From isn at c4i.org Wed Aug 3 06:03:45 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 3 06:11:38 2005
Subject: [ISN] Google now a hacker's tool
Message-ID:

http://www.networkworld.com/news/2005/080205-black-hat-google.html

By Robert McMillan
IDG News Service
08/02/05

Somewhere out on the Internet, an Electric Bong may be in danger. The threat: a well-crafted Google query that could allow a hacker to use Google's massive database as a resource for intrusion.

"Electric Bong" was one of a number of household devices that security researcher Johnny Long came across when he found an unprotected Web interface to someone's household electrical network. To the right of each item were two control buttons, one labelled "on," the other, "off."

Long, a researcher with Computer Sciences Corp. and author of the book, "Google Hacking for Penetration Testers," was able to find the Electric Bong simply because Google contains a lot of information that wasn't intended to lie exposed on the Web. The problem, he said at the Black Hat conference in Las Vegas last week, lies not with Google itself but with the fact that users often do not realize what Google's powerful search engine has been able to dig up.

In addition to power systems, Long and other researchers were able to find unsecured Web interfaces that gave them control over a wide variety of devices, including printer networks, PBX (private branch exchange) enterprise phone systems, routers, Web cameras, and of course Web sites themselves. All can be uncovered using Google, Long said.

But the effectiveness of Google as a hacking tool does not end there. It can also be used as a kind of proxy service for hackers, Long said. Although security software can identify when an attacker is performing reconnaissance work on a company's network, attackers can find network topology information on Google instead of snooping for it on the network they're studying, he said.
This makes it harder for the network's administrators to block the attacker. "The target does not see us crawling their sites and getting information," he said.

Often, this kind of information comes in the form of apparently nonsensical information - something that Long calls "Google Turds." For example, because there is no such thing as a Web site with the URL "nasa," a Google search for the query "site:nasa" should turn up zero results. Instead, it turns up what appears to be a list of servers, offering an insight into the structure of the U.S. National Aeronautics and Space Administration's (NASA) internal network, Long said.

Combining well-structured Google queries with text processing tools can yield things like SQL passwords and even SQL error information. This could then be used to structure what is known as a SQL injection attack, which can be used to run unauthorized commands on a SQL database. "This is where it becomes Google hacking," he said. "You can do a SQL injection, or you can do a Google query and find the same thing."

Although Google traditionally has not concerned itself with the security implications of its massive data store, the fact that it has been an unwitting participant in some worm attacks has the search engine now rejecting some queries for security reasons, Long said. "Recently, they've stepped into the game."


From isn at c4i.org Wed Aug 3 06:03:29 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 3 06:11:59 2005
Subject: [ISN] CSIA advises feds to promote telework as continuity measure
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/36567-1.html

By Joab Jackson
GCN Staff
08/02/05

Federal agencies should do more to allow their employees to work at home, according to a network security policy group. Should terrorists strike U.S. metropolitan subways or highways, agencies will then be better equipped to continue operations because workers can continue to work from home, according to a report from the Cyber Security Industry Alliance.

"Telework will make us far more resilient. Even if we have a major attack on the infrastructure downtown or on a major transport system, we will still be able to communicate with each other," said Paul Kurtz, executive director of CSIA.

Released last week, the report, Making Telework a Federal Priority: Security is Not the Issue, notes that many federal agencies have discouraged teleworking initiatives in the past, citing security concerns about workers tapping into internal networks from afar. Few still list security as a concern, however, realizing the technology can be robust enough to handle remote access, Kurtz said.

Yet government agencies still lag when it comes to offering employees the option to telework. The recent London bombings show how agency operations could be hindered should terrorists strike public transportation, however.

"We are going to have disruptions in our community infrastructure here, whether it will be a bomb threat or a bomb itself, where we could have extended outages," Kurtz said.

Telework can help with agency continuity-of-operations plans in such crises, CSIA suggests. The group cites Federal Preparedness Circular 65, issued in 1999, which provides guidance on how to develop disaster contingency plans and specifically encouraged agencies to look at remote locations.

Increasing federal teleworking would also reduce traffic congestion and air pollution and, the report claims, increase employee productivity.

