 dave@linuxsecurity.com|
|                   Benjamin D. Thomas          ben@linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Defending Against Cross-Site Scripting Attacks," "Linux-based Wi-Fi hot spot on CD," and "Dependence, Risks Drive Demand for Network Security."

----

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

----

LINUX ADVISORY WATCH:

This week, advisories were released for imlib, krb5, and kernel. The distributors include Fedora, Mandrake, and Suse.

http://www.linuxsecurity.com/articles/forums_article-9785.html

AIDE and CHKROOTKIT

Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.
http://www.linuxsecurity.com/feature_stories/feature_story-173.html

----

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com

http://www.linuxsecurity.com/feature_stories/feature_story-171.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Make it & Break It: Defending Against Cross-Site Scripting Attacks.
September 13th, 2004

Most Web sites process dynamic content. They take user input from HTTP requests, process the request on the server and then give the user new content. The requests are processed using scripted code (JavaScript, VBScript or Perl, for example) and server components (including CGI, JSP, PHP, COM and ASP.Net).

http://www.linuxsecurity.com/articles/security_sources_article-9792.html

* Group Policy controls extended to Unix, Linux
September 13th, 2004

Microsoft has made no secret of its determination to expand into the data center, but this growth may not happen by the company's own hand.

http://www.linuxsecurity.com/articles/vendors_products_article-9795.html

* OpenBSD's Theo de Raadt talks software security
September 10th, 2004

With security the focus of this year's Australian Unix Users Group (AUUG) conference, OpenBSD founder and project lead Theo de Raadt was invited to speak on exploit mitigation techniques.
In an exclusive interview with Computerworld's Rodney Gedda, the man behind an operating system that lays claim to only one remote exploit in the default install in seven years, reveals where we are headed - and how far we have to go - in the search for more secure software.

http://www.linuxsecurity.com/articles/security_sources_article-9779.html

* More big security holes in Linux
September 9th, 2004

Open-source developers have warned of serious security holes in two Linux components that could allow attackers to take over a system by tricking a user into viewing a specially-crafted image file or opening an archive. Patches exist for the bugs, which affect LHA and imlib.

http://www.linuxsecurity.com/articles/server_security_article-9771.html

+------------------------+
| Network Security News: |
+------------------------+

* Juniper Incorporates Third-Party Security in SSL VPNs
September 8th, 2004

Juniper Networks Inc. is expanding users' security options by opening new interfaces that allow integration of third-party tools with Juniper's line of SSL VPNs. Juniper's new Endpoint Defense Initiative works with all NetScreen Secure Sockets Layer VPN appliances, according to officials in Sunnyvale, Calif.

http://www.linuxsecurity.com/articles/vendors_products_article-9755.html

* Linux-based Wi-Fi hot spot on CD
September 8th, 2004

ZoneCD uses a modified version of the Debian Linux distribution called Knoppix, which is designed to run from CD and provides automatic hardware detection and configuration. On top of this platform, Public IP provides features needed to run a secure Wi-Fi public hot spot, such as user authentication, a proxy server, content filtering, DNS caching and DHCP and Web server functionality.

http://www.linuxsecurity.com/articles/network_security_article-9760.html

* Can spammers really exploit wireless networks?
September 8th, 2004

A landmark case in America could prove it.
A US citizen is thought to have become the first person to be accused of hacking a wireless network in order to send spam. Nicholas Tombros, 37, is charged under the US CAN-SPAM act, which aims to clamp down on unsolicited junk mail.

http://www.linuxsecurity.com/articles/network_security_article-9762.html

* Dependence, risks drive demand for network security
September 8th, 2004

SMALL- to medium-scale enterprises (SMEs), especially those involved in financial and retail services, are being driven by competition and are thus becoming more dependent on the Internet as a business tool.

http://www.linuxsecurity.com/articles/network_security_article-9764.html

+------------------------+
| General Security News: |
+------------------------+

* Hacker communities play cat-and-mouse with security
September 10th, 2004

HACKERS worldwide will gradually find it more difficult to hack into computer networks even as their communities continue to grow, according to a German hacker known as Van Hauser.

http://www.linuxsecurity.com/articles/network_security_article-9783.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Sep 14 05:16:57 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 14 05:31:24 2004
Subject: [ISN] Germans develop nasty case of IE jitters
Message-ID:

http://www.theregister.co.uk/2004/09/13/german_ie_jitters/

By Jan Libbenga
13th September 2004

Michael Dickopf, spokesman for the German Federal Office for Information Security (BSI), has told the Berliner Zeitung that internet users should switch from Internet Explorer to Mozilla or Opera. Dickopf says Internet Explorer is hazard-prone, attracting too many viruses and worms.
BSI already uses a combination of alternative browsers, Dickopf told the paper.

Dickopf's comments are bad news for Microsoft. BSI is the central IT security service provider for the German government. Its recommendations are usually taken extremely seriously.

The Federation of German Consumer Organisations (Vzbv), a non-governmental organisation acting as an umbrella for 38 German consumer associations, also warns users to be careful when using Internet Explorer. Online banking scams and identity theft are proliferating in Germany due to security exploits in Microsoft's browser or in its email client Outlook (Express). Recently, several customers of Dresdner Bank have fallen victim to a Trojan horse program, which snatched their banking passports.

Microsoft Germany denies that Internet Explorer is less safe than other browsers and says that it offers patches as soon as an exploit is discovered.

It isn't the first time that governmental agencies have issued warnings about Internet Explorer. In 2002 the Department of Homeland Security's US Computer Emergency Readiness Team touched off a storm when it recommended, for security reasons, using browsers other than Microsoft's Internet Explorer.

From isn at c4i.org Tue Sep 14 05:19:57 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 14 05:31:26 2004
Subject: [ISN] Virus writers look for work
Message-ID:

http://www.theinquirer.net/?article=18398

By Nick Farrell
13 September 2004

THE WRITERS of the MyDoom viruses are encoding job applications into the latest variants of the bug.

According to Sophos the plea for work was found when its boffins were stripping the code of the MyDoom-U and MyDoom-V variants. "We searching 4 work in AV (anti-virus) industry," read the message, although a CV was not attached.
Media friendly Sophos spokesman Graham Cluley said that it was unclear how serious the writers were, but there was no way that anyone in the AV industry would 'touch them with a bargepole'.

The MyDoom-U and MyDoom-V contain a file attachment that, when downloaded, infects a computer with a "back door" that blocks access to most anti-virus websites and turns the computer into a spamming machine, sending out junk emails.

However they are not spreading particularly well, which might indicate that the mydoom franchise is running out of steam, hence the job application. It is also equally possible that the writers might have finished their school or university and are thinking about a career.

Despite what Cluley said, surely it must be a lot cheaper for the industry to give these kids a job turning over their mates rather than spending a lot of time and effort patching worm variants.

From isn at c4i.org Tue Sep 14 05:21:14 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 14 05:31:27 2004
Subject: [ISN] Security holes plague Windows Help
Message-ID:

http://www.pcworld.idg.com.au/index.php/id%3B54090879%3Bfp%3B2%3Bfpid%3B1

Stuart J. Johnston
PC World
14/09/2004

As its name implies, the Windows HTML Help system is designed to help PC users by providing graphics, multimedia elements, and hyperlinks to additional information. But it turns out that attackers can use this system to help themselves to your files, and even to take control of your PC.

Two newly discovered security holes affect the HTML Help system and the Task Scheduler in Windows XP and 2000. The Help security bug also affects earlier versions of Windows, including 98, 98 SE, and Me.

Unfortunately, Microsoft has not yet finished developing patches for the older Windows versions and can't say when they'll be ready. When they are, the company says, users will be able to get the patches through Windows Update.
One minor blessing: The older versions of the Windows operating system aren't susceptible to the Task Scheduler bug. (Task Scheduler allows users to set the times when specific jobs, such as system maintenance programs, will run.)

Before a malevolent cracker could exploit either security flaw, you would have to visit a Web site that hosted a malicious link, or click a link in an HTML e-mail that took you to the attacker's site.

Like many security flaws in Microsoft products, these holes could be exploited by sending the system faulty or excessive information, causing the machine to malfunction. Then the attacker would transmit a program of his or her own to take control of your PC.

Microsoft designated the holes as "critical" because a cracker's successful assault could result in the complete takeover of your machine: The evildoer would then have free rein to steal your personal files or even to wipe out the contents of your hard disk.

Microsoft has now released patches for both flaws in Windows XP and 2000. If you use XP, I recommend getting Service Pack 2. Though the company hasn't yet posted patches for Windows 98 and Me systems, it has provided workarounds for both bugs.

From isn at c4i.org Wed Sep 15 01:58:26 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 15 02:11:58 2004
Subject: [ISN] Online article reveals hacker's ID
Message-ID:

http://www.thejakartapost.com/detailcity.asp?fileid=20040915.G04&irec=3

Urip Hudiono
The Jakarta Post/Jakarta
September 15, 2004

Witness Affan Basalamah, a member of the General Elections Committee (KPU) information technology (IT) team, told the Central Jakarta District Court on Tuesday that he had obtained the name of the KPU website hacker through an article he found on the Internet.

Testifying during the trial of Dani Firmansyah, who stands accused of hacking into the KPU website, Affan said that he had just arrived at the Borobudur Hotel, the KPU tabulation center, on April 17 at around 8 p.m.
from Surabaya when a colleague informed him of the "attack".

"At the time, all network cables running in and out of the website server had been disconnected," he said. "My colleagues then told me what had happened -- that the website's contents had been altered and that the network cables had been physically unplugged to prevent further attacks."

Affan later tried to track down the hacker by analyzing the server's log files -- which contain a record of the Internet Protocol (IP) numbers of computers that had accessed the website -- and found a suspicious IP number under the login name of "xuser".

"I was sure it was the hacker because the login name appeared right at the time the break-in occurred," he said.

Using the information, he then conducted a search through the Internet and found an online article under a similar name. "The article was written by 'Dani Firmansyah', who used 'xuser' as his nickname," he said.

Affan later passed on the information to the Jakarta Police cyber crime unit officers who were handling the case.

In the last session of the trial, witness Second Insp. Sugeng Priyadi from the cyber crime unit said he was ordered to follow the lead to a hacker community in Yogyakarta. He then received information from another hacker confirming Dani's identity, which led to his arrest on April 22.

The defense questioned the evidence of the witnesses called by the prosecution as none of them were actual eyewitnesses to the incident.

"We object to the fact that witness Affan was still in Surabaya," lawyer Mukhtar Zuhdy said. "Their evidence is redundant and repetitive."

Presiding judge Hamdi accepted the defense arguments and asked prosecutor Ramos Horta to better prepare the witnesses, and start calling his expert witnesses.

Besides Affan, Monday's session also heard evidence from witnesses R. M. Aryana and Husni Fahmi, both of whom are also members of KPU's IT team.

The trial was adjourned until Sept. 22, when more witnesses will be heard.
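The log review Affan describes, matching the login name and source address active at the moment the content changed, as an added example that is not part of the article or the KPU's own tooling. It assumes Apache "combined" access logs with an authenticated-user field; the log lines, addresses (RFC 5737 test ranges), times and the PUT that models the defacement are all constructed, and only the login name "xuser" and the April 17 date come from the article.

```python
"""
Correlating web-server log entries with the time of a defacement.

Added example, not from the article: given the time a page changed, list
which (source IP, login name) pairs were active around that moment. The
sample log below is constructed; the addresses and times are made up.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache combined format: ip ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real data). In this toy scenario the
# defacement is the successful PUT to /index.html at 19:41:07.
SAMPLE_LOG = """\
192.0.2.44 - - [17/Apr/2004:19:39:58 +0700] "GET /tabulasi.php HTTP/1.1" 200 5123
192.0.2.10 - xuser [17/Apr/2004:19:40:12 +0700] "GET /admin/ HTTP/1.1" 200 2210
192.0.2.10 - xuser [17/Apr/2004:19:41:07 +0700] "PUT /index.html HTTP/1.1" 201 20
198.51.100.7 - - [17/Apr/2004:19:41:30 +0700] "GET /index.html HTTP/1.1" 200 340
192.0.2.10 - xuser [17/Apr/2004:19:42:01 +0700] "GET /index.html HTTP/1.1" 200 340
203.0.113.5 - - [17/Apr/2004:20:15:44 +0700] "GET /index.html HTTP/1.1" 200 340
"""

# Methods that can change server-side content in this scenario.
WRITE_METHODS = {"PUT", "POST", "DELETE"}


def parse_log(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        # "%z" parses the "+0700" offset, so times are timezone-aware.
        entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(entry)
    return entries


def modifying_requests(entries, path):
    """Requests that could have changed `path`: a write method with a 2xx status."""
    return [e for e in entries
            if e["path"] == path
            and e["method"] in WRITE_METHODS
            and e["status"].startswith("2")]


def activity_around(entries, when, window=timedelta(minutes=2)):
    """Every request logged within +/- `window` of `when`."""
    return [e for e in entries if abs(e["time"] - when) <= window]


def suspect_pairs(entries, path):
    """
    For each modifying request on `path`, count the (ip, user) pairs seen
    near it. The pair that issued the change is the strongest lead; the
    rest are context the analyst should still review. Returns a list of
    ((ip, user), count) sorted by count, most frequent first.
    """
    counts = Counter()
    for change in modifying_requests(entries, path):
        for e in activity_around(entries, change["time"]):
            counts[(e["ip"], e["user"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for (ip, user), n in suspect_pairs(log, "/index.html"):
        print(f"{ip:15} user={user:8} requests near the change: {n}")
```

On a real case the analyst would widen the window, check the server's clock against the time the defacement was noticed, and corroborate the login name against other sources, since a log entry alone is not proof of identity.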
From isn at c4i.org Wed Sep 15 01:56:57 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 15 02:12:00 2004
Subject: [ISN] Virus writers add network sniffer to worm
Message-ID:

http://www.theregister.co.uk/2004/09/14/network_sniffer_worm/

By John Leyden
14th September 2004

Virus writers have grafted a network sniffer into the latest variant of the SDBot worm series. So far there are no reports of SDBot-UH in the wild but the inclusion of selective network sniffing along with keystroke logging features and other backdoor capabilities has security researchers worried.

Sniffers are designed to monitor network traffic. They are widely used for network performance diagnostics but in this instance their function has been turned to malign purposes. Bundling a network sniffer with an auto-propagating worm makes it easier for hackers to harvest usernames and passwords than would otherwise be the case.

The sniffing capabilities of SDBot-UH worm focus on phrases associated with network logins and Paypal accounts. It also tries to steal the CD keys of games, according to an advisory by AV firm Trend Micro.

Patrick Nolan, a security researcher at the Internet Storm Center, warns: "If the Trojans described by Trend can successfully transmit the filter's packet captures back to the owner, they are going to cause problems well beyond typical bot infestation issues."

SDBot-UH uses a variety of well-known Microsoft exploits to spread. It also looks for weak usernames and passwords to gain access to target machines.

Malicious sniffers can be difficult to detect but Netcraft points to a number of tools such as Sentinel and AntiSniff that can be used to detect sniffers on a network. Individual users would do well to check that their network card is not set in promiscuous (sniffing) mode.
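The promiscuous-mode check the article recommends, as an added example for Linux hosts that is not part of the article or of the tools it names. It assumes the kernel's per-interface flag word in /sys/class/net/<iface>/flags (IFF_PROMISC is bit 0x100) and the flag list printed by `ip link show`; the `ip link` output below is constructed so the parsers can be exercised offline.

```python
"""
Checking whether a Linux network interface is in promiscuous mode.

Added example, not from the article. Two sources of the same information
are parsed: the hex flag word in /sys/class/net/<iface>/flags and the
symbolic flag list from `ip link show`. `scan_sysfs()` reads the live
files; the other two functions work on text so they can be tested offline.
"""
import os
import re

IFF_PROMISC = 0x100  # from <linux/if.h>: interface receives all packets


def promisc_from_flags(flags_text):
    """Parse the hex string read from /sys/class/net/<iface>/flags."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


# One line of `ip link show` looks like:
# 2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc ...
IP_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def promisc_from_ip_link(output):
    """Return the names of interfaces whose `ip link` flag list includes PROMISC."""
    found = []
    for line in output.splitlines():
        m = IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found


def scan_sysfs(root="/sys/class/net"):
    """Live check: list promiscuous interfaces by reading sysfs under `root`."""
    result = []
    if not os.path.isdir(root):
        return result  # not Linux, or sysfs not mounted
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                if promisc_from_flags(fh.read()):
                    result.append(iface)
        except OSError:
            continue  # interface vanished or flags not readable
    return result


# Constructed sample output (not captured from a real machine).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
"""

if __name__ == "__main__":
    print("promiscuous in sample output:", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("promiscuous on this host:", scan_sysfs())
```

A clear flag is a first check rather than proof of absence: a sniffer running with kernel-level privileges can hide the flag from both sources, which is why the article also points to dedicated detection tools.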
From isn at c4i.org Wed Sep 15 01:57:28 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Sep 15 02:12:02 2004
Subject: [ISN] Major graphics flaw threatens Windows PCs
Message-ID:

http://news.com.com/Major+graphics+flaw+threatens+Windows+PCs/2100-1002_3-5366314.html

By Robert Lemos
Staff Writer, CNET News.com
September 14, 2004

Microsoft published on Tuesday a patch for a major security flaw in its software's handling of the JPEG graphics format and urged customers to use a new tool to locate the many applications that are vulnerable.

The critical flaw has to do with how Microsoft's operating systems and other software process the widely used JPEG image format and could let attackers create an image file that would run a malicious program on a victim's computer as soon as the file is viewed. Because the software giant's Internet Explorer browser is vulnerable, Windows users could fall prey to an attack just by visiting a Web site that has affected images.

The severity of the flaw had some security experts worried that a virus that exploits the issue may be on the way.

"The potential is very high for an attack," said Craig Schmugar, virus research manager for security software company McAfee. "But that said, we haven't seen any proof-of-concept code yet." Such code illustrates how to abuse flaws and generally appears soon after a software maker publishes a patch for one of its products.

The flaw affects various versions of at least a dozen Microsoft software applications and operating systems, including Windows XP, Windows Server 2003, Office XP, Office 2003, Internet Explorer 6 Service Pack 1, Project, Visio, Picture It and Digital Image Pro. The software giant has a full list of affected applications in the advisory on its Web site. Windows XP Service Pack 2, which is still being distributed to many customers' computers, is not vulnerable to the flaw.
"The challenge is that (the flawed function) ships with a variety of products," said Stephen Toulouse, security program manager for Microsoft's incident response center.

Because so many applications are affected, Microsoft had to create a separate tool to help customers update their computers. Users of Windows Update will also be directed to the software giant's Office Update tool and then to the tool that will find and update imaging and development applications. The tools are a preview of what may come from the company in the future, Toulouse said.

"We know one of the most important things that we hear from customers is to make the software update process easier," he said. "A goal of a unified update mechanism is what we are looking at."

Out of necessity, Linux distributions have already developed such unified update software, which not only updates the core operating system but also other applications created by the open-source community. The majority of Windows applications, however, are created by companies other than Microsoft, making such a unified update system more politically difficult to create.

The JPEG processing flaw enables a program hidden in an image file to execute on a victim's system. The flaw is unrelated to another image vulnerability found in early August. That vulnerability, in a common code library designed to support the Portable Network Graphics, or PNG, format, affected applications running on Linux, Windows and Apple's Mac OS X. Both the JPEG, which stands for Joint Photographic Experts Group, and PNG formats are commonly used by Web sites.

As part of a notification program that has been in place since April 2004, any customer that had signed a nondisclosure agreement with Microsoft received a three-day advance warning about the JPEG flaw.

"Some customers wanted to get more information, for planning purposes," Toulouse said, responding to media reports that premium customers were getting advanced notice of security issues.
He directed interested customers to their Microsoft sales representative to get more information on the program. The information given to participants in the program is limited to the number of flaws, the applications affected and the maximum threat level assigned to the flaws. The JPEG image-processing vulnerability is the latest flaw from Microsoft and the source of the company's 28th advisory this year. Microsoft frequently includes multiple issues in a single advisory; four advisories in April, for example, contained more than 20 vulnerabilities. A second patch released by Microsoft on Tuesday fixes a flaw in the WordPerfect file converter in Microsoft Office, Publisher, Word and Works. That flaw is rated "important," Microsoft's second-highest threat level, just below "critical." The vulnerability would let an attacker take control of the victim's PC, if that user opened a malicious WordPerfect document. More information on the second flaw can be found in the advisory on Microsoft's Web site. The software giant recommends that customers use Office Update to download the fix. From isn at c4i.org Wed Sep 15 01:57:51 2004 From: isn at c4i.org (InfoSec News) Date: Wed Sep 15 02:12:03 2004 Subject: [ISN] Hackers Join Homeland Security Effort Message-ID: http://www.washingtonpost.com/wp-dyn/articles/A20226-2004Sep14.html By Adam Tanner Reuters Sept 14, 2004 IDAHO FALLS, Idaho -- Jason Larsen types in a few lines of computer code to hack into the controls of a nearby chemical plant. Then he finds an online video camera inside and confirms that he has pumped up a pressure value. "It's the challenge. It's you finding the flaws," he said when asked about his motivation. "It's you against the defenders. It comes from a deep-seated need to find out how things work." Larsen, 31, who wears his hair long and has braces on his teeth, is a computer hacker with a twist. 
His goal is not to wreak havoc, but to boost security for America's pipelines, railroads, utilities and other infrastructure, part of a project backed by the Idaho National Engineering and Environmental Laboratory. Sponsored by the U.S. Department of Energy, the Idaho lab last month launched a new cyber security center where expert hackers such as Larsen test computing vulnerabilities. Spread across 890 square miles in a remote area of eastern Idaho, INEEL gives experts access to an entire isolated infrastructure such as the one Larsen hacked into. "I don't think people have an understanding of what could be the impact of cyber attacks," Paul Kearns, director of INEEL, told Reuters. "They don't understand the threat." In recent months, U.S. security officials have warned that the nation is not prepared against cyber terrorism. "I am confident that there is no system connected to the Internet, either by modem or fixed connection, that can't be hacked into," said Laurin Dodd, who oversees INEEL's national security programs. He added that only a computing system totally isolated from the outside, such as that used by the Central Intelligence Agency, would be immune to hacking. Another problem is that many once-isolated systems used to run railroads, pipelines and utilities are now also accessible via the Internet and thus susceptible to sabotage. "More and more of these things are being connected to the Internet, so they can be monitored at corporate headquarters," said Dodd, INEEL's associate lab director. "It is generally accepted that the August blackout last year could have been caused by that kind of activity." "Most people think risk in this area is not going to result in thousands of deaths," he continued. "If somebody could wreak havoc in the financial system by getting into computers and as a result people lost confidence in the financial system, that could be pretty consequential." Added lab director Kearns: "That's what al Qaeda is all about." 
PUZZLING OUT THE CODE Steve Schaeffer in INEEL's cyber security lab was recently asked to decode a General Electric designed system. "My test was to subvert that guy's system in some manner," he said. "It only took about two months before we had enough information to affect the protocol to affect operations." "If they can dial into the system, guess what, so can I." Lab officials emphasize that such hacking occurs within INEEL's own facilities rather than at real-life entities outside. The Swiss engineering group ABB recently signed an agreement to become INEEL's first cybersecurity customer to test their actual vulnerabilities. INEEL officials tell of a recent visit by an Idaho utility executive who declared his system had no problems. By the end of their demonstration, the shaken executive was asking for a comprehensive review of his firm. In another incident, INEEL's Larsen entered a U.S. agency in Washington D.C. and hacked into its computer system with a simple hand-held computing device, much to the surprise of officials there, a lab official said. Larsen declined to discuss the episode. When it comes to Larsen's background, there is a fair amount that he and his superiors prefer not to discuss. To gain the skills he has, one must have experience in the nebulous world of hacking. "This is one of the few places where it is legal to give people those kind of challenges," said Robert Hoffman, head of INEEL cyber security who hired Larsen. He said he was impressed that Larsen had written his first computer code at age 13. "I learned my hacking back when it was a cool thing," said Larsen as he spoke of computing in the pre-Internet days. He wore a black T shirt with the inscription "Stop laughing, computers are cool now." INEEL officials say the lab would not hire anyone who had committed criminal acts and added they must obtain security clearances. "How do you know that your wife is not going to clean out your bank account?" Schaeffer said. 
"You just trust people and you do background checks." The Idaho cyber security effort is part of the Department of Homeland Security's efforts to boost defenses against possible attacks of all kinds. INEEL seeks a delicate balance between encouraging key parts of the U.S. economy to boost their cyber security without inspiring any nefarious acts. "What you don't want to do is increase the threat by advertising what you can do. I think dirty bombs is one example," INEEL's national security head Dodd said. From isn at c4i.org Wed Sep 15 01:58:08 2004 From: isn at c4i.org (InfoSec News) Date: Wed Sep 15 02:12:05 2004 Subject: [ISN] MS Premium Customers Get Early Security Warnings Message-ID: http://www.internetnews.com/security/article.php/3406851 By Ryan Naraine September 10, 2004 Microsoft is giving premium customers advance notice of security bulletins, internetnews.com has learned. The company plans to release two security bulletins, one with a "critical" rating, on Tuesday September 14, in order to plug holes in multiple software products, according to an advance notice sent to select customers. The note, obtained by internetnews.com, said Microsoft's September batch of patches will plug a serious vulnerability in Microsoft Windows, Microsoft Office, Microsoft Home, Microsoft Visual Studio, and Microsoft .NET Framework. A separate patch with an "important" rating will be issued for Microsoft Office customers, the company said in the notice, which was sent only to premier customers. "At this time no additional information on these internal bulletins such as details regarding severity or details regarding the vulnerability will be made available until 14 September 2004," according to the notice. While Microsoft said the number of bulletins, products affected, restart information and severities are subject to change until released, it appears there won't be a patch this month for a "highly critical" bug in Internet Explorer browser's drag-and-drop feature. 
The bug could put millions of Web surfers at risk of malicious hacker attacks. A public warning for that vulnerability was issued on August 19. In a statement released to internetnews.com, Microsoft confirmed the pre-release of information to premier and other representative customers. "Based on customer feedback, Microsoft started a 'heads-up' security bulletin notification program in November 2003 with Premier and other representative customers. The program was well-received and feedback from participating customers was very positive; consequently, the program was expanded in April 2004 to include all customers who will sign an appropriate non-disclosure agreement," the company added. Microsoft said the program is designed to provide very limited information in a brief e-mail three business days before the anticipated release of monthly security bulletins. It also said the notification is to assist customers with resource planning for the monthly security bulletin release. Microsoft insisted the information provided in the notice was "very basic in nature" and intended only to provide general guidelines concerning the maximum number of bulletins that may be released, the anticipated severity ratings, and an overview of products that may be affected. "The information is purposely not specific and does not disclose any vulnerability details or other information that could put customers at risk." However, the availability of advance notice for high-end customers isn't likely to sit well with most Microsoft customers who must wait for the public release of bulletins on the second Tuesday of every month. The move could also raise the ire of independent security researchers who detect software flaws and work privately with Microsoft ahead of coordinated public disclosure. While Microsoft has typically provided warnings ahead of time to ISVs if a patch will disrupt a specific application, advance notice of specific software patches is never released. 
In the notice, which was seen by internetnews.com, Microsoft said it was intended to "help our customers plan for the deployment of these security updates more effectively. The goal is to provide our Premier customers with information on soon-to-be released security updates." However, Gartner security analyst John Pescatore described the pre-release of security information to high-end customers only as "an extremely dangerous practice." "I know that Microsoft provides some advance warning to the Department of Homeland Security on things that could affect critical infrastructure. But I've never seen Microsoft give advance information only to customers who pay. That would be a terrible thing to do," Pescatore said. "That should only be allowed when we are talking about vulnerabilities that affect critical infrastructure. Not 'pay me more and I'll tell you earlier'. It's a very bad practice." The Gartner vice president said the notice would be akin to an independent researcher or hacker finding a vulnerability and sharing the information before a patch is available. "If Ford decided to issue recall notices for faulty brakes only to people who paid for extended warranty, that won't fly. That would be a horrible thing to do." The U.S. government's Computer Emergency Readiness Team (US-CERT) has also been heavily criticized for providing security advisories to paying customers ahead of coordinated public release. Last January, research firm Next Generation Security Software (NGSS) severed ties with the federally funded US-CERT and accused the organization of selling early access to vulnerability warnings long before vendor fixes are made available. At the time, NGSS co-founder Mark Litchfield said it was "annoying" that CERT gave early warning on six vulnerabilities to its paid sponsors before vendor patches were created and made available. 
"The problem became apparent when the vendor we're working with on these vulnerabilities said they were contacted by government departments. CERT notified them ahead of patches being made available. We did not know about this policy to share this information with people who pay for that privilege," Litchfield argued. NGSS at the time vowed that it would cut off CERT from all future bug warnings until the organization signed a binding non-disclosure agreement that it would not share early access with its paid sponsors. From isn at c4i.org Wed Sep 15 01:58:55 2004 From: isn at c4i.org (InfoSec News) Date: Wed Sep 15 02:12:06 2004 Subject: [ISN] Extortion Online Message-ID: http://www.informationweek.com/story/showArticle.jhtml;jsessionid=XHCTLPEBU4LVCQSNDBGCKHY?articleID=47204212 By George V. Hulme Sept. 13, 2004 It's the kind of E-mail that grabs you by the collar and doesn't let go. On a Saturday afternoon last January, a message hit the in-box of BetCBSports.com, threatening to knock the online gambling site offline in prime sports-betting season if the company didn't pay up. "You have 3 choices. You can make a deal with us now before the attacks start. You can make a deal with us when you are under attack. You can ignore us and plan on losing your Internet business," the E-mail read. It was no bluff. Within three hours, the site was taken down by what's known as a distributed denial- of-service attack. The first attack lasted five minutes and then ceased. "They were showing us what they could do," says Thomas Burns, who runs the business-technology systems for what's now known as WagerWeb.com, operated by CasaBlanca Gaming. Such threats happen more often than most people realize. A survey by Carnegie Mellon University's H. 
John Heinz III School of Public Policy, in conjunction with InformationWeek's Summer Research Fellowship, found extortion attacks are surprisingly common: 17% of the 100 companies surveyed say they've been the target of some form of cyberextortion. The study, authored by graduate student Gregory M. Bednarski, queried small and midsize businesses about cyberextortion and other types of computer fraud. The findings come as no surprise to FBI special agent Thomas Grasso, who helped with the study. "The majority of the cybercrimes we investigate involve some type of monetary motivation," Grasso says. "This business of people going out and compromising sites just to prove how much they know is a myth." WagerWeb was knocked offline for about a day, says Dan Johnson, senior VP and senior oddsmaker at the site. Rather than pay off the attackers, the company called on its technical forces to build a defense and enlisted the help of Internet security-services provider Prolexic Technologies Inc. The vendor's services, at about $100,000 a year, aren't cheap. But, "I'd rather pay the $100,000 than pay the extortionists," Johnson says. The gamble paid off. "As soon as we got the service running, the attack stopped," technology manager Burns says. Cyberextortion mostly travels under the radar, but not always. Earlier this year, Myron Tereshchuk, 42, of Maryland, pleaded guilty to one count of attempting to extort $17 million from intellectual-property company MicroPatent LLC. He faces up to 20 years in jail. Tereshchuk threatened to leak confidential information and launch denial-of-service attacks against intellectual-property attorneys worldwide if he wasn't paid. In January, Thomas Ray, 25, of Mississippi, was indicted for allegedly claiming to have found a security flaw in Best Buy Co.'s systems and threatening to expose and exploit that flaw unless he was paid $2.5 million. A trial is expected this fall. 
And last year, Kazakhstan hacker Oleg Zezev was sentenced to 51 months for illegally entering Bloomberg L.P.'s systems and threatening to disclose the break-in if he wasn't paid $200,000. Most extortion plans fail. According to Carnegie Mellon's survey, 70% of those threatened with extortion say the attempts were unsuccessful. But it's a growing problem nonetheless. Networks with anywhere from a couple of hundred to tens of thousands of compromised systems that can be used to launch distributed denial-of-service attacks have increased sharply this year, says Vincent Weafer, senior director of Symantec Corp.'s Security Response service. The vendor tracks these attack networks, which are set up by "criminals who want to use them for profit," Weafer says. In six months, they've swelled from 2,000 to more than 30,000, he says. Small and midsize businesses often believe cyberextortionists aren't interested in them because they're too small, with 68% of the companies in the Carnegie Mellon survey responding that they're at no or low risk. But Bednarski warns that's false comfort. "Being a small company may actually increase your risk," he says. "The extorters are scanning the Internet for vulnerable systems, and it's no skin off of their nose to send out letters demanding $5,000. If 10% of the companies pay, the extortionist is sitting pretty." Moreover, many companies aren't taking necessary precautions. Only 21% of companies in the Carnegie Mellon study have formal training programs to teach employees how to respond to security breaches, and only 37% have performed security assessments in the past six months. Perhaps more unsettling: 45% of companies express a lack of confidence in their technical department's ability to respond to security incidents. "More companies clearly need to raise their security posture," Symantec's Weafer says. Otherwise, they may find themselves scrambling in the midst of an attack, as WagerWeb did. 
Now, the online site is better prepared to stand firm against a threat, should one arise. Says Johnson: "We won't give in." From isn at c4i.org Wed Sep 15 01:59:16 2004 From: isn at c4i.org (InfoSec News) Date: Wed Sep 15 02:12:07 2004 Subject: [ISN] Bill would magnify cybersecurity in DHS Message-ID: Forwarded from: William Knowles http://www.fcw.com/fcw/articles/2004/0913/web-secre-09-14-04.asp By Dibya Sarkar Sep. 14, 2004 House lawmakers introduced two homeland security bills, one that would create an assistant secretary position within the Homeland Security Department to oversee cybersecurity and another that would enhance science and technology. Reps. Mac Thornberry (R-Texas), chairman of the Homeland Security Select Committee's Cybersecurity, Science and Research and Development Subcommittee, and Zoe Lofgren (D-Calif.), the subcommittee's ranking member, are prime sponsors of both bills, which were introduced Sept. 13. The Department of Homeland Security Cybersecurity Enhancement Act of 2004 would elevate the position of cybersecurity director to assistant secretary within the Information Analysis and Infrastructure Protection directorate. DHS has a cybersecurity division led by director Amit Yoran. In effect, the bill would give cybersecurity a bigger spotlight within the department. The assistant secretary would be in a better position to coordinate and influence cybersecurity across different agencies and functions. Under the bill, the assistant secretary's responsibilities would essentially remain the same except for the addition of primary authority of the National Communications System. The move is designed to treat the missions and operations of telecommunications and information technology as one comprehensive mission. The NCS, which was transferred from the Defense Department to the Information Analysis and Infrastructure Protection directorate last year, is an interagency group with representatives from 23 federal departments and agencies. 
The group coordinates and plans for national security and emergency communications for the federal government during crises. The third component of the bill would be to define cybersecurity to reflect the convergence of emerging technologies, particularly with IT and telecommunications. The lawmakers' second bill, the Department of Homeland Security Science and Technology Enhancement Act, would outline a number of proposals, such as directing the secretary to assess development of science and technology capabilities to address basic scientific research needs; authorizing the secretary to partner with foreign governments, such as Israel and the United Kingdom; identifying geospatial needs; and commercializing technologies. The bill also proposes to expand an existing National Science Foundation program to encourage higher education institutions, including community colleges, to develop cybersecurity professional development programs and expand or establish associate program degrees. The program would include money for equipment, such as creating hands-on virtual laboratories for cybersecurity specialists. The bill proposes $3.7 million for the program next year. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ---------------------------------------------------------------- C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Thu Sep 16 06:11:24 2004 From: isn at c4i.org (InfoSec News) Date: Thu Sep 16 06:28:06 2004 Subject: [ISN] DHS moves ahead with cybersecurity R&D efforts Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,95942,00.html By Dan Verton SEPTEMBER 15, 2004 COMPUTERWORLD SAN MATEO, Calif. 
-- The Department of Homeland Security is actively planning several new pilot projects that officials hope will help solve one of the most pressing cybersecurity research problems to date: a lack of real-world attack data. "The cybercommunity has suffered for years from the lack of good data for testing," said Douglas Maughan, security program manager at the Homeland Security Advanced Research Projects Agency, which is part of the DHS's Science and Technology Directorate. That's why the DHS is moving ahead rapidly with a new program called Protected Repository for Defense of Infrastructure Against Cyber Threats (Protect), said Maughan, who spoke at an industry conference here sponsored by the U.S. Secret Service. The Protect program has been under way since February and is aimed at getting large private-sector infrastructure companies to volunteer real-world incident data that researchers can use to test prototype security products. "We're looking to collect large, different types of data," said Maughan. He noted that the government wouldn't hold the data and said those who volunteer for the program can have data "anonymized." Maughan said the program would rely on a trusted access repository process that includes a government-funded but third-party hosted data repository with written agreements with data providers. Researchers can apply to take part in the program, and data owners would be allowed to stop specific researchers from accessing their data, said Maughan. So far, nearly two dozen enterprises have indicated interest in the program, which is scheduled to go live after Jan. 1. The agency is also spearheading a new vendor-neutral cybersecurity test bed, known as DETER for Cyber Defense Technology Experimental Research, that will help develop next-generation security technologies for the nation's critical infrastructure. The goal is to construct a homogeneous emulation cluster based on the University of Utah's Emulab facility, said Maughan. 
So far, he said, $14 million has been earmarked for the program, which allows researchers to focus on security vulnerability prevention and detection and test the security and trustworthiness of operational systems. The DHS plans to hold an industry day on Sept. 27 to answer questions about the program, and plans to award pilot project contracts in mid-January 2005. Along with the DETER test bed, the DHS has formed an ad hoc government/industry steering committee to study and develop security pilot projects for the Domain Name System, a critical part of the Internet infrastructure that converts text names of Web sites into Internet Protocol addresses. The goal is to develop pilot projects to study specific threats and vulnerabilities to the DNS, including loss of service due to a denial-of-service attack, hijacking and a loss of coherence due to the existence of unauthorized root servers and top-level domains. Pilot projects are being planned for the .us and .gov domains, Maughan said. The DHS is scheduled to hold its first meeting Monday of its Border Gateway Protocol steering committee, which is preparing research-and-development pilot projects to develop secure protocols for the routing infrastructure that connects Internet service providers and subscriber networks. The current BGP architecture makes it particularly vulnerable to human error as well as malicious attacks against routers, the links between routers and the management stations that control the routers, said Maughan. Specific concerns, said Maughan, include the ability of attacks to reroute traffic to enable passive or active wiretapping. At its first meeting next week, the steering committee plans to discuss plans for a November industry workshop with routing vendors and major ISPs. Maughan, however, warned that solving the problems facing the BGP infrastructure will be a long-term endeavor. "It's a good three-, five- or seven-year problem." 
From isn at c4i.org Thu Sep 16 06:12:49 2004 From: isn at c4i.org (InfoSec News) Date: Thu Sep 16 06:28:08 2004 Subject: [ISN] [Vmyths.com ALERT] Hysteria predicted for 'JPEG Processor' vulnerability Message-ID: Forwarded from: Vmyths.com Virus Hysteria Alert Vmyths.com Virus Hysteria Alert Truth About Computer Security Hysteria {15 September 2004, 01:55 CT} CATEGORIES: (1) Misconceptions about a real computer security threat (2) A historical perspective on recent hysteria Microsoft has issued a "critical" alert regarding a "buffer overrun" in software it uses to display JPEG images. In theory, if you try to view a specially crafted JPEG file, it could take over your computer and do whatever it wishes. Microsoft has released a security patch to fix this buffer overrun. Vmyths urges you to download the patch, install it, and get on with your life. Buffer Overrun in JPEG Processing Could Allow Code Execution: http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx Vmyths believes media outlets will POUNCE on this story, because (a) Microsoft announced a "critical" vulnerability in the way its software reads a ubiquitous file type, and (b) computer emergency response teams have issued their own alerts. Watch for breathless speculation and hysteria in the coming days. Some naïve system administrators may tell reporters they'll delete JPEG files from emails and refuse to let web browsers display JPEG files, "strictly as a precaution." (We don't expect anyone will implement this Draconian measure for very long. We believe too many users will clamor against it.) Remember this when virus hysteria strikes: http://Vmyths.com/resource.cfm?id=31&page=1 Microsoft's "JPEG Processor" vulnerability manifests itself as a buffer overrun in a piece of software. It is NOT caused by the JPEG file format itself. Buffer overruns are extremely common: you'll find them in almost every large software application (even antivirus software). 
They can create situations where even a filename itself can wreak havoc. By definition, every buffer overrun will eventually join its brothers in the land of obscurity. Buffer overruns in antivirus software: http://zdnet.com.com/2100-11-515441.html The "Code Red" worms successfully exploited a buffer overrun in 2001, and Vmyths believes some reporters will allude to this -- as if to imply a horrific JPEG attack may be just around the corner. Buffer overruns are extremely common, yet they only rarely ever get exploited. Researcher Georgi Guninski, for example, publishes "proof of concept" exploits for many of the "critical" buffer overruns he finds. Guninski's exploits have never made a splash despite his best efforts. A little history -- this isn't the first time an image file format has come under fire. An April Fool's joke targeted JPEG files a decade ago: 1994 April Fool "JPEG virus" alert: http://www.2meta.com/april-fools/1994/JPEG-Virus.html In 2001, researchers claimed a specially crafted GIF file could be used to cause a buffer overrun in Microsoft Outlook. It was purely a coincidence that a GIF file could exploit this threat. In 2002, the "Perrun" virus added software to the computers it infected, then it modified the Windows registry so future viruses could "ride" inside a JPEG file. The virus writer could have chosen to do the same thing with GIF files or even TEXT files. Antivirus vendor Sophos urged restraint over the Perrun virus, saying "some anti-virus vendors may be tempted to predict the end of the world as we know it, or warn of an impending era when all graphic files should be treated with suspicion. Such experts should be ashamed of themselves." McAfee gets slapped in 2002 for "JPEG virus" alert: http://www.sophos.com/virusinfo/articles/perrun.html Vmyths suspects a hoax virus alert will arise with instructions to delete the JPEG registered file type in Windows. (It's practically a self-fulfilling prophecy.) 
Such a hoax will play on the user's misconception of the threat. Don't take unsolicited advice from people who are NOT experts. Users will self-damage their operating systems if they delete the JPEG registered file type. False Authority Syndrome http://Vmyths.com/fas/fas1.cfm Stay calm. Stay reasoned. And stay tuned to Vmyths. Rob Rosenberger, editor http://Vmyths.com Rob@Vmyths.com (319) 646-2800 Acknowledgements: Phone call from Kevin Poulsen, SecurityFocus CATEGORIES: (1) Misconceptions about a real computer security threat (2) A historical perspective on recent hysteria --------------- Useful links ------------------ Common clichés in the antivirus world http://Vmyths.com/resource.cfm?id=22&page=1 From isn at c4i.org Thu Sep 16 06:13:11 2004 From: isn at c4i.org (InfoSec News) Date: Thu Sep 16 06:28:09 2004 Subject: [ISN] Five fired in Los Alamos lab scandal Message-ID: http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2004/09/15/national1839EDT0780.DTL [Here's an article to pin to the bulletin board if you think your organization's security policy is lax about security infractions, you could remind your users they would be fired if they pulled the same kind of antics around a national lab. - WK] MARY PEREA Associated Press Writer September 15, 2004 Five workers have been fired for their roles in a security and safety scandal at Los Alamos National Laboratory, the lab's director said Wednesday. The fired workers were among 23 suspended this summer after two computer disks containing classified information went missing. The discovery July 7 prompted a virtual shutdown of the nuclear lab, idling roughly 12,000 workers. The other 18 workers will retain their jobs but will be reprimanded or demoted from management, Director Pete Nanos told The Associated Press. "It's very important to get this behind us," Nanos said in an interview via cell phone from an airplane after meetings in Washington, D.C. 
Nanos would not discuss the specific cases of fired employees but said that some were dismissed for "not taking actions that you were supposed to take, or signing off on things that you hadn't done." He said one had not taken the appropriate precautions in a safety area. "We really did fit the punishment to the acts that were done," Nanos said. Three of the workers were fired in connection with the missing computer disks; the other two were involved in an accident in which a laser injured an intern, he said. Nanos also said the northern New Mexico lab has finished its investigation into the two missing disks, also known as "classified removable electronic media," or CREM. Information from the probe has been turned over to federal authorities. Nanos refused to release additional details. He said other agencies are still investigating. Nanos, who held a series of all-hands meetings with lab workers after the scandal broke, added that the "commitment of employees right now is extremely high." Lab spokesman James Fallin emphasized "that today's announcements provide very clear evidence that it's not business as usual at this laboratory. ... Accountability is the order of the day." From isn at c4i.org Thu Sep 16 06:13:39 2004 From: isn at c4i.org (InfoSec News) Date: Thu Sep 16 06:28:10 2004 Subject: [ISN] 80% of World's Online Hackers and Pedophiles from Brazil Message-ID: http://brazzil.com/mag/content/view/177/2/ [80% sounds a little high... - WK] 14 September 2004 According to the Brazilian Federal Police, Brazil is a significant player in Internet crime. Out of every group of 10 hackers, 8 of them are probably from Brazil. And besides that, two-thirds of all pedophilia pages on the internet originate in Brazil. As might be expected, the survey also found that in Brazil internet crimes, such as financial fraud, are more profitable nowadays than bank robberies. 
The fight against cybernetic crime has brought together some 500 specialists from 20 countries at an international conference here in Brasilia (1ª Conferência Internacional de Perícias em Crimes Cibernéticos). The main idea at the event, which runs until September 16, is to provide incentives for research and scientific development to be used in investigating and punishing internet crime. Paulo Quintiliano, a criminal expert who is coordinating the conference, says that Internet crime is a growth industry and that it is not always easy to find the criminals. "Sometimes information can be stored abroad and we have to rely on international cooperation. But we maintain international contacts for this purpose," he said. Quintiliano says there has been a disturbing rise in cases of sexual exploitation of minors on the Internet. Quintiliano reports that in Brazil a federal Appeals Court has ruled that internet crimes are federal offenses.

The subcommission on pedophilia and child pornography at Brazil's Secretariat of Human Rights is drawing up a national plan to deal with the problem of Internet pedophilia. "We need specific policies so we can coordinate action by the government and civil society to control this problem," says Alexandre Reis, who coordinates the subcommission. One proposal under study is a plan to improve the notification of denouncements so more reliable statistics on the problem of sexual abuse of minors can be obtained. The subcommission consists of representatives of the government, civil society and international organizations.

In 2002, the Brazilian business sector invested US$ 102 million to combat hackers. The previous year they had invested US$ 75 million in electronic transaction security. "Investments in computer security rise annually, in direct proportion to the growth of attacks by hackers," said an official at Embratel. The Network Studies Center (Cert) reports that in 2000 there were 20,000 hacker attacks, and 50,000 in 2001.
From isn at c4i.org Thu Sep 16 06:13:55 2004 From: isn at c4i.org (InfoSec News) Date: Thu Sep 16 06:28:12 2004 Subject: [ISN] Feds say Lamo inspired other hackers Message-ID: http://www.theregister.co.uk/2004/09/16/feds_on_lamo/ By Kevin Poulsen SecurityFocus 16th September 2004 The final act in the saga of Adrian Lamo's hacking adventures ended with a contrite message from the once brash cyber outlaw, and a grim denunciation from his prosecutor, who blamed the hacker for inspiring other computer intruders. In a hearing in New York last July, Lamo, 23, was sentenced to six months of house arrest followed by two years probation, and ordered to pay $65,000 in restitution, for intruding into the New York Times' internal network and conducting thousands of database searches using the newspaper's Lexis-Nexis account. The hearing was not publicized in advance and no reporters attended. A transcript obtained this month by SecurityFocus shows an apologetic Lamo professing remorse for the actions that made him famous. "Since all this started, I have had a great deal of opportunity and time to see many of the effects of the things that I have done, how they have harmed the companies that I compromised, how they harmed me, how they harmed my family, how really they have harmed so many people around me," Lamo told federal judge Naomi Reice Buchwald. "I've hidden behind a facade of words in some of the statements that I have made and some of the things that I have said, and for me really it's been an alternative between seeming flip or walking around in constant gloom," Lamo said. "This is a process I want no further part in. I want to answer for what I have done and do better with my life." The Homeless Hacker Lamo began publicly exposing security holes at large corporations in May, 2001, when he warned the now-defunct broadband provider ExciteAtHome that its customer list of 2.95 million cable modem subscribers was accessible to hackers. 
He worked with the company at its California office to close the hole before going public with the hack. He followed that up with high-profile hacks of Yahoo!, Microsoft, Worldcom, Blogger, and other companies, usually using nothing more than an ordinary web browser, and often offering to help the companies close the holes he exploited. Some of Lamo's victims have even professed gratitude for his efforts: In December, 2001, he was praised by communications giant WorldCom after he discovered, then helped close, security holes in their intranet that threatened to expose the private networks of Bank of America, CitiCorp, JP Morgan, and others.

In February, 2002, Lamo penetrated the New York Times, after a two-minute scan turned up seven misconfigured proxy servers acting as doorways between the public Internet and the Times private intranet, making the latter accessible to anyone capable of properly configuring their web browser. Once inside he hacked passwords to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper's employees, and logs of home delivery customers' stop and start orders. He capped off the hack by adding himself to a database of 3,000 contributors to the Times op-ed page.

Unemployed and frequently found living out of a backpack and traveling the country by Greyhound, Lamo was dubbed "the Homeless Hacker" by the press, and he inspired an online "Free Lamo" movement by his admirers after he was finally hit with a federal indictment for the Times intrusion last year. He pleaded guilty in a deal with prosecutors in January.

"Palpable Fear"

At Lamo's sentencing, assistant US attorney Joseph DeMarco said Lamo had caused serious financial harm, and was responsible for "a great deal of psychological injury" to his victims. "Until they got to the bottom of what Mr. Lamo had done, they were put in real fear, and I can tell your honor, from speaking to those victims, that it was palpable."
The prosecutor then zeroed in on Lamo's Robin Hood image. "For better or worse, Mr. Lamo has become a source of attention not only to the public and press at large, but also to members of his generation and other individuals in the computer community," DeMarco continued. "Whether or not Mr. Lamo sought to inspire those people or was neutral on that subject, the fact remains that we really won't know how many computer hackers Mr. Lamo has inspired by his misdeeds. We won't know what damage those hackers will do."

Lamo's attorney, Sean Hecker, told the court that Lamo "has a lot of growing up to continue to do," but emphasized that the hacker had stopped talking to the press, was attending counseling sessions, and was doing well as a journalism student at a local community college. Lamo could have gotten as much as a year in prison under the terms of his plea agreement. In passing down the lighter sentence, Buchwald said it shouldn't be mistaken for a slap on the wrist. "Anyone who thinks that this is a light sentence simply because there is a harsher alternative I think is sorely mistaken," said Buchwald. "Mr. Lamo is now I think 22, 23. He will have a felony conviction on his record the rest of his life."

From isn at c4i.org Fri Sep 17 07:38:28 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 17 08:20:33 2004
Subject: [ISN] AusCERT2005 Call for Presentations and Tutorials (AUSCERT#20044dfa4)
Message-ID:

Forwarded from: auscert@auscert.org.au

AusCERT2005 - AusCERT Asia Pacific Information Technology Security Conference
22nd-26th May 2005 - Royal Pines Resort - Gold Coast, Australia

Call for Presentations and Tutorials is now open!

At the request of previous conference delegates, the AusCERT2005 programme committee has included positions on the programme for speakers accepted through a "Call for Presentations and Tutorials". Accepted presentations will be included in the Business, Technical or Tutorial streams.

This call for presentations is open to experts who have a quality presentation for the AusCERT2005 Conference fitting the theme of "Secure by design - the only choice". For details on how to submit your presentation please refer to: http://conference.auscert.org.au/conf2005/cfp2005.html

Note that this is not an academic refereed call for papers. A separate refereed stream for research and development is available for this purpose and a call for papers is being held separately. Please refer to the refereed call for papers at http://www.isrc.qut.edu.au/events/auscert2005/ for further details.

Kind Regards,
Viviani Paz
AusCERT2005 Conference Programme Committee Chair
AusCERT (Australian Computer Emergency Response Team)
Phone: +61 7 3365 4290
Email: auscert2005call@auscert.org.au
Incident Response: +61 7 3365 4417
Email: auscert@auscert.org.au
Fax: +61 7 3365 7031
Web: http://www.auscert.org.au

From isn at c4i.org Fri Sep 17 07:47:58 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 17 08:20:35 2004
Subject: [ISN] German IT agency sets record straight on Explorer
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,95980,00.html

By John Blau
SEPTEMBER 16, 2004
IDG NEWS SERVICE

In response to the growing number of viruses infecting computers, a spokesman for Germany's Federal Office for Information Security (BSI) has suggested that users consider alternatives to Microsoft Corp.'s Internet Explorer Web browser. But the agency didn't recommend that users steer clear of Microsoft products, the spokesman said, refuting a statement issued Tuesday by browser developer Opera Software ASA.
"Microsoft products are the target of many virus writers," BSI spokesman Michael Dickopf said in an interview yesterday. "If computer users want to avoid viruses and Trojans, they may want to consider using alternatives to Microsoft software." However, Dickopf said, BSI "did not issue any warning against using Microsoft products." The Opera statement, titled "German Government Computing Security Body Recommends Switch to Opera," was based on a story published Monday by the online news site The Register, according to Opera spokesman Pal Hvistendahl. Opera didn't contact BSI directly in preparing its release, he said. The Register report was based, in turn, on a story published Saturday in the German daily newspaper Berliner Zeitung. In that story, Dickopf was one of several experts interviewed on the topic of computer viruses and worms, and on recent phishing attacks in the country. The BSI spokesman was paraphrased as saying that he "indirectly advised" Internet users to switch from Explorer to Mozilla or Opera. He was directly quoted as saying, "Whoever doesn't use Internet Explorer can't be affected by these viruses and worms." The IT industry is closely monitoring the procurement behavior of governments, which traditionally have been big users of Microsoft products but increasingly are becoming interested in the use of open-source alternatives to save money and reduce security risks. In Europe, the German government has been at the forefront of promoting the use of open-source software in the public sector. Cost has been the key driver for its support of Linux and other open-source products. But over the past year, security has also become an issue. Microsoft has responded to the developments by offering discounts to the country's vast public sector and agreeing to provide special assistance with software security. 
From isn at c4i.org Fri Sep 17 07:48:27 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 17 08:20:36 2004
Subject: [ISN] Symantec Buys Security Consulting Pioneer @stake
Message-ID:

http://www.eweek.com/article2/0,1759,1646978,00.asp

By Dennis Fisher
September 16, 2004

Updated: The company says it is acquiring @stake, one of the first digital security consulting firms in the industry, for an undisclosed sum.

Symantec Corp. on Thursday announced that it is acquiring @stake Inc., perhaps the most well-known security consulting firm in the industry, for an undisclosed sum. The purchase marks the end of an era for @stake, and in a sense, for the security industry at large. Among the first digital security consulting firms to pop up, @stake made its name by assembling an all-star roster of security talent and then turning the researchers and consultants loose on a wide variety of projects, both mainstream and arcane.

The company got an early boost when it acquired the hacker collective known as L0pht Heavy Industries, a Boston-based group made up of some of the best-known security researchers in the world, including Peiter Zatko, known as Mudge, and Chris Wysopal, who went by the handle Weld Pond. Wysopal is still with @stake, as the company's director of research and development, but almost all of the other L0pht members have left. A Symantec spokesperson said Wysopal would be staying with Symantec as director of development. James Mobley, @stake CEO, will also stay with Symantec as vice president of global security consulting. The company hopes to keep as many of @stake's 115 employees as it can and will keep the Cambridge, Mass., office open for the time being.

The L0pht collective began in 1992 in Boston's South End and many of its members had been active in the security scene for many years by the time @stake acquired the group in 2000.
The presence of such high-profile researchers lent an aura of credibility and mystique to @stake in its early days, but as the members began leaving to start their own companies or to go into semi-retirement as Mudge did, the firm took on a more corporate character. Many of the company's former employees cited the more buttoned-down atmosphere and conflicting feelings about doing business with big software vendors such as Microsoft Corp. as their reasons for leaving. For a group best known for writing the L0phtcrack password-cracking tool and telling Congress that its members could take down the Internet within a few minutes, this was a major shift. "It was a little bit surprising that they were bought, but this is the way things are going. You still have some independent companies out there doing research, but the overall feeling is that most of the industry works for the bigger companies now," said Dave Aitel, CEO of Immunity Inc. in New York, and a former @stake consultant. "[@stake has] had a ton of turnover so the people who are there now aren't necessarily the top people. But I don't think it will be much of a change for them. It was never this welcoming little cocoon atmosphere that people thought it was. It's a consulting company. There's not much difference between consulting for @stake and Symantec - maybe better benefits." For Symantec, of Cupertino, Calif., the purchase of @stake gives the company access to a world-class research organization as well as a ready-made roster of high-end consulting clients. The company plans to integrate the @stake employees and offerings into its global services organization. From isn at c4i.org Fri Sep 17 07:48:39 2004 From: isn at c4i.org (InfoSec News) Date: Fri Sep 17 08:20:38 2004 Subject: [ISN] House may act on cybersecurity liability protection Message-ID: http://www.fcw.com/fcw/articles/2004/0913/web-dix-09-16-04.asp By Florence Olsen Sept. 
16, 2004

Industry officials who favor cybersecurity liability protection may see action on their recommendations in the next legislative session. Robert Dix, staff chief of the House subcommittee that oversees cybersecurity policy, said subcommittee members might introduce legislation based on recommendations of the Corporate Information Security Working Group, an organization of 25 senior business and academic leaders who advise the subcommittee chairman, Rep. Adam Putnam (R-Fla.), about ways to improve the nation's critical cyberinfrastructure. Dix, speaking at a noon meeting of the Association for Federal Information Resources Management, offered no specific details on possible legislation.

The working group, which has made 23 recommendations for improving cybersecurity, will issue its next report in November. Based on the report's findings, members of Putnam's Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee are likely to introduce new legislation, Dix said. "It's difficult to legislate software quality, we don't want to stifle innovation," he said.

Putnam favors a market-based approach to fixing the nation's cybersecurity weaknesses, Dix said. "It's our belief that's beginning to happen" - that companies are bolstering critical infrastructure systems that control water supplies, power plants and communications, he said. But utilities companies, he said, may need some legislative help to upgrade their systems and pass along the costs through changes in their rate structures.

Putnam said the nation's weak cybersecurity defenses are a bigger problem than most people realize. "We need a pride in security campaign in this country," he said. "We need to stop kidding ourselves about this problem."
From isn at c4i.org Fri Sep 17 07:48:49 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 17 08:20:39 2004
Subject: [ISN] Spam most destructive in China's Internet security
Message-ID:

http://english.peopledaily.com.cn/200409/14/eng20040914_156990.html

By People's Daily Online
September 14, 2004

The Ministry of Public Security released on September 14 the result of the nation's inaugural survey on Internet information security and computer viruses: the infection rate of the computers of users in China is 87.9 percent and 36 percent of the security incidents are caused by massive spam transmission. Virus-related information from a total of 7,072 departments, including those in government, finance, education and research, telecommunication, and commerce, was collected. Plus, over 8,400 computer users were covered. The survey was launched by the Bureau Public Information and Internet Security Supervision under the Ministry of Public Security and the Professional Committee of Computer Security of China Computer Federation.

The survey shows an 87.9 percent infection rate among the computers of users in China, 2 percent up from last year. The most widespread computer viruses are Internet Worm viruses and the viruses or vicious codes targeting Internet-browsing software: "Worm.Sasser", "Worm.NetSky", "Worm.Nimda" and "Digispid.B.Worm" etc. Internet-aimed destruction is on a rampant rise. Particularly devastating but less detectable are those computer viruses stealing sensitive information of computer users, e.g. user account and password.

58 percent of the surveyed departments have had accidents in cyber security and 36 percent of the incidents are caused by massive transmission of spam. As analyzed, the main causes of Internet security incidents are: poor implementation of regulations, low security awareness, ill-trained management staff in security and a lack of effective channels for security information reporting.
Moreover, security service trades that are incapable of meeting the needs of society remain a tough problem.

From isn at c4i.org Fri Sep 17 08:09:07 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 17 08:20:41 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-38
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-09-09 - 2004-09-16

This week : 42 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

Secunia has implemented new features at Secunia.com

SECUNIA ADVISORIES NOW INCLUDE "Solution Status":

In addition to the extensive information Secunia advisories already include, Secunia has added a new parameter: "Solution Status". This simply means that all Secunia advisories, including older advisories, now include the current "Solution Status" of an advisory, i.e. whether the vendor has released a patch or not.

IMPROVED PRODUCT PAGES:

The improved product pages now include a detailed listing of all Secunia advisories affecting each product. The listings include a clear indication of the "Solution Status" each advisory has ("Unpatched", "Vendor patch", "Vendor workaround", or "Partial fix").
View the following for examples:

Opera 7: http://secunia.com/product/761/
Internet Explorer 6: http://secunia.com/product/11/
Mozilla Firefox: http://secunia.com/product/3256/

EXTRA STATISTICS:

Each product page also includes a new pie graph, displaying the "Solution Status" for all Secunia advisories affecting each product in a given period. View the following for an example:

Internet Explorer 6: http://secunia.com/product/11/#statistics_solution

FEEDBACK SYSTEM:

To make it easier to provide feedback to the Secunia staff, we have made an online feedback form. Enter your inquiry and it will immediately be sent to the appropriate Secunia department. Ideas, suggestions, and other feedback are most welcome.

Secunia Feedback Form: http://secunia.com/contact_form/

========================================================================

2) This Week in Brief:

ADVISORIES:

Microsoft issued two security updates, and while the one affecting most of Microsoft's Office programs is pretty straightforward to install and implement, the other is quite a different story. The second security update addresses a JPEG processing vulnerability within an image library, which can be exploited by malicious people to compromise a vulnerable system. However, since the vulnerability exists in a library which is used by MANY different Microsoft as well as third party programs, it may be required that you update the library in multiple locations on your hard drive with different patches for each affected program. This makes it very hard, especially for larger companies with complex networks, to make a "normal" patch installation.

Secunia recommends that you read SA12528 very carefully, and afterwards go to the Microsoft Security Bulletin and locate the patches required for your system. It is also highly recommended that you download and run a special tool from Microsoft, as this should be able to locate vulnerable components.
Reference:
http://secunia.com/SA12529
http://secunia.com/SA12528

--

Mozilla has issued new versions of their popular products Mozilla, Firefox, and Thunderbird. These fix 10 different vulnerabilities, some of which in the worst case could be exploited to compromise a vulnerable system. Users are recommended to upgrade their products to the latest versions. Additional details can be found in the referenced Secunia advisory below.

In addition, Netscape 7.2 is also vulnerable to several of the same issues described in SA12526. More details about the issues in Netscape can be found in SA12535.

Reference:
http://secunia.com/SA12526
http://secunia.com/SA12535

VIRUS ALERTS:

Secunia has not issued any virus alerts during the last week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA12526] Mozilla Multiple Vulnerabilities
2. [SA12304] Internet Explorer Address Bar Spoofing Vulnerability
3. [SA12321] Microsoft Internet Explorer Drag and Drop Vulnerability
4. [SA12528] Microsoft Multiple Products JPEG Processing Buffer Overflow Vulnerability
5. [SA12381] Winamp Skin File Arbitrary Code Execution Vulnerability
6. [SA12535] Netscape Multiple Vulnerabilities
7. [SA11978] Multiple Browsers Frame Injection Vulnerability
8. [SA12455] Kazaa Altnet Download Manager Buffer Overflow Vulnerability
9. [SA12430] Winzip Unspecified Multiple Buffer Overflow Vulnerabilities
10.
[SA12403] Mozilla / Mozilla Firefox Apple Java Plugin Tab Spoofing Vulnerability ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA12535] Netscape Multiple Vulnerabilities [SA12528] Microsoft Multiple Products JPEG Processing Buffer Overflow Vulnerability [SA12511] Twin FTP Server Directory Traversal Vulnerability [SA12529] Microsoft Office WordPerfect Converter Buffer Overflow Vulnerability [SA12519] getInternet Multiple SQL Injection Vulnerabilities [SA12510] Gadu-Gadu Buffer Overflow Vulnerability [SA12507] Serv-U FTP Server "STOU" Command Denial of Service Vulnerability [SA12520] getIntranet Multiple Vulnerabilities [SA12506] McAfee VirusScan System Scan Privilege Escalation Vulnerability UNIX/Linux: [SA12548] GTK+ Multiple Image Decoding Vulnerabilities [SA12542] GdkPixbuf Multiple Image Decoding Vulnerabilities [SA12539] Red Hat update for imlib [SA12505] Gentoo update for Webmin / Usermin [SA12503] Conectiva update for krb5 [SA12502] Fedora update for imlib [SA12544] Red Hat update for mc [SA12536] Mandrake update for squid [SA12521] Conectiva update for kde [SA12515] ripMIME MIME Decoding Vulnerabilities [SA12513] Regulus Multiple Vulnerabilities [SA12547] Red Hat update for httpd [SA12541] Mandrake update for apache2 [SA12534] Gentoo update for SUS [SA12552] GNU Radius SNMP String Length Denial of Service Vulnerability [SA12518] Fedora update for samba [SA12517] Gentoo update for samba [SA12516] Samba Denial of Service Vulnerabilities [SA12508] Squid "clientAbortBody()" Denial of Service Vulnerability [SA12546] Red Hat update for openoffice.org [SA12537] Debian update for webmin [SA12532] Gentoo update for cdrtools [SA12530] SUS Logging Format String Vulnerability [SA12501] Fedora update for cdrtools Other: [SA12523] Pingtel Xpressa HTTP Management Interface Denial of Service Cross Platform: [SA12526] Mozilla Multiple Vulnerabilities [SA12509] BBS E-Market Professional Arbitrary File 
Inclusion Vulnerability [SA12540] Apache apr-util Library and Environment Variable Expansion Vulnerabilities [SA12531] vBulletin "x_invoice_num" SQL Injection Vulnerability [SA12524] BEA WebLogic Multiple Vulnerabilities [SA12504] Halo Client Response Off-By-One Denial of Service Vulnerability [SA12527] Apache "mod_dav" LOCK Request Denial of Service Vulnerability [SA12522] Lexar JumpDrive Secure Password Disclosure Security Issue ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA12535] Netscape Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access Released: 2004-09-15 Multiple vulnerabilities have been reported in Netscape, which can be exploited by malicious people to conduct cross-site scripting attacks, access and modify sensitive information, and compromise a user's system. Full Advisory: http://secunia.com/advisories/12535/ -- [SA12528] Microsoft Multiple Products JPEG Processing Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2004-09-14 Nick DeBaggis has reported a vulnerability in multiple Microsoft products, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12528/ -- [SA12511] Twin FTP Server Directory Traversal Vulnerability Critical: Highly critical Where: From remote Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information Released: 2004-09-13 Tan Chew Keong has reported a vulnerability in Twin FTP Server, which can be exploited by malicious users to access files in arbitrary locations on a vulnerable system. 
Full Advisory: http://secunia.com/advisories/12511/ -- [SA12529] Microsoft Office WordPerfect Converter Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2004-09-14 Peter Winter-Smith has reported a vulnerability in various Microsoft Office products, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12529/ -- [SA12519] getInternet Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information, System access Released: 2004-09-14 Criolabs has reported some vulnerabilities in getInternet, which can be exploited by malicious people to conduct SQL injection attacks and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12519/ -- [SA12510] Gadu-Gadu Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2004-09-14 Lord YuP has reported a vulnerability in Gadu-Gadu, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12510/ -- [SA12507] Serv-U FTP Server "STOU" Command Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-09-13 Patrick has discovered a vulnerability in Serv-U FTP Server, which can be exploited by malicious users to cause a DoS (Denial of Service). 
Full Advisory:
http://secunia.com/advisories/12507/

--

[SA12520] getIntranet Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      Cross Site Scripting, Manipulation of data, Exposure of sensitive information, Privilege escalation, System access
Released:    2004-09-14

Criolabs has reported some vulnerabilities in getIntranet, which can be exploited by malicious people to conduct SQL injection and script insertion attacks, access sensitive information, and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12520/

--

[SA12506] McAfee VirusScan System Scan Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-09-14

Ian Vitek has reported a vulnerability in McAfee VirusScan, which can be exploited by malicious, local users to gain escalated privileges on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12506/

UNIX/Linux:

--

[SA12548] GTK+ Multiple Image Decoding Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-16

Multiple vulnerabilities have been reported in GTK+, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12548/

--

[SA12542] GdkPixbuf Multiple Image Decoding Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-16

Multiple vulnerabilities have been reported in GdkPixBuf, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12542/

--

[SA12539] Red Hat update for imlib

Critical:    Highly critical
Where:       From remote
Impact:      System access, DoS
Released:    2004-09-15

Red Hat has issued an update for imlib. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12539/

--

[SA12505] Gentoo update for Webmin / Usermin

Critical:    Highly critical
Where:       From remote
Impact:      Unknown, System access
Released:    2004-09-13

Gentoo has issued updates for Webmin / Usermin. These fix two vulnerabilities, where the most critical can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12505/

--

[SA12503] Conectiva update for krb5

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-10

Conectiva has issued an update for krb5. This fixes multiple vulnerabilities, where the most critical potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12503/

--

[SA12502] Fedora update for imlib

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-10

Fedora has issued an update for imlib. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12502/

--

[SA12544] Red Hat update for mc

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-09-15

Red Hat has issued an update for mc. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12544/

--

[SA12536] Mandrake update for squid

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-09-15

MandrakeSoft has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12536/

--

[SA12521] Conectiva update for kde

Critical:    Moderately critical
Where:       From remote
Impact:      Hijacking, Spoofing, Privilege escalation
Released:    2004-09-14

Conectiva has issued an update for kde. This fixes multiple vulnerabilities, which can be exploited to perform certain actions on a vulnerable system with escalated privileges, spoof the content of websites, or hijack sessions.

Full Advisory:
http://secunia.com/advisories/12521/

--

[SA12515] ripMIME MIME Decoding Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-09-15

The vendor has acknowledged some vulnerabilities in ripMIME, which potentially can be exploited by malicious people to bypass filters.

Full Advisory:
http://secunia.com/advisories/12515/

--

[SA12513] Regulus Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information
Released:    2004-09-14

masud_libra has reported some vulnerabilities in Regulus, which can be exploited by malicious people to access sensitive information or bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/12513/

--

[SA12547] Red Hat update for httpd

Critical:    Less critical
Where:       From remote
Impact:      Privilege escalation, DoS
Released:    2004-09-15

Red Hat has issued an update for httpd. This fixes multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12547/

--

[SA12541] Mandrake update for apache2

Critical:    Less critical
Where:       From remote
Impact:      Privilege escalation, DoS
Released:    2004-09-15

MandrakeSoft has issued an update for apache2. This fixes multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12541/

--

[SA12534] Gentoo update for SUS

Critical:    Less critical
Where:       From remote
Impact:      Privilege escalation
Released:    2004-09-15

Gentoo has issued an update for SUS. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12534/

--

[SA12552] GNU Radius SNMP String Length Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-15

A vulnerability has been reported in GNU Radius, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12552/

--

[SA12518] Fedora update for samba

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-14

Fedora has issued an update for samba. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12518/

--

[SA12517] Gentoo update for samba

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-14

Gentoo has issued an update for samba. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12517/

--

[SA12516] Samba Denial of Service Vulnerabilities

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-14

Two vulnerabilities have been reported in Samba, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12516/

--

[SA12508] Squid "clientAbortBody()" Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-13

M.A.Young has reported a vulnerability in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12508/

--

[SA12546] Red Hat update for openoffice.org

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-09-15

Red Hat has issued an update for openoffice.org. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12546/

--

[SA12537] Debian update for webmin

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-09-15

Debian has issued an update for webmin. This fixes a vulnerability, which potentially can be exploited by malicious people to perform certain actions on a system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12537/

--

[SA12532] Gentoo update for cdrtools

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-09-15

Gentoo has issued an update for cdrtools. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12532/

--

[SA12530] SUS Logging Format String Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-09-15

Leon Juranic has reported a vulnerability in SUS, allowing malicious users to escalate their privileges.

Full Advisory:
http://secunia.com/advisories/12530/

--

[SA12501] Fedora update for cdrtools

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-09-10

Fedora has issued an update for cdrtools. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12501/

Other:

--

[SA12523] Pingtel Xpressa HTTP Management Interface Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-15

@stake has reported a vulnerability in Pingtel Xpressa, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12523/

Cross Platform:

--

[SA12526] Mozilla Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access
Released:    2004-09-14

Details have been released about several vulnerabilities in Mozilla, Mozilla Firefox, and Thunderbird. These can potentially be exploited by malicious people to conduct cross-site scripting attacks, access and modify sensitive information, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12526/

--

[SA12509] BBS E-Market Professional Arbitrary File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, System access
Released:    2004-09-13

y3dips has reported a vulnerability in BBS E-Market Professional, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12509/

--

[SA12540] Apache apr-util Library and Environment Variable Expansion Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, DoS, System access
Released:    2004-09-15

Two vulnerabilities have been reported in Apache, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a system, or by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12540/

--

[SA12531] vBulletin "x_invoice_num" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2004-09-15

al3ndaleeb has reported a vulnerability in vBulletin, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12531/

--

[SA12524] BEA WebLogic Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS
Released:    2004-09-14

Multiple vulnerabilities have been reported in WebLogic, where the most critical can be exploited by malicious people to access sensitive information.

Full Advisory:
http://secunia.com/advisories/12524/

--

[SA12504] Halo Client Response Off-By-One Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-09-10

Luigi Auriemma has reported a vulnerability in Halo, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12504/

--

[SA12527] Apache "mod_dav" LOCK Request Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-09-14

A vulnerability has been reported in Apache, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12527/

--

[SA12522] Lexar JumpDrive Secure Password Disclosure Security Issue

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-09-14

@stake has reported a security issue in Lexar JumpDrive Secure, which can be exploited by malicious people to gain knowledge of sensitive information.
Full Advisory:
http://secunia.com/advisories/12522/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

========================================================================

From isn at c4i.org Mon Sep 20 05:11:53 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 20 05:33:22 2004
Subject: [ISN] REVIEW: "Systems Reliability and Failure Prevention", Herbert Hecht
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKSYRLFP.RVW 20040531

"Systems Reliability and Failure Prevention", Herbert Hecht, 2004, 1-58053-372-8, U$79.00
%A   Herbert Hecht
%C   685 Canton St., Norwood, MA 02062
%D   2004
%G   1-58053-372-8
%I   Artech House/Horizon
%O   U$79.00 800-225-9977 fax: +1-617-769-6334 artech@artech-house.com
%O   http://www.amazon.com/exec/obidos/ASIN/1580533728/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/1580533728/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1580533728/robsladesin03-20
%P   230 p.
%T   "Systems Reliability and Failure Prevention"

Chapter one is a very brief introduction: almost a preface. Basic statistical measures of failure and service are described in chapter two. "Organizational Causes of Failures," in chapter three, tells stories of some major disasters, but provides no structural recommendations.
Chapter four looks at analytical approaches to failure prevention, covering the failure modes and effects analysis (FMEA) and fault tree analysis (FTA) methods that should be more widely used in general risk assessment. The discussion of testing types, purposes, and analysis, in chapter five, raises some very interesting questions: if a thousand versions of a part are tested for a thousand hours and only one fails, does this *really* support the vendor's assertion that the mean time between failures (MTBF) is a million hours--or is it equally possible that all of them start failing shortly after a thousand hours, and one failed early? Factors such as partitioning, involved in implementing redundancy in a system, are reviewed in chapter six.

The material on software reliability, in chapter seven, is rather disappointing: there is still an evident hardware bias, little deliberation regarding the nature of software, and the techniques for stability are limited to UML (Universal Modeling Language) analysis, which is, itself, only suitable to object-oriented tasks. Chapter eight looks at the project life cycle, the preferred development models, reliability activities in various phases, testing, and reviews. In chapter nine Hecht addresses economic considerations in preventing versus accepting failures with a good deal of math: a more practical illustration is provided in chapter ten. Chapter eleven uses the techniques explained in the book in three example cases.

For those involved in risk analysis and operation continuity work, this text is a tutorial for a number of engineering principles that are not widely discussed in the available literature. However, there are a multitude of topics that sound interesting and useful, but are not presented in sufficient detail to be useful to the non-engineering professional.
For those in the field, the book will definitely be worth reading, but it probably could have provided much more assistance to those in the safety and security field.

copyright Robert M. Slade, 2004   BKSYRLFP.RVW   20040531

======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
My parents went to Middle Earth and all I got was a lousy ring.
                                                     - Marty Helgesen
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

From isn at c4i.org Mon Sep 20 05:11:31 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 20 05:33:23 2004
Subject: [ISN] Linux Advisory Watch - September 17th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  September 17th, 2004                        Volume 5, Number 37a   |
+---------------------------------------------------------------------+

  Editors:     Dave Wreski                     Benjamin D. Thomas
               dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for wv, kde, zlib, webmin, cupsys, samba, gtk2, gallery, samba, sus, cdrtools, squid, apache2, mod_ssl, httpd, mc, imlib, and multi. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, Slackware, SuSE, and Trustix.

-----

SSL123 - New from Thawte

Get SSL123 the new full 128-bit capable digital certificate - issued within minutes for US $159.00. Free reissues and experienced 24/5 multi-lingual support included for the life of the certificate.

Click Here to Read More:
http://ad.doubleclick.net/clk;9216028;9649398;b

-----

Security Through Obscurity

One type of security that must be discussed is 'security through obscurity'. This means that by doing something like changing the login name from 'root' to 'toor', for example, to try and obscure someone from breaking into your system as root may be thought of as a false sense of security, and can result in very unpleasant and unexpected consequences. However, it can also be used to your benefit if done properly.

If you tell all the users who are authorized to use the root account on your machines to use the root equivalent instead, entries in the /var/log/secure for the real root user would surely indicate an attempted break-in, giving you some advance notice. You'll have to decide if this advantage outweighs the additional administration overhead.

In most cases, though, any system attacker will quickly see through such empty security measures. Simply because you may have a small site, or relatively low profile does not mean an intruder won't be interested in what you have. We'll discuss what you're protecting in the next sections.

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave@guardiandigital.com)

-----

AIDE and CHKROOTKIT

Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.

http://www.linuxsecurity.com/feature_stories/feature_story-173.html

---------------------------------------------------------------------

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker.
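The "Security Through Obscurity" excerpt above says that once every authorized admin has been told to log in as the root-equivalent account, any entry in /var/log/secure for the real root user is an early warning. The following is an added example of that check, not code from the newsletter or from the LinuxSecurity Administrator's Guide: it parses sshd authentication lines in the syslog format /var/log/secure uses and flags every attempt, failed or successful, against the decoy name. The log lines are constructed samples; the host name, the addresses, and the assumption that the root-equivalent account is called "toor" are mine.

```python
"""Early-warning check for the 'decoy root' scheme from the excerpt.

Added example, not from the newsletter or the Administrator's Guide.
Assumptions: authorized admins use the uid-0 account "toor", so any
sshd login attempt for the literal name "root" is unexpected; the log
lines below are constructed samples in sshd's /var/log/secure format.
"""
import re
from collections import Counter

DECOY_USER = "root"        # nobody legitimate should log in under this name
REAL_ADMIN_USER = "toor"   # the root equivalent admins were told to use (assumed)

# Constructed sample of /var/log/secure; host "gw1" and addresses are made up.
SAMPLE_SECURE_LOG = """\
Sep 17 08:01:12 gw1 sshd[2231]: Accepted publickey for toor from 10.0.0.5 port 50122 ssh2
Sep 17 08:03:40 gw1 sshd[2240]: Failed password for root from 203.0.113.9 port 4022 ssh2
Sep 17 08:03:43 gw1 sshd[2240]: Failed password for root from 203.0.113.9 port 4022 ssh2
Sep 17 08:05:02 gw1 sshd[2255]: Failed password for invalid user admin from 203.0.113.9 port 4030 ssh2
Sep 17 08:07:19 gw1 sshd[2261]: Accepted password for root from 198.51.100.20 port 4100 ssh2
Sep 17 08:09:00 gw1 su: pam_unix(su:session): session opened for user toor by alice(uid=1001)
Sep 17 08:10:30 gw1 sshd[2270]: Failed password for toor from 10.0.0.5 port 50140 ssh2
"""

# One sshd authentication record: timestamp, host, outcome, account, source IP.
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd_auth(line):
    """Return the fields of an sshd Accepted/Failed line, or None for other lines."""
    m = SSHD_AUTH_RE.match(line)
    return m.groupdict() if m else None


def decoy_alerts(log_text, decoy_user=DECOY_USER):
    """Collect every sshd auth attempt against the decoy name.

    Failures are worth a warning (someone is guessing at the name the
    excerpt says nobody should use); a success is critical, because with
    the scheme in place it means someone outside the instructed admin
    group knows the real root credential.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_sshd_auth(line)
        if rec is None or rec["user"] != decoy_user:
            continue
        alerts.append({
            "ts": rec["ts"],
            "ip": rec["ip"],
            "outcome": rec["outcome"],
            "severity": "critical" if rec["outcome"] == "Accepted" else "warning",
        })
    return alerts


def alerts_by_source(alerts):
    """Count decoy-name attempts per source address, for triage or blocking."""
    return Counter(a["ip"] for a in alerts)


if __name__ == "__main__":
    found = decoy_alerts(SAMPLE_SECURE_LOG)
    for a in found:
        print(f"{a['severity'].upper():8} {a['ts']}  {a['outcome']} login as "
              f"{DECOY_USER} from {a['ip']}")
    print("attempts per source:", dict(alerts_by_source(found)))
```

On the constructed sample this reports two failed attempts from 203.0.113.9 and one critical accepted login from 198.51.100.20, while the legitimate "toor" sessions and the unrelated "invalid user admin" guess are left alone. In practice the same pattern would be extended to su and sudo lines, and the decoy scheme only adds value if the real root login is also disabled where it can be (for instance sshd's PermitRootLogin option); otherwise the warning arrives together with the compromise.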
He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com

http://www.linuxsecurity.com/feature_stories/feature_story-171.html

------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

 9/10/2004 - wv
   Fix for buffer overflow vulnerability
   iDefense discovered a buffer overflow vulnerability in the wv library.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-4733.html

 9/13/2004 - kde
   Fix for multiple security vulnerabilities
   This announcement fixes several vulnerabilities.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-4734.html

 9/13/2004 - zlib
   Fix for denial of service vulnerabilities
   A denial of service vulnerability was discovered in the zlib compression library versions 1.2.x.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-4735.html

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 9/14/2004 - webmin
   insecure temporary directory
   Ludwig Nussel discovered a problem in webmin, a web-based administration toolkit. A temporary directory was used but without checking for the previous owner. This could allow an attacker to create the directory and place dangerous symbolic links inside.
   http://www.linuxsecurity.com/advisories/debian_advisory-4736.html

 9/15/2004 - cupsys
   denial of service
   Alvaro Martinez Echevarria discovered a problem in CUPS, the Common UNIX Printing System. An attacker can easily disable browsing in CUPS by sending a specially crafted UDP datagram to port 631 where cupsd is running.
   http://www.linuxsecurity.com/advisories/debian_advisory-4788.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 9/10/2004 - imlib-1.9.13-15.fc
   Security update (core1)
   Several heap overflow vulnerabilities have been found in the imlib BMP image handler. An attacker could create a carefully crafted BMP file in such a way that it would cause an application linked with imlib to execute arbitrary code when the file was opened by a victim.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4731.html

 9/13/2004 - samba
   DoS (Core 1)
   Upgrade to 3.0.7, which fixes CAN-2004-0807 and CAN-2004-0808.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4786.html

 9/13/2004 - samba
   DoS (Core 2)
   Upgrade to 3.0.7 to close CAN-2004-0807 and CAN-2004-0808.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4787.html

 9/15/2004 - gdk-pixbuf
   vulnerabilities (Core 1)
   Several vulnerabilities.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4789.html

 9/15/2004 - gtk2
   vulnerabilities (Core 2)
   Several vulnerabilities.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4790.html

 9/15/2004 - gdk-pixbuf
   vulnerabilities (Core 2)
   Several vulnerabilities.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4791.html

 9/15/2004 - gtk2
   vulnerabilities (Core 2)
   Several vulnerabilities.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4792.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 9/15/2004 - gallery
   arbitrary command execution
   An attacker could run arbitrary code as the user running PHP.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4759.html

 9/15/2004 - Mozilla, Firefox, Thunderbird, Galeon, Epiphany
   arbitrary command execution
   Security roll-up.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4761.html

 9/10/2004 - samba
   remote printing vulnerability
   After further verifications, it appears that a remote user can only deny service to himself, so this bug does not induce any security issue at all.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4769.html

 9/12/2004 - webmin, usermin
   multiple vulnerabilities
   There is an input validation bug in the webmail feature of Usermin. Additionally, the Webmin and Usermin installation scripts write to /tmp/.webmin without properly checking if it exists first.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4770.html

 9/13/2004 - samba
   denial of service vulnerabilities
   There is a defect in smbd's ASN.1 parsing. Another defect was found in nmbd's processing of mailslot packets, where a bad NetBIOS request could crash the nmbd process.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4771.html

 9/14/2004 - sus
   local root vulnerability
   Leon Juranic found a bug in the logging functionality of SUS that can lead to local privilege escalation. A format string vulnerability exists in the log() function due to an incorrect call to the syslog() function.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4772.html

 9/14/2004 - cdrtools
   local root vulnerability
   Max Vozeler discovered that the cdrecord utility, when set to SUID root, fails to drop root privileges before executing a user-supplied RSH program.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4773.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 9/13/2004 - samba
   multiple vulnerabilities
   Two vulnerabilities were discovered in samba 3.0.x.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4741.html

 9/15/2004 - squid
   denial of service
   A vulnerability in the NTLM helpers in squid 2.5 could allow for malformed NTLMSSP packets to crash squid, resulting in a DoS. The provided packages have been patched to prevent this problem.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4793.html

 9/15/2004 - printer-drivers
   vulnerability
   The foomatic-rip filter, which is part of foomatic-filters package, contains a vulnerability that allows anyone with access to CUPS, local or remote, to execute arbitrary commands on the server.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4794.html

 9/15/2004 - gdk-pixbuf
   image loading vulnerabilities
   A vulnerability was found in the gdk-pixbug bmp loader where a bad BMP image could send the bmp loader into an infinite loop. Chris Evans found a heap-based overflow and a stack-based overflow in the xpm loader of gdk-pixbuf.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4795.html

 9/15/2004 - apache2
   multiple vulnerabilities
   Two Denial of Service conditions were discovered in the input filter of mod_ssl, the module that enables apache to handle HTTPS requests.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4796.html

 9/15/2004 - cups
   denial of service
   Alvaro Martinez Echevarria discovered a vulnerability in the CUPS print server where an empty UDP datagram sent to port 631 would disable browsing.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4797.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 9/15/2004 - mod_ssl
   security flaw
   Updated httpd packages that include a security fix for mod_ssl and various enhancements are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4743.html

 9/15/2004 - openoffice.org
   resolve security issue
   Secunia Research reported an issue with the handling of temporary files. A malicious local user could use this flaw to access the contents of another user's open documents.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4798.html

 9/15/2004 - gdk-pixbuf
   security flaws
   Several vulnerabilities.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4799.html

 9/15/2004 - cups
   security vulnerability
   Alvaro Martinez Echevarria reported a bug in the CUPS Internet Printing Protocol (IPP) implementation in versions of CUPS prior to 1.1.21.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4800.html

 9/15/2004 - httpd
   security issues
   Updated httpd packages that include fixes for security issues are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4801.html

 9/15/2004 - mc
   security vulnerabilities
   An updated mc package that resolves several shell escape security issues is now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4802.html

 9/15/2004 - imlib
   security vulnerability
   An updated imlib package that fixes several heap overflows is now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4803.html

 9/15/2004 - gtk2
   security flaws and bugs
   Updated gtk2 packages that fix several security flaws and bugs are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4804.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

 9/13/2004 - samba
   DoS
   New samba packages are available for Slackware 10.0 and -current. These fix two denial of service vulnerabilities reported by iDEFENSE.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4749.html

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

 9/15/2004 - cups
   remote code execution
   Alvaro Martinez Echevarria has found a remote Denial of Service condition within CUPS which allows remote users to make the cups server unresponsive. Additionally the SUSE Security Team has discovered a flaw in the foomatic-rip print filter which is commonly installed along with cups.
   http://www.linuxsecurity.com/advisories/suse_advisory-4805.html

 9/15/2004 - apache2
   remote denial-of-service
   The Red Hat ASF Security-Team and the Swedish IT Incident Center within the National Post and Telecom Agency (SITIC) have found a bug in apache2 each.
   http://www.linuxsecurity.com/advisories/suse_advisory-4806.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 9/14/2004 - multi
   Multiple bugfixes
   Security roll-up
   http://www.linuxsecurity.com/advisories/trustix_advisory-4754.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Sep 20 05:12:08 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 20 05:33:25 2004
Subject: [ISN] Cybercrime summit urges international cooperation
Message-ID:

http://news.com.com/Cybercrime+summit+urges+international+cooperation/2100-7348_3-5372664.html

By Dan Ilett
Special to CNET News.com
September 18, 2004

European officials met Friday in a high-level push to persuade more countries to sign up to an international effort combating cybercrime.

At a conference in Strasbourg, France, delegates from governments, police forces and businesses around the world are meeting to discuss the ratification of the Council of Europe's Cybercrime Convention.

So far 30 countries have signed the treaty, which aims to align international law on cybercrime, but only eight have actually implemented it in national law. The United Kingdom has signed the convention, but has not yet ratified it. The treaty came into force in July of this year.
Signatories include a number of countries outside of Europe, but the treaty's international nature is proving to be a stumbling block. Some governments are said to be wary of potentially being required to make data on their citizens available to other governments. In 2002, the United States announced it wouldn't adhere to the protocol, which it says would be against its Constitution.

Cybercrime issues discussed at the conference are to include fraud, copyright and child pornography.

There were an estimated 600 million Internet users in 2002, double the number in 1999, according to a Council of Europe report.

"Societies need to be protected against cybercrime," the report said. "But there must be freedom to use and develop information and communication technologies properly, and a guarantee that people can be free to express themselves."

The council noted that organized crime has become well-established in cyberspace, using the Internet for human trafficking and other crimes. Research from the Internet Fraud Complaints Centre showed that criminals caused between 150 billion euros ($182 billion) and 200 billion euros worth of damage in 2003.

On the flip side, international cybercrime law can make things difficult for law-enforcement authorities, the council said. FBI agents who used hacking techniques to find two hackers in Russia were counter-charged with cybercrime offences, the council noted in its report.

Dan Ilett of ZDNet UK reported from London.

From isn at c4i.org Mon Sep 20 05:12:23 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 20 05:33:27 2004
Subject: [ISN] Microsoft Opens Office Source Code to Governments
Message-ID:

http://www.eweek.com/article2/0,1759,1647567,00.asp

By Peter Galli
September 19, 2004

Microsoft Corp. will allow governments around the world that use its software to have controlled access to the source code for its pervasive Microsoft Office 2003 desktop offerings for the first time.
The Redmond, Wash., software maker on Monday in Europe will detail how it is going to give access to the code, an expansion of the existing Government Security Program, or GSP, via a new Government Shared Source License for Office. Jason Matusow, the director of Microsoft's Shared Source Initiative, told eWEEK that this latest license is a "standard Windows source code license. It is what we call a reference grant and allows customers to look at the code and use it for debugging of custom applications. But they may not modify or redistribute it," he said. The license will cover the Office 2003 code for PowerPoint, Word, Outlook, Excel and the shared application code that creates a consistent user experience across the products and similar functionality?features such as draw, search, print and save, he said. (See Microsoft's list of shared-source licensing options here.) Asked if this was a ploy by Microsoft to get governments to upgrade to Office 2003 given that the company was not offering access to the source for earlier versions such as Office XP, Matusow said the software firm was not using the program as a sales tool and there was no revenue associated with it. "You have to walk before you can run. This is a starting point, a place to begin to understand how they are going to work with the source code and the Office products. But we have no further plans at this time to announce anything other than this. The GSP is built on government feedback, so if they come back and want more, depending on what that 'more' is, we're interested in listening to all of that," he said. Microsoft formed the global initiative to provide governments with access to Windows and Windows CE source code in January 2003. This latest move now offers them access to Office 2003 source code as well. 
At the time the program was announced Craig Mundie, Microsoft's chief technology officer, said the program was designed to "address the unique security requirements of governments and international organizations throughout the world. We view governments that utilize our software as trusted partners. The GSP will provide governments with the opportunity to assess the security and integrity of the Microsoft products they deploy. "We are also providing technical documentation, methods for troubleshooting, access to cryptographic tools subject to export controls, and access to Microsoft expert support technicians who can collaborate with governments on how they use this source code access," he said. Matusow told eWEEK the GSP in general and this latest Office source-code offering is in response to feedback from governments to see the Windows and Office source code and is in no way related to the competitive threat posed by the open-source Linux operating system, but others see it as a move by Microsoft to try and stem the interest that governments and agencies in the United States and elsewhere are showing in Linux. Matusow said that there were three areas that governments had interest in working on: document interoperability and interchange; long-term archiving of the documents; and access and security issues. These latest moves will now give governments and international organizations access to Office source code, the opportunity to collaborate with Microsoft experts, and access to any technical information they need for greater data interoperability, interchange, portability, ease of communication and archiving. They will also be able to visit the Redmond campus and talk directly with the office engineers, who would also do on-site visits in their home country, Matusow said. The Government Shared Source License for Office will be available to more than 60 global governments and international organizations currently eligible to participate in the GSP. 
Eligibility is based on many factors, including where Microsoft is doing business and those governments with large IT infrastructures. Some 30 governments and international government agencies, including the United Kingdom, Russia, China, NATO and Australia, have already signed up for the GSP.

Matusow said that while each of the governments had different levels of usage of the Windows source code available under the program so far, "we have had 11 visits to our Redmond campus over the 18 months the program has been in place and we have had 12 on-site visits where we have sent people over to them to do the training. Those governments interested in the program are actively participating," he said.

Last November, Microsoft made a royalty-free license for the Microsoft Office 2003 XML Reference Schemas and accompanying documentation widely available. XML Reference Schemas licensees benefit from more readily available data identification within documents, ease of report generation and document assembly from existing content, and extraction of existing data for automated processing, Matusow said. This, along with adding the Office 2003 source code to the GSP, was "integral to Microsoft's efforts to address data exchange and integration needs of governments throughout the world," he said.

Microsoft's Shared Source Initiative was first reported by eWEEK in March 2001, and the Redmond, Wash., software titan has been expanding it since then. Microsoft also gives its Most Valued Professionals (MVPs) access to the source code for the Windows operating system. It recently expanded that program to allow all the MVPs within the Microsoft platforms community and living within the 27 eligible countries worldwide to access Windows source code at no cost.
The source code provided under that program covers Microsoft Windows 2000, Windows XP, Windows Server 2003 and future versions of Windows operating systems, including all released versions, service packs, betas and subsequent releases.

Asked if Microsoft intended to offer access to the Office source code to its MVPs and partners going forward, Matusow said that while there was no plan to do that at this time, "we are always open to hearing from our MVPs and partners as to what they need and to work with them around this."

Earlier this year, Microsoft also released the source code for its Windows Template Library under the open-source Common Public License and posted it on SourceForge, the open-source code repository. The Windows Template Library is a library for developing Windows applications and user interface components. It also extends the Active Template Library and provides a set of classes for controls, dialogs, frame windows, GDI objects and more. That move followed Microsoft's decision the month before to make available on SourceForge an internally developed product called the Windows Installer XML.

Microsoft has been losing many high-profile customers to Linux--many of them governments and governmental agencies and departments. The governments of Britain, Brazil, Japan, Israel, South Korea, China, South Africa and Russia are also all exploring open-source alternatives to Microsoft, while federal agencies in Germany, France and China are already using or considering open-source desktops, applications and productivity suites.

Microsoft has also admitted it is facing growing pressure from open-source software across every segment of its business: It's a competitive threat that could have significant consequences for its financial future going forward, the software maker said in its latest 10-K filing to the Securities and Exchange Commission earlier this month.
Microsoft also made specific reference to the targeting of foreign governments in the filing, saying that "while we believe our products provide customers with significant advantages in security and productivity, and generally have a lower total cost of ownership than open-source software, the popularization of the noncommercial software model continues to pose a significant challenge to our business model, including recent efforts by proponents of open-source software to convince governments worldwide to mandate the use of open-source software in their purchase and deployment of software products."

But Microsoft has been fighting back and has been actively lobbying governments around the world to shun open-source applications and Linux. In addition, this January Microsoft launched a new advertising campaign called "Get the Facts," which aims to give customers information about the advantages of using its Windows operating system instead of Linux, its open-source competitor.

From isn at c4i.org Mon Sep 20 05:12:34 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 20 05:33:28 2004
Subject: [ISN] Beckham computer arrest made
Message-ID:

http://www.theinquirer.net/?article=18572

By Nick Farrell
20 September 2004

TWO MEN have been arrested after they allegedly tried to flog the contents of the hard drive of footballer David Beckham to a tabloid.

While many would be surprised to know that the Beckhams had a computer, let alone any data on it, it would appear that the hard drive was taken from a security company, Chase Security Management, brought in to protect the celebrity pair.

According to the Current Bun, the firm called in the cops after blackmail attempts were made over the contents of files about the Beckhams on the computer's hard drive. The contents were said to include detailed information on the family's security arrangements at home and abroad as well as the positioning of all the cameras and alarms at their Hertfordshire mansion, in southern England.
The Sun said that one of its reporters was offered a computer allegedly containing the information, which it handed over to the police. It published a few of the details, such as that the Beckhams have had DNA swabs registered with the police.

From isn at c4i.org Mon Sep 20 05:12:48 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 20 05:33:30 2004
Subject: [ISN] Arrest made in Cisco source code theft
Message-ID:

http://www.nwfusion.com/news/2004/0917arresmade.html

By Paul Roberts
IDG News Service
09/17/04

Police in the U.K. have arrested a man in connection with the theft of source code from networking equipment maker Cisco in May, a Scotland Yard spokeswoman confirmed Friday.

The Metropolitan Police Computer Crime Unit searched residences in Manchester, U.K. and Derbyshire, U.K. on Sept. 3, confiscated computer equipment and arrested a 20-year-old man suspected of committing "hacking offenses" under that country's Computer Misuse Act of 1990. While authorities could not discuss the specifics of the case, the arrest was linked to the Cisco source code, according to Julie Prinsep, a Yard spokeswoman.

The suspect has since been released on bail and is scheduled to appear before authorities at a London police station again in November, Prinsep said. Computer equipment seized in the searches is being forensically examined, she said.

Cisco did not immediately respond to requests for comment.

The arrest marks a major breakthrough in the case, which involves the posting of more than 800M bytes of source code from Cisco's Internetwork Operating System (IOS) to a Russian Web site in May. IOS is a proprietary operating system that runs on much of the networking hardware that Cisco makes.

Malicious hackers made off with code for Version 12.3 of IOS after the thief compromised a Sun Microsystems Inc.
server on Cisco's network, then briefly posted a link to the source code files on a file server belonging to the University of Utrecht in the Netherlands, according to Alexander Antipov, a security expert at Positive Technologies, a security consulting company in Moscow.

Antipov said he downloaded more than 15M bytes of the stolen code after an individual using the online name "Franz" briefly posted a link to a 3M-byte compressed version of the files in a private Internet Relay Chat forum in May. The link provided was only available for approximately ten minutes and pointed to a file on an FTP server, ftp://ftp.phys.uu.nl, which belongs to the University of Utrecht in the Netherlands. That server is open to the public for hosting files smaller than 5M bytes, according to the University's Web page.

Antipov subsequently posted some of that code on a Russian security Web site, www.securitylab.ru, to call attention to the reported theft, but denied knowing Franz.

At the time, Cisco said it was working with the FBI to pursue the hackers. The FBI was not able to comment on the arrest Friday.

The arrest in the Cisco theft follows other recent successes in cybercrime cases. In June, the FBI announced arrests in the source code theft for a much-anticipated version of the popular computer game Half-Life from the network of game maker Valve. In May, German police arrested men in connection with creating the Sasser Internet worm and a Trojan horse program called Agobot. On Sept. 9, prosecutors in Verden, Germany, indicted an 18-year-old student in the Sasser worm case.
From isn at c4i.org Tue Sep 21 05:30:33 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 21 05:45:48 2004
Subject: [ISN] 9/11 overhaul likely to include cybersecurity provision
Message-ID:

Forwarded from: William Knowles

http://www.govexec.com/story_page.cfm?articleid=29495

By Greta Wodele
CongressDaily
September 20, 2004

House Republican leaders have included provisions to bolster the Homeland Security Department's cybersecurity responsibilities in legislation addressing recommendations made by the 9/11 Commission, according to sources.

A congressional aide, who reviewed parts of the 9/11 proposal, said it now includes two smaller bills introduced last week by Reps. Mac Thornberry, R-Texas, and Zoe Lofgren, D-Calif., to elevate the department's cybersecurity director and create a technology transfer program.

House Majority Whip Roy Blunt, R-Mo., said last week GOP leaders could have their 9/11 package ready by Tuesday, and House committees could begin marking up the bill next week.

The smaller bills were part of the House Homeland Security Committee's authorization measure, but negotiations stalled this summer and sources said it is unlikely the panel will take up an authorization measure this session. "It did not appear that the authorization measure had legs," said an aide.

Thornberry and Lofgren, the chairman and ranking member on the Homeland Security Cybersecurity, Science, and Research and Development Subcommittee, have fashioned bipartisan support for the bill. The provision would require the department to promote the department's cybersecurity director in the bureaucracy to increase the focus and resources on protection against a cyberattack. Thornberry and Lofgren have said cybersecurity resources within the department are fragmented and a low priority.

Lofgren said the cybersecurity bill has wide support in the technology, education, financial and business sectors.
But Larry Clinton, chief operating officer of the Internet Security Alliance, which represents Visa, Verizon and other corporations, said while the group appreciates the notion of promoting cybersecurity, it believes restructuring the department will disrupt ongoing security efforts. "It's taken a long time to get the current momentum," Clinton said.

The department also opposes the legislation, arguing that cybersecurity should be part of the efforts to protect physical infrastructure such as transportation systems, financial markets and electricity grids. "We just firmly believe [cybersecurity] should remain integrated" within the infrastructure protection wing, said a Homeland Security Department spokeswoman.

On technology, the provision would require the science and technology division to establish a program to transfer and commercialize promising technologies to federal, state and local officials and the private sector. The Senate passed similar legislation late last year.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Tue Sep 21 05:30:14 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 21 05:45:51 2004
Subject: [ISN] Linux Security Week - September 20th 2004
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                                 |
| September 20th, 2004                    Volume 5, Number 37n        |
|                                                                     |
| Editorial Team:  Dave Wreski             dave@linuxsecurity.com     |
|                  Benjamin D. Thomas      ben@linuxsecurity.com      |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Do's and Don'ts of Forensic Computer Investigations," "SysAdmin to SysAdmin: Service monitoring with Nagios," and "Defending Against Cross-Site Scripting Attacks."

----

>> SSL123 - New from Thawte <<

Get SSL123 the new full 128-bit capable digital certificate - issued within minutes for US$159.00. Free reissues and experienced 24/5 multilingual support included for the life of the certificate. Find out more!

http://ad.doubleclick.net/clk;9216032;9649402;i

----

LINUX ADVISORY WATCH:

This week, advisories were released for wv, kde, zlib, webmin, cupsys, samba, gtk2, gallery, samba, sus, cdrtools, squid, apache2, mod_ssl, httpd, mc, imlib, and multi. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, Slackware, SuSE, and Trustix.

http://www.linuxsecurity.com/articles/forums_article-9859.html

AIDE and CHKROOTKIT

Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.

http://www.linuxsecurity.com/feature_stories/feature_story-173.html

----

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Solaris 10 Shines in Early Testing
September 20th, 2004

The increasing prominence of freely licensed Linux has prompted many to view operating systems in general as a commodity. With Solaris 10, Sun Microsystems hopes to demonstrate that a company's choice of operating system does matter and that the level of innovation Sun has built into Solaris 10 can deliver benefits across a company's infrastructure.

http://www.linuxsecurity.com/articles/vendors_products_article-9882.html

* Do's and Don'ts of Forensic Computer Investigations
September 17th, 2004

Opinion: When "something bad" happens, IT staffs can be called upon to search for possible evidence lurking on a user's desktop, notebook or even PDA. David Coursey says decisions made early in an investigation--or even before it begins--can determine its outcome, and possibly the fates of both the investigation's subject and the IT staff doing the investigating. First of two parts.

http://www.linuxsecurity.com/articles/security_sources_article-9868.html

* Security for developers III
September 17th, 2004

This week we continue to explore common mistakes in the context of application security management.

http://www.linuxsecurity.com/articles/documentation_article-9856.html

* SysAdmin to SysAdmin: Service monitoring with Nagios
September 15th, 2004

Nagios calls itself an "open source host, service and network monitoring program". In reality, though, it's more of a monitoring framework, in that it allows an administrator to quickly fold the one-liners they use to gather information right into the configuration. Add to this the numerous plugins available, and you can easily integrate Nagios with monitoring tools you already use, like RRDTool or MRTG.
http://www.linuxsecurity.com/articles/documentation_article-9835.html

* Examining a Public Exploit, Part 2
September 15th, 2004

The first part of this article series set out to create an environment that allowed readers to examine a public exploit as it was sent across the network. The purpose of this exercise is to help the reader understand the complex world of intrusion detection and low-level packet analysis, so that he can better secure his network.

http://www.linuxsecurity.com/articles/hackscracks_article-9832.html

* Safe Databases Are Key to Security
September 14th, 2004

Those of you hung over from patching Windows XP SP2 can't sleep in just yet. More than 40 vulnerabilities have been reported for Oracle's flagship software products. Holes in the Database Server and its Listener element can be exploited even without a valid user account. The Portal and iSQL*Plus components of Oracle Application Server are similarly vulnerable.

http://www.linuxsecurity.com/articles/server_security_article-9803.html

* Make it & Break It: Defending Against Cross-Site Scripting Attacks
September 13th, 2004

Most Web sites process dynamic content. They take user input from HTTP requests, process the request on the server and then give the user new content. The requests are processed using scripted code (JavaScript, VBScript or Perl, for example) and server components (including CGI, JSP, PHP, COM and ASP.Net). When the code runs on the server, it is converted to HTML and sent back to the user's browser.

http://www.linuxsecurity.com/articles/security_sources_article-9792.html

+------------------------+
| Network Security News: |
+------------------------+

* Build It: A Home Linux Server
September 17th, 2004

Many of the machines we show you how to build here at ExtremeTech are of the "burn, baby burn" variety. But often those systems are Ferraris when all you need is a Ford.
A good example of this is a home server whose main duties are to serve up files and a print queue 24/7 with minimal fuss. As your needs get more sophisticated, it should be able to grow with them.

http://www.linuxsecurity.com/articles/documentation_article-9865.html

* When it comes to wireless security, good enough is simply not good
September 17th, 2004

As security threats increase in quantity and complexity, assuring business continuity means that corporations need to aggressively and proactively protect the entire network infrastructure.

http://www.linuxsecurity.com/articles/general_article-9870.html

* Passwords Fail To Defend Enterprises
September 17th, 2004

Passwords, the dominant form of securing enterprise assets, are a failure, a research firm said Thursday.

http://www.linuxsecurity.com/articles/projects_article-9878.html

* Intrusion detection with Tripwire
September 15th, 2004

A little over two years ago I was hacked. Someone broke into a web server I was administrating that had only Apache and OpenSSH running publicly, and all packages were up-to-date. The hacker replaced my ps binary with his own to hide his processes, added a new service that was executed from the binary "/bin/crond"

http://www.linuxsecurity.com/articles/documentation_article-9837.html

* Wardriving: you can look, but don't touch
September 15th, 2004

Wardriving--the practice of driving around with a portable computing device and Wi-Fi antenna, looking for open Wi-Fi networks--is not new. In fact, wardialing, or calling up random phone numbers looking for modem connections, has been going on for at least 20 years. There is, however, a new ethical debate surrounding wardriving, whether it's legal, and whether it serves a larger purpose.
http://www.linuxsecurity.com/articles/hackscracks_article-9838.html

* Net-Security Appliances Are Popping
September 14th, 2004

Enterprise customers last year moved from product trials to in-service deployments of firewall/VPN and secure content management (SCM) security appliances, producing large gains for such vendors as Cisco and Nokia, according to recent analyst reports.

http://www.linuxsecurity.com/articles/vendors_products_article-9811.html

+------------------------+
| General Security News: |
+------------------------+

* Shuttleworth's Linux vision matures
September 20th, 2004

A preview of a new Linux distribution inspired by South African international open source software evangelist, Mark Shuttleworth, is available on the Internet.

http://www.linuxsecurity.com/articles/projects_article-9881.html

* Workers Want Employers to Take Responsibility for Blocking Offensive Spam
September 17th, 2004

Sophos, a world leader in protecting organizations against spam and viruses, conducted a poll of more than 1,000 computer users at small- to medium-sized businesses (SMBs)* regarding the issue of spam.

http://www.linuxsecurity.com/articles/documentation_article-9855.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Sep 21 05:30:45 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 21 05:45:54 2004
Subject: [ISN] German Security Firm Hires Hacker Awaiting Trial
Message-ID:

http://www.techweb.com/wire/security/47900348

By TechWeb News
September 20, 2004

A German security firm has hired the teen accused of writing the Sasser and Netsky worms, a move that sends a dangerous message to hackers, anti-virus firms said Monday.
Firewall provider Securepoint, which is based in a city in northern Germany not far from the hometown of admitted hacker Sven Jaschan, hired the 18-year-old to work on its products because "he has a certain know-how in this field," a company spokesman said in a statement.

The rehabilitation didn't go down well with Sophos, the U.K.-based anti-virus vendor. "It's very important that the security community does not send out a message that writing viruses or worms is cool, or a route into employment," said Graham Cluley, senior technology consultant for Sophos, in a statement.

Although Finnish security company F-Secure was kinder in its take on Jaschan -- "he wasn't that bad," one of the company executives wrote on the firm's blog -- it, too, said the hire was out of line. "We here at F-Secure wouldn't hire him."

There's a good chance Jaschan won't work long for Securepoint. The teen will be tried on charges including computer sabotage that could land him in jail for up to five years.

Coincidentally, a new variation of the Sasser worm, dubbed Sasser.g by Sophos, appeared Monday. Like earlier editions, it exploits Windows PCs not patched against the LSASS vulnerability, and opens them to further attack by planting a backdoor component on compromised machines.

From isn at c4i.org Tue Sep 21 05:31:00 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 21 05:45:57 2004
Subject: [ISN] 'Warez lawyer' had double agenda - claim
Message-ID:

http://www.theregister.co.uk/2004/09/20/german_warez_lawyer/

By Jan Libbenga
20th September 2004

More details have emerged on the arrest of a German lawyer and three businessmen who masterminded an international warez network and grossed .1m. A spokesman for German anti-piracy organisation GVU told Berlin newspaper Tagesspiegel on Friday (17 Sept) that the crackdown may have been the biggest blow ever against internet pirates anywhere in the world.
The main suspect, Bernhard Syndikus, a lawyer, was arrested for criminal breach of copyright, money laundering and membership in a criminal conspiracy. He didn't request a lawyer himself after his custody, a spokesman told press agency DPA. Police last week raided the offices of Gravenreuth & Syndikus, a Munich law firm, of which Syndikus is a partner.

According to German reports almost all the funds of the warez site Ftpwelt.com were channeled through an offshore company, Internet Payment Systems Ltd, registered on the Caribbean island of Tortola in the British Virgin Islands, and ended up in a small eastern German town, Breitungen.

Although hackers discovered the link between Ftpwelt.com and Syndikus, a posting earlier this year already revealed the relationship between the lawyer and several illegal sites, including Ftpwelt.com and what was advertised as Germany's biggest Bittorrent site, Bitfilme.com. A search in Google reveals this site was extremely popular among illegal movie swappers. The domain name Ftpwelt.com was registered by Software Development Consultants Limited on Tortola, which uses the same postbox address as New Internet Businesses Limited, the company behind it that registered Bitfilme.com.

Syndikus is also the director of Global Netcom, a German company that developed diallers for pornographic vendors. German anti-dialler internet forums such as Computerbetrug.de (Computerfraud) and Dialerschutz.de (Dialler protection) have often issued warnings against these dialers, many of which are activated by closing an unwanted "pop-up" window. Not surprisingly, anti-dialler sites urge victims to ignore bills they receive from rogue dialler companies. However, Syndikus argued that refusing to pay these bills is against the law.

Syndikus represents Firstway Medien GmbH, a German firm which released a hobbled version of the open source file sharing program eMule. The hacked eMule was disabled, and could only be activated once you paid for the product.
Worse, the program couldn't be removed from Windows without corrupting the internet connection. Earlier this year, Firstway asked Gravenreuth & Syndikus to issue to Marcus Falck - the owner of the German website eMule.de - a cease and desist letter, demanding that the website give up its domain name. What was considered to be a free name - part of the open source project eMule - had been furtively trademarked by Firstway Medien.

Even more remarkable is the reputation of Syndikus's partner Günther Freiherr von Gravenreuth (real name: Günter Werner Dörr) who, according to his own biography, advised the European Institute for Computer Anti-Virus Research and the German Association for Entertainment Software. von Gravenreuth was behind the much publicised Tanja campaign against software piracy. He tricked mostly adolescent male computer users into sending a list of pirated software to a fictional girl named "Tanja", and subsequently dragged them to court. The teenagers received a cease and desist notice along with a request for payment, in most cases between .1,000 and .5,000.

From isn at c4i.org Tue Sep 21 05:31:13 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 21 05:46:00 2004
Subject: [ISN] Gartner analysts point out the security you don't need
Message-ID:

http://www.nwfusion.com/news/2004/0920gartsec.html

By Laura Rohde
IDG News Service
09/20/04

LONDON - The plethora of security technologies on the market is enough to overwhelm even the most knowledgeable IT managers, but in sorting through all of the options, it may be helpful to look at what is not needed, according to Gartner research detailed Monday in London at its IT Security Summit conference.
The list of security items a company probably doesn't need within the next five years includes personal digital signatures, quantum key exchanges, passive intrusion detection, biometrics, tempest shielding (to protect some devices from emanating decipherable data), default passwords, or enterprise digital rights management outside of workgroups, according to Victor Wheatman, vice president and research area director at Gartner, based in Stamford, Conn. "You have to be aware of what the over-hyped technologies are. You don't need personal digital signatures, because in most cases, an electronic signature will be enough and in terms of biometrics, you won't need that unless your company is using airplane pilots or has high-level executives that won't or can't remember passwords," Wheatman said. Wheatman also singled out "500-page security policies" and security awareness posters as things an IT manager would be better off not spending company resources on. "You do need security policies, but not ones so large that no one reads them. It is also important to have a business continuity plan. We got a lot of calls when the hurricanes came through Florida, but for the most part, that was a little too late." IT managers need to be much more proactive about implementing systems that work correctly in the first place, rather than spending the time and money on fixing problems after the fact, Wheatman said. Software need not have flaws, Wheatman stressed, and IT managers need to challenge their vendors to make safer software, otherwise the security costs within the industry will simply continue to grow. "We've been in the biggest beta test in history and this test is still going on: It's called Windows," Wheatman said. "Longhorn will fix some of the problems (within Windows), but it isn't a full solution and flaws will remain. Our studies have found that it is three to five times more expensive to remove software defects after the fact. Why not get it right to begin with?" 
A company should demand proof that a software product it buys is safe and make sure that the vendor has reviewed the code of the software with security in mind, he said.

By 2006, Gartner is projecting that when it comes to software and hardware, a company will be spending 4% to 5% of its IT budget on security. That number could jump as high as 6% to 9% when staff and outsourcing services are factored in. But the IT departments that spend most efficiently on security, even if the expenditure is between 3% and 4% of the IT budget, could actually be the most secure, Wheatman said.

Martin Smith, the managing director for the security consultancy The Security Company (International) Ltd., said in a separate speech that Wheatman may have been too quick to dismiss some basic items such as security awareness posters and security policies, because users need a clear framework that some of those items can provide. But he did agree with Wheatman that IT managers need to establish a roadmap for keeping IT systems secure.

"In IT security, do the stuff that's quick and easy: passwords, training and awareness in the areas that matter. The basic half-dozen technologies you need are there," Smith said.

Perhaps most importantly, an IT manager needs to demonstrate to the executives within the company how to take better advantage of the systems it already has through the use of security. "We have an appalling absence of basic management metrics for our trade. If you can measure a problem accurately, you have the Holy Grail," Smith said. "But what you also must have is a champion at the board level. Without senior-level support, nothing will ever happen and you are doomed."

E.M.F. Coyer, infrastructure consultant with the Dutch company Wegener ICT Kranten, welcomed the advice from both Wheatman and Smith.
Coyer said that she spends much of her time trying to sort through the variety of software security options as efficiently as she can, and that one of the primary reasons for attending the Gartner event was to keep up to date on security trends. But another priority was to learn how to speak to the executives within her company in a language that they can understand.

"It is important to hear the technical stuff, to know what the trends are, but what I find most useful is the message, and how to deliver that message in a way my bosses and the other non-technical people within the company can understand and can support," Coyer said.

From isn at c4i.org Tue Sep 21 05:31:25 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 21 05:46:04 2004
Subject: [ISN] Internet security in RP remains dismal, says Filipino hacker
Message-ID:

http://news.inq7.net/infotech/index.php?index=1&story_id=12273

By Erwin Lemuel Oliva
INQ7.net
Sept 20, 2004

"The state of Philippine Internet security sucks," said a Filipino whitehat hacker known as PI_Flashbulb during an e-mail interview with INQ7.net.

This hacker, who maintains a weblog under the same pseudonym, claims to have discovered numerous government and private sector websites that were insecure.

"I am doing this just for fun. I could deface sites easily but it never ever occurred to me to do it. Black hats immediately deface sites that they found to be vulnerable. I have decided to go further than that. Instead of defacing sites, I inform the site owners about the vulnerability, an action no black hat would dare to do," the hacker replied when asked about his intentions and motivations.

He said that he was not alone in his effort to increase Internet security awareness in the country. He said he is currently gathering other hacker friends to "map the Philippine websites for vulnerability."

"There are about five people who are helping me map the Philippine websites for vulnerability.
Our number will increase in the coming days as there are more e-mails whose senders are volunteering to help me make the Philippine cyberspace more secure," the hacker said. The Filipino hacker claimed he drew the ire of local website administrators after informing them of their website's vulnerabilities. "The country has the best Internet administrators. But what hinders them from doing their jobs are their superiors who do not know anything about security; political appointees who cannot do anything but wait for their fat checks. Good thing there are local Internet service providers that are willing to teach Internet security for free," the Filipino hacker added. According to PI_Flashbulb, most of the Philippine websites he found hackable were not using a good patch management system. But other websites were vulnerable because of plain carelessness on the part of the web designers. "Imagine writing the login and password in the source of the HTML file," he said. From isn at c4i.org Wed Sep 22 06:52:33 2004 From: isn at c4i.org (InfoSec News) Date: Wed Sep 22 07:18:58 2004 Subject: [ISN] Academics get NSF grant for Net security centers Message-ID: http://news.com.com/National+science+group+creates+Net+security+centers/2100-7348_3-5376474.html By Robert Lemos Staff Writer, CNET News.com September 21, 2004 The National Science Foundation announced Tuesday that it has granted more than $12 million to academic researchers for the creation of two centers to investigate infectious code and study the Internet's ecology. The funds set aside for the centers are part of the NSF's Cyber Trust program, through which the foundation has granted a total of $30 million to 33 projects focused on researching ways to provide better information security. The Center for Internet Epidemiology and Defenses, or the CIED, will work to understand how digital diseases such as worms and viruses spread across the Internet, and how epidemics can be defeated. 
The Security Through Interaction Modeling, STIM, Center will draw parallels with nature's ecology to understand the complex interaction between machines, humans and cyberattacks. "These centers, as well as our other funded activities, are looking not only for new ways to cope with imperfections in today's systems but also for the knowledge and techniques to build better systems in the future," Carl Landwehr, the NSF's program director for Cyber Trust, said in a statement. The Cyber Trust Centers are the latest government-funded efforts to conduct broad studies of the Internet and network security. Last December, the NSF granted $750,000 to two universities to study the problems that could arise from overreliance on a single technology or protocol. The issue, known as a technology monoculture, came to prominence last year, when seven security researchers wrote a paper warning that Microsoft's dominance could have security repercussions. Two other universities received $5.46 million last year to fund networked research centers that would create a distributed model of the Internet and study how attacks affect its operation. The CIED, led by Stefan Savage of the University of California at San Diego and Vern Paxson, a fellow principal investigator at the International Computer Science Institute of the University of California at Berkeley, will receive $6.2 million from the NSF. The center will study ways to quickly analyze self-propagating programs and to develop techniques for stopping outbreaks before they spread worldwide. "It is easy to build a defense against one particular virus or worm; that is what we do now," Paxson said in a statement. "But to stop whole classes of these pathogens requires far more insight into what it means to be an epidemic and how infectious behavior stands apart from legitimate use." The STIM Center, led by Mike Reiter of Carnegie Mellon University, will receive almost $6.4 million in funding from the NSF. 
The center will classify "healthy" network interactions to determine how to distinguish attacks and will study the interplay between different "species" of applications, such as e-mail and peer-to-peer networks. The Cyber Trust program is unrelated to the merger of TrueSecure and Betrusted, which will form a company that the two participants plan to call CyberTrust. From isn at c4i.org Wed Sep 22 06:51:48 2004 From: isn at c4i.org (InfoSec News) Date: Wed Sep 22 07:19:00 2004 Subject: [ISN] When outsourcing, don't forget security, experts say Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,96074,00.html By Scarlet Pruitt SEPTEMBER 21, 2004 IDG NEWS SERVICE When it comes to outsourcing IT operations to countries such as India and China, companies often focus on slashing costs and gaining productivity but fail to take into account cultural differences that may affect their security, according to experts attending the Gartner IT Security Summit in London today. "India is seen as an answer when outsourcing applications but is actually a problem in the security space," said Gartner India research vice president Partha Iyengar while moderating a panel on offshoring security. At issue is not so much the security that outsourcing service providers use to protect companies' systems -- such as firewalls and data backup -- as it is the cultural differences, Iyengar said. For instance, standards of privacy are often looser in India because it's a close-knit society where, say, reading someone else's e-mail wouldn't be considered much of an intrusion, Iyengar said. This more relaxed attitude toward privacy could have serious consequences when it comes to protecting corporate data, experts on the panel warned. Companies that outsource operations overseas are advised to train local staff to adhere to the company's global privacy standards and to check into the risk of government interception of sensitive confidential information. 
"Fifty percent of companies understand that there are security issues with offshoring, but the real issues are cultural and in compliance and regulation," said Lawrence Lerner, senior technical architect of the Advanced Solutions Group at Cognizant Technology Solutions Corp. Lerner said his company advises its clients to document their processes when outsourcing and get all parties involved to sign off on procedures to ensure transparency. He also suggests performing background checks on local staff. As a result of high demand by Western companies looking to reduce costs, some outsourcing service providers in India and China are growing rapidly, hiring thousands of new employees in a month. "When you are hiring 5,000 people at a time, you need to make sure that they all adhere to the same standards," Lerner said. R.K. Raghavan, consulting adviser on security at Tata Consultancy Services Ltd., one of India's largest IT services companies, said his firm is feeling the effects of these client demands. "We are bending over backward on security, primarily to cater to our U.S. customers, which are a huge part of our market," Raghavan said. Tata has recently changed the way in which it performs background checks on potential employees amid volume hiring and increased customer demands. Previously, the company required two references from each applicant as a security measure but did not ensure that the applicant had no criminal record. Furthermore, the company found that fingerprinting is considered offensive in the Indian culture, Raghavan said. Finally, Tata decided to outsource security checks to the local police by requiring that applicants have an Indian passport, which can be acquired only by passing rigorous security checks by law enforcement officials, Raghavan said. In addition to shoring up its own security checks, Tata has worked to increase security awareness among staff through training, according to Raghavan. 
"Employees need to think about security all the time to be competitive," he said. As it turns out, so do the outsourcing providers. "We understand that India is still seen as a mythical place to many people, and we need to assure them that we can provide the same kind of security as they are used to," Raghavan said. But even with the added assurances being given by outsourcing providers, the differences between doing business at home and doing it abroad can't be minimized, said Nigel Balchin, chief architect at Short Hills, N.J.-based The Dun & Bradstreet Corp. "We are all a little naive going in," Balchin said. One way of ensuring that security and regulatory compliance concerns are met is by putting the onus on the outsourcing provider and writing it into the contract, he said. "It pays dividends to have the provider responsible for these issues," Balchin said. "For us, it's a distraction from our core business." Cognizant's Lerner advises clients to take a more hands-on approach, however. "You must physically go and check any outsource center you have," Lerner said. "Do it regularly, and consider these centers as part of your own company." From isn at c4i.org Wed Sep 22 06:52:01 2004 From: isn at c4i.org (InfoSec News) Date: Wed Sep 22 07:19:01 2004 Subject: [ISN] Windows is the 'biggest beta test in history' - Gartner Message-ID: http://www.theregister.co.uk/2004/09/21/gartner_security_summit/ By John Leyden 21st September 2004 Spending more on security doesn't necessarily make you more secure, Gartner warned yesterday. The analyst firm forecasts that information security spending will drop from an average six-to-nine per cent of IT budgets to between four and five per cent as organisations improve security management and efficiency. Victor Wheatman, Gartner security veep, told delegates at the IT Security Summit in London that the most secure organisations spend less than the average and that the lowest spending organisations are the most secure. 
The businesses can safely reduce the share of security in their overall IT budget to three or four per cent by 2006, he said. The idea that the most secure organisations spend the most on security was among a number of myths debunked by Wheatman during a keynote before approximately 700 delegates at the Gartner IT Security Summit yesterday. He also attacked the popular misconception that "software has to have flaws". Wheatman said this is true only if enterprises continue to buy flawed software, and he singled Microsoft out for particular criticism. He described Windows as "the biggest beta test in history" and warned IT security pros not to expect too much from Microsoft's vaunted Trustworthy Computing initiative. "Microsoft will try, and there'll be improvement with Longhorn, but it will not solve all your security problems - no matter what the richest man in the world says," he said. According to Gartner, better quality assurance of software is needed before it goes into production. If 50 per cent of vulnerabilities are removed prior to software being put in production then incident response costs would be reduced by 75 per cent, it estimates. Gartner has identified IT security technologies enterprises will need over the next five years - and other technologies most companies probably won't need. On the enterprise shopping list is host-based intrusion prevention, identity management, 802.1X authentication and gateway spam and AV scanning. Security technologies Gartner reckons most companies can safely do without include personal digital signatures, biometrics, enterprise digital rights management and 500-page security policies. From isn at c4i.org Wed Sep 22 06:52:19 2004 From: isn at c4i.org (InfoSec News) Date: Wed Sep 22 07:19:03 2004 Subject: [ISN] Activists Find More E-Vote Flaws Message-ID: http://www.wired.com/news/evote/0,2645,65031,00.html By Kim Zetter Sep. 
21, 2004 Voting activist Bev Harris and a computer scientist say they found more vulnerabilities in an electronic voting system made by Diebold Election Systems, weaknesses that could allow someone to alter votes in the election this November. Diebold said Harris' claims are without merit and that if anyone did manage to change votes, a series of checks and balances that election officials perform at the end of an election would detect the changes. Harris demonstrated the vulnerabilities to officials in the California secretary of state's office several weeks ago and will be showing them to federal legislative staff and journalists Wednesday in Washington, D.C. Harris and another activist have filed a lawsuit against Diebold in California, which the state has joined, maintaining that Diebold engaged in aggressive marketing to sell millions of dollars worth of equipment that it knew was insecure. Harris and the activist stand to make millions from the suit if they and the state win their case. The vulnerabilities involve the Global Election Management System, or GEMS, software that runs on a county's server and tallies votes after they come in from Diebold touch-screen and optical-scan machines in polling places. The GEMS program generates reports of preliminary and final election results that the media and states use to call the winners. David Jefferson, a computer scientist at Lawrence Livermore National Laboratory and a member of the California secretary of state's voting systems panel, agreed with Diebold that election procedures could help prevent or detect changes in votes, but said that election officials and poll workers do not always follow procedures. Therefore, election observers need to know about the vulnerabilities so they can help reduce the risk that someone could use them to rig an election. 
Jefferson added that he doesn't believe that the vulnerabilities show deliberate malice on Diebold's part to aid fraud, as Harris has sometimes contended in public statements. But the vulnerabilities do show incompetence and indicate that Diebold programmers simply don't know how to design a secure system. Harris said the problem lies in the fact that GEMS creates two tables of data that don't always match. One table consists of rows showing votes for each candidate that were recorded on voting machine memory cards at each precinct. The other table consists of summaries of that precinct data. Officials use the raw precinct data to spot-check accuracy. For example, if all of the machines at a precinct record a total of 620 votes for Arnold Schwarzenegger, then the data in GEMS should show 620 votes for Schwarzenegger for that precinct. The official results that go to the state are based on the vote summaries produced by GEMS. When election officials run a report on GEMS on election night, it creates the vote summaries from the raw precinct data. Then as absentee and provisional ballots get counted after Election Day and added into GEMS, the raw data numbers increase, while the vote summaries remain the same until the next time officials run a summary report and it regenerates totals from the raw precinct data. Harris said it's possible to alter the vote summaries while leaving the raw data alone. In doing so, the election results that go to state officials would be manipulated, while the canvass spot check performed on the raw data would show that the GEMS results were accurate. Officials would only know that the summary votes didn't match precinct results if they went back and manually counted results from each individual polling place and compared them to the vote summaries in GEMS. Diebold said because the two sets of data are coupled in GEMS it would be impossible for someone to change the summaries without changing the precinct data that feeds the summaries. 
And if they did, the system would flag the change. But Harris said it's possible to change the voting summaries without using GEMS by writing a script in Visual Basic -- a simple, common programming language for Windows-based machines -- that tricks the system into thinking the votes haven't been changed. GEMS runs on the Windows operating system. The trick was uncovered by Herbert Thompson, director of security technology at Security Innovation and a teacher of computer security at the Florida Institute of Technology. Thompson has authored several nonfiction books on computer security and co-authored a new novel about hacking electronic voting systems called The Mezonic Agenda: Hacking the Presidency. After Harris met Thompson at the Defcon hacker conference this year, she asked him to examine the GEMS program. He found he could write a five-line script in the Notepad text editor that would change the vote summaries in GEMS without changing the raw precinct data. The auditing log in GEMS wouldn't record the change because it only tracks changes that occur within GEMS, not changes that occur on the computer outside of GEMS. After writing the script, Thompson saved it as a Visual Basic file (.vbs) and double-clicked it to execute it. The command happens in the background where no one can see it. To verify that the changes occurred, Thompson could write another script to display the vote data in a message box after the change. Once the scripts finished their work, they would go into the Recycle Bin, where Thompson could delete them. When Harris demonstrated the vulnerability to officials in California, she opened the GEMS program to show that the votes changed as the script commanded them to. "You have to know in advance what you want to change," Thompson said, "but it's pretty easy to write a script to find the data that you want to change. 
If you want Stan Smith to have more votes than he currently has, you write a line of your script that says select everything in the table where candidate equals Stan Smith, and increment the votes. Then you delete the votes from another candidate by the same amount." Thompson acknowledged that the hack would take an insider with knowledge of the voting system and election procedures and access to GEMS. But this could include technical people working for a county or Diebold employees who sometimes assist technically challenged election officials on election night. It's unlikely that unsavvy election officials or observers would notice or understand the significance of someone writing five lines of code in Notepad. Thompson was pretty stunned to find that some of the same vulnerabilities that appear in the Diebold system appear in the fictional voting system he and his co-author created in their recent novel. "When we wrote the book, we thought the election system it described was a bit far-fetched," Thompson said. "We thought it's impossible that any real voting system would have these problems. Then we saw the GEMS software, and it had four of the vulnerabilities that we wrote about in the book." Thompson said Diebold could easily have designed the system to use cryptographic hashes to detect if vote summaries changed when they weren't supposed to change. But he said the company probably never imagined a scenario in which someone would change the vote data through Windows, bypassing the audit logs. There is one way in which changing vote totals in GEMS might not work. If someone changed the summary totals before all precinct votes came in, the altered summary votes would be written over with the new precinct data once election officials ran another summary report. 
But Harris said that "a hidden program for vote manipulation" exists in GEMS that could allow "any teenager or terrorist with a laptop" or "anyone with an agenda or a profit motive" to trick the system into thinking the votes haven't changed by using what Harris calls a "two-digit code" or trigger in GEMS. Thompson said the "hidden program" is more of a feature in GEMS that is put there for a good reason, but is easily abused. GEMS has a method for flagging whether vote data is old or up-to-date by marking it with a 0 or a -1. Thompson said it's likely that when election officials run a new summary report, the 0 and -1 tell the program which data is old and which is new or updated. But someone could trick the system into thinking that old data is updated data by switching the numbers. Harris was able to do this easily in demonstrations. When asked to comment on this, Diebold sent Wired News an excerpt from a seven-page rebuttal that it distributed to election officials to counter Harris' claims. The excerpt said that the flagging feature is "typically used (for example) to reset any test results that were uploaded as part of any pre-election testing." No further explanation of this feature was forthcoming. But speaking generally on the vulnerabilities Harris mentions, Diebold spokesman David Bear said by phone that no one would risk manipulating votes in an election because it's against the law and carries a heavy penalty. He also said that election "policies and procedures dictate that no (single) person has access or is in control of a (voting) system," so it would be impossible for anyone to change votes on a machine without others noticing it. And even if someone managed to change the votes, auditing procedures would detect it. 
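As an added illustration, not Diebold's code and not a description of how GEMS actually stores its tables, the following Python models the two-table design described above together with the cryptographic seal Thompson suggests: the summary is derived from raw precinct rows, sealed with an HMAC when the application writes it, and a verifier can then tell a summary that is merely stale (raw rows grew after the last report, the honest case) apart from one that was changed by something other than the application. Candidate names, vote counts, the absentee row and the key are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed sample data: one row per (precinct, candidate), standing in for
# the rows uploaded from each voting machine memory card.
RAW_PRECINCT_ROWS = [
    {"precinct": "P-01", "candidate": "Schwarzenegger", "votes": 620},
    {"precinct": "P-01", "candidate": "Smith", "votes": 410},
    {"precinct": "P-02", "candidate": "Schwarzenegger", "votes": 300},
    {"precinct": "P-02", "candidate": "Smith", "votes": 355},
]
# Constructed absentee row that arrives after the election-night report.
ABSENTEE_ROW = {"precinct": "ABS", "candidate": "Smith", "votes": 12}

# Hypothetical key held only by the tally application.  If the same OS account
# that can edit the stored summary can also read this key, an editor can simply
# re-seal, so in a real deployment the key belongs in a separate trust domain.
SEAL_KEY = b"constructed-demo-key-do-not-use"


def regenerate_summary(raw_rows):
    """Rebuild per-candidate totals from the raw precinct rows.

    The summary is a derived view; the raw rows are the ground truth, which is
    what a summary report does when officials run it.
    """
    totals = {}
    for row in raw_rows:
        totals[row["candidate"]] = totals.get(row["candidate"], 0) + row["votes"]
    return totals


def canonical(summary):
    """Deterministic byte encoding so the seal does not depend on key order."""
    return json.dumps(summary, sort_keys=True, separators=(",", ":")).encode()


def seal_summary(summary, key=SEAL_KEY):
    """Attach an HMAC-SHA256 tag at the moment the application writes the summary."""
    tag = hmac.new(key, canonical(summary), hashlib.sha256).hexdigest()
    return {"totals": dict(summary), "seal": tag}


def verify_summary(sealed, raw_rows, key=SEAL_KEY):
    """Classify a stored summary record.

    Returns one of:
      "tampered" - the seal does not match the stored totals, so something other
                   than the application changed them, whatever the raw rows say
      "stale"    - seal valid, but the raw rows have moved on (e.g. absentee
                   ballots added after the last report); honest, just needs a
                   fresh report run
      "current"  - seal valid and totals equal a fresh regeneration
    """
    expected = hmac.new(key, canonical(sealed["totals"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["seal"]):
        return "tampered"
    if regenerate_summary(raw_rows) != sealed["totals"]:
        return "stale"
    return "current"


def demo():
    """Walk the three states the article describes; returns their labels."""
    sealed = seal_summary(regenerate_summary(RAW_PRECINCT_ROWS))
    current = verify_summary(sealed, RAW_PRECINCT_ROWS)

    # Absentee ballots uploaded after the report: raw grows, summary unchanged.
    stale = verify_summary(sealed, RAW_PRECINCT_ROWS + [ABSENTEE_ROW])

    # Stored summary edited without going through the application: the raw
    # rows are untouched and the old seal is still attached, so a plain
    # raw-data spot check would not notice, but the seal check does.
    edited = {"totals": dict(sealed["totals"]), "seal": sealed["seal"]}
    edited["totals"]["Smith"] += 100
    edited["totals"]["Schwarzenegger"] -= 100
    tampered = verify_summary(edited, RAW_PRECINCT_ROWS)

    return current, stale, tampered


if __name__ == "__main__":
    for label in demo():
        print(label)
```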
Diebold spokesman Mark Radke said that after an election, counties are supposed to go back to the memory cards taken from voting machines and manually add vote totals stored on the cards as well as vote totals on a paper printout that poll workers take from each machine at the close of the polls. Officials compare these totals to the GEMS summary totals and if there is a discrepancy, Radke said, the totals from the memory cards take precedence over the GEMS totals. Jefferson, the Lawrence Livermore computer scientist, agreed that election procedures usually indicate that there should not be one person operating the counting software. He also agreed with Bear that officials could catch discrepancies in vote totals if they went back and manually added up the results from every individual polling place and compared the totals with the tallies in the summary report. But Jefferson said that election officials and poll workers don't always follow procedures. In the California March primary, he pointed out, several counties refused to follow procedures that were requested by the secretary of state's office and others failed to follow procedures that are mandated under California election law. Rather than creating a system that relies on the "perfect execution of (poll worker) procedures," Jefferson said, Diebold should have designed the system to better prevent fraud. "You don't want to make up for poor design by adding more burden to beleaguered poll workers and election officials who don't understand the reasons for all of the rules that they have to obey and (are therefore) likely to cut corners," Jefferson said. As for why Diebold would have designed such a poor system, Jefferson thinks the company simply didn't know how to do it any better. "There are a lot of reasons why you might want parallel tables of vote totals," Jefferson said. "But there are better designs that avoid (these vulnerabilities) entirely. 
If you are not a world-class designer, if you're making it up as you go along and not deeply educated in data management, this is the kind of design you might come up with. "I think the designers of the Diebold system never seriously understood what it would take to prevent vote manipulation by insiders," Jefferson said. "I consider that to be inexcusable." From isn at c4i.org Thu Sep 23 03:15:55 2004 From: isn at c4i.org (InfoSec News) Date: Thu Sep 23 03:53:43 2004 Subject: [ISN] Bill would narrow intruder surveillance Message-ID: http://www.securityfocus.com/news/9565 By Kevin Poulsen SecurityFocus Sept 22, 2004 A proposal in the U.S. Senate would scale back a federal surveillance law that permits law enforcement agencies to electronically monitor a computer trespasser without a warrant with the consent of the victim. Under a provision of the 2001 USA Patriot Act intended to give system owners the ability to work with officials to combat intruders, the FBI and other agencies can surveil the communications of an electronic trespasser to, from or through a computer, provided the "owner or operator of the protected computer authorizes the interception." But in addition to intruders, the provision - called Section 217 -- leaves legitimate users of public computers at libraries, Internet cafes, business lounges and hotels vulnerable to warrantless surveillance, based only on a suspicion that the user is engaged in some kind of unauthorized activity, argues senator Russ Feingold, who introduced the Computer Trespass Clarification Act earlier this month. "The computer owner authorizes the surveillance, and the FBI carries it out," said Feingold, in introducing the bill. "There is no warrant, no court proceeding, no opportunity even for the subject of the surveillance to challenge the assertion of the computer owner that some unauthorized use of the computer has occurred." 
Section 217 protects users who have a contract with the computer's owner granting them access; Feingold's bill would expand that protection to users who have any authorized access to the computer, even without a contract. The proposal would also narrow the range of cases qualifying for warrantless law enforcement surveillance to those in which the computer's owner or operator "is attempting to respond to communications activity that threatens the integrity or operation of such computer and requests assistance to protect rights and property of the owner or operator." Additionally, it would permit officials to conduct the surveillance for only 96 hours before they'd have to go to court and get a warrant, and it would require the Justice Department to report annually to Congress on its use of the provision. "I strongly supported the goal of giving computer system owners the ability to call in law enforcement to help defend themselves against hacking," said Feingold. "Unfortunately, the drafters of the provision made it much broader than necessary." Enacted in response to the September 11, 2001 terrorist attacks, the 132-page USA Patriot Act passed in the Senate 98 to 1, with Feingold casting the only dissenting vote. It passed in the House 356 to 66. Section 217 is among the provisions set to expire, or "sunset," in December, 2005, unless it's renewed by Congress. In a July report arguing the importance of USA Patriot, attorney general John Ashcroft wrote that Section 217 merely "places cyber-intruders on the same footing as physical intruders." "Hacking victims can seek law-enforcement assistance to combat hackers just as burglary victims can invite police officers into their homes to catch burglars," wrote Ashcroft. 
From isn at c4i.org Thu Sep 23 03:14:58 2004 From: isn at c4i.org (InfoSec News) Date: Thu Sep 23 03:53:45 2004 Subject: [ISN] Update: Credit card firm hit by DDoS attack Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,96099,00.html By Jaikumar Vijayan SEPTEMBER 22, 2004 COMPUTERWORLD Credit card processing firm Authorize.Net has been the target of an "intermittent" and "large scale" distributed denial-of-service attack since last Wednesday that has resulted in "periodic disruptions" of service for some customers. Bellevue, Wash.-based Authorize.Net is owned by Burlington, Mass.-based Lightbridge Inc. and provides payment processing services for more than 91,000 small to medium-size e-commerce firms. David Schwartz, the company's marketing director, said Authorize.Net has been the subject of a massive DDoS attack that targeted the company's payment gateway service and resulted in periods of "brief disruptions" for customers. The company received an extortion note a few days before the attacks began asking for a "substantial amount of money," Schwartz said. He did not elaborate on how the money was to have been delivered or whether the note came from someone inside the U.S. "It was something that was sent to our general mailbox," Schwartz said. Law enforcement authorities, including the FBI, are now investigating, he said. This is not the first time Authorize.Net has been the subject of such attacks, Schwartz said. "We have been attacked in the past, but not on this scale and with such tenacity," he said. The attack has resulted in an extremely high number of calls to the company's customer support center, the company said in a statement on its Web site. The attack is the latest example of a growing trend, said Tom Corn, a vice president at Mazu Network Inc., a Cambridge, Mass.-based vendor of DoS-mitigation technologies. "We are seeing a big escalation of attacks involving extortion" targeted at e-commerce companies, Corn said. 
Such attacks have typically tended to increase during busy periods such as the upcoming holiday season or around major events such as the Super Bowl, he said. From isn at c4i.org Thu Sep 23 03:15:15 2004 From: isn at c4i.org (InfoSec News) Date: Thu Sep 23 03:53:46 2004 Subject: [ISN] SpamAssassin sports new open-source license Message-ID: http://news.com.com/SpamAssassin+sports+new+open-source+license/2100-7344_3-5378375.html By Stephen Shankland Staff Writer, CNET News.com September 22, 2004 Programmers on Wednesday released the new version 3.0 of SpamAssassin, open-source software for filtering out unwanted e-mail, but the changes are as much legal as technological. Project leaders for the widely used software chose to enter the fold of the Apache Software Foundation to take advantage of the nonprofit group's legal and technical resources. To make the move, SpamAssassin had to adopt the Apache License. Previously, the software was available under a choice of two licenses: the General Public License (GPL) that governs Linux and many other open-source programs and the Perl Artistic License. Open-source software advocates tout the fact that their programming philosophy permits large numbers of people to contribute to a project. But making the license change illustrated a difficulty of that broad collaboration: Project leaders had to secure the permission from all programmers who had contributed to SpamAssassin. "It was fairly difficult and took us about four months to do the brunt of the work," Dan Quinlan, one of the lead programmers, said via e-mail. "We had to contact about 100 contributors, get their explicit permission to relicense the code, and in some cases where we could not contact a contributor, we had to remove their code and reimplement it." The work was worth it, though, he said. The previous dual-license situation was confusing for handling software contributions, and the Apache License has "some nice and very reasonable properties," Quinlan said. 
"For example, if someone contributes code that is itself encumbered by their own patent, they can't later sue us over it." Apache is the most widely used software for hosting Web sites, with 68 percent market share, according to monitoring firm NetCraft. The Apache Software Foundation is broader, though, governing several projects including software to process XML messages and run Java programs. The Apache Software Foundation owns the SpamAssassin source code copyright, Quinlan said. Technical changes, too Version 3.0 of SpamAssassin includes technical changes as well. One major feature is support for Sender Policy Framework (SPF), a mechanism to accurately trace e-mail origins to help identify possible spam. Apache has rejected a broader proposal called Sender ID that incorporates SPF and a comparable Microsoft technology called Caller ID for E-mail. Apache objected to Microsoft's licensing terms. The new SpamAssassin also has a more modular design intended to let others add new features more easily. "It makes it really easy to integrate new antispam techniques and other features into SpamAssassin," Quinlan said. "We hope this will result in the much wider proliferation of third-party add-ons, and we expect the best of those to be contributed and added to future SpamAssassin releases." SpamAssassin is used in McAfee's SpamKiller software. From isn at c4i.org Thu Sep 23 03:15:34 2004 From: isn at c4i.org (InfoSec News) Date: Thu Sep 23 03:53:48 2004 Subject: [ISN] U.S. Cybersecurity Office May Relocate Message-ID: Forwarded from: William Knowles http://www.washingtonpost.com/wp-dyn/articles/A43001-2004Sep22.html By TED BRIDIS The Associated Press September 22, 2004 WASHINGTON - The House will propose moving cybersecurity offices from the Department of Homeland Security to the White House as part of the intelligence reorganization, according to draft legislation obtained Wednesday by The Associated Press. 
The bill, expected to be introduced Thursday, would place cybersecurity into the White House budget office. The change reflects frustration among some Republican lawmakers about what they view as a lack of attention paid to cybersecurity by the Department of Homeland Security (DHS). Some technology companies also have expressed similar concerns, but industry lobbyists reacted cautiously Wednesday to the proposal. "DHS deserves the opportunity to demonstrate its effectiveness before taking this step," said Tom Galvin, a vice president at Verisign Inc., an information security firm. But he said he understood the frustration among some in the industry and in Congress. The Department of Homeland Security considers equally important the protection of the nation's physical structures, such as bridges and buildings, and computer networks, which regulate the flow of electricity, phone calls, finances and other information. Many leading technology companies have urged the Bush administration to pay greater attention to cybersecurity, arguing that a shutdown of vital networks could lead to sustained power outages and other serious disruptions. "The fact that this is even being discussed reveals an incredible level of unhappiness and frustration over how DHS has handled cybersecurity," said Roger Cressey, a former White House cybersecurity adviser. The government's cybersecurity chief, Amit Yoran, works at least three steps beneath Homeland Security Secretary Tom Ridge. Yoran, who is well regarded by the technology industry, effectively replaced a position in the White House National Security Council once held by Richard Clarke, a special adviser to President Bush. The new proposal would create a new Office of Critical Infrastructure Information Protection at the Office of Management and Budget. 
Its new administrator would be responsible for analyzing electronic threats from hackers and terrorists against vital networks, issuing warnings about attacks, reducing weaknesses and coordinating with private companies and organizations. Those are currently responsibilities of the National Cyber Security Division, run by Yoran inside the Infrastructure Assurance and Information Protection directorate at Homeland Security. The White House budget office already has ties to cybersecurity issues; the government's council of chief information officers, which coordinates federal computer issues, works out of OMB. The office also has worked extensively on "e-government" issues, such as compelling federal agencies to offer citizens electronic copies of paperwork. Still, the Republicans' proposal - and the sudden decision to include it in fast-moving legislation to reform the U.S. intelligence bureaucracy - surprised some technology industry leaders. "We weren't consulted," said Harris Miller, head of the Information Technology Association of America, the industry's leading trade group in Washington. "It's not saying it's a bad idea, but it's out of the blue." *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. 
Gray, USMC ---------------------------------------------------------------- C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Thu Sep 23 03:16:11 2004 From: isn at c4i.org (InfoSec News) Date: Thu Sep 23 03:53:49 2004 Subject: [ISN] Students hack into computer and steal tests Message-ID: http://www.theage.com.au/articles/2004/09/23/1095651427237.html September 23, 2004 A computer system at a Gold Coast Catholic high school is being upgraded after students broke into a password-protected server about a dozen times and stole several third-term tests. Students used home computers for the break in, which is believed to be the first of its type in Queensland. Queensland Catholic Education Communications Manager, Tom Cranitch, said Year 12 students at Mary Mount College will have to take their Maths A and B tests again next term to validate the original test results. "It's a pretty severe issue, cheating, at the best of times, but suddenly in the later stages of people's Year 12 careers, it's certainly something that is very severe," Cranitch said yesterday. "We wouldn't be taking it very lightly if we were able to determine the extent and those involved." A Year 12 English test was also accessed by the hackers but the break-in was revealed by an anonymous tipoff in time for the tests to be rewritten. It is unclear whether a staff password was stolen or guessed, or whether a more elaborate hacking method was used to infiltrate the computer. Cranitch said there were as many as a dozen different unauthorised users. "This may not be one off, it could occur again in the future and our aim is to ensure it doesn't," he said. "We're looking at a number of different options to secure that server in the future." 
From isn at c4i.org Fri Sep 24 03:34:49 2004 From: isn at c4i.org (InfoSec News) Date: Fri Sep 24 04:05:00 2004 Subject: [ISN] Microsoft: To secure IE, upgrade to XP Message-ID: http://news.com.com/Microsoft+To+secure+IE%2C+upgrade+to+XP/2100-1032_3-5378366.html By Paul Festa Staff Writer, CNET News.com September 23, 2004 If you're one of about 200 million people using older versions of Windows and you want the latest security enhancements to Internet Explorer, get your credit card ready. Microsoft this week reiterated that it would keep the new version of Microsoft's IE Web browser available only as part of the recently released Windows XP operating system, Service Pack 2. The upgrade to XP from any previous Windows versions is $99 when ordered from Microsoft. Starting from scratch, the operating system costs $199. That, analysts say, is a steep price to pay to secure a browser that swept the market as a free, standalone product. "It's a problem that people should have to pay for a whole OS upgrade to get a safe browser," said Michael Cherry, analyst with Directions on Microsoft in Redmond, Wash. "It does look like a certain amount of this is to encourage upgrade to XP." Microsoft affirmed that its recent security improvements to IE would be made available only to XP users. "We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows," the company said in a statement. "The most secure version of Windows today is Windows XP with SP2. We recommend that customers upgrade to XP and SP2 as quickly as possible." The Internet's security mess has proved profitable for many companies, particularly antivirus firms. Microsoft has declared security job No. 1. By refusing to offer IE's security upgrades to users of older operating systems except through paid upgrades to XP, Microsoft may be turning the lemons of its browser's security reputation into the lemonade of a powerful upgrade selling point. 
That lemonade comes in the midst of a painfully dry spell for the company's operating system business. Three years have passed since Microsoft introduced its last new operating system, and its upcoming release, code-named Longhorn, has been plagued by delays. Microsoft last month scaled back technical ambitions for Longhorn in order to meet a 2006 deadline. While Wall Street anxiously awaits an operating system release that can produce revenues until Longhorn appears, Microsoft is eyeing the nearly half of the world's 390 million Windows users who have opted to stick with operating systems older than XP, including Windows versions 2000, ME, 98 and 95. "Ancient history" Microsoft denied it was deliberately capitalizing on the Internet's security woes to stimulate demand for XP. "Microsoft is not using security issues or any security situation to try to drive upgrades," said a company representative. "But it only makes sense that the latest products are the most secure." Microsoft has maintained that the browser is part of the operating system, a point of contention in its antitrust battle with the U.S. government. Last year, the company ruled out future releases of IE as a standalone product. This week, the company reiterated that stance. "IE has been a part of the operating system since its release," said the Microsoft representative. "IE is a feature of Windows." When asked about IE's origin as a free, standalone product, the representative said, "You're talking in software terms that might be considered ancient history." Microsoft promised "ongoing security updates" for all supported versions of Windows and IE. The ongoing security updates do not, as Microsoft points out, include the latest security fixes with Service Pack 2, released last month. Those include a new pop-up blocker and a new system of handling ActiveX controls and downloaded content. 
And it's those more substantial changes, rather than the bug fixes that come with routine upgrades for supported products, that security organizations have lauded for addressing IE's graver security concerns. Now it's unclear whether even half the Windows world will have access to the shored up IE. "It's particularly bothersome if a product is in mainstream support, because what does mainstream support mean then?" said Directions on Microsoft's Cherry. Microsoft currently commands about 94 percent of the worldwide operating system market measured by software shipments, according to IDC. (That number factors in revenue-producing copies of the open-source Linux operating system, but not free ones). Of Microsoft's approximately 390 million operating system installations around the world, Windows XP Pro constitutes 26.1 percent, Windows XP Home 24.7 percent, IDC said. The remaining 49.2 percent is composed of Windows 2000 Professional (17.5 percent), Windows 98 (14.9 percent), Windows ME (6.5 percent), Windows 95 (5.4 percent), and Windows NT Workstation (4.9 percent). That 49.2 percent of Windows users are left out in the cold when it comes to significant updates to IE and other software. People running Internet Explorer without SP2 face an array of security scenarios, many of them linked to lax security associated with the ActiveX API, or application programming interface. SP2 also brought IE up to date with its competitors with a robust pop-up blocker. "Although I can understand the reasons why Microsoft would like to simplify its internal processes, I'm not in favor of bundling security patches, bug fixes and new features into one package," said IDC Vice President Dan Kusnetsky. "Organizations wanting only security-related updates or just a specific new feature are forced to make an all-or-nothing choice." 
Firefox in the hunt While organizations and individuals weigh the merits of all and nothing with respect to Windows and IE, a competing open-source browser may benefit from Microsoft's decision to reserve SP2's browser upgrades for XP users. The Mozilla Foundation's Firefox browser is potentially eroding Microsoft's overwhelming market share even prior to its final version 1.0 release. Last week's release of the first preview release of Firefox 1.0 blew past its 10-day goal of 1 million downloads in just more than 4 days. Firefox, Apple Computer's Safari browser and Opera Software's desktop browser together command a mere sliver of market share. But features such as tabbed browsing and earlier adoption of pop-up controls have won them adherents among potentially influential early adopters and technology buffs. Even some Microsoft bloggers have admitted to liking Firefox. With Longhorn still years away, Microsoft is feeling the heat to produce a browser. That heat has come in many forms, from grassroots campaigns by Web developers urging people to switch from IE to Firefox and other alternatives, to Mozilla's own marketing push, to a steady drumbeat of lacerating Web log and newsgroup posts decrying IE's years of stagnation. "I've always wondered what the problem is with the IE team," one respondent wrote in a feedback thread on IE evangelist Dave Massy's blog. "I mean, it's just a browser. You need to render a page based on well-documented standards...and that's it! You've opted to not have tabbed browsing or any other personalization. It's just a window shell and the browser content...I wonder if there are only like four people who work on IE or something? I seriously don't get it." Massy and others have defended the company by explaining that recent development efforts have been geared at security improvements. 
A representative for Firefox, which will face security scrutiny of its own should it make good on its competitive threat to IE, said any pressure it was exerting on Microsoft to update IE was evidence of its success. "IE users need all the help they can get," said Mozilla Foundation spokesman Bart Decrem. "And we're trying to help them. If Microsoft will help them, all the better. At the end of the day, the mission of the Mozilla Foundation is to provide meaningful choice, and the reason there hasn't been a lot of innovation from the dominant provider is because of their monopoly position. So if they are forced to innovate and respond to the success of Firefox, we are achieving our mission." Some analysts say Microsoft's reluctance to issue SP2's browser security features to non-XP users has as much to do with being shorthanded as wanting to drive XP adoption. "Their main focus now is on Longhorn IE," said Matt Rosoff, another analyst with Directions on Microsoft. "It's a staffing and a cost issue." Rosoff agreed that Firefox and other second-tier browsers might benefit from Microsoft's IE distribution policies, but he noted that the vast majority of consumers are far less likely to download a browser than the typical Firefox early adopter. "From a consumer standpoint, I think evaluating other browsers makes sense," Rosoff said. "And Microsoft is going to face more and more users who are on dual platforms, who won't see any reason to upgrade once they see that Firefox offers the pop-up blocker and other features they'd have to pay for in IE. But most consumers don't download anything if they can avoid it."

From isn at c4i.org Fri Sep 24 03:34:01 2004 From: isn at c4i.org (InfoSec News) Date: Fri Sep 24 04:05:02 2004 Subject: [ISN] SSH Bouncing - How to get through firewalls easily, Part 2. Message-ID:

+------------------------------------------------------------------+
| Linux Security: Tips, Tricks, and Hackery      23-September-2004|
| Published by Onsight, Inc.                               Edition|
|                                                                  |
| http://www.hackinglinuxexposed.com/articles/20040923.html        |
+------------------------------------------------------------------+

This issue sponsored by Beginning Perl, Second Edition

Hacking Linux Exposed author James Lee's most recent book, Beginning Perl Second Edition, emphasizes the cross-platform nature of Perl. Throughout the book, Lee promotes Perl as a legible, sensible programming language and dispels the myth that Perl is confusing and obscure. Perfect for the beginning Perl user looking to gain a quick and masterful grasp on the language, this concise and focused book begins with the basics and moves on to more advanced features of Perl, including references, modules, and object-oriented programming.

For reviews and purchasing information, go to http://www.hackinglinuxexposed.com/books/

--------------------------------------------------------------------

SSH Bouncing - How to get through firewalls easily, Part 2.
By Brian Hatch

Summary:
Often you'll have firewalls or other network equipment that doesn't allow direct SSH access to machines behind it. Using a bit of trickery, you can get through without seemingly jumping through any hoops.

------

Want to win a free copy of Hacking Linux Exposed, Third Edition? Go to the very bottom of this newsletter to find out how.

Last time I showed you a trick to seamlessly SSH 'through' firewalls or other devices that don't allow direct SSH access to the machines behind them, by 'bouncing' off that device. It requires that you have SSH access to the intermediate host, and what happens is that you set up your ~/.ssh/config to use a ProxyCommand. This ProxyCommand makes an SSH connection to the middleman host and runs netcat as follows to get you connected to the real SSH server:

    nc -w 1 target_host 22

My goal was to be able to be at a command prompt and type 'ssh hostname' and have it magically reach the endpoint.
Many people pointed out that I could have first established an SSH connection to the intermediate host with an SSH forward set up, and then ssh to the local SSH forward port. While I've used that system many times before, I prefer the netcat solution I detailed last time. If you want to know why or how the portforward version works, see the bottom of this article.

So, let's optimise and secure our setup. Right now, you need to have shell access to the middle-man machine, and the ability to run any command you want. Plus, you either need to type the password for it, or you need to have key-based trust enabled.

What I'd prefer is that you can execute the netcat command and only the netcat command, nothing else. The easiest way to do that is to use key-based authentication, utilising the ability for the SSH server to force a command to run when that key is used. If you look back at my previous articles (http://www.hackinglinuxexposed.com/articles/20021211.html), you'll see how to create SSH PubKeys/Identities, including how to use the 'command=' option. So let's take a look at my $HOME/.ssh/authorized_keys file on the firewall:

    $ grep ncssh $HOME/.ssh/authorized_keys
    command="/home/bri/bin/ncssh" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAp8r5qo11NpKSRig6nDXpxgDl2AAkc92HXhorRo0ubgvNpnVbUiXquSZ8VdPMiShOuTe1bcjQgIrFuFIASLMa2UMk21msyv9FDG59FCZ4Efr8zTXl1y+vG1TgwynenwiMDekPqcz/Z0kJbrWjIF0PIpSVdm3aqGSMOgQ7Pm1X87iz2nV1uQV4hMt06= ncssh-proxy-key

You'll note the command="/home/bri/bin/ncssh" option precedes the public key itself - this forces the /home/bri/bin/ncssh program to run when this key is used for authentication, regardless of what the user wanted to do. Assuming your key (on your desktop) doesn't have a passphrase, you'll be able to log into this machine without a password, and the ncssh program will run automatically.

Here's the ncssh program:

    #!/usr/bin/perl
    #
    # ncssh
    #
    # Server-side program to allow clients to run ncssh-proxy
    # or simply 'ssh ... nc -w 1 ipaddr 22' and 'bounce' off
    # this host.
    #
    # BUGS:
    #   Only allows IP addresses. If that annoys you,
    #   change $IPADDR pattern below.
    #
    #   Ditto for the destination port.
    #
    # Copyright 2003,2004 Brian Hatch
    #
    # Released under the GPL

    use strict;
    use warnings;

    # Likely paths for netcat - let's be paranoid and not
    # fall back on just any old thing we find.
    # Bonus points to anyone who knows why /usr/local/lib/pingers is in there.
    my @nc = qw( /usr/bin/nc /usr/local/bin/nc /usr/local/lib/pingers/nc );
    my $nc;
    for my $bin ( @nc ) { $nc = $bin if -x $bin }

    my $IPADDR  = '\d+\.\d+\.\d+\.\d+';
    my $SSHPORT = '22';   # Change '22' to '\d+' if you want to allow any
                          # destination port, not just port 22.

    # The original command (nc -w 1 ip.ad.dr.es 22) is stored by
    # the SSH server in the environment variable SSH_ORIGINAL_COMMAND.
    # Default to the empty string so a bare 'ssh host' (no command
    # at all) is rejected cleanly instead of warning on undef.
    my $orig = $ENV{SSH_ORIGINAL_COMMAND} || '';

    my ( $ipaddr, $port );

    # If command is just the IP address to which it should connect
    if ( $orig =~ /^ \s* ($IPADDR) \s* $/x ) {
        ( $ipaddr, $port ) = ( $1, 22 );

    # If command is a 'nc -w ... host 22' style command
    } elsif ( $orig =~ /^ \S* (netcat|nc) \s .*? ($IPADDR) \s ($SSHPORT) \s* $/x ) {
        # Connect to the port the client asked for (it already matched
        # $SSHPORT), so widening $SSHPORT to '\d+' does what the comment
        # above promises instead of silently connecting to 22.
        ( $ipaddr, $port ) = ( $2, $3 );
    }

    # Time to actually run netcat
    if ( $ipaddr ) {
        $nc or print STDERR "No netcat found\n" and exit 1;
        exec $nc, '-w', '1', $ipaddr, $port;
        die "Unable to exec netcat '$nc': $? $!";
    }

    print STDERR "You're not allowed to execute '$orig'\n";
    exit 1;

This program is very simple[1] -- it takes the original command (supplied by the ssh client) and determines where the IP address of the target is within it. By accepting commands of the form 'nc ...
ip.ad.dr.es 22', it should work unchanged with any ProxyCommand you already have, meaning you can just drop it in and your intermediate host will be more paranoid instantly.[2]

Your $HOME/.ssh/config can still look exactly the same as before, as seen here (the keyword OpenSSH expects for the private key is IdentityFile):

    $ head $HOME/.ssh/config
    Host machine1
        Hostname machine1
        HostKeyAlias machine1
        IdentityFile /path/to/ncssh-proxy-key
        ProxyCommand netcat-proxy-command firewall.my_network.com 192.168.1.1

    Host machine2
        Hostname machine2
        HostKeyAlias machine2
        IdentityFile /path/to/ncssh-proxy-key
        ProxyCommand netcat-proxy-command firewall.my_network.com 192.168.1.2
    ...

(This configuration uses the netcat-proxy-command script shown last time.)

So, using this system, you have the following situation:

  * Client can type 'ssh machinename' and not worry about any of the underlying magic.

  * Local $HOME/.ssh/config file details the middleman and destination, listing the identity to use (if necessary), and causing the netcat-proxy-command to run.

  * Local netcat-proxy-command is responsible for SSHing to the middleman and running netcat.

  * Server's authorized_keys file forces the ncssh command to run, preventing anyone from actually accessing the server's shell account at all.

  * Server's ncssh program verifies the supplied IP address and makes the actual connection to the target.

All told, a paranoid and yet functional solution.

Next time we'll do one more enhancement - make it possible to have any user on the client machine get access to the Identity/PubKey that's necessary to bounce off the middleman. This will allow anyone to log into this machine, and without setting up any keys or configuration, log into the target machines transparently.

------

My response to the LocalForward Solution

It's possible to use an SSH LocalForward to tunnel through the firewall device.
You run ssh twice, once to set up the tunnel, and once to connect to the server behind it:

    $ ssh -f intermediatehost -L 9999:destinationhost:22 sleep +1d
    $ ssh localhost -p 9999

This is a completely legitimate way to do it. The first command logs into intermediatehost, and sets up a LocalForward using the -L option. /usr/bin/ssh binds local port 9999, and when you connect to this port it gets tunnelled inside the SSH connection to destinationhost's port 22. The next ssh line connects to that port, and you're hitting the target server. Naturally you need HostKeyAlias commands to keep the keys happy, as is the case with my netcat solution.

What's the problem with using the forwarding method? Well, it requires you run the tunnel command first, or set up a daemon to keep it running all the time. You don't get the benefit of simplicity - running one command that contains all the setup that's necessary.

------

Want a free copy of Hacking Linux Exposed, Third Edition?

HLEv3 doesn't exist yet. We haven't written it. But it's time to get started. Do you have anything new you'd like to see covered in more detail, or removed entirely? Anything new and interesting you'd like to see? If you have ideas you'd like to share, email me[3]. I'll send out a copy of the book, once it's down in dead-tree format, to one lucky person picked at random from the useful suggestions.

NOTES:

[1] Simple, and well commented, I hope.

[2] I had a few folks complain that I should not assume your SSH server runs on port 22, so please change the $SSHPORT value in the script as appropriate.

[3] Send me email directly at bri@hackinglinuxexposed.com, don't reply to this mailing list.

-------------

Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He's simply too tired to write anything interesting down here right now. Brian can be reached at brian@hackinglinuxexposed.com.
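An added example, not part of Brian Hatch's newsletter or his ncssh script: a forced-command validator in Python built on the same SSH_ORIGINAL_COMMAND idea, but tightened the way a bounce host's owner usually wants it. Instead of "any IPv4 address on port 22" it accepts only an explicit allowlist of host:port pairs, rejects dotted quads with out-of-range octets, and writes one stderr line per refusal so the sshd log shows what was asked for. The allowlist entries, the /usr/local/bin/ncssh.py path and the netcat paths are constructed assumptions.

```python
"""Forced-command validator for an SSH 'bounce' host (added example).

Install it on the middleman exactly like the article's ncssh, as the
forced command for the proxy key in ~/.ssh/authorized_keys (path and
key are placeholders):

  command="/usr/local/bin/ncssh.py",no-pty,no-port-forwarding ssh-rsa AAAA... ncssh-proxy-key
"""
import os
import re
import shlex
import sys
from typing import Optional, Tuple

# Destinations this key is allowed to bounce to (constructed example values).
ALLOWED_TARGETS = {
    ("192.168.1.1", 22),
    ("192.168.1.2", 22),
    ("192.168.1.10", 2222),
}

# Fixed candidate paths, as in the article: do not trust whatever PATH holds.
NETCAT_PATHS = ("/usr/bin/nc", "/usr/local/bin/nc")

_DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_ipv4(addr: str) -> bool:
    """Dotted quad with every octet in 0..255 (a plain \\d+ pattern accepts 999.1.1.1)."""
    if not _DOTTED_QUAD.match(addr):
        return False
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def parse_target(orig_cmd: Optional[str]) -> Optional[Tuple[str, int]]:
    """Extract (ip, port) from SSH_ORIGINAL_COMMAND.

    Accepts the two shapes the article allows:
      "192.168.1.1"                 -> bare address, port 22
      "nc -w 1 192.168.1.1 22"      -> netcat invocation, last two words are host and port
    Returns None for anything else: no command at all, extra words, a shell
    command smuggled in after the port, or a malformed address.
    """
    if not orig_cmd:
        return None
    try:
        argv = shlex.split(orig_cmd)
    except ValueError:          # unbalanced quotes
        return None
    if len(argv) == 1 and is_ipv4(argv[0]):
        return argv[0], 22
    if len(argv) >= 3 and os.path.basename(argv[0]) in ("nc", "netcat"):
        host, port = argv[-2], argv[-1]
        if is_ipv4(host) and port.isdigit():
            return host, int(port)
    return None


def resolve(orig_cmd: Optional[str], allowed=ALLOWED_TARGETS) -> Optional[Tuple[str, int]]:
    """Return the (ip, port) to connect to, or None if the request is not allowlisted."""
    target = parse_target(orig_cmd)
    if target is None or target not in allowed:
        return None
    return target


def main() -> None:
    orig = os.environ.get("SSH_ORIGINAL_COMMAND")
    target = resolve(orig)
    if target is None:
        # SSH_CONNECTION is set by sshd: "client_ip client_port server_ip server_port".
        peer = os.environ.get("SSH_CONNECTION", "?")
        print(f"ncssh: refused {orig!r} from {peer}", file=sys.stderr)
        sys.exit(1)
    ip, port = target
    for nc in NETCAT_PATHS:
        if os.access(nc, os.X_OK):
            # execv passes argv directly: no shell ever sees the client's string.
            os.execv(nc, [nc, "-w", "1", ip, str(port)])
    print("ncssh: no netcat found", file=sys.stderr)
    sys.exit(1)


if __name__ == "__main__":
    main()
```

Because the client's text is only ever parsed, never handed to a shell, a request like `nc -w 1 192.168.1.1 22; id` fails the host check rather than running anything.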
-------------------------------------------------------------------- This newsletter is distributed by Onsight, Inc. The list is managed with MailMan (http://www.list.org). You can subscribe, unsubscribe, or change your password by visiting http://lists.onsight.com/ or by sending email to linux_security-request@lists.onsight.com. Archives of this and previous newsletters are available at http://www.hackinglinuxexposed.com/articles/ -------------------------------------------------------------------- Copyright 2004, Brian Hatch. From isn at c4i.org Fri Sep 24 03:34:13 2004 From: isn at c4i.org (InfoSec News) Date: Fri Sep 24 04:05:04 2004 Subject: [ISN] Symantec Holes Open Up Firewalls to Attacks Message-ID: http://www.eweek.com/article2/0,1759,1650425,00.asp By Matthew Broersma September 23, 2004 Symantec Corp. has warned of a string of security holes in its Firewall/VPN Appliance and Gateway Security products, less than a month after its last firewall security problems. Three new bugs could allow a remote attacker to shut down a firewall appliance, identify active services in the WAN (wide area network) interface and alter the firewall's configuration, Symantec said in a Wednesday advisory. [1] All three flaws, which Rigel Kent Security & Advisory Services discovered, affect Symantec Firewall/VPN Appliance 100, 200 and 200R models; Gateway Security 320, 360 and 360R are vulnerable to all but one, a denial-of-service bug. An attacker could cause the firewall products to stop responding by exploiting an error within the connection handling via a port scan of all WAN interface ports, according to security researcher Secunia, which ranked the flaws as "highly critical." The second bug is found in the firewall's default rule set, which allows an attacker to listen for and identify UDP services, if a particular port is used. 
The second flaw can be exploited together with a third bug involving the SNMP (Simple Network Management Protocol) service to disclose and manipulate the firewall's configuration, effectively bypassing firewall security, researchers said. As companies have grown ever more security-conscious and reliant on complex protection systems, researchers have subjected products such as VPNs and firewalls to increasing scrutiny. Last month, Symantec warned of a flaw in its VPN and firewall server products that could allow an attacker to take over affected systems and gain access to corporate networks. That vulnerability lay in LibKmp, which Entrust provides to third parties for use in VPN products, meaning any LibKmp-based VPN was potentially affected. In July, Internet Security Systems warned of a vulnerability in a wide range of Check Point Software Technologies' VPN products, including versions of VPN-1, FireWall-1, Provider-1 and SSL Network Extender. Check Point's enterprise security products are among the most widely used on the Internet. Similar Check Point VPN holes also appeared in February and May. In April, Cisco Systems disclosed a number of bugs in its products, including its VPN hardware and software. A serious bug in the Kerberos authentication system, revealed earlier this month, also could have allowed access to protected corporate networks. [1] http://www.sarc.com/avcenter/security/Content/2004.09.22.html From isn at c4i.org Fri Sep 24 03:35:07 2004 From: isn at c4i.org (InfoSec News) Date: Fri Sep 24 04:05:05 2004 Subject: [ISN] Wireless tip: Don't hide from risk Message-ID: http://www.fcw.com/fcw/articles/2004/0920/web-wireless-09-23-04.asp By Michael Hardy Sept. 23, 2004 The best wireless network security is to not have a wireless network, according to Defense and intelligence experts who spoke today at a conference in Washington, D.C., sponsored by E-Gov, which is part of FCW Media Group. 
But because that is not always a practical solution, they offered other tips to keep intruders out of the network and to keep data safe. Perhaps the most important safety precaution is acknowledging the risk, said Kevin Marlowe, acting director of systems network engineering at the Joint Systems Integration Command, a subcommand of the U.S. Joint Forces Command. "Calculate the risk, figure out whether you can accept that risk and mitigate it," he said. "Risk doesn't have to be zero for us to use a product," said Timothy Havighurst, a systems architect at the National Security Agency. "Sometimes the convenience of these systems outweighs the risks." No wireless device or network can ever be completely secure, said Atul Prakash, a professor at the University of Michigan's electrical engineering and computer sciences division. Ask a vendor representative if a product is completely secure, he said. "If they say yes, you're probably talking to a marketing guy or a salesman," he said. "If you're talking to a security expert, they will hedge." Agency officials must deal with the real world of commercial technology, Havighurst added. "Soon you will not be able to buy a laptop without" wireless connectivity, he said. "Soon you will not be able to buy a [wireless] phone without a camera. These are things we disallow, but industry is moving on." Agency employees sometimes push their bosses to move faster in technology adoption, he said. When managers set a policy forbidding some wireless devices, employees will often argue that operational need justifies changing the rules. "Sometimes those are legitimate reasons," Havighurst said. "Sometimes they're not. Sometimes they just want something because it's really cool."

Marlowe offered a list of tips for making wireless networks safer, including:

  * Change factory settings in the routers. Hackers know the common default passwords and other information that makes intrusion easy if they're not changed.

  * Enable the router's session timeout feature so that if no data passes through it after a set period of time, it shuts down.

  * Set routers to the lowest feasible power, so they keep the network devices connected without opening the door wider than necessary.

From isn at c4i.org Fri Sep 24 03:35:20 2004 From: isn at c4i.org (InfoSec News) Date: Fri Sep 24 04:05:10 2004 Subject: [ISN] For an infosecurity career, get the technical basics first Message-ID: http://www.computerworld.com/securitytopics/security/story/0,,96090,00.html Opinion by Peter H. Gregory SEPTEMBER 22, 2004 COMPUTERWORLD

A reader recently asked me a thought-compelling question. He wrote, "I took up the Cisco Academy, thinking this will give me a strong foundation of networks and some security. Is this a good move in order to get to were I want to go?" My reader's question made me think of my own career and how I got into information security, years before security was cool or even recognized as a discipline at all. I'll take the rest of the space in this month's column to discuss this.

Learn technology, then security

The more training you can put on your resume, the more marketable you will become. Cisco Systems Inc.'s certification program supports this assertion. Only the upper crust of the world's network engineers is skilled enough to pass Cisco's highest certifications. And so it should be. But this isn't my main point. To truly understand security at the technology level, you must first gain expertise with the underlying technology. In order to thoroughly understand the security issues of networks, you must first thoroughly understand how networks -- and attached devices -- work. For instance, how is someone lacking any working knowledge of TCP/IP supposed to understand a syn flood or smurf attack? Let me also illustrate this with an analogy. Years ago, I was in the banking industry and received training on the makeup of U.S. paper currency -- how it is made and composed.
How is this supposed to help bank tellers discern genuine currency from a counterfeit? If a teller is deeply familiar with genuine currency, when he receives a counterfeit bill, that teller will look at it and think, "Something's not right here." And so it is with security in the technology world. Without a deep understanding of the inner workings of networks, operating systems, databases, applications or whatever technology floats your boat, you can't become a security expert in any of those fields. Security experts are teachers Back to my reader's question about wanting to become a security expert in networks. I reassert that he, like others, must first become a network expert before he can become a network security expert. How else will he be able to understand -- at the lowest levels of greatest detail -- the real issues and what (if anything) can be done? How else can he truly understand a new threat and its consequences for his networks? How can he explain these concepts to other network experts with any degree of credibility? This touches another point: credibility. Good security experts are still relatively rare. In my opinion, a good security expert is one who can explain -- and even debate -- a security issue with a fellow technologist. Only an expert can spar with, not to mention persuade, another expert. A good network engineer probably won't be persuaded to embrace a concept if the person on the other side of the conversation doesn't understand the craft. Would you, a technologist, put much credence in arguments made by a so-called security expert who is the jack of all trades and the master of none, even if he had letters such as "CISSP" behind his name? I didn't think so. Let me end with another example. In the field of medicine, there are experts such as virologists who have the deepest understanding of biological viruses and how they work. 
If a virologist is to reasonably discuss or debate any issue with any other medical specialist -- or even a generalist for that matter -- the virologist had better have baseline expertise and knowledge on par with the other specialists. Otherwise, his arguments will be passed off as heresy.

Here is the message to all aspiring security experts out there: You must first master the craft in the area that inspires you, whether that's networks, operating systems, databases, languages, whatever. Do your apprenticeship, get to journeyman level, and be excellent. This may take a few years. Along the way, read the security books, grasp the concepts. But there are no shortcuts if you want the credibility that is so necessary to make a positive difference in this world.

From isn at c4i.org Fri Sep 24 03:36:18 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 24 04:05:12 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-39
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-09-16 - 2004-09-23

This week : 70 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

Secunia has implemented new features at Secunia.com

SECUNIA ADVISORIES NOW INCLUDE "Solution Status":

In addition to the extensive information Secunia advisories already include, Secunia has added a new parameter: "Solution Status".
This simply means that all Secunia advisories, including older advisories, now include the current "Solution Status" of an advisory, i.e. whether or not the vendor has released a patch.

IMPROVED PRODUCT PAGES:

The improved product pages now include a detailed listing of all Secunia advisories affecting each product. The listings include a clear indication of the "Solution Status" each advisory has ("Unpatched", "Vendor patch", "Vendor workaround", or "Partial fix").

View the following for examples:

Opera 7:
http://secunia.com/product/761/

Internet Explorer 6:
http://secunia.com/product/11/

Mozilla Firefox:
http://secunia.com/product/3256/

EXTRA STATISTICS:

Each product page also includes a new pie graph, displaying the "Solution Status" for all Secunia advisories affecting each product in a given period.

View the following for an example:

Internet Explorer 6:
http://secunia.com/product/11/#statistics_solution

FEEDBACK SYSTEM:

To make it easier to provide feedback to the Secunia staff, we have made an online feedback form. Enter your inquiry and it will immediately be sent to the appropriate Secunia department.

Ideas, suggestions, and other feedback are most welcome.

Secunia Feedback Form:
http://secunia.com/contact_form/

========================================================================

2) This Week in Brief:

ADVISORIES:

Chris Evans has found several image-related vulnerabilities in GdkPixbuf and libXpm, which can be exploited to compromise vulnerable systems.

Many Linux distributions have already issued updated packages addressing these vulnerabilities. Please view secunia.com for information about updated packages.

Reference:
http://secunia.com/SA12549
http://secunia.com/SA12542

--

Two vulnerabilities have been reported in PHP, which can be exploited to expose system information or to upload files in arbitrary locations. However, in order to upload files in arbitrary locations, PHP has to be used in a special way.
Updated versions of PHP are available in the CVS repository. Please refer to the Secunia advisory below for details.

Reference:
http://secunia.com/SA12560

--

Apple has issued a security update for iChat, which addresses a vulnerability that can be exploited to compromise a vulnerable system.

Please read the Secunia advisory below for details about the update.

Reference:
http://secunia.com/SA12575

VIRUS ALERTS:

Secunia has not issued any virus alerts during the last week.

========================================================================

3) This Weeks Top Ten Most Read Advisories:

1.  [SA12526] Mozilla Multiple Vulnerabilities
2.  [SA12528] Microsoft Multiple Products JPEG Processing Buffer Overflow Vulnerability
3.  [SA12304] Internet Explorer Address Bar Spoofing Vulnerability
4.  [SA12580] Mozilla / Mozilla Firefox Cross-Domain Cookie Injection Vulnerability
5.  [SA12542] GdkPixbuf Multiple Image Decoding Vulnerabilities
6.  [SA12321] Microsoft Internet Explorer Drag and Drop Vulnerability
7.  [SA12581] Internet Explorer Cross-Domain Cookie Injection Vulnerability
8.  [SA12535] Netscape Multiple Vulnerabilities
9.  [SA11978] Multiple Browsers Frame Injection Vulnerability
10.
[SA12575] Apple Mac OS X Security Update Fixes iChat Vulnerability

========================================================================

4) Vulnerabilities Summary Listing

Windows:

[SA12616] Emulive Server4 Security Bypass and Denial of Service Vulnerabilities
[SA12589] Lords of the Realm III Username Handling Denial of Service
[SA12587] WebIntelligence Document Deletion and Cross-Site Scripting Vulnerabilities
[SA12578] Whatsup Gold Reserved DOS Device Name HTTP Request Denial of Service
[SA12611] VP-ASP Shopping Cart Database Connection Denial of Service
[SA12595] DNS4Me Web Server Cross-Site Scripting and Denial of Service
[SA12581] Internet Explorer Cross-Domain Cookie Injection Vulnerability
[SA12612] Pop Messenger Invalid Character Denial of Service Vulnerability
[SA12585] Pigeon Server Login Denial of Service Vulnerability

UNIX/Linux:

[SA12630] Conectiva update for qt3
[SA12629] Gentoo update for xine-lib
[SA12628] Mandrake update for mpg123
[SA12625] Mandrake update for ImageMagick
[SA12623] Debian update for imlib2
[SA12615] Gentoo update for gtk+ / gdk-pixbuf
[SA12608] Debian netkit-telnet-ssl Buffer Overflow Vulnerability
[SA12607] Gentoo update for Mozilla/Firefox/Thunderbird/Epiphany
[SA12602] xine-lib Multiple Buffer Overflow Vulnerabilities
[SA12599] Sun Java Enterprise System NSS Library Vulnerability
[SA12598] FreeBSD update for CVS
[SA12588] SuSE update for gtk2 and gdk-pixbuf
[SA12586] Debian update for gtk+2.0
[SA12583] Mandrake update for XFree86
[SA12579] SuSE update for XFree86
[SA12575] Apple Mac OS X Security Update Fixes iChat Vulnerability
[SA12574] OpenBSD update for Xpm
[SA12573] Debian update for imlib
[SA12568] Red Hat update for gtk2
[SA12565] Gentoo update for mpg123
[SA12564] Debian update for gdk-pixbuf
[SA12563] Debian update for imagemagick
[SA12619] Gentoo update for freeradius
[SA12614] Debian update for lukemftpd
[SA12592] Debian update for wv
[SA12582] Gentoo update for snipsnap
[SA12570] FreeRADIUS Multiple Unspecified
Denial of Service Vulnerabilities
[SA12562] Gentoo update for heimdal
[SA12584] sdd Unspecified RMT Client Vulnerability
[SA12624] Conectiva update for spamassassin
[SA12577] Gentoo update for apache2 and mod_dav
[SA12576] Gentoo update for phpGroupWare
[SA12572] Fedora update for apr-util
[SA12632] Red Hat redhat-config-nfs Incorrect Share Permissions Security Issue
[SA12631] Red Hat update for samba
[SA12626] Slackware update for CUPS
[SA12617] OpenBSD Radius Authentication "login_radius" Security Bypass
[SA12603] Gentoo update for CUPS
[SA12571] Red Hat update for CUPS
[SA12566] Debian update for cupsys
[SA12627] Mandrake update for webmin
[SA12610] Fedora update for foomatic
[SA12600] RsyncX Privilege Escalation Vulnerabilities
[SA12596] sudo Arbitrary File Reading Vulnerability
[SA12594] getmail Privilege Escalation Vulnerability
[SA12591] Gentoo update for foomatic
[SA12567] Mandrake update for printer-drivers

Other:

[SA12601] SMC Broadband Routers Session Handling Security Bypass

Cross Platform:

[SA12633] Apache "Satisfy" Directive Access Control Bypass Security Issue
[SA12606] TUTOS SQL Injection and Cross-Site Scripting Vulnerabilities
[SA12597] ReMOSitory "filecatid" SQL Injection Vulnerability
[SA12593] YaBB Cross-Site Scripting and Security Bypass Vulnerabilities
[SA12590] Snitz Forums 2000 HTTP Response Splitting Vulnerability
[SA12569] SnipSnap HTTP Response Splitting Vulnerability
[SA12561] MyServer Directory Traversal Vulnerability
[SA12560] PHP Memory Leak and Arbitrary File Location Upload Vulnerabilities
[SA12621] Subversion "mod_authz_svn" Unreadable Path Information Disclosure
[SA12609] YaBB Input Validation Vulnerabilities
[SA12580] Mozilla / Mozilla Firefox Cross-Domain Cookie Injection Vulnerability
[SA12604] Symantec ON Command CCM Default Database Administrator Accounts
[SA12620] CA UniCenter Management Portal Username Disclosure Weakness

========================================================================

5) Vulnerabilities Content
Listing

Windows:
--

[SA12616] Emulive Server4 Security Bypass and Denial of Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2004-09-22

James Bercegay has reported a vulnerability in Emulive Server4, which can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12616/

--

[SA12589] Lords of the Realm III Username Handling Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-09-20

Luigi Auriemma has reported a vulnerability in Lords of the Realm III, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12589/

--

[SA12587] WebIntelligence Document Deletion and Cross-Site Scripting Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2004-09-18

Corsaire has reported two vulnerabilities in WebIntelligence, which can be exploited by malicious people to delete sensitive information and conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12587/

--

[SA12578] Whatsup Gold Reserved DOS Device Name HTTP Request Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-09-18

A vulnerability has been reported in WhatsUp Gold, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12578/

--

[SA12611] VP-ASP Shopping Cart Database Connection Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-09-22

A vulnerability has been reported in VP-ASP, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/12611/

--

[SA12595] DNS4Me Web Server Cross-Site Scripting and Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, DoS
Released:    2004-09-20

James Bercegay has reported two vulnerabilities in DNS4Me Web Server, which can be exploited by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12595/

--

[SA12581] Internet Explorer Cross-Domain Cookie Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Hijacking
Released:    2004-09-18

WESTPOINT has reported a vulnerability in Internet Explorer, which potentially can be exploited by malicious people to conduct session fixation attacks.

Full Advisory:
http://secunia.com/advisories/12581/

--

[SA12612] Pop Messenger Invalid Character Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-22

Luigi Auriemma has reported a vulnerability in Pop Messenger, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12612/

--

[SA12585] Pigeon Server Login Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-17

Luigi Auriemma has reported a vulnerability in Pigeon Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12585/

UNIX/Linux:
--

[SA12630] Conectiva update for qt3

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-23

Conectiva has issued an update for qt3. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12630/

--

[SA12629] Gentoo update for xine-lib

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-23

Gentoo has issued an update for xine-lib. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12629/

--

[SA12628] Mandrake update for mpg123

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-23

MandrakeSoft has issued an update for mpg123. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12628/

--

[SA12625] Mandrake update for ImageMagick

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-23

MandrakeSoft has issued an update for ImageMagick. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12625/

--

[SA12623] Debian update for imlib2

Critical:    Highly critical
Where:       From remote
Impact:      System access, DoS
Released:    2004-09-23

Debian has issued an update for imlib2. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12623/

--

[SA12615] Gentoo update for gtk+ / gdk-pixbuf

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-22

Gentoo has issued updates for gdk-pixbuf and gtk+. These fix multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12615/

--

[SA12608] Debian netkit-telnet-ssl Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-21

A very old vulnerability reportedly still affects the netkit-telnet-ssl package for Debian Linux, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12608/

--

[SA12607] Gentoo update for Mozilla/Firefox/Thunderbird/Epiphany

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access
Released:    2004-09-21

Gentoo has issued updates for Mozilla, Firefox, Thunderbird, and Epiphany. These fix multiple vulnerabilities, which potentially can be exploited by malicious people to conduct cross-site scripting attacks, access and modify sensitive information, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12607/

--

[SA12602] xine-lib Multiple Buffer Overflow Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-20

Multiple vulnerabilities have been reported in xine-lib, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12602/

--

[SA12599] Sun Java Enterprise System NSS Library Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-20

Sun has acknowledged a vulnerability in the NSS library included with Sun Java Enterprise System, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12599/

--

[SA12598] FreeBSD update for CVS

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, DoS, System access
Released:    2004-09-21

FreeBSD has issued an update for CVS.
This fixes multiple vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service), compromise a vulnerable system, or gain knowledge of certain system information.

Full Advisory:
http://secunia.com/advisories/12598/

--

[SA12588] SuSE update for gtk2 and gdk-pixbuf

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-17

SuSE has issued updates for gdk-pixbuf and gtk2. These fix multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12588/

--

[SA12586] Debian update for gtk+2.0

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-17

Debian has issued an update for gtk+2.0. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12586/

--

[SA12583] Mandrake update for XFree86

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-17

MandrakeSoft has issued an update for XFree86. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12583/

--

[SA12579] SuSE update for XFree86

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-18

SuSE has issued an update for XFree86. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12579/

--

[SA12575] Apple Mac OS X Security Update Fixes iChat Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-17

Apple has issued a security update for Mac OS X iChat client.
This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12575/

--

[SA12574] OpenBSD update for Xpm

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-17

OpenBSD has issued an update for Xpm. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12574/

--

[SA12573] Debian update for imlib

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-16

Debian has issued an update for imlib. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12573/

--

[SA12568] Red Hat update for gtk2

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-16

Red Hat has issued an update for gtk2. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12568/

--

[SA12565] Gentoo update for mpg123

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-16

Gentoo has issued an update for mpg123. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12565/

--

[SA12564] Debian update for gdk-pixbuf

Critical:    Highly critical
Where:       From remote
Impact:      System access, DoS
Released:    2004-09-16

Debian has issued an update for gdk-pixbuf. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12564/

--

[SA12563] Debian update for imagemagick

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-20

Debian has issued an update for ImageMagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12563/

--

[SA12619] Gentoo update for freeradius

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-09-23

Gentoo has issued an update for freeradius. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12619/

--

[SA12614] Debian update for lukemftpd

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2004-09-22

Debian has issued an update for lukemftpd. This fixes some vulnerabilities, which potentially can be exploited by malicious users to gain escalated privileges or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12614/

--

[SA12592] Debian update for wv

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-09-21

Debian has issued an update for wv. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12592/

--

[SA12582] Gentoo update for snipsnap

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-09-20

Gentoo has issued an update for snipsnap. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion and cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/12582/

--

[SA12570] FreeRADIUS Multiple Unspecified Denial of Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-09-20

Multiple unspecified vulnerabilities have been reported in FreeRADIUS, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12570/

--

[SA12562] Gentoo update for heimdal

Critical:    Moderately critical
Where:       From remote
Impact:      System access, Privilege escalation
Released:    2004-09-16

Gentoo has issued an update for heimdal. This fixes some vulnerabilities, which potentially can be exploited by malicious users to gain escalated privileges or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12562/

--

[SA12584] sdd Unspecified RMT Client Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      Unknown
Released:    2004-09-18

A vulnerability with an unknown impact has been reported in sdd.

Full Advisory:
http://secunia.com/advisories/12584/

--

[SA12624] Conectiva update for spamassassin

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-09-23

Conectiva has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12624/

--

[SA12577] Gentoo update for apache2 and mod_dav

Critical:    Less critical
Where:       From remote
Impact:      Privilege escalation, DoS
Released:    2004-09-17

Gentoo has issued updates for apache2 and mod_dav. These fix multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12577/

--

[SA12576] Gentoo update for phpGroupWare

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-09-17

Gentoo has issued an update for phpGroupWare.
This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12576/

--

[SA12572] Fedora update for apr-util

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-09-16

Fedora has issued an update for apr-util. This fixes a vulnerability which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12572/

--

[SA12632] Red Hat redhat-config-nfs Incorrect Share Permissions Security Issue

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2004-09-23

John Buswell has reported a security issue in redhat-config-nfs, which may result in users having more permissions than expected on exported resources.

Full Advisory:
http://secunia.com/advisories/12632/

--

[SA12631] Red Hat update for samba

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-23

Red Hat has issued an update for samba. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12631/

--

[SA12626] Slackware update for CUPS

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-23

Slackware has issued an update for CUPS. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12626/

--

[SA12617] OpenBSD Radius Authentication "login_radius" Security Bypass

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2004-09-22

Eilko Bos has reported a vulnerability in OpenBSD, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/12617/

--

[SA12603] Gentoo update for CUPS

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-21

Gentoo has issued an update for CUPS. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12603/

--

[SA12571] Red Hat update for CUPS

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-16

Red Hat has issued an update for CUPS. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12571/

--

[SA12566] Debian update for cupsys

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-16

Debian has issued an update for cupsys. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12566/

--

[SA12627] Mandrake update for webmin

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-09-23

MandrakeSoft has issued an update for webmin. This fixes a vulnerability, which potentially can be exploited by malicious, local users to perform certain actions on a system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12627/

--

[SA12610] Fedora update for foomatic

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-09-22

Fedora has issued an update for foomatic. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/12610/

--

[SA12600] RsyncX Privilege Escalation Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-09-20

Matt Johnston has reported two vulnerabilities in RsyncX, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12600/

--

[SA12596] sudo Arbitrary File Reading Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-09-20

Reznic Valery has reported a vulnerability in sudo, which can be exploited by malicious, local users to read arbitrary files.

Full Advisory:
http://secunia.com/advisories/12596/

--

[SA12594] getmail Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-09-20

David Watson has reported a vulnerability in getmail, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12594/

--

[SA12591] Gentoo update for foomatic

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-09-21

Gentoo has issued an update for foomatic. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12591/

--

[SA12567] Mandrake update for printer-drivers

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-09-16

MandrakeSoft has issued an update for printer-drivers. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/12567/

Other:
--

[SA12601] SMC Broadband Routers Session Handling Security Bypass

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2004-09-20

Jimmy Scott has reported a vulnerability in SMC broadband routers, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/12601/

Cross Platform:
--

[SA12633] Apache "Satisfy" Directive Access Control Bypass Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-09-23

A security issue has been reported in Apache, which may allow malicious people to bypass configured access controls.

Full Advisory:
http://secunia.com/advisories/12633/

--

[SA12606] TUTOS SQL Injection and Cross-Site Scripting Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2004-09-21

Joxean Koret has reported some vulnerabilities, which can be exploited to conduct SQL injection and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12606/

--

[SA12597] ReMOSitory "filecatid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2004-09-20

khoai has reported a vulnerability in the ReMOSitory add-on for Mambo, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12597/

--

[SA12593] YaBB Cross-Site Scripting and Security Bypass Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2004-09-21

GulfTech Security has discovered two vulnerabilities in YaBB, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/12593/

--

[SA12590] Snitz Forums 2000 HTTP Response Splitting Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-09-20

Maestro has reported a vulnerability in Snitz Forums 2000, which can be exploited by malicious people to conduct script insertion and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12590/

--

[SA12569] SnipSnap HTTP Response Splitting Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-09-20

Maestro De-Seguridad has reported a vulnerability in SnipSnap, which can be exploited by malicious people to conduct script insertion and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12569/

--

[SA12561] MyServer Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-09-16

Arnaud Jacques has reported a vulnerability in MyServer, which can be exploited by malicious people to access sensitive information.

Full Advisory:
http://secunia.com/advisories/12561/

--

[SA12560] PHP Memory Leak and Arbitrary File Location Upload Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2004-09-18

Two vulnerabilities have been reported in PHP, which can be exploited by malicious people to disclose sensitive information or potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12560/

--

[SA12621] Subversion "mod_authz_svn" Unreadable Path Information Disclosure
Critical: Less critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2004-09-23

A security issue has been reported in Subversion, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/12621/

--

[SA12609] YaBB Input Validation Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-09-22

Two vulnerabilities have been reported in YaBB, which can be exploited to conduct cross-site scripting attacks and manipulate certain files.

Full Advisory:
http://secunia.com/advisories/12609/

--

[SA12580] Mozilla / Mozilla Firefox Cross-Domain Cookie Injection Vulnerability
Critical: Less critical
Where: From remote
Impact: Hijacking
Released: 2004-09-18

WESTPOINT has reported a vulnerability in Mozilla / Mozilla Firefox, which potentially can be exploited by malicious people to conduct session fixation attacks.

Full Advisory:
http://secunia.com/advisories/12580/

--

[SA12604] Symantec ON Command CCM Default Database Administrator Accounts
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2004-09-22

Jonas Olsson has reported a security issue in ON Command CCM, which can be exploited by malicious people to access sensitive information.

Full Advisory:
http://secunia.com/advisories/12604/

--

[SA12620] CA UniCenter Management Portal Username Disclosure Weakness
Critical: Not critical
Where: From local network
Impact: Exposure of system information
Released: 2004-09-22

Thomas Adams has reported a weakness in UniCenter Management Portal, which can be exploited by malicious people to disclose system information.
Full Advisory:
http://secunia.com/advisories/12620/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Sep 24 03:36:31 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Sep 24 04:05:15 2004
Subject: [ISN] Hackers tap server at Cal State Hayward
Message-ID:

http://www.trivalleyherald.com/Stories/0,1413,86~10671~2420984,00.html

By Ricci Graham
STAFF WRITER
September 23, 2004

HAYWARD -- A computer hacker somehow gained access to the records of about 2,000 Cal State Hayward students earlier this month, prompting campus officials to send out letters warning students that their personal information may have been compromised.

Kim Huggett, director of public affairs at Cal State Hayward, said on Wednesday that officials have not determined how the hacker was able to "briefly gain unauthorized access" to student records through one of the campus servers.

The computer security breach was brought to the attention of the university's Information Security Office on Sept. 7, Huggett said.

Cheryl Walton-Washington, the school's chief information security coordinator, said the New York-based Office of Cyber Security and Critical Infrastructure Coordination discovered that a campus Web page had been defaced on or about Sept. 7. The cyber intruder had also placed two unauthorized files on the server, she said.
Officials there in turn contacted the California State Office of Information Privacy, which notified university administrators of the computer breach, Walton-Washington said.

"I can't share with you what they saw, because the server had been taken offline to begin the appropriate task of investigation," Walton-Washington said.

Walton-Washington said her office has concluded its investigation, although she concedes that it will be virtually impossible to determine who the responsible party is.

"That is actually going to be terribly difficult," Walton-Washington said. "We can't identify who. The most we have is a very benign Web address, and it's not a person."

The university has taken a number of steps to put additional firewalls in place to prevent someone from hacking into the server again, Walton-Washington said.

Asked what they were, Walton-Washington said: "Action has been taken, but I'd rather not go into detail to encourage someone else. But we have taken steps to secure this (server)."

Dick Metz, the school's vice president of administration and business, said his office shipped an estimated 2,000 letters to students whose personal information may have been accessed.

Some of the potentially compromised information includes names, Social Security numbers, addresses and telephone numbers, Metz said.

"While there is no evidence that the intruder accessed any private information, we are notifying every student who might be affected so they can alert a credit reporting agency should they choose to do so," Metz said.

In his letter to students, Metz issued an apology on behalf of the university, saying, "We consider any breach of our computer security a serious matter, so please accept our apologies."

Cal State Hayward is the latest campus to have its server illegally tapped into. Earlier this year, officials at Cal Poly, San Luis Obispo had to issue a warning to about 700 students after an online break-in.
The same occurred at San Diego State, requiring officials there to notify more than 178,00 current, former and prospective students.

From isn at c4i.org Mon Sep 27 04:22:35 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 27 05:02:11 2004
Subject: [ISN] Hackers use Google to access photocopiers
Message-ID:

http://news.zdnet.co.uk/internet/security/0,39020375,39167848,00.htm

[The Google Hacking Database (GHDB) @ http://johnny.ihackstuff.com/ will fill in any blanks this story is missing. - WK]

Dan Ilett
ZDNet UK
September 24, 2004

Hackers are using search engines to watch what people photocopy.

Using Google hacks -- requests typed into the search engine that bring up cached information on networks -- hackers are discovering and using login details for networked photocopiers so they can watch what is being copied.

"You don't have to be a genius to do this," said Jason Hart, security director at Whitehat UK. "You can see what people are photocopying on your monitor. You just have to search for online devices on Google."

Google stores billions of Web URLs and information sent from Web servers. Some Web servers, if configured incorrectly or left to default, can accidentally broadcast network information, such as IP addresses, login details and device information. Google, like many other search engines, stores this information, which can be recalled at any time.

"Essentially Google caches everything on the Web," said Hart. "By inputting commands into Google you can extract information and use it as a reverse-engineering tool."

Hackers have been using Google hacks for some time -- exploiting photocopiers is only a recent example of compromising online devices. Hackers also use the search engine to view logged conversations on the Google computer groups list. In these, techies often share network information, such as logins, and their company domain name when they post their email address with a message.
Hart added: "If you look at a firm's domain you can see all their security questions which means you can see their network infrastructure. [Hackers] wait for people to come along and say: 'I've been put in charge of security but don't know much. Can you help me?' The hacker helps out and gets their trust until they get the passwords to the firewalls."

Hart advised that security staff should regularly check Google for cached information on their firms' domain names. He said that if using public forums to solve problems, participants should sign in using an anonymous e-address.

"You can ask Google to take certain information off its site," said Hart. "It's always worth taking a look at. It's a simple check, but worthwhile."

From isn at c4i.org Mon Sep 27 04:23:14 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 27 05:02:15 2004
Subject: [ISN] JPEG/GDIplus vulnerability
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

If you have not been living under a rock (in security terms), you will likely have heard something about the GDI+ vulnerability in the past few days. JPEGs and other files that may be handled in the same way are now potentially "dangerous" data files.

In 1994 a graphics file was spread via Usenet that contained oddities in the header, and at about the same time a virus warning hoax was created that warned of a viral JPEG file. Neither of these was, in fact, related to actual malicious software, but I did some study on the subject and found header structures in both formats that could, potentially, have been used as malware vectors, under certain conditions.

The specifics of the current JPEG/GDI+ vulnerability are very difficult to obtain, even when you have copies of the various "exploits" that have been released. However, it does seem to be simply your common or garden buffer overflow. As I write I am not aware of any specific exploits that have been released with the intent to use them maliciously.
However, given the number of "exploit" samples that have been released I dare say that it will not be long before we see the real ones come out. It is unlikely that viruses will be created using this vulnerability, but it is quite probable that viruses will be created that carry graphics files (likely pornographic) that will use the vulnerability to open links to malware on Web sites, or simply open backdoors on machines for exploitation and amalgamation into botnets of various types.

Microsoft security bulletin MS04-028 (http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx) has some links that, if you manage to follow them all the way through, will lead you to a patch. The Windows and Office Update sites will also provide you with the patches, but not always easily. (For example, Windows Update seems to insist that you install SP2 first, although there is a way around this.)

Affected systems use certain versions of the gdiplus.dll file. The most widespread of the affected versions of the file come with Microsoft Windows and Office, 2003 and XP versions. Other Microsoft (and other vendors) products also have vulnerable versions of the file. The file is fairly ubiquitous. I've got eleven copies (and two compressed copies) of five different versions of gdiplus.dll on my machine. (Versions of it also exist with different file names.)

The Microsoft site does provide details of which version numbers are vulnerable or not--but no information about file sizes or dates that might allow you to determine which versions are which. If you follow links through from that page there is also a "detection" tool--but it only tells you that you *are* vulnerable, rather than identifying specific instances.

SANS also has provided a scanning tool, at http://isc.sans.org/gdiscan.php. (Actually two, a GUI version and a command line version. The GUI version, as provided, seems to want a disk in drive F:, but if you tell it to continue seems to function.)
This tool identifies which versions are vulnerable and which are not, and also scans other filenames which are, in fact, renamed copies of the gdiplus.dll file, such as:

C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
Version: 5.1.3097.0 <-- Vulnerable version
C:\Program Files\ArcSoft\Software Suite\PhotoImpression 5\Share\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL
Version: 11.0.6360.0
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL
Version: 6.0.3264.0

Banning JPEGs is unlikely to be effective as a security measure. Untrained users will probably not know how to turn off the relevant functions, or be willing to so "cripple" their Web browsing. In any case, graphics files of various types can be renamed, and Windows will still identify them from internal structures, and run them through GDI+. Using firewalls to block .jpeg, .jpg, and the various other normal file extensions would therefore also probably be ineffective in some cases.

Microsoft has provided some new patches (patches for Office and Windows apparently have to be installed separately), and others will possibly do so as well. It may be difficult to find the appropriate patches for all applications. One would assume that all versions of gdiplus.dll could simply be replaced by the latest (safe) version, but, knowing the industry, one would probably be wrong.

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
Success is to be measured not so much by the position that one has reached in life as by the obstacles which he has overcome while trying to succeed. - Booker T. Washington
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Mon Sep 27 04:24:00 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 27 05:02:19 2004
Subject: [ISN] Linux Advisory Watch - September 24th 2004 (fwd)
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| September 24th, 2004 Volume 5, Number 38a |
+---------------------------------------------------------------------+

Editors: Dave Wreski dave@linuxsecurity.com
Benjamin D. Thomas ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for lukemftpd, cvs, Heimdal, mpg123, SnipSnap, Foomatic, CUPS, and login_radius. The distributors include Debian, FreeBSD, Gentoo, Mandrake, OpenBSD, and Suse.

-----

SSL123 - New from Thawte

Get SSL123 the new full 128-bit capable digital certificate - issued within minutes for US $159.00. Free reissues and experienced 24/5 multi-lingual support included for the life of the certificate.

Click Here to Read More:
http://ad.doubleclick.net/clk;9216013;9649389;v

-----

SSL, S-HTTP, HTTPS and S/MIME

Oftentimes users ask about the differences between the various security and encryption protocols, and how to use them. While this isn't an encryption document, it is a good idea to explain briefly what each are, and where to find more information.

SSL: SSL, or Secure Sockets Layer, is an encryption method developed by Netscape to provide security over the Internet. It supports several different encryption protocols, and provides client and server authentication. SSL operates at the transport layer, creates a secure encrypted channel of data, and thus can seamlessly encrypt data of many types.
This is most commonly seen when going to a secure site to view a secure online document with Communicator, and serves as the basis for secure communications with Communicator, as well as many other Netscape Communications data encryption. More information can be found at http://www.consensus.com/security/ssl-talk-faq.html. Information on Netscape's other security implementations, and a good starting point for these protocols is available at http://home.netscape.com/info/security-doc.html.

S-HTTP: S-HTTP is another protocol that provides security services across the Internet. It was designed to provide confidentiality, authenticity, integrity, and non-repudiability (cannot be mistaken for someone else, and I cannot deny my actions later) while supporting multiple key management mechanisms and cryptographic algorithms via option negotiation between the parties involved in each transaction. S-HTTP is limited to the specific software that is implementing it, and encrypts each message individually. [ From RSA Cryptography FAQ, page 138]

S/MIME: S/MIME, or Secure Multipurpose Internet Mail Extension, is an encryption standard used to encrypt electronic mail, or other types of messages on the Internet. More information on S/MIME can be found at http://home.netscape.com/assist/security/smime/overview.html.

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave@guardiandigital.com)

-----

AIDE and CHKROOTKIT

Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.
http://www.linuxsecurity.com/feature_stories/feature_story-173.html

---------------------------------------------------------------------

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com

http://www.linuxsecurity.com/feature_stories/feature_story-171.html

------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+

9/21/2004 - lukemftpd fix arbitrary code execution

Przemyslaw Frasunek discovered a vulnerability in tnftpd or lukemftpd respectively, the enhanced ftp daemon from NetBSD. An attacker could utilise this to execute arbitrary code on the server.
http://www.linuxsecurity.com/advisories/debian_advisory-4837.html

+---------------------------------+
| Distribution: FreeBSD | ----------------------------//
+---------------------------------+

9/20/2004 - cvs number of vulnerabilities

A number of vulnerabilities were discovered in CVS by Stefan Esser, Sebastian Krahmer, and Derek Price.
http://www.linuxsecurity.com/advisories/freebsd_advisory-4826.html

+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+

9/19/2004 - Heimdal ftpd root escalation

Several bugs exist in the Heimdal ftp daemon which could allow a remote attacker to gain root privileges.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4828.html

9/21/2004 - mpg123 Buffer overflow vulnerability

mpg123 decoding routines contain a buffer overflow bug that might lead to arbitrary code execution.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4829.html

9/17/2004 - SnipSnap HTTP response splitting

SnipSnap is vulnerable to HTTP response splitting attacks such as web cache poisoning, cross-user defacement, and cross-site scripting.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4832.html

9/20/2004 - Foomatic Arbitrary command execution

The foomatic-rip filter in foomatic-filters contains a vulnerability which may allow arbitrary command execution on the print server.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4833.html

9/20/2004 - CUPS Denial of service vulnerability

A vulnerability in CUPS allows remote attackers to cause a denial of service when sending a carefully-crafted UDP packet to the IPP port.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4834.html

9/20/2004 - Mozilla, Firefox, Thunderbird, Epiphany New releases fix vulnerabilities
Denial of service vulnerability

New releases of Mozilla, Epiphany, Mozilla Thunderbird, and Mozilla Firefox fix several vulnerabilities, including the remote execution of arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4835.html

+---------------------------------+
| Distribution: Mandrake | ----------------------------//
+---------------------------------+

9/17/2004 - gdk-pixbuf/gtk+2 image loading vulnerabilities
Denial of service vulnerability

A vulnerability was found in the gdk-pixbuf bmp loader where a bad BMP image could send the bmp loader into an infinite loop (CAN-2004-0753).
http://www.linuxsecurity.com/advisories/mandrake_advisory-4824.html

9/17/2004 - gdk-pixbuf/gtk+2 image loading vulnerabilities
Denial of service vulnerability

A vulnerability was found in the gdk-pixbuf bmp loader where a bad BMP image could send the bmp loader into an infinite loop (CAN-2004-0753).
http://www.linuxsecurity.com/advisories/mandrake_advisory-4825.html

+---------------------------------+
| Distribution: OpenBSD | ----------------------------//
+---------------------------------+

9/21/2004 - login_radius security flaw

Eilko Bos has reported that radius authentication, as implemented by login_radius(8), was not checking the shared secret used for replies sent by the radius server.
http://www.linuxsecurity.com/advisories/openbsd_advisory-4838.html

+---------------------------------+
| Distribution: SuSE | ----------------------------//
+---------------------------------+

9/17/2004 - gtk2, gdk-pixbuf remote code execution security flaw

Chris Evans has discovered a heap based, a stack based and an integer overflow in the XPM and ICO loaders of those libraries.
http://www.linuxsecurity.com/advisories/suse_advisory-4813.html

9/17/2004 - XFree86-libs, xshared remote command execution security flaw

Chris Evans reported three vulnerabilities in libXpm which can be exploited remotely by providing malformed XPM image files.
http://www.linuxsecurity.com/advisories/suse_advisory-4814.html

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
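The login_radius flaw in the OpenBSD entry above is a missing check on the RADIUS Response Authenticator, which a client computes as MD5 over the reply header, its own request authenticator, the reply attributes and the shared secret (RFC 2865 section 3). The Python below is an added example, not code from OpenBSD or the newsletter; it puts that check beside the naive code-only acceptance it replaces, using a constructed shared secret, request authenticator and Reply-Message attribute.

```python
"""Verify RADIUS Response Authenticators (RFC 2865 section 3).

Added example: shows why a client must check the shared secret on server
replies. All keys, identifiers and attributes here are constructed values.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
REPLY_MESSAGE = 18          # attribute type
HEADER_LEN = 20             # code(1) + identifier(1) + length(2) + authenticator(16)


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, identifier, attributes, request_auth, secret):
    """What a genuine server sends: the authenticator binds the reply to both
    the client's request authenticator and the shared secret."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return header + auth + attributes


def naive_accepts(packet):
    """The check login_radius effectively reduced to: trust the reply's Code
    field alone. Anyone who can deliver a UDP packet can forge this."""
    return len(packet) >= HEADER_LEN and packet[0] == ACCESS_ACCEPT


def verify_response(packet, request_auth, secret):
    """The missing check: recompute the authenticator with the shared secret and
    our own request authenticator, and compare in constant time."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        return False
    received = packet[4:HEADER_LEN]
    attributes = packet[HEADER_LEN:length]   # octets past Length are ignored per RFC
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    return hmac.compare_digest(received, expected)


def reply_message(text):
    """Encode a Reply-Message attribute as type/length/value."""
    data = text.encode()
    return bytes([REPLY_MESSAGE, 2 + len(data)]) + data


def demo():
    secret = b"constructed-shared-secret"        # constructed; never reuse in production
    request_auth = bytes(range(16))              # constructed; real clients use 16 random bytes
    ident = 0x2A

    genuine = build_response(ACCESS_ACCEPT, ident, reply_message("welcome"),
                             request_auth, secret)
    # A spoofed reply built without knowing the secret.
    forged = build_response(ACCESS_ACCEPT, ident, reply_message("welcome"),
                            request_auth, b"wrong-guess")
    # A genuine Access-Reject with its Code byte flipped to Access-Accept in transit.
    flipped = bytearray(build_response(ACCESS_REJECT, ident, reply_message("denied"),
                                       request_auth, secret))
    flipped[0] = ACCESS_ACCEPT

    return {
        "genuine": verify_response(genuine, request_auth, secret),
        "forged_secret": verify_response(forged, request_auth, secret),
        "reject_flipped_to_accept": verify_response(bytes(flipped), request_auth, secret),
        "naive_client_accepts_forged": naive_accepts(forged),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```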
------------------------------------------------------------------------

From isn at c4i.org Mon Sep 27 04:24:41 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 27 05:02:21 2004
Subject: [ISN] Microsoft: To secure IE, upgrade to XP
Message-ID:

Forwarded from: matthew patton

> Microsoft has maintained that the browser is part of the operating
> system, a point of contention in its antitrust battle with the U.S.
> government.

and what a WONDERFUL piece of integration it is. Perhaps my Citrix admins are clueless but all I'm supposed to be able to use is IE - they've removed File/Open|Save, the address bar, the GO button, Internet Settings and maybe another thing or two but I can STILL get a command prompt. I can run control panel, task manager, any app I want to as well as a FULL desktop ala Start Menu and the whole works. I *love* this browser integration!! It's a massive security hole for me to do whatever I want on the Citrix box. And to think we have lots of Citrix accounts out there with unmolested IE settings so the hurdles aren't very high at all.

> Last year, the company ruled out future releases of IE as a
> standalone product. This week, the company reiterated that stance.

If I were Gartner and Co. I'd be forcibly reiterating my "abandon the IE ship" message. $99 may not seem like a lot and corporate volume pricing can probably 1/2 that but it's still ridiculous for companies to be left deliberately vulnerable by their #1 software provider because the latest point releases of an OS are not and have not been compelling. What's that say to you oh Redmondian giant? Maybe scrap Longhorn altogether and actually work on getting a version that works and isn't filled with a zillion security holes? Win2K works just *()*) fine for me and 30,000 other users in the company. Why on earth do I want to chase M$ product for no tangible benefits and plenty of UI and driver headaches?
A compelling upgrade would be one that broke the OS into a zillion independent pieces and a kernel functionality breakout ala RPM and Solaris/Linux with choice of loadable modules. I'm sick and tired of having this gargantuan behemoth with 90% unnecessary and unasked for "features" with all the entailing security problems shoved down my throat.

> And it's those more substantial changes, rather than the bug fixes
> that come with routine upgrades for supported products, that
> security organizations have lauded for addressing IE's graver
> security concerns.

oh geez and Mozilla/Opera etc have had these features for how many YEARS?

> That 49.2 percent of Windows users are left out in the cold when it
> comes to significant updates to IE and other software.

Come on Microsoft, you know you want to ship a utility to eradicate IE from every facet of Win2K on down, right? Well at least the cursed WinME and the older but more stable/better 98/95. These people aren't going to switch to XP even if you gave it to them. Maybe if you sent out a MCSE to their house with a free PC to run the latest bloatware and migrated all their applications and data they'd consider it.

Yet here I am a technologist supposedly interested in pursuing the cutting edge and all that. I run Win98 until quite recently on a 500mhz AMD. The only thing my 1.7Ghz CPU gives me now is a faster rate of cracking distributed.net key blocks. I've had years of reading Cringley and other chaps at Byte etc. who have documented their frustrations with OS after OS after OS. No thank you. Win98 just plain works. Win2000 just plain works. Get used to it Redmond, it takes you guys at least 3 versions of a product before you make one that actually works well enough to justify thinking about migrating. So that means XP is not it. Longhorn isn't it. Featuritis is not what matters - FIXING stuff is.

> features they'd have to pay for in IE. But most consumers don't
> download anything if they can avoid it."

sad but true.
And we wonder why Windoze boxes get owned and why there are so many of them.

From isn at c4i.org Mon Sep 27 04:27:25 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Sep 27 05:02:23 2004
Subject: [ISN] Microsoft: To secure IE, upgrade to XP
Message-ID:

Forwarded from: Gary Hinson

> http://news.com.com/Microsoft+To+secure+IE%2C+upgrade+to+XP/2100-1032_3-5378366.html
>
> If you're one of about 200 million people using older versions of
> Windows and you want the latest security enhancements to Internet
> Explorer, get your credit card ready ...

Spot the difference:

1. Software is inevitably released with quality failures, some of which create information security vulnerabilities.
2. The supplier warns people about bugs and offers to fix them, for a price.
3. People who value security have little choice but to pay for the fixes, and hope that they work.
4. Those who don't value or cannot afford security live with the bugs, increasing the number of potential Internet zombies.
5. The whole Internet community suffers.

vs.

1. Motor vehicles are inevitably released with quality failures, some of which create safety issues.
2. Legal, regulatory and market pressures force the manufacturer to solve trivial issues at the first free service, and issue free recall notices for serious safety issues that occur later.
3. Most people comply with recall safety notices because they fear for their own safety.
4. Service centers resolve issues before too many people suffer.

Dr Gary Hinson CISSP CISM CISA MBA
Chief Executive, IsecT Ltd.
www.isect.com and www.NoticeBored.com

From isn at c4i.org Tue Sep 28 05:13:25 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Sep 28 05:45:05 2004
Subject: [ISN] Linux Security Week - September 27th 2004
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| September 27th, 2004 Volume 5, Number 38n |
| |
| Editorial Team: Dave Wreski dave@linuxsecurity.com |
| Benjamin D. Thomas ben@linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Sawing Linux Logs with Simple Tools," "Open source wireless tools emerge," and "Security Still A Worry As WLANs Expand."

----

>> Crypto Challenge VI has begun <<

Be the first to crack the code and win a Sony DCRHC40 MiniDV Digital Handycam Camcorder. More prizes in the weekly Lunch Hour Challenge - make sure you check the site regularly.

CLICK HERE to sign up NOW
http://ad.doubleclick.net/clk;10740242;10262156;m

----

LINUX ADVISORY WATCH:

This week, advisories were released for lukemftpd, cvs, Heimdal, mpg123, SnipSnap, Foomatic, CUPS, and login_radius. The distributors include Debian, FreeBSD, Gentoo, Mandrake, OpenBSD, and Suse.
http://www.linuxsecurity.com/articles/forums_article-9931.html

AIDE and CHKROOTKIT

Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.
http://www.linuxsecurity.com/feature_stories/feature_story-173.html

----

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker.
He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com
http://www.linuxsecurity.com/feature_stories/feature_story-171.html

----

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Hardening the PAM framework
September 25th, 2004

In yesterday's article we began looking at how PAM can securely authenticate Windows users. Today we'll check the PAM framework, harden the basic services that we expect to authenticate to, and look at new PAM modules that might make our systems more secure.
http://www.linuxsecurity.com/articles/documentation_article-9939.html

* Sawing Linux Logs with Simple Tools
September 24th, 2004

So there you are with all of your Linux servers humming along happily. You have tested, tweaked, and configured until they are performing at their peak of perfection. Users are hardly whining at all. Life is good. You may relax and indulge in some nice, relaxing rounds of TuxKart. After all, you earned it.
http://www.linuxsecurity.com/articles/documentation_article-9930.html

* Hardening Linux authentication and user identity
September 23rd, 2004

PAM is an authentication mechanism that originated on Solaris, but is used on various systems, including Linux. The Linux PAM implementation allows a system administrator to choose how users authenticate to various services. New modules can be added by an administrator at any time, offering overall flexibility in how authentication happens.
http://www.linuxsecurity.com/articles/documentation_article-9922.html * SpamAssassin sports new open-source license September 23rd, 2004 Project leaders for the widely used software chose to enter the fold of the Apache Software Foundation to take advantage of the nonprofit group's legal and technical resources. To make the move, SpamAssassin had to adopt the Apache License. http://www.linuxsecurity.com/articles/vendors_products_article-9927.html +------------------------+ | Network Security News: | +------------------------+ * Open source wireless tools emerge September 23rd, 2004 The wireless development landscape differs from the wired world in a number of ways. For one thing, the dominance of handheld device manufacturers and proprietary OS makers has meant that open source projects for wireless connectivity have been slow to take off. But now this sector is showing some signs of life. http://www.linuxsecurity.com/articles/security_sources_article-9924.html * Are Firewalls Useful? And Another Thing... September 23rd, 2004 If you ever feel in need of a lesson in humility, try reading through the TCP/IP RFCs and related literature. I have two questions I have no idea how to answer but rather naively expected that reading this material would help. It didn't, in truth because I didn't understand most of it; so now I'm asking you to explain the issues to me. http://www.linuxsecurity.com/articles/firewalls_article-9919.html * Security Still A Worry As WLANs Expand: Survey September 22nd, 2004 About half the companies responding to the survey said that security was the chief concern preventing growth of WLANs. However, about 84 percent of the companies that have deployed WLANs said they have not suffered from security breaches. 
http://www.linuxsecurity.com/articles/network_security_article-9904.html +------------------------+ | General Security News: | +------------------------+ * Open Source VoIP Ready For Its Close Up September 25th, 2004 Open Source Voice over IP is ready for its close up. Asterisk, a popular Voice over IP PBX, has released version 1.0.0. http://www.linuxsecurity.com/articles/forums_article-9938.html * European Companies Join In Boosting Linux Security September 24th, 2004 A consortium of European companies, including Linux-distributor Mandrakesoft, has been awarded a three-year, $8.6 million contract to boost security of the open-source Linux operating system, the companies said Thursday. http://www.linuxsecurity.com/articles/projects_article-9934.html * Insiders Weigh Law Banning Wireless Spam September 24th, 2004 In less than a month, it will be illegal to send commercial messages to any Internet domain associated with wireless messaging subscription services. http://www.linuxsecurity.com/articles/network_security_article-9929.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Tue Sep 28 05:13:39 2004 From: isn at c4i.org (InfoSec News) Date: Tue Sep 28 05:45:07 2004 Subject: [ISN] U.N. warns of nuclear cyber attack risk Message-ID: http://www.securityfocus.com/news/9592 By Kevin Poulsen SecurityFocus Sept 27 2004 The United Nations' nuclear watchdog agency warned Friday of growing concern about cyber attacks against nuclear facilities. The International Atomic Energy Agency (IAEA) announced in a statement that it was developing new guidelines aimed at combating the danger of computerized attacks by outside intruders or corrupt insiders. 
"For example, software operated control systems in a nuclear facility could be hacked or the software corrupted by staff with insider access," the group said. The IAEA's new guidelines on "Security of Information Technology Related Equipment and Software Based Controls Against Malevolent Acts" are being finalized now, said the agency. The announcement came out of the agency's 48th annual general conference attended by 137 nations. Last year the Slammer worm penetrated a private computer network at Ohio's idled Davis-Besse nuclear plant and disabled a safety monitoring system for nearly five hours. The worm entered the plant network through an interconnected contractor's network, bypassing Davis-Besse's firewall. News of the Davis-Besse incident prompted Rep. Edward Markey (D-MA) last fall to call for U.S. regulators to establish cyber security requirements for the 103 nuclear reactors operating in the U.S., specifically requiring firewalls and up-to-date patching of security vulnerabilities. By that time the U.S. Nuclear Regulatory Commission (NRC) had already begun working on an official manual to guide plant operators in evaluating their cybersecurity posture. But that document, finalized this month, "is not directive in nature," says Jim Davis, director of operations at the Nuclear Energy Institute, an industry association. "It does not establish a minimum level of security or anything like that. That isn't the purpose of the manual." A related industry effort will establish management-level cyber security guidelines for plant operators, says Davis, who believes industry efforts are sufficient. "I think we are taking it seriously... and I think if the industry doesn't go far enough in this area we'll see more attention from regulators." Neither the NRC manual nor the industry guidelines will be made public. 
Separately, the NRC is working on a substantial revision of its regulatory guide, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants," which sets security and reliability criteria for installing new computerized safety systems in plants. It would replace the current guide, written in 1996, which is three pages long. A working draft of the NRC guide reviewed by SecurityFocus would encourage plant operators to consider the effect of each new safety system on the plant's cyber security, and to develop response plans to deal with computer incidents. Additionally, it would urge vendors to maintain a secure development environment, and to probe their products for backdoors and logic bombs before shipping. From isn at c4i.org Tue Sep 28 05:13:51 2004 From: isn at c4i.org (InfoSec News) Date: Tue Sep 28 05:45:09 2004 Subject: [ISN] Hackers go after Lundy site Message-ID: http://www.thecouriermail.news.com.au/common/story_page/0,5936,10901111%255E15306,00.html James Riley 28sep04 LABOR IT spokeswoman Kate Lundy has become the first politician targeted by hackers in the federal election campaign. Hackers attacked Senator Lundy's personal website at the domain level through her internet service provider, Virtual Communities Austar, directing users to a garbled message in Portuguese and Latin. Senator Lundy, who prides herself as having built and maintained the site herself as one of the first politicians to delve into the internet, says the integrity of her site at katelundy.com.au/index.htm remained intact and that the hacker attacked the ISP. The attack is thought to have occurred in the morning yesterday. Senator Lundy said the problem would be resolved as soon as she was able to get someone from the ISP on the telephone. "Like a lot of users who experience problems getting through to their ISP, I'm having trouble getting through the labyrinth to the help desk to tell them what happened," the Senator said. 
From isn at c4i.org Tue Sep 28 05:14:03 2004 From: isn at c4i.org (InfoSec News) Date: Tue Sep 28 05:45:13 2004 Subject: [ISN] E-mail firm baits hackers with security challenge Message-ID: http://news.zdnet.com/2100-1009_22-5383988.html By Dan Ilett ZDNet (UK) September 27, 2004 A small British e-mail company is lining itself up for a possible challenge by inviting Internet users to break into its product. Avecho has offered $18,056 (10,000 pounds) to anyone who can sneak a virus past its GlassWall product, and it has even opened up the challenge to its developers. "Lots of people have already tried to do this," said Mark Elliott, vice president of international marketing for Avecho. "I think this is something we are able to do. The only condition is that people must be willing for us to publicize their failure as well as their success." In order to take part, contestants need to sign up for an Avecho e-mail account and then send a virus to that address or try to receive one from it. If the virus gets through, the contestant will win the prize, Elliott said. Currently, Avecho is the only party able to see the virus traffic traveling through its network. Elliott said he would like a third party to judge the contest, but no one has come forward to volunteer for the job yet. "We are struggling to find a third-party arbiter," Elliott said. "We would like to get a media company (to judge the competition), but as yet we don't have one." Avecho's GlassWall product has been shrouded in mystery for some time. The company still refuses to detail how the product works, saying only that it is "a software-based, siliconizable malware protection solution." In the past, Avecho executives have said the company was keeping the mechanics secret because it was unable to patent its products. Elliott declined to comment on the company's plans or its financial backers but said that there were "some changes in progress at the top level." 
Many companies have crashed and burned with hacker challenges. In 2001, Argus Systems failed to pay a Polish ethical hacking group, called the Last Stage of Delirium, prize money for cracking its Pit Bull server. Korean Digital Works also suffered embarrassment in 2002, when suspicion arose over the running of its hacking competition. The company had offered $100,000 to anyone who could break its Web server, but instead, hackers decided to break the registration server to control who entered the contest. From isn at c4i.org Wed Sep 29 03:53:27 2004 From: isn at c4i.org (InfoSec News) Date: Wed Sep 29 04:48:40 2004 Subject: [ISN] REVIEW: "Minding the Machines", William M. Evan/Mark Manion Message-ID: Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" BKMNDMCH.RVW 20040527 "Minding the Machines", William M. Evan/Mark Manion, 2002, 0-13-065646-1, U$29.99/C$46.99 %A William M. Evan mindingthemachines@wharton.upenn.edu %A Mark Manion mindingthemachines@drexel.edu %C One Lake St., Upper Saddle River, NJ 07458 %D 2002 %G 0-13-065646-1 %I Prentice Hall %O U$29.99/C$46.99 +1-201-236-7139 fax: +1-201-236-7131 %O http://www.amazon.com/exec/obidos/ASIN/0130656461/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0130656461/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0130656461/robsladesin03-20 %P 485 p. %T "Minding the Machines: Preventing Technological Disasters" Part one is an introduction. It is ironic, both in terms of the title of the chapter; "Technological Disasters: an Overview"; and particularly the title of the book, that although the authors list four categories of disaster causes, the examples given overwhelmingly indicate human error, if not outright malfeasance. The classifications provided are also confusing: what difference is there between human, organizational, and socio-cultural factors? 
The comparison of natural and man-made disasters, and the supporting tables, in chapter two raise more questions than they answer: why are both types increasing at almost identical rates (in glaring contrast to the stated conclusion)? Part two looks at the prevalence of technological disasters. (I thought we just did that?) Chapter three says nothing new about Y2K. The theories of technological disasters, in chapter four, are flawed by an overly simplistic view of systems, one which completely ignores the inherent tendency of complex systems in general, and digital systems in particular, to catastrophic failure modes. As noted, the book is heavily larded with tables and figures, most of which have little apparent relevance to the text, and some of which actually seem to contradict the written material. One example in this chapter points out that the figures are, themselves, unexplained and poorly captioned: a diagram with six numbered interrelationships is followed by a numbered list--for a completely different set of factors. In chapter five the authors set up an odd, and poorly explained, matrix of "systemic dimensions" underlying disasters. "Human Factors Factors" (sic) are technological (as opposed to social) systems and external (as opposed to internal) systemic factors. The reporting of details in the examples in this and other chapters is suspect: despite specific and itemized accounts of the Therac 25 tragedy in at least two of the references listed for this chapter, the authors insist that somehow the type of radiation was at fault, rather than the flawed user interface that allowed incorrect dosage settings to be retained by the device, even after the operator believed the error had been rectified. Part three supposedly looks at technological disasters since the industrial revolution. Chapter six meanders through a wide variety of industrial "revolutions," and then delves briefly into future biotech, nanotech, and robotics/artificial intelligence. 
A terse and bemusing expansion of the earlier four part matrix into twelve goes on in chapter seven. Part four provides an "Analysis of Case Studies of Technological Disasters." Chapter eight insists on fitting a number of tragedies into the matrix from chapter seven. The reasons for the choices are not obvious: the authors insist throughout the book that the Bhopal poison gas release was due to "socio-cultural factors" when it is clearly, as far as the book recounts, due to greed and a lack of provision for safety equipment and procedures. (Another table maintains that Bhopal was an "accident" while the sinking of the Titanic, with far less impact in deaths and injuries, was a disaster and a tragedy.) Chapter nine lists one "lesson learned" from each of the "case studies": actually, what all of them have in common is the fact that technological disasters have *numerous* causes, not just a single one. The Tenerife airliner crash, as only one example, was caused by overloading of a backup situation, fear of regulations that made no provision for emergencies, miscommunications, failure to verify communications, pressure of overloading of facilities, and other failures. Part five talks about strategic responses. Chapter ten states that scientists need to stress professional education and safety. Now, I can sympathize with that attitude in large measure: as a virus researcher I've been crying in the wilderness about malware for many years, and have recently been exhorting corporations to support free public security awareness training as a benefit to the enterprise by reducing overall levels of risk. I think it a bit unfair, though, to put all the weight for safety on the shoulders of the professionals, when the rest of society is completely obsessed with time-to-market and dancing pigs. Chapter eleven tacitly admits this fact, with case studies that demonstrate that in many instances of corporate wrongdoing the executives were warned of the dangers in advance. 
No recommendations for specific responses are made. The four legal branches of the United States government, and their relationships to technology, are listed in chapter twelve: again, no suggestions are forthcoming. A fairly standard overview of risk analysis is given in chapter thirteen, which, I suppose, might be some kind of endorsement of and recommendation for risk analysis itself. Chapter fourteen assumes that "democratic" decision making is better than "technical," without ever examining the dangers of social and political influences forcing the bad public policy rulings that the case studies in the work truly demonstrate. This book actually says very little about either technology or technological disasters: most of the evidence points out fraud, avarice, and other social factors that create most any kind of disasters. For those who really do want to know how to make technology safer, it would be best to look elsewhere. copyright Robert M. Slade, 2004 BKMNDMCH.RVW 20040527 ====================== (quote inserted randomly by Pegasus Mailer) rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu Subscribe to the techbooks list at techbooks-subscribe@egroups.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade From isn at c4i.org Wed Sep 29 03:54:10 2004 From: isn at c4i.org (InfoSec News) Date: Wed Sep 29 04:48:42 2004 Subject: [ISN] Cybersecurity measures not likely in intelligence reform Message-ID: Forwarded from: William Knowles http://www.govexec.com/story_page.cfm?articleid=29593 By William New National Journal's Technology Daily September 28, 2004 After a week of at times acrimonious turf fighting about cybersecurity, it appears there will be only a small mention of the issue in a larger bill to reform the government's intelligence structure, congressional and private-sector sources said Tuesday. 
The bill being considered by various committees contains a provision that requires agencies to include cybersecurity in their planning, but two larger cyber-security measures will not be included. Over the past week or so, GOP leaders gave consideration to inclusion of a House Homeland Security Committee bill to elevate the status of cybersecurity within the Homeland Security Department two levels, from a director to an assistant secretary, and to strengthen the agency's responsibilities. At the same time, the House Government Reform Committee introduced legislation that would clarify and enhance the cyber-security oversight of the White House Office of Management and Budget. The Homeland Security bill does not have the clear support of the department and was seen by some critics as a move by the committee to strengthen its case for being made permanent next year. The Government Reform bill ruffled feathers as some interpreted it as moving too much oversight to OMB, though committee staff argue the agency already has the policy oversight and Homeland Security would be left with operational oversight. Both bills have been put off to next year to get agreement, aides said. Government Reform does not plan to attach its cybersecurity bill when it votes on the intelligence reform bill on Wednesday. The House Science Committee, which has jurisdiction loosely over cybersecurity research and development and standards, does not support either bill in their current forms but will continue negotiating on the language of the Homeland Security Committee bill, according to committee Chief of Staff David Goldston. Industry generally supports elevating cybersecurity within Homeland Security. 
Dexter Ingram, director of information security policy at the Business Software Alliance (BSA), said the group "looks forward to working with the Government Reform Committee on strengthening OMB's information-sharing coordination capacity within the federal government, as well as working with the House Select Homeland Security Committee on strengthening cyber security within the Department of Homeland Security." One of the main reasons the new department was created was because security operations cannot be done out of the White House, said Frank Cilluffo, former special assistant to the president for homeland security. In addition, policymakers didn't want to separate physical and cyber security and instead sought to "marry up" these two issues, he added. Elevation of cybersecurity within Homeland Security would separate them and should not be pursued, he said. Cilluffo noted that there is a senior director for cyber security on the White House Homeland Security Council who "rides shepherd" on cybersecurity policy within the White House. Cilluffo said OMB always "gets a bite at the apple" through managing agency budgets. He said Homeland Security should have more flexibility in its budget to address the rapid pace of technological advances. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. 
Gray, USMC ---------------------------------------------------------------- C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Wed Sep 29 03:54:24 2004 From: isn at c4i.org (InfoSec News) Date: Wed Sep 29 04:48:44 2004 Subject: [ISN] Terrorists grow fat on email scams Message-ID: http://www.theregister.co.uk/2004/09/28/terrorist_email_scams/ By Jan Libbenga 28th September 2004 Organisations such as al-Qaeda, ETA and PKK are copying Nigerian scams to fund terrorism, two Dutch experts told Dutch daily De Telegraaf this week. Harald Koppe, head of the Dutch Unusual Transactions Reporting Office (MOT), and Harry Jongbloed of the Dutch criminal investigation department, say there is "strong evidence" from international crime fighting organisations such as the FBI that at least some of the terrorist funding is coming from advanced fee fraud (such as Nigerian-style scam emails) and the sale of pirated software, including CDs and DVDs. Using the internet to raise funds is fairly risk free, experts say. According to an Interpol report prepared for the US House Committee on International Relations earlier this year, intellectual property crimes are indeed a growing resource for terrorist groups from Northern Ireland to the Arab world, including al-Qaeda and Hizbullah. Last year Interpol already called for a global crackdown (http://www.news24.com/News24/Technology/News/0,,2-13-1443_1388359,00.html) on software and music piracy. A couple of months ago the Recording Industry Association of America (RIAA) said it had evidence that illegal CD plants in Pakistan were financed by international terrorist Dawood Ibrahim (http://www.ustreas.gov/press/releases/js909.htm), although some people have downplayed these claims as blatant propaganda. But what about Nigerian scams? Could these seriously be a source of funding for terrorism? Or are terrorists merely copying their tactics? 
To date, solid evidence for such claims hasn't been presented publicly. In fact, the supposed link between Nigerian scammers and terrorists is still a matter of debate (http://www.fraudaid.com/ScamSpeak/Nigerian/adaora/419ter.htm) among experts. Some believe the cultural background of the perpetrators makes terrorism funding highly improbable. Others, such as Rachel Ehrenfeld, author of the book Funding Evil (http://www.bonusbooks.com/bookpage.asp?BookID=1268), say that as 50 per cent of the Nigerian population is Muslim, there is an ideological affiliation (http://edition.cnn.com/TRANSCRIPTS/0312/01/ltm.17.html) with some terrorist organisations. Hmm. A recent survey found that the proportion of Nigerian Muslims who view the United States favorably fell from more than 70 per cent to less than 40 per cent last year. Ehrenfeld stresses that in many cases the collaboration is just financially motivated. "People who buy fake Gucci bags and Swiss watches sold by Nigerians on the sidewalks of Fifth Avenue in Manhattan contribute to terrorism," she claims. The Dutch Unusual Transactions Reporting Office (MOT) believes there are some disturbing trends. Suspicious money transfers emanating from the European countries these days can often be linked to West African criminal networks, MOT concludes in its annual report (http://www.justitie.nl/mot/images/Nieuws/MOT_annual_report_2003.pdf). There also appear to be connections with the drugs trade. Under the code name "Hyena", the Dutch criminal investigation department managed to freeze a total of 1m in bank accounts linked to Nigerian scams in the past couple of months, but it admits it is still only a very small part. 
From isn at c4i.org Wed Sep 29 03:56:06 2004 From: isn at c4i.org (InfoSec News) Date: Wed Sep 29 04:48:46 2004 Subject: [ISN] Hackers use porn to target Microsoft JPEG flaw Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,96227,00.html By Paul Roberts SEPTEMBER 28, 2004 IDG NEWS SERVICE Malicious hackers are seeding Internet newsgroups that traffic in pornography with JPEG images that take advantage of a recently disclosed security hole in Microsoft Corp.'s software, according to warnings from antivirus software companies and Internet security groups. The reports are the first evidence of public attacks using the critical flaw, which Microsoft identified and patched on Sept. 14 (see story). Users who unwittingly download the poison images could have software installed on their computers that gives remote attackers total control over the machine, experts said. The images were posted in a variety of Internet newsgroups where visitors post and share pornographic images, or "binaries." The altered JPEG images were posted to groups such as "alt.binaries.erotica.breasts" yesterday by someone using the e-mail address "Power-Poster@power-post.org," according to the online security discussion group BugTraq and information posted on Easynews.com, a Web portal for Usenet, the global network of news servers. The corrupted JPEG images are indistinguishable from other images posted in the group but contain a slightly modified version of recently released exploit code for the JPEG vulnerability called the "JPEG of Death" exploit, which appeared over the weekend, said Johannes Ullrich, chief technology officer of the SANS Institute's Internet Storm Center (ISC). The ISC has also posted information about the exploit online. Like other exploits for the vulnerability that have appeared since Microsoft released its patch, the JPEG of Death uses a JPEG file formatted to trigger an overflow in a common Windows component called the GDI+ JPEG decoder. 
That decoder is used by Windows, Internet Explorer, Outlook and many other Windows applications, Ullrich said. When opened by users, the infected JPEGs try to install a copy of Radmin, a legitimate application that allows users to remotely control their computers. In this case, however, the program is being used by the remote attacker as a Trojan horse program. Infected Windows machines are also programmed to report back to an Internet Relay Chat channel, Ullrich said. The images work only on computers running Windows XP, although some of the attack features don't appear to work on all machines running that operating system, Ullrich said. The ISC and antivirus companies cautioned that the newly posted attack images can't spread and aren't, technically, a "virus." However, the exploit code could easily be modified to download a virus engine with e-mail capability that would spread when images are opened, Ullrich said. As with Sasser and other recent worms that target common Windows components, security experts said they worry that the JPEG vulnerability in GDI+ could spawn another major worm outbreak. The vulnerability is remotely exploitable and can be accessed through a long list of popular Windows applications, including Internet Explorer, the Outlook e-mail program and Microsoft's Office applications. In addition to GDI+ being a standard component of Windows, different Windows applications frequently distribute their own versions of GDI+. Those versions might reside in folders used by the applications and be out of reach of the Windows patch, or they could be installed after the Microsoft patch was applied, undoing that patch, Ullrich said. Currently, most major antivirus software programs can spot corrupted JPEG images. Ullrich added that antivirus software, in combination with the Windows patch, is the only known protection from attacks that use the GDI+ vulnerability. 
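The marker-level check behind the "formatted to trigger an overflow" sentence in the article above, as an added example that is not part of the article and not code from SANS ISC, Microsoft or any antivirus vendor: a small Python scanner that walks a JPEG's header segments and flags the length field a decoder would underflow on. The article does not say which field the exploit corrupts; the check below assumes the publicly documented MS04-028 root cause, a segment (a COM comment segment in the public exploit) whose 16-bit length field, which must be at least 2 because it counts its own two bytes, is set to 0 or 1, so that the decoder's "length minus 2" wraps to a huge value. The two JPEGs it runs over are constructed inline for the example, not captured from the newsgroup posts, and the "evil" one carries filler bytes rather than any payload.

```python
"""Scan JPEG header segments for the underflowing length field behind MS04-028.

Added example, not the article's or any vendor's code. The trigger modelled
here (segment length < 2) is the documented MS04-028 root cause, not a detail
the article states.
"""
import struct

# Marker bytes that carry no length field: TEM, SOI, EOI and RST0..RST7.
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def scan_jpeg(data: bytes):
    """Walk the header segments of a JPEG and classify each one.

    Returns a list of (offset, marker, declared_length, verdict) tuples where
    verdict is 'ok', 'bad-length' (length field below 2, the MS04-028 pattern)
    or 'truncated' (segment claims more bytes than the file has). Scanning
    stops at SOS, because entropy-coded image data follows it and the overflow
    lives in the header segments before it.
    """
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    findings = [(0, SOI, None, "ok")]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        start = pos
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            findings.append((start, marker, None, "ok"))
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            findings.append((start, marker, None, "truncated"))
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            # The length counts its own two bytes, so anything below 2 cannot
            # occur in a valid file; a decoder computing length - 2 with an
            # unsigned type wraps around here and then copies far too much.
            findings.append((start, marker, length, "bad-length"))
            break
        if pos + length > len(data):
            findings.append((start, marker, length, "truncated"))
            break
        findings.append((start, marker, length, "ok"))
        pos += length
        if marker == SOS:
            break
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if any header segment carries the underflowing length field."""
    return any(verdict == "bad-length" for _, _, _, verdict in scan_jpeg(data))


def segment(marker: int, payload: bytes) -> bytes:
    """Encode one marker segment with a correct length field (used to build samples)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample 1: a minimal well-formed header (APP0/JFIF plus a comment).
BENIGN_JPEG = (
    bytes([0xFF, SOI])
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(COM, b"hello")
    + bytes([0xFF, EOI])
)

# Constructed sample 2: a COM segment whose length field is 1. The bytes after
# it are arbitrary filler, not an exploit payload.
EVIL_JPEG = bytes([0xFF, SOI, 0xFF, COM, 0x00, 0x01]) + b"\x41" * 16


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_JPEG), ("evil", EVIL_JPEG)):
        print(name, "suspicious" if is_suspicious(blob) else "clean")
        for off, marker, length, verdict in scan_jpeg(blob):
            print(f"  offset {off:>3}: marker 0xFF{marker:02X} length {length} -> {verdict}")
```

The check is deliberately marker-agnostic: any segment with a length field of 0 or 1 is impossible in a valid file, so flagging all of them costs nothing in false positives and also catches variants that move the bad length out of the COM segment. Note that this only inspects files; it does nothing about the bundled copies of GDI+ that the article says can sit outside the reach of the Windows patch, which need a separate inventory of every gdiplus.dll on the machine.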
From isn at c4i.org Wed Sep 29 03:56:18 2004 From: isn at c4i.org (InfoSec News) Date: Wed Sep 29 04:48:47 2004 Subject: [ISN] When staff can be more dangerous than hackers Message-ID: http://straitstimes.asia1.com.sg/techscience/story/0,4386,275155,00.html By Chua Hian Hou SEPT 29, 2004 COMPANIES here, more concerned with preventing computer viruses from attacking them, are neglecting their biggest information security threats - their employees and business partners. Mr John Ho Chi, principal of Ernst & Young's security and technology risk service, said insiders are dangerous because they 'know where your most valuable information is, already have trusted access to your system, and may even know how to get away with it or cover their tracks'. For example, an unhappy business partner with access to a company's price lists can share this access with the company's competitor, allowing him to see the prices. Or a disgruntled employee can change the details of customers' orders, causing havoc to the company's operations, he said. While a virus or a hacker may cause damage to a company, it cannot do so undetected and certainly not to the extent a malicious insider with intimate knowledge of the company can. Findings from Ernst & Young's Global Information Security Survey 2004, which included 43 local companies, showed Singapore firms know security is important. Many invest heavily in firewalls and anti-virus software to guard against external threats such as viruses and hackers. However, these firms pay less attention to internal threats, said Mr Ho. According to the survey, nine out of 10 local companies rank external threats such as viruses and hackers, loss of customer data and confidentiality breaches as their most important threats, compared to seven in 10 which are concerned about breaches by disgruntled employees or business partners. 
Mr Ho said publicity given to virus outbreaks and hacker attacks has highlighted external threats and made them appear more dangerous than internal threats. What local companies don't realise is, 'when it comes to employees and business partners, the only thing standing between the company and fraud is... trust'. Woo World, a 10-man mobile games distributor, experienced a malicious breach last year, said its technology manager Chai Swee Kheat. An employee had deliberately deleted files he was not supposed to modify. Fortunately, there were back-up copies and the company did not suffer too badly in this case. Lest companies believe their staff are made of sterner stuff, a global fraud study by Ernst & Young found that one in five employees knew personally of incidents where colleagues had stolen from their employer. 'In other words, there are a lot of untrustworthy employees out there,' warned Mr Ho. From isn at c4i.org Wed Sep 29 03:56:37 2004 From: isn at c4i.org (InfoSec News) Date: Wed Sep 29 04:48:49 2004 Subject: [ISN] Hacker caused $400,000 damage - businessman Message-ID: http://www.stuff.co.nz/stuff/0,2106,3048122a28,00.html 29 September 2004 An American businessman has told the Dunedin District Court he had no reason to believe a former employee who attacked his company's computer system late last year would not do so again. Robert Lee, the Oregon-based chief executive of internet music and video stores, Buy Music Here (BMH), told Judge Gary MacAskill the entire code for the company's system had to be rewritten to at a cost of over $400,000 to protect the company from further "back door" attacks. Mr Lee was giving evidence about the extent of damages incurred by his company as a result of attacks by a 37-year-old Dunedin academic, previously employed by the company, both in America and in New Zealand. The man, described by Mr Lee as "the most skilled programmer we've ever employed", had written core parts of the code. 
The company believed the only way for the system to be safe in the future was for the entire code to be rewritten by a software engineer of the same high capability level as the defendant. A damages report, updated for the disputed facts hearing, lists the total cost to the company at $441,122.50. But Judith Ablett-Kerr QC, counsel for the accused who has earlier admitted attacking BMH's system, said her client, who has temporary name suppression, believed the damage amounted to about $1500. Under cross-examination, Mr Lee agreed the company had not yet replaced the system "in a comprehensive way", but it had built some defence mechanisms. Ms Ablett-Kerr said a code replacement calculation of $156,000, contained in the company's costs, was the cost of an engineer working 300 eight-hour days on an hourly rate of $65. To a suggestion from her it was not necessary to replace the code at all, Mr Lee said his information was the company would be foolish not to replace it if it wanted to protect itself from further attacks by the defendant. The defendant has already admitted three representative charges of unlawfully attacking BMH systems and deleting and interfering with data. He has been on bail awaiting sentence but that cannot take place until the extent of the damages has been determined. Mr Lee will continue his evidence tomorrow. From isn at c4i.org Wed Sep 29 04:40:58 2004 From: isn at c4i.org (InfoSec News) Date: Wed Sep 29 04:48:51 2004 Subject: [ISN] Laser injures Delta pilot's eye Message-ID: http://washingtontimes.com/national/20040928-111356-3924r.htm [Not really information security related, but I found this article interesting since laser warfare and hacking is mentioned quite often in Chinese information operations reports. 
- WK] By Bill Gertz THE WASHINGTON TIMES September 29, 2004 A pilot flying a Delta Air Lines jet was injured by a laser that illuminated the cockpit of the aircraft as it approached Salt Lake City International Airport last week, U.S. officials said. The plane's two pilots reported that the Boeing 737 had been five miles from the airport when they saw a laser beam inside the cockpit, said officials familiar with government reports of the Sept. 22 incident. The flight, which originated in Dallas, landed without further incident at about 9:30 p.m. local time. A short while later, however, the first officer felt a stinging sensation in one eye. A doctor who examined the pilot determined that he had suffered a burned retina from exposure to a laser device, the officials said. Transportation Security Administration (TSA) spokeswoman Yolanda Clark confirmed the incident, but declined to provide details. "TSA is aware of the incident, and we are working with the airline in conducting an investigation to try and determine the cause of the incident," Miss Clark said. She would not say whether TSA considers the incident a possible security threat to commercial aircraft. Other officials said the incident was serious enough that the pilot will be unable to fly for at least a week. "So far, it doesn't sound like there will be permanent [eye] damage," one official said. The identity of the pilot could not be learned, and Delta spokesman Anthony Black declined to comment. Officials were unsure of the source of the laser and could not determine whether the exposure was deliberate or accidental. John Mazor, a spokesman for the Air Line Pilots Association, said commercial pilots have been exposed to laser illumination. "The Air Line Pilots Association has received reports in the past of incidents where lasers penetrated cockpits and, in at least one case, caused injury," Mr. Mazor said. 
Several years ago, a pilot flying into a Western airport was hit by a light from a laser light show. The causes of the other incidents are not known, he said.

Asked whether a laser aimed at pilots could cause a plane to crash, Mr. Mazor said: "I think that's highly improbable. In every case in the past, the flights landed safely."

Military personnel also have suffered eye damage from laser illumination. In one case, Naval Lt. Cmdr. Jack Daly and Canadian helicopter pilot Capt. Pat Barnes suffered eye injuries hours after an aerial surveillance mission to photograph a Russian merchant ship that had been shadowing the ballistic-missile submarine USS Ohio in Washington state's Strait of Juan de Fuca.

The Navy recently turned down an appeal from the Defense Department inspector general to award Cmdr. Daly a Purple Heart for the incident. Cmdr. Daly, who retired from the service last year, continues to suffer eye pain and deteriorating vision.

During congressional testimony in 1999, he warned of laser threats to pilots.

"Numerous documented cases regarding the use of lasers against aircraft, civilians and military personnel exist, as well as does an all-too-lengthy list of the injuries that have resulted from the accidental and intentional misuse of these devices," Cmdr. Daly told a House Armed Services subcommittee.

He noted that incidents of lasers being directed at commercial airliners during takeoff and landings have raised fears that "this in fact may be a new form of terrorism."

"Lasers are easily obtainable and can be self-manufactured weapons in the terrorist arsenal, which essentially can effect a soft-kill solution and leave virtually no detectable evidence," he said.

From isn at c4i.org  Thu Sep 30 06:22:06 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 30 06:44:18 2004
Subject: [ISN] Quick note: Ron Santo/JDRF Walk this weekend!
Message-ID:

Forwarded from: William Knowles

Our family and friends are preparing for the Juvenile Diabetes Research Foundation (JDRF) "Ron Santo Walk to Cure Diabetes" which will occur on Sunday, October 3rd, 2004. Our walk team is called Ethan's Crew and this is our fifth year of participation. Everyone is doing their best to help find a cure. Of every dollar raised at the JDRF/Ron Santo Walk, 85 cents goes toward research to find a cure.

If you would like to make a donation, please check out the link below.

http://walk.jdrf.org/walker.cfm?id=85820962

I am walking because of my little nephew who is 5 years old and was diagnosed with Type 1, or Juvenile Diabetes, just 11 days after his first birthday. He now wears an insulin pump which at this time is his best chance for a more flexible and healthy lifestyle. Wearing the pump means that he does not get the 5 to 6 insulin shots daily, although he still must endure the pain of moving the tubing site every 3 days and as many as 8 finger sticks daily. He is also still at risk for developing devastating complications such as kidney failure, heart disease and blindness. He must wear the pump 24/7 even in the bathtub and the swimming pool.

As a member of Ethan's Crew, I am asking for your support. I would hope that you would sponsor me. Ethan's Crew would appreciate any contribution, no matter how small.

With deep appreciation,

William Knowles
wk@c4i.org
http://walk.jdrf.org/walker.cfm?id=85820962

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org  Thu Sep 30 06:23:11 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 30 06:44:21 2004
Subject: [ISN] Activists Find More E-Vote Flaws
Message-ID:

Forwarded from: Steven Moshlak

Okay, my two cents-

Disenfranchised or Disrespected?

I was a Judge and a Deputy Registrar-Recorder when I lived in Los Angeles, California for nearly 15 years. Eligible voters were required to do three things: register at least thirty days before the election, when voting, use a template that contained a "job card," and make sure that the "chips" were cleaned off of the back of the card.

There is no excuse for non-registration. The purpose is to verify and validate that the individual meets the criteria and does have the right to vote.

At one point, all ballots were in English, since English is our native tongue and the understanding of English is a prerequisite for U.S. Citizenship. Since 1974, the ballots have been issued in Korean, Vietnamese, Spanish, Chinese, ad nauseum, in order not to "disenfranchise" people, U.S. citizens or non-U.S. Citizens. That's right, people who are non-U.S. Citizens vote in elections, in California (illegally, of course).

Now come people who offer a technological revolution, with e-voting. The blind feel they have been left out, the individual in the wheelchair feels left out, the elderly can't understand ballots and supposedly punch the wrong hole, and so the story goes, on and on. Please, have some cheese and crackers, with your whine.

In the United States, if one is unable to comprehend the ballot, there is something known as "non compos mentis." If you have earned your U.S. Citizenship, you should have a basic understanding of the English language.
In the event of physical impairment, spouses or a representative of the voter have been allowed in the polling booth to aid and assist in the voting process, or they can vote in absentia, in the privacy of their own home, if they so choose.

Anybody who cannot register, due to laziness (motor voter, police station, fire station, by mail, etc.), has abrogated his/her right to vote and can forget "provisional ballots."

Can't read or comprehend the English Language? We have schools that would look forward to helping you learn the English Language. All some people have to do is make the effort.

Anybody who is too lazy to verify that the chips have been cleaned off of the back of the card or to look at the card to verify that they indeed punched the holes in a clean manner, after being repeatedly warned to clean the card and verify the punch, respectively, abrogates his/her right to vote. "Them's the rules."

I am tired of hearing about "voter intent," since it is obvious that one must be mentally competent to vote and exercise such due care.

I say, go back to the "job card" method, since we know it works, and have people take a novel idea such as "responsibility" for their own actions.

Folks, there isn't a perfect system, nor will one ever come about, on a magnitude of this scale.

Steven Moshlak

----------------------------------------------------------------------------
This email and any files transmitted with it are private and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. This footnote also confirms that this email message and any attachments have been swept by the latest version of Norton Anti-Virus 2004, for the presence of computer viruses.

----- Original Message -----
From: "InfoSec News"
To:
Sent: Wednesday, September 22, 2004 6:52 AM
Subject: [ISN] Activists Find More E-Vote Flaws

> http://www.wired.com/news/evote/0,2645,65031,00.html
>
> By Kim Zetter
> Sep. 21, 2004
>
> Voting activist Bev Harris and a computer scientist say they found
> more vulnerabilities in an electronic voting system made by Diebold
> Election Systems, weaknesses that could allow someone to alter votes
> in the election this November.
>
> Diebold said Harris' claims are without merit and that if anyone did
> manage to change votes, a series of checks and balances that
> election officials perform at the end of an election would detect
> the changes.
>
> Harris demonstrated the vulnerabilities to officials in the
> California secretary of state's office several weeks ago and will be
> showing them to federal legislative staff and journalists Wednesday
> in Washington, D.C. Harris and another activist have filed a lawsuit
> against Diebold in California, which the state has joined,
> maintaining that Diebold engaged in aggressive marketing to sell
> millions of dollars worth of equipment that it knew was insecure.
> Harris and the activist stand to make millions from the suit if they
> and the state win their case.
>
> The vulnerabilities involve the Global Election Management System,
> or GEMS, software that runs on a county's server and tallies votes
> after they come in from Diebold touch-screen and optical-scan
> machines in polling places. The GEMS program generates reports of
> preliminary and final election results that the media and states use
> to call the winners.

From isn at c4i.org  Thu Sep 30 06:23:48 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 30 06:44:23 2004
Subject: [ISN] Hackers attack Al Qaeda-linked websites
Message-ID:

Forwarded from: Jei

http://www.abc.net.au/news/newsitems/200409/s1209349.htm

September 29, 2004

Hackers have attacked a website of an Al Qaeda-linked group that beheaded two US hostages in Iraq, re-routing visitors to a page showing a penguin toting a machine gun and warning against hosting such sites.
The site of the Tawhid and Jihad Group of Al Qaeda ally Abu Musab al-Zarqawi, set up on a site providing free web hosting, last week carried a tape of British hostage Kenneth Bigley appealing for his life as well as videos of the decapitation of the two US hostages.

"Host them and your next!" was the message left on the site by the hackers, calling themselves TeAmZ USA, who have already attacked several Islamist and pro-Al Qaeda websites.

Zarqawi's group has threatened to kill Bigley next if women prisoners in Iraq are not released, but has not set a deadline.

Al Qaeda and other militant groups have widely used the Internet to spread their message, often using sites providing free web hosting and frequently moving after their sites have been taken down.

From isn at c4i.org  Thu Sep 30 06:24:23 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 30 06:44:24 2004
Subject: [ISN] ITL Bulletin for September 2004
Message-ID:

Forwarded from: Elizabeth Lennon

ITL BULLETIN FOR SEPTEMBER 2004

INFORMATION SECURITY WITHIN THE SYSTEM DEVELOPMENT LIFE CYCLE

By Annabelle Lee and Tanya Brewer-Joneas
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Many System Development Life Cycle (SDLC) models exist that can be used by an organization to effectively develop an information system. A traditional SDLC is a linear sequential model. This model assumes that the system will be delivered near the end of its life cycle. Another SDLC model uses prototyping, which is often used to develop an understanding of system requirements without developing a final operational system. More complex models have been developed to address the evolving complexity of advanced and large information system designs. The SDLC model is embedded in any of the major system developmental approaches:

* Waterfall - the phases are executed sequentially.

* Spiral - the phases are executed sequentially with feedback loops to previous phases.

* Incremental development - several partial deliverables are constructed and each deliverable has incrementally more functionality. Builds are constructed in parallel, using available information from previous builds. The product is designed, implemented, integrated, and tested as a series of incremental builds.

* Evolutionary - there is re-planning at each phase in the life cycle based on feedback. Each phase is divided into multiple project cycles with deliverable, measurable results at the completion of each cycle.

Security should be incorporated into all phases, from initiation to disposition, of an SDLC model. There are several NIST documents that are applicable to every phase of the SDLC, including Special Publications (SPs) 800-27 and 800-64 (see reference list at the end of this bulletin). The following questions are some high-level starting points that should be addressed in determining the security controls/countermeasures that will be required for a system:

* How critical is the system in meeting the organization's mission?

* What are the security objectives required by the system, e.g., integrity, confidentiality, and availability?

* What regulations and policies are applicable in determining what is to be protected?

* What are the threats that are applicable in the environment where the system will be operational?

* Who selects the protection mechanisms that are to be implemented in the system?

A general SDLC includes five phases. Each of the five phases includes a minimum set of information security tasks needed to effectively incorporate security into a system during its development. Listed below are the five phases with the information security tasks performed in each phase and the applicable references.
At the end of the phase and task descriptions is a complete listing of all the references. (See http://www.itl.nist.gov/lab/bulletns/bltnsep04.pdf for the full-page graphic on page 2.)

Phase 1: Initiation

Key Tasks:

1. Business partner engagement (Key Documents: SP 800-35, SP 800-27; Additional References: Federal Information Processing Standard [FIPS] 191, SP 800-65, SP 800-47, SP 800-33)

2. Document enterprise architecture (Key Document: SP 800-47; Additional References: SP 800-58, SP 800-48, SP 800-46, SP 800-45, SP 800-44, SP 800-43, SP 800-41, SP 800-40, SP 800-36, SP 800-33, SP 800-31, SP 800-28)
   a. Security environment
   b. Interconnections to external systems

3. Identification/specification of applicable policies and laws (Key Documents: SP 800-14, SP 800-12)

4. Development of Confidentiality, Integrity, and Availability objectives (Key Documents: FIPS 199, SP 800-60)

5. Information and information system security categorization (Key Documents: FIPS 199, SP 800-60; Additional Reference: SP 800-59)

6. Procurement specification development (Key Documents: SP 800-36, SP 800-23; Additional References: SP 800-66, SP 800-49, SP 800-47, SP 800-27)
   a. FIPS 140-2 validated cryptographic algorithms and modules (Additional References: FIPS 140-2, FIPS 46-3, FIPS 81, FIPS 180-2, FIPS 185, FIPS 186-2, FIPS 197, FIPS 198, SP 800-67, SP 800-38A, SP 800-38B, SP 800-38C, SP 800-22, SP 800-21, SP 800-20, SP 800-17)
   b. Common Criteria (CC) evaluated products (Additional Reference: CC)

7. Preliminary Risk Assessment (Key Document: SP 800-30)

Phase 2: Acquisition/Development

Key Tasks:

1. Risk assessment (Key Document: SP 800-30; Additional References: SP 800-14, SP 800-12)

2. Selection of initial baseline of security controls (Key Document: SP 800-53)
   a. System specific controls
   b. Agency common controls

3. Refinement - security control baseline (Key Document: SP 800-53; Additional References: SP 800-36, SP 800-35, SP 800-31)

4. Security control design (Key Documents: SP 800-36, SP 800-23; Additional References: FIPS 181, FIPS 190, FIPS 196, SP 800-70, SP 800-66, SP 800-64, SP 800-58, SP 800-49, SP 800-48, SP 800-46, SP 800-45, SP 800-44, SP 800-43, SP 800-41, SP 800-35, SP 800-33, SP 800-31, SP 800-28)

5. Cost analysis and reporting (Key Documents: SP 800-64, SP 800-36; Additional References: SP 800-65, SP 800-35, SP 800-12)

6. Security planning (Key Document: SP 800-55; Additional References: SP 800-65, SP 800-26, SP 800-12)
   a. Security plan (Additional Reference: SP 800-18)
   b. Configuration management (CM) plan (Additional Reference: SP 800-64)
   c. Contingency plan (including continuity of operations plan) (Additional References: FIPS 87, SP 800-34, SP 800-12, SP 800-14)
   d. Training plan (Additional References: SP 800-50, SP 800-16, SP 800-14, SP 800-12)
   e. Incident response plan (Key Document: SP 800-61; Additional References: SP 800-40, SP 800-14, SP 800-12)

7. Unit/integration security test and evaluation (ST&E) (Key Documents: CC, FIPS 140-2; Additional Reference: SP 800-37)

Phase 3: Implementation/Assessment

Key Tasks:

1. Product/component inspection and acceptance (Key Documents: SP 800-64, SP 800-51; Additional References: CC, FIPS 140-2)

2. Security control integration (Key Document: SP 800-64)

3. User/administrative guidance (Key Documents: SP 800-61, SP 800-36, SP 800-35, SP 800-56, SP 800-57)
   a. Procedures (Additional Reference: SP 800-14)
   b. Security checklists and configuration (Additional References: FIPS 181, FIPS 190, FIPS 196, SP 800-70, SP 800-68, SP 800-58, SP 800-49, SP 800-48, SP 800-47, SP 800-46, SP 800-45, SP 800-44, SP 800-43, SP 800-41, SP 800-40, SP 800-33, SP 800-31, SP 800-28)
   c. Key management

4. System ST&E plan (Key Document: SP 800-55; Additional References: SP 800-47, SP 800-46, SP 800-45, SP 800-44, SP 800-42, SP 800-41)

5. Security certification (Key Documents: SP 800-37, SP 800-53A; Additional References: SP 800-42, SP 800-41, SP 800-26)

6. Statement of residual risk (Key Document: SP 800-37)

7. Security accreditation (Key Document: SP 800-37)

Phase 4: Operations/Maintenance

Key Tasks:

1. CM change control and auditing (Key Document: Handbook [HB] 150; Additional References: HB 150-17, HB 150-20)

2. Continuous monitoring (Key Document: SP 800-26; Additional References: SP 800-51, SP 800-42, SP 800-41, SP 800-40, SP 800-36, SP 800-35, SP 800-28)
   a. Installation of patches (Additional Reference: SP 800-40)
   b. FIPS 140-2 crypto module revalidation (Additional References: FIPS 140-2, FIPS 46-3, FIPS 81, FIPS 180-2, FIPS 185, FIPS 186-2, FIPS 197, FIPS 198, SP 800-67, SP 800-38A, SP 800-38B, SP 800-38C, SP 800-22, SP 800-21, SP 800-20, SP 800-17)
   c. CC product reevaluation (Additional Reference: CC)
   d. Assessment of operational controls
      i. Administrative/personnel (Additional Reference: SP 800-35)
      ii. Physical (Additional Reference: SP 800-35)

3. Recertification (Key Documents: SP 800-37, SP 800-53A; Additional References: SP 800-42, SP 800-41)

4. Reaccreditation (Key Document: SP 800-37)

5. Incident handling (Key Document: SP 800-61; Additional References: SP 800-40, SP 800-14, SP 800-12)

6. Auditing (Key Documents: HB 150, SP 800-55; Additional References: HB 150-17, HB 150-20)

7. Intrusion detection and monitoring (Key Documents: SP 800-61, SP 800-31)

8. Contingency plan testing (including continuity of operations plan) (Key Document: SP 800-34; Additional References: FIPS 87, SP 800-14, SP 800-12)

Phase 5: Disposition (Sunset)

Key Tasks:

1. Transition planning (Key Document: SP 800-64; Additional References: SP 800-47, SP 800-46, SP 800-45, SP 800-44, SP 800-43, SP 800-41, SP 800-35, SP 800-27, SP 800-14, SP 800-12)

2. Component disposal (Key Document: SP 800-35; Additional Reference: SP 800-14)

3. Media sanitization (Key Document: SP 800-36)

4. Information archiving (Key Documents: SP 800-14, SP 800-12)
   a. Confidentiality
   b. Integrity

References:

Statutes and Regulations

Federal Information Security Management Act of 2002 (FISMA), H.R. 2458, Title III [Public Law 107-347], 107th U.S. Congress, December 17, 2002.

Cyber Security Research and Development Act, H.R. 3394 [Public Law 107-355], 107th U.S. Congress, November 27, 2002.

U.S. Office of Management and Budget, Circular No. A-130, Appendix III, Security of Federal Automated Information Resources, February 1996.

Special Publications

(For current status of NIST publications (draft or final), go to http://csrc.nist.gov.)

SP 800-70, The NIST Security Configuration Checklists Program
SP 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
SP 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-65, Integrating Security into the Capital Planning and Investment Control Process
SP 800-64, Security Considerations in the Information System Development Life Cycle
SP 800-61, Computer Security Incident Handling Guide
SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
SP 800-59, Guideline for Identifying an Information System as a National Security System
SP 800-58, Security Considerations for Voice Over IP Systems
SP 800-57, Recommendation on Key Management
SP 800-56, Recommendation on Key Establishment
SP 800-55, Security Metrics Guide for Information Technology Systems
SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
SP 800-53, Recommended Security Controls for Federal Information Systems
SP 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
SP 800-50, Building an Information Technology Security Awareness and Training Program
SP 800-49, Federal S/MIME V3 Client Profile
SP 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
SP 800-47, Security Guide for Interconnecting Information Technology Systems
SP 800-46, Security for Telecommuting and Broadband Communications
SP 800-45, Guidelines on Electronic Mail Security
SP 800-44, Guidelines on Securing Public Web Servers
SP 800-43, Systems Administration Guidance for Windows 2000 Professional
SP 800-42, Guideline on Network Security Testing
SP 800-41, Guidelines on Firewalls and Firewall Policy
SP 800-40, Procedures for Handling Security Patches
SP 800-38C, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
SP 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Authentication Mode
SP 800-38A, Recommendation for Block Cipher Modes of Operation - Methods and Techniques
SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
SP 800-36, Guide to Selecting Information Security Products
SP 800-35, Guide to Information Technology Security Services
SP 800-34, Contingency Planning Guide for Information Technology Systems
SP 800-33, Underlying Technical Models for Information Technology Security
SP 800-31, Intrusion Detection Systems (IDS)
SP 800-30, Risk Management Guide for Information Technology Systems
SP 800-28, Guidelines on Active Content and Mobile Code
SP 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
SP 800-26, Security Self-Assessment Guide for Information Technology Systems
SP 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
SP 800-22, A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
SP 800-21, Guideline for Implementing Cryptography in the Federal Government
SP 800-20, Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
SP 800-18, Guide for Developing Security Plans for Information Technology Systems
SP 800-17, Modes of Operation Validation System (MOVS): Requirements and Procedures
SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12, An Introduction to Computer Security: The NIST Handbook

FIPS

FIPS 46-3, Data Encryption Standard (DES)
FIPS 81, DES Modes of Operation
FIPS 87, Guidelines for ADP Contingency Planning
FIPS 140-2, Security Requirements for Cryptographic Modules
FIPS 180-2, Secure Hash Standard (SHS)
FIPS 181, Automated Password Generator
FIPS 185, Escrowed Encryption Standard
FIPS 186-2, Digital Signature Standard (DSS)
FIPS 190, Guideline for the Use of Advanced Authentication Technology Alternatives
FIPS 191, Guideline for The Analysis of Local Area Network Security
FIPS 196, Entity Authentication Using Public Key Cryptography
FIPS 197, Advanced Encryption Standard
FIPS 198, The Keyed-Hash Message Authentication Code (HMAC)
FIPS 199, Standards for Security Categorization of Federal Information and Information Systems

Handbooks

NIST Handbook 150: 2001, NVLAP Procedures and General Requirements
NIST Handbook 150-17, NVLAP Cryptographic Module Testing
NIST Handbook 150-20, NVLAP Information Technology Security Testing - Common Criteria

Miscellaneous

CC, Common Criteria for Information Technology Security Evaluation, Version 2.2

Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357

From isn at c4i.org  Thu Sep 30 06:25:02 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 30 06:44:26 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-40
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2004-09-23 - 2004-09-30

                       This week : 42 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Secunia has implemented new features at Secunia.com

SECUNIA ADVISORIES NOW INCLUDE "Solution Status":

In addition to the extensive information Secunia advisories already include, Secunia has added a new parameter: "Solution Status". This simply means that all Secunia advisories, including older advisories, now include the current "Solution Status" of an advisory, i.e. whether the vendor has released a patch or not.

IMPROVED PRODUCT PAGES:

The improved product pages now include a detailed listing of all Secunia advisories affecting each product. The listings include a clear indication of the "Solution Status" each advisory has ("Unpatched", "Vendor patch", "Vendor workaround", or "Partial fix").
View the following for examples: Opera 7: http://secunia.com/product/761/ Internet Explorer 6: http://secunia.com/product/11/ Mozilla Firefox: http://secunia.com/product/3256/ EXTRA STATISTICS: Each product page also includes a new pie graph, displaying the "Solution Status" for all Secunia advisories affecting each product in a given period. View the following for an example: Internet Explorer 6: http://secunia.com/product/11/#statistics_solution FEEDBACK SYSTEM: To make it easier to provide feedback to the Secunia staff, we have made an online feedback form. Enter your inquiry and it will immediately be sent to the appropriate Secunia department. Ideas, suggestions, and other feedback is most welcome Secunia Feedback Form: http://secunia.com/contact_form/ ======================================================================== 2) This Week in Brief: ADVISORIES: RealNetworks has issued a new versions of their players. This fixes some vulnerabilities, which can be exploited to compromise a vulnerable system. Patches are available from the vendor, please refer to the Secunia advisory for a link to the vendor advisory. Reference: http://secunia.com/SA12672 -- Vulnerabilities have been reported in several Symantec firewalls, which allows malicious people to cause a DoS (Denial of Service), identify active services, and manipulate the firewall configuration. Symantec has issued new firmwares for all affected versions. Reference: http://secunia.com/SA12635 VIRUS ALERTS: During the last week, Secunia issued one MEDIUM RISK virus alert. Please refer to the grouped virus profiles below for more information: BAGLE.AM - MEDIUM RISK Virus Alert - 2004-09-29 03:04 GMT+1 http://secunia.com/virus_information/12351/bagle.am/ ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA12526] Mozilla Multiple Vulnerabilities 2. [SA12304] Internet Explorer Address Bar Spoofing Vulnerability 3. 
[SA12321] Microsoft Internet Explorer Drag and Drop Vulnerability
4. [SA12635] Symantec Firewall/VPN Products Multiple Vulnerabilities
5. [SA12528] Microsoft Multiple Products JPEG Processing Buffer Overflow Vulnerability
6. [SA12633] Apache "Satisfy" Directive Access Control Bypass Security Issue
7. [SA11978] Multiple Browsers Frame Injection Vulnerability
8. [SA12542] GdkPixbuf Multiple Image Decoding Vulnerabilities
9. [SA12672] RealOne Player / RealPlayer / Helix Player Multiple Vulnerabilities
10. [SA12381] Winamp Skin File Arbitrary Code Execution Vulnerability

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA12684] dBpowerAMP Audio Player / Music Converter Playlist Handling Buffer Overflow
[SA12666] Icecast Server HTTP Headers Buffer Overflow Vulnerability
[SA12658] BroadBoard Instant ASP Message Board SQL Injection Vulnerability
[SA12651] aspWebCalendar SQL Injection Vulnerability
[SA12650] MegaBBS HTTP Response Splitting and SQL Injection Vulnerabilities
[SA12642] ActivePost Standard Multiple Vulnerabilities
[SA12665] Chatman Broadcast Denial of Service Vulnerability
[SA12639] Computer Associates Unicenter Common Services Password Disclosure
[SA12661] Intellipeer Email Server User Account Enumeration Weakness

UNIX/Linux:
[SA12677] AIX libXm.a Multiple Vulnerabilities
[SA12675] Conectiva update for imlib/imlib2
[SA12653] Gentoo update for xorg-x11/xfree
[SA12652] LessTif XPM Library Image Decoding Vulnerabilities
[SA12682] SGI IRIX update for kernel
[SA12667] Debian sendmail sasl-bin Mail Relaying Security Issue
[SA12646] Conectiva update for apache
[SA12644] Fedora update for httpd
[SA12641] Gentoo update for apache
[SA12648] fprobe "change user" Feature Unspecified Security Issue
[SA12643] Fedora update for subversion
[SA12681] Fedora update for cups
[SA12663] Conectiva update for kernel
[SA12668] Mandrake update for openoffice.org
[SA12664] IBM Products ctstrtcasd Local File Corruption Vulnerability
[SA12657] Debian update for getmail
[SA12645] Gentoo update for getmail

Other:
[SA12659] Canon imageRUNNER E-mail Printer Denial of Service Weakness

Cross Platform:
[SA12679] @lex GuestBook "chem_absolu" Arbitrary File Inclusion Vulnerability
[SA12672] RealOne Player / RealPlayer / Helix Player Multiple Vulnerabilities
[SA12678] ParaChat Server Directory Traversal Vulnerability
[SA12674] PeopleSoft HRMS Page Manipulation and Identity Spoofing
[SA12673] Serendipity SQL Injection and Cross-Site Scripting Vulnerabilities
[SA12662] PHP-Fusion "homepage address" Script Insertion Vulnerability
[SA12649] Baal Smart Forms "Admin Change Password" Security Bypass
[SA12647] ColdFusion MX Sensitive Information Disclosure and Denial of Service
[SA12640] MyServer HTTP POST Request Processing Denial of Service
[SA12638] Macromedia JRun Server Multiple Vulnerabilities
[SA12660] YPOPs! POP3 and SMTP Service Buffer Overflow Vulnerabilities
[SA12683] Wordpress Cross-Site Scripting Vulnerabilities
[SA12676] Vignette Application Portal Diagnostic Utility Information Disclosure
[SA12654] PHP-Fusion Cross-Site Scripting and Identify Spoof Vulnerabilities
[SA12655] HP StorageWorks Command View XP Security Bypass

========================================================================

5) Vulnerabilities Content Listing

Windows:

--

[SA12684] dBpowerAMP Audio Player / Music Converter Playlist Handling Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-29

James Bercegay has reported a vulnerability in dBpowerAMP Music Converter and Audio Player, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/12684/

--

[SA12666] Icecast Server HTTP Headers Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-29

Luigi Auriemma has reported a vulnerability in Icecast, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12666/

--

[SA12658] BroadBoard Instant ASP Message Board SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2004-09-27

pigrelax has reported a vulnerability in BroadBoard Instant ASP Message Board, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12658/

--

[SA12651] aspWebCalendar SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information
Released:    2004-09-27

Pedro Sanches has reported a vulnerability in aspWebCalendar, which can be exploited by malicious people to conduct SQL injection attacks and determine valid usernames.

Full Advisory:
http://secunia.com/advisories/12651/

--

[SA12650] MegaBBS HTTP Response Splitting and SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2004-09-27

pigrelax has reported a vulnerability in MegaBBS, which can be exploited by malicious people to conduct script insertion, cross-site scripting, and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12650/

--

[SA12642] ActivePost Standard Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      Security Bypass, Manipulation of data, Exposure of sensitive information, DoS
Released:    2004-09-24

Luigi Auriemma has reported multiple vulnerabilities in ActivePost Standard, which can be exploited by malicious people to cause a DoS (Denial of Service), upload files to arbitrary locations, or gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12642/

--

[SA12665] Chatman Broadcast Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-28

Luigi Auriemma has reported a vulnerability in ChatMan, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12665/

--

[SA12639] Computer Associates Unicenter Common Services Password Disclosure

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-09-29

A security issue has been reported in Computer Associates Unicenter Common Services, which may disclose sensitive information to malicious, local users.

Full Advisory:
http://secunia.com/advisories/12639/

--

[SA12661] Intellipeer Email Server User Account Enumeration Weakness

Critical:    Not critical
Where:       From local network
Impact:      Exposure of system information
Released:    2004-09-27

Ziv Kamir has reported a weakness in Intellipeer Email Server, which can be exploited by malicious people to determine valid usernames.

Full Advisory:
http://secunia.com/advisories/12661/

UNIX/Linux:

--

[SA12677] AIX libXm.a Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-29

IBM has acknowledged some vulnerabilities in AIX, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12677/

--

[SA12675] Conectiva update for imlib/imlib2

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-09-28

Conectiva has issued updates for imlib and imlib2. These fix some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12675/

--

[SA12653] Gentoo update for xorg-x11/xfree

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-27

Gentoo has issued updates for xorg-x11 and xfree. These fix multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12653/

--

[SA12652] LessTif XPM Library Image Decoding Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-09-27

Multiple vulnerabilities have been reported in LessTif, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12652/

--

[SA12682] SGI IRIX update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing, Manipulation of data, DoS
Released:    2004-09-29

SGI has issued patches for IRIX. These fix multiple vulnerabilities in the kernel, which can be exploited to cause a DoS (Denial of Service), inject data into a TCP stream, and conduct spoofing attacks.

Full Advisory:
http://secunia.com/advisories/12682/

--

[SA12667] Debian sendmail sasl-bin Mail Relaying Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-09-28

Debian has issued an update for sendmail. This fixes a security issue, which can be exploited by malicious people to use a vulnerable system as an open mail relay.
Full Advisory:
http://secunia.com/advisories/12667/

--

[SA12646] Conectiva update for apache

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, DoS, System access
Released:    2004-09-24

Conectiva has issued an update for apache. This fixes multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service), gain escalated privileges, and potentially compromise a system.

Full Advisory:
http://secunia.com/advisories/12646/

--

[SA12644] Fedora update for httpd

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Privilege escalation, DoS
Released:    2004-09-24

Fedora has issued an update for httpd. This fixes some vulnerabilities, which can be exploited to gain escalated privileges, cause a DoS (Denial of Service) or access restricted resources.

Full Advisory:
http://secunia.com/advisories/12644/

--

[SA12641] Gentoo update for apache

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-09-24

Gentoo has issued an update for apache. This fixes a security issue, which may allow malicious people to bypass configured access controls.

Full Advisory:
http://secunia.com/advisories/12641/

--

[SA12648] fprobe "change user" Feature Unspecified Security Issue

Critical:    Moderately critical
Where:       From local network
Impact:      Unknown
Released:    2004-09-27

A security issue with an unknown impact has been reported in fprobe.

Full Advisory:
http://secunia.com/advisories/12648/

--

[SA12643] Fedora update for subversion

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-09-24

Fedora has issued an update for subversion. This fixes a security issue, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/12643/

--

[SA12681] Fedora update for cups

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-09-29

Fedora has issued an update for CUPS. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12681/

--

[SA12663] Conectiva update for kernel

Critical:    Less critical
Where:       From local network
Impact:      Manipulation of data
Released:    2004-09-27

Conectiva has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/12663/

--

[SA12668] Mandrake update for openoffice.org

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-09-28

MandrakeSoft has issued an update for openoffice.org. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12668/

--

[SA12664] IBM Products ctstrtcasd Local File Corruption Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2004-09-28

iDEFENSE Labs has reported a vulnerability in various IBM products, which can be exploited by malicious, local users to conduct certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12664/

--

[SA12657] Debian update for getmail

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-09-27

Debian has issued an update for getmail. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12657/

--

[SA12645] Gentoo update for getmail

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-09-24

Gentoo has issued an update for getmail. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12645/

Other:

--

[SA12659] Canon imageRUNNER E-mail Printer Denial of Service Weakness

Critical:    Not critical
Where:       From local network
Impact:      DoS
Released:    2004-09-28

Andrew Daviel has reported a weakness in Canon imageRUNNER, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12659/

Cross Platform:

--

[SA12679] @lex GuestBook "chem_absolu" Arbitrary File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information, System access
Released:    2004-09-29

Himeur Nourredine has reported a vulnerability in @lex GuestBook, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12679/

--

[SA12672] RealOne Player / RealPlayer / Helix Player Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2004-09-29

Multiple vulnerabilities have been reported in RealOne Player, RealPlayer, and Helix Player, which can be exploited by malicious people to compromise a user's system and delete files.

Full Advisory:
http://secunia.com/advisories/12672/

--

[SA12678] ParaChat Server Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-09-30

Donato Ferrante has reported a vulnerability in ParaChat Server, which can be exploited by malicious people to access sensitive information.
Full Advisory:
http://secunia.com/advisories/12678/

--

[SA12674] PeopleSoft HRMS Page Manipulation and Identity Spoofing

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing, Manipulation of data
Released:    2004-09-29

A security issue has been reported in PeopleSoft Human Resources Management System (HRMS), which can be exploited by malicious people to modify certain pages and spoof their identity.

Full Advisory:
http://secunia.com/advisories/12674/

--

[SA12673] Serendipity SQL Injection and Cross-Site Scripting Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2004-09-28

aCiDBiTS has reported two vulnerabilities in Serendipity, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12673/

--

[SA12662] PHP-Fusion "homepage address" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-09-27

Espen Andersson has reported a vulnerability in PHP-Fusion, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/12662/

--

[SA12649] Baal Smart Forms "Admin Change Password" Security Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-09-27

A vulnerability has been reported in Baal Smart Forms, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/12649/

--

[SA12647] ColdFusion MX Sensitive Information Disclosure and Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS
Released:    2004-09-24

Two vulnerabilities have been reported in ColdFusion MX Server, which can be exploited by malicious people to disclose sensitive information and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12647/

--

[SA12640] MyServer HTTP POST Request Processing Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-09-27

badpack3t has reported a vulnerability in MyServer, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12640/

--

[SA12638] Macromedia JRun Server Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Hijacking, Cross Site Scripting, Exposure of sensitive information, DoS
Released:    2004-09-24

Multiple vulnerabilities have been reported in JRun Server, which can be exploited by malicious people to hijack an authenticated user's session, conduct cross-site scripting attacks, disclose sensitive information, and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12638/

--

[SA12660] YPOPs! POP3 and SMTP Service Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-09-28

Nima Majidi has discovered some vulnerabilities in YPOPs!, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12660/

--

[SA12683] Wordpress Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-09-29

Thomas Waldegger has reported some vulnerabilities in Wordpress, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12683/

--

[SA12676] Vignette Application Portal Diagnostic Utility Information Disclosure

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information
Released:    2004-09-29

@stake has reported a security issue in Vignette Application Portal, which can be exploited by malicious people to gain knowledge of various system information.

Full Advisory:
http://secunia.com/advisories/12676/

--

[SA12654] PHP-Fusion Cross-Site Scripting and Identify Spoof Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Spoofing
Released:    2004-09-27

Two vulnerabilities have been reported in PHP-Fusion, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially perform an identity spoof.

Full Advisory:
http://secunia.com/advisories/12654/

--

[SA12655] HP StorageWorks Command View XP Security Bypass

Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2004-09-27

A vulnerability has been reported in HP StorageWorks Command View XP, which can be exploited by malicious, local users to bypass certain access restrictions.

Full Advisory:
http://secunia.com/advisories/12655/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web     : http://secunia.com/
E-mail  : support@secunia.com
Tel     : +45 70 20 51 44
Fax     : +45 70 20 51 45

========================================================================

From isn at c4i.org Thu Sep 30 06:25:13 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 30 06:44:28 2004
Subject: [ISN] Warspammer guilty under new federal law
Message-ID:

http://www.securityfocus.com/news/9606

By Kevin Poulsen
SecurityFocus
Sept 29 2004

A Los Angeles man who used other people's wi-fi networks to send thousands of unsolicited adult-themed e-mails from his car pleaded guilty to a single felony Monday, in what prosecutors say is the first criminal conviction under the federal CAN-SPAM Act.
In a plea agreement with prosecutors, Nicholas Tombros, 37, faces a likely sentencing range stretching from probation to six months in custody, assuming he has no prior criminal convictions. Sentencing is set for December 27th.

Tombros drove around the Los Angeles beachfront suburb of Venice with a laptop and a wi-fi antenna sniffing out unsecured residential access points, which he then used to send thousands of untraceable spam messages advertising pornography sites. An FBI spokesperson said earlier this month that Tombros obtained the e-mail addresses from a credit card aggregation company where he used to work, but officials have not revealed how they caught the spammer.

The CAN-SPAM Act, which took effect January 1st, doesn't criminalize unsolicited bulk commercial e-mail, but it does prohibit most of the deceptive practices used by spammers. Tombros was charged under a provision that prohibits breaking into someone else's computer to send spam. Also outlawed is the practice of deliberately crafting spam messages to disguise their origin; materially falsifying the headers in spam; spamming from five or more e-mail accounts established under fake names; or hijacking five or more IP addresses and spamming from them.

A first-time violator faces up to one year in federal stir for a small-time operation, and three years if he or she meets one of several minimum standards of bad behavior, like leading a spam gang of at least three people, sending over 2,500 messages in one day, or using 10 or more falsely-registered domain names.

Assistant U.S. attorney Wesley Hsu, who prosecuted Tombros, says he believes the spammer is the first to be convicted under CAN-SPAM. "It is my understanding that it is, in fact, the first," said Hsu.

But even without the spam-fighting legislation, Tombros' drive-by spamming technique would likely have run him afoul of existing computer crime laws, said David Sorkin, an associate professor at the John Marshall Law School.
"It sounds to me like this could very well have been prosecuted under other statutes."

The Tombros case is one of a handful of wireless hacking convictions federal prosecutors reeled in this year. In June, a Maryland man with a grudge against a Connecticut-based patent firm pleaded guilty to using unsecured wireless networks at homes and businesses in the Washington D.C. area to penetrate the company's computers and deliver anonymous threats and extortion demands.

The same month, two Michigan men, Brian Salcedo and Adam Botbyl, pleaded guilty to conspiracy charges stemming from a scheme to steal credit card numbers from the Lowe's home improvement chain through an unsecured wi-fi network at a suburban Detroit store. A third man later pleaded guilty to a misdemeanor for using the same access point to check his e-mail.

From isn at c4i.org Thu Sep 30 06:25:23 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 30 06:44:29 2004
Subject: [ISN] JPEG flaw gets instant messaging worm
Message-ID:

http://www.theinquirer.net/?article=18770

By Nick Farrell
30 September 2004

VIRUS WRITERS have released an Internet worm that propagates using instant messages and exploits the JPEG processing flaw in Microsoft software.

Researchers at The SANS Institute's Internet Storm Center (ISC) have had two reports of a worm being installed using AOL messenger. The victims complained that they received messages on America Online's AOL Instant Messenger service that lured them to Web sites containing a JPEG that contained the malicious code. The messages told the users to "Check out my profile, click GET INFO!"

But when they visited the site, the malicious code would attempt to install backdoor software. Additionally, messages containing a link to the site would be sent out to all contacts on the victim's instant messenger contacts list.

The ISC said the attempts failed but showed that hackers were starting to build code using the JPEG vulnerability.
From isn at c4i.org Thu Sep 30 06:25:35 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Sep 30 06:44:31 2004
Subject: [ISN] Healthcare CIO gets tough on net policy violators
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,96253,00.html

By Bob Brown
SEPTEMBER 29, 2004
NETWORK WORLD

CareGroup Healthcare System is serious about its security and privacy policies, and those employees and business partners not adhering to them pay a huge price, according to the Boston healthcare organization's CIO.

Dr. John Halamka kicked off the HealthSec 2004 Conference & Expo in Boston this week with a keynote address titled: "You're Fired! Security Breaches, Pink Slips and Public 'Executions.'"

Halamka has made a name for himself in IT circles partly because of his decision to go public following a network outage at one CareGroup hospital back in November 2002 in an effort to help others avoid similar fates.

Halamka shared examples, with names changed to protect the guilty, of CareGroup employees or associates who have been canned for violating security or privacy policies, which they had to agree to upon joining CareGroup or starting to do business with it. One doctor was found to be getting abusive in online chat sessions, a violation confirmed by packet sniff tracing. Another doctor, who wound up leaving before having the chance to get fired, violated policy by peeking into a spouse's psychiatric drug records.

"It's important to have sanctions to have a policy that has teeth," said Halamka, who emphasized that CareGroup's termination policies apply equally to everyone from clerks up to head surgeons. One way that CareGroup stresses its policy compliance message is by making public, within the organization, when and why someone is axed for violating policy.
If a policy is broken by a business partner employee, that organization needs to discipline its employee or CareGroup will cut off access privileges for the entire organization, said Halamka, who is an emergency doctor in addition to being an IT professional. But in order to fire anyone based on security or privacy policy violations, he said those policies need to be carefully crafted and supported throughout the organization, such as by the human resources department.

The need for airtight security and privacy at health-care organizations, especially one the size of CareGroup, is obvious. CareGroup boasts 12,000 employees who serve some 9 million patients. The privately held organization moves some 70TB of data a day over a network infrastructure that includes 15,000 Cisco Systems Inc. equipment ports and 200 servers, mostly Unix. The organization also provides secure Web access to patients, employees and business partners.

One huge security and privacy challenge for Halamka is that there are a lot of good medical reasons for doctors and others in a health-care organization to have access to a wide collection of patient and other data. "Every doctor has access to every patient's data," he said. The organization runs audits to keep inappropriate access in check, and makes employees and patients privy to an audit trail regarding their data in case they have concerns about who is accessing it.

To ensure that employees know what they are getting into when they sign a letter confirming that they will comply with the policies, they go through training. Halamka conducts training for medical students and researchers. CareGroup system users are also reminded about training when security keys are renewed at every 50th logon attempt.

CareGroup's network security system includes use of username/password, Web surfing control, antivirus software, intrusion detection system products and VPNs.
The VPNs are largely for business partners since the technology is a pain to deal with, Halamka said, especially when employees start asking questions about using the VPN from home PCs loaded up with all sorts of programs. CareGroup is strict about which systems are allowed access to its network and won't approve devices until they have the appropriate antivirus and Microsoft patch distribution software installed, Halamka said.

One thing that CareGroup keeps a watchful eye out for is rogue WLANs, though the organization is in the midst of making wireless available to all corners of its facilities. The 802.11 net will support not only data transfer, but voice and RFID-based location-tracking applications, Halamka said. CareGroup will look at 802.1x to secure its integrated wired and wireless nets, he said.

One ongoing frustration for Halamka is that despite the best efforts of his team to secure CareGroup's network, some vendors still don't understand what customers really need. He recounted having lunch several weeks ago with Microsoft Corp. CEO Steve Ballmer. He told Ballmer that Microsoft should refocus on making its software less feature rich and more secure and reliable. But Ballmer insisted that "customers want these features," according to Halamka.

"The folks creating the systems don't get it," Halamka said.
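The access-audit control Halamka describes above (every doctor can read every patient's record, with after-the-fact audits and a patient-visible access trail as the backstop) is at bottom a detection problem: which reads had no clinical justification? The following is an added example written for this page, not CareGroup's or the article's code, of one minimal rule over such a trail: flag reads by users outside the patient's documented care team, surface sensitive record types first, and expose the same trail to the patient. The log format, field names, the existence of a care-team roster, and every sample line are assumptions constructed for illustration.

```python
# Added example, not CareGroup's or Halamka's code. Reviews a constructed
# EHR access audit trail and flags record reads by users who have no
# documented care relationship with the patient, the pattern behind the
# "peeking into a spouse's records" case in the article. Everything here
# (log format, field names, roster, sample lines) is an assumption made
# for illustration.
import csv
import io

# Assumption: the organization can derive a care-team roster
# (patient -> users with a treatment relationship) from admissions,
# orders or scheduling data. Constructed sample.
CARE_TEAM = {
    "P1001": {"dr_adams", "dr_baker"},
    "P1002": {"dr_baker"},
    "P1003": {"dr_chen"},
}

# Record types whose access is reviewed individually rather than in bulk.
SENSITIVE_TYPES = {"psychiatric_medication", "substance_abuse", "hiv"}

# Constructed sample audit trail: timestamp,user,patient,record_type,action
SAMPLE_AUDIT_LOG = """\
2004-09-27T08:12:03,dr_adams,P1001,medication,read
2004-09-27T08:15:44,dr_baker,P1002,lab,read
2004-09-27T21:40:10,dr_chen,P1002,psychiatric_medication,read
2004-09-27T21:41:02,dr_chen,P1002,psychiatric_medication,read
2004-09-28T09:02:17,dr_chen,P1003,lab,read
2004-09-28T09:05:00,clerk_01,P1001,demographics,read
this line is malformed and must be skipped
"""


def parse_audit_log(log_text):
    """Yield (timestamp, user, patient, record_type, action) tuples.

    Lines that do not have exactly five fields are skipped; a production
    reviewer would count and report them, since a gap in the trail is
    itself a finding.
    """
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) == 5:
            yield tuple(field.strip() for field in row)


def flag_out_of_team_access(log_text, care_team, sensitive_types=SENSITIVE_TYPES):
    """Group every access where the user is not on the patient's care team.

    Returns {(user, patient): {"count", "sensitive", "first_seen", "record_types"}}.
    Access by a roster member is treated as legitimate and not reported.
    """
    findings = {}
    for ts, user, patient, rtype, _action in parse_audit_log(log_text):
        if user in care_team.get(patient, set()):
            continue
        f = findings.setdefault(
            (user, patient),
            {"count": 0, "sensitive": False, "first_seen": ts, "record_types": set()},
        )
        f["count"] += 1
        f["record_types"].add(rtype)
        f["sensitive"] = f["sensitive"] or rtype in sensitive_types
    return findings


def review_queue(findings):
    """Order findings for a human reviewer: sensitive record types first,
    then by number of accesses, then by (user, patient) for stable output."""
    return sorted(
        findings.items(),
        key=lambda kv: (not kv[1]["sensitive"], -kv[1]["count"], kv[0]),
    )


def accesses_for_patient(log_text, patient):
    """Patient-facing view of the same trail: who read my record, and when."""
    return [
        (ts, user, rtype)
        for ts, user, p, rtype, _action in parse_audit_log(log_text)
        if p == patient
    ]


if __name__ == "__main__":
    for (user, patient), f in review_queue(flag_out_of_team_access(SAMPLE_AUDIT_LOG, CARE_TEAM)):
        tag = "SENSITIVE" if f["sensitive"] else "review"
        print(f"{tag:9} {user:10} {patient} x{f['count']} first {f['first_seen']} "
              f"types={sorted(f['record_types'])}")
    for entry in accesses_for_patient(SAMPLE_AUDIT_LOG, "P1002"):
        print("P1002 access:", *entry)
```

A care-team rule alone will also flag legitimate consults and emergency "break the glass" reads, so its output feeds the human review and sanction process the article describes rather than blocking access at read time; the value of the rule is that it turns an unbounded audit trail into a short queue ordered by the sensitivity of what was read.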