Despite an abundance of pilot programs, presidential directives, legislative mandates and threats of funding cuts, agencies have been falling behind their commercial counterparts in migrating people toward working at home.
The report cites a May 2004 Government Accountability Office study that showed the percentage of federal employees who were eligible to telework did not increase between 2002 and 2003. CSIA contrasted this stagnation with a 7.5 percent increase in the number of U.S. home workers from 2003 to 2004, according to a study conducted by the Dieringer Research Group Inc. of Milwaukee.

Teleworking barriers are not technology-related, but rather cultural and budgetary, the CSIA report posits. Mid-level managers still prefer to physically watch over their workers, Kurtz said. Also, financial considerations might be thwarting teleworking: Any money saved, such as reducing office space, must be returned to the Treasury. Nor are agencies enthusiastic about providing additional funding for telework training and information.

The CSIA suggested that the President's Management Agenda for e-government should include a component to increase teleworking.


From isn at c4i.org Wed Aug 3 06:05:51 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 3 06:14:41 2005
Subject: [ISN] Infrared exploits open the door to hotel hacking
Message-ID:

http://www.theregister.co.uk/2005/08/02/hotel_hacking/

By John Leyden
2nd August 2005

Insecure hotel infra-red systems create a means for hackers to read other guests' emails, watch porno films for free and put false charges onto other guests' accounts.

Adam Laurie, technical director at secure hosting outfit The Bunker, was able to demonstrate the attacks to Wired prior to giving a talk on the vulnerabilities at last week's DefCon conference in Las Vegas.

Using only a laptop and a USB TV tuner, Laurie was able to use an infrared connection to a hotel's web-enabled TV to tune into data that the backend system is broadcasting but he shouldn't be able to receive. In this way he was able to view premium content, access backend billing systems and view emails of guests who accessed web mail services via their TV.
He was also able to access the desktop of backend computers and launch applications.

"No one thinks about the security risks of infrared because they think it's used for minor things like garage doors and TV remotes," Laurie said. "But infrared uses really simple codes, and they don't put any kind of authentication (in it)... If the system was designed properly, I shouldn't be able to do what I can do."

"As far as the hotel is concerned, you're the only person who can see (your bill). But they're sending your confidential data over the air through a broadcast system. It's the equivalent of running an open wireless access point. If I tune my TV to your channel, then I get to see what you're doing," Laurie told Wired.

Infrared systems are used throughout hotels in air conditioning systems, vending machines and many other pieces of equipment, but it's their use in hotel TV systems that connect to backend and billing systems that represents the greatest scope for mischief.

Laurie said that many hotel infrared systems are rolled out without password controls or back-end authentication that would frustrate exploitation. Data is commonly stored and transmitted in the clear without protection from encryption. Because most hotels use similar systems from a small number of suppliers, Laurie has been able to replicate the attack across the world over the last two years.

Laurie discovered the security loophole when he was "mucking about with hotel TVs to get the porn channel without paying for it". Tuning into content that's been broadcast but a hotel TV is not configured to receive is one thing - and might be carried out by tuning in a VCR - but Laurie was able to take this further by deciphering the codes transmitted from a remote control device to a TV.

Laurie has created a program to analyse and map the codes and a script to test out their effect when sent to his TV. He did this for research purposes and doesn't plan to release the tools.
As more devices become network enabled the scope for hacking increases. Laurie's work shows the issue is not just confined to devices connected to the web. Infra-red (and conceivably Bluetooth) connected systems might also be exploited.


From isn at c4i.org Wed Aug 3 06:06:08 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 3 06:15:11 2005
Subject: [ISN] Wall of Sheep - I see stupid people
Message-ID:

http://www.theinquirer.net/?article=25018

By Charlie Demerjian in Las Vegas
30 July 2005

ONE OF THE HIGHLIGHTS of Defcon 13 is the Wall of Sheep. This large projection of stupid people is hard to miss if you are in the chill out room, and it is a lot of fun. What they do is post usernames and enough of a password for the terminally stupid to realise that they are serious, but not enough to give it all away.

The sheer number of them at a place where people should know better is really frightening. The places where they log in to, companies that should know better but don't implement the most basic security measures, is more frightening. The WoS is projected on the wall, but the controlling laptop is more photogenic.

Now, the last thing you want to see is your name or login up on the WoS, it is embarrassing to say the least. If you get your picture up on it, as a few special people did, you probably should pack up and go home early.

We know this guy, a Cisco network engineer had a login of Roland.Dobbins, but we are still trying to figure out who he really is. It would be very embarrassing if it got out, but we do know what he looks like. Other people who were pointed out include a Harvard Law person checking his or her mail, and someone from a big three accounting firm logging into work in the clear. There were Apple people aplenty, and a few people logging into their porn accounts. DOH!

Now, I can sympathise a little with smaller network operator and home users not being 100% secure, but Cisco, Harvard and a F100 computer consulting firm?
Come on people, you should fire your network staff and get someone marginally competent. Still, if people displayed more common sense than a rotting piece of roadkill, Defcon would not be nearly as entertaining; as the t-shirt says, 'I see stupid people'. Well, this time around, you may not see them, but thanks to the good folk at the wall of sheep, you at least know who they are.


From isn at c4i.org Wed Aug 3 06:06:24 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 3 06:15:48 2005
Subject: [ISN] Legal threats continue over Lynn presentation slides
Message-ID:

http://www.techworld.com/security/news/index.cfm?NewsID=4139

By Robert McMillan
IDG News Service
& Kieren McCarthy
Techworld
02 August 2005

The leak of the controversial Cisco IOS security presentation is continuing to draw legal threats on those hosting a pdf copy on their servers.

Security research company Internet Security Systems (ISS), the company at the centre of the saga, has sent a cease-and-desist letter to Richard Forno, a security researcher who just hours earlier had posted the presentation slides to his InfoWarrior.org site.

The letter from ISS' lawyers, believed to be but one of many, accused Forno of publishing stolen proprietary information and threatened legal action if he did not remove the ISS material.

Forno said in a letter on the site that he decided to pull the slides but added angrily: "Had the two companies involved said nothing about this briefing, it's quite likely that few if any people or news outlets would've given it more than a passing thought. But as a result of their heavy-handed tactics this week, both Cisco and ISS have ended up publicising a serious vulnerability quite significantly and thusly re-ignited the discussion over how the Internet security community handles vulnerability disclosure and product updates."

A Cisco spokesman downplayed his company's involvement. "We're not sending out those letters. ISS is doing that through their law firms," he said.
ISS declined to comment for this story.

The legal threats are unlikely to have much of an impact however. The material is already available on a string of other websites and the ongoing controversy has drawn more and more people to the case. Two versions of the presentation have since appeared, as well as photographs of the actual presentation at the Red Hat conference in Las Vegas. Anyone likely to understand the full import of the slides will easily locate the presentation.

Cisco has since produced an advisory on the holes in its IOS software - patched back in April, following wider awareness of the situation.

One of the other high-profile hosters of material surrounding the case, Cryptome, was unable to say whether it had received similar legal threats but its administrator, John Young, said it was Cryptome policy to ignore any such threats. The site has since added a page covering discussions of the Lynn presentations.

The controversy has ignited debate within the security community about the limits of responsible disclosure and whether companies such as Cisco are helping hackers or users through the public discussion of security flaws.

To most Black Hat attendees interviewed last week, Cisco and ISS's actions clearly went too far. One attendee said that companies such as Cisco should embrace this type of disclosure. "I look at it this way: It's free research," said Robert Gregory, an Information Assurance Engineer with Northrop Grumman's TASC division. "You've got the entire IT community doing research for you, and it's not costing you a dime."
From isn at c4i.org Wed Aug 3 06:06:37 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 3 06:16:39 2005
Subject: [ISN] Cyber-terrorists copying hackers: US
Message-ID:

http://www.theage.com.au/news/breaking/cyberterrorists-copying-hackers-us/2005/08/03/1122748669953.html

Kuala Lumpur
August 3, 2005

Cyber-terrorists are attempting to penetrate government networks using the same methods as hackers and many nations are vulnerable to the threat, a US State Department official claims.

Michael Alcorn, branch chief of the State Department's Office of Anti-Terrorism Assistance, said on Tuesday that terrorists were becoming more tech-savvy.

"The same technique that a hacker would use, the same technology, will be utilised by somebody with a different political motivation," Alcorn told the closing session of a week-long training workshop on cyber-terrorism.

During the course, held in conjunction with the Southeast Asia Regional Centre for Counter-Terrorism, officials from Malaysia, Singapore and the Philippines were trained on assessing weakness in government networks and how to protect them.

"The problem we're all facing is a global borderless problem, where attacks can occur anywhere in the world and originate from anywhere else in the world," Alcorn told reporters.

"We're starting to see more expertise within the terrorist ranks, so we're reaching out to the countries we have close relationships with and trying to plan a partnership and plan for this type of thing in the future."

When asked if many countries were vulnerable to cyber attacks, Alcorn replied: "In many areas of the world, yes."

Alcorn said governments were preparing for assaults on networks after past incidents where extremists had looked into such attacks. He said much of the information about such attempts had come from "different types of law enforcement activity around the world."
"They are confiscating computers and they're finding evidence on these computers that indicates (militants) have looked into or are researching this type of technology," he said.

Alcorn also said militants were increasingly using the internet to communicate and that there was a need to clamp down on this.

"They're using the internet and some of the same technology to produce propaganda, recruit online and communicate," he said. "Communication is a real big issue right now, it's how many of the terrorists are plotting their plans so it's something we need to address as well."

AFP


From isn at c4i.org Wed Aug 3 06:04:07 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 3 06:17:18 2005
Subject: [ISN] Router Flaw Is a Ticking Bomb
Message-ID:

http://www.wired.com/news/privacy/0,1848,68365,00.html

By Kim Zetter
Aug. 01, 2005

LAS VEGAS -- Security researcher Mike Lynn roiled the Black Hat conference Wednesday when he resigned from his job at Internet Security Systems to deliver a talk about a serious vulnerability in Cisco IOS, the operating system powering its routers, defying efforts by the router manufacturer and his former employer to block the presentation.

In the aftermath, Lynn reached a legal settlement with Cisco and ISS in which he agreed to erase his research material on the vulnerability, to keep secret the details of the attack, and to refrain from distributing copies of his presentation, among other concessions.

Now facing an FBI investigation -- and sudden celebrity status in the tech world -- Lynn discusses the events leading up to this week's disclosure, and what he thinks it means for the security of the internet in an exclusive interview with Wired News.

Wired News: Can you tell me how all of this started? You were asked by your employer, ISS, to reverse-engineer the Cisco operating system, weren't you?

Michael Lynn: I was very specifically told.... It was January 26th and Cisco had just announced a totally different vulnerability than the one I demonstrated. They'd announced a vulnerability for something called "Multiple Crafted IPv6 Packets Cause Router Reload" (as they worded it in their patch message). But that's a very vague term. It just says, "Hey, something is wrong in IP6 with the router reload" ... but it didn't say you could be in control of it.

ISS wanted to get protection in their products (against this problem) so that their customers wouldn't be as affected by it. So they called up Cisco to try to get some more details for it ... and Cisco wouldn't give (the information) to them. So (ISS managers) came to me and said, "Can you reverse-engineer ... can you disassemble IOS ... to find out what their vulnerability is?"

WN: So this was a different vulnerability from the one you demonstrated at the conference this week?

Lynn: Yes, but (Cisco) had (also) found the vulnerability that I demonstrated on stage about two weeks before I (found it).

WN: Then what happened?

Lynn: So on January 27th, ISS comes out with their response to this vulnerability -- the advice to their customers based on my analysis.... I stayed up all night basically (to research it). I realized in looking at this (that the program) is actually way worse than Cisco said.... So (our guy) calls up ... Cisco and says, "OK, we aren't 100 percent sure that we found the same bug that you're talking about, but it's important we find out because the one we found has much, much greater impact. You said there's (the possibility) of a denial-of-service attack. But the one we found is fully exploitable."

Cisco said, "You guys are lying. It is impossible to execute shell code on Cisco IOS."

At that point (ISS) management was annoyed.... They were like, "Mike, your new research project is Cisco IOS. Go find out how to exploit bugs on Cisco IOS so we can prove these people wrong."

WN: In your speech you said you worked on the reverse engineering with cooperation from Cisco.

Lynn: We did, in fact. The cooperation came later. They didn't start that way, and they were not happy to begin with.... They didn't cooperate in the actual reverse engineering itself. They cooperated in the research effort, I would say, in finding vulnerabilities and confirming (them).

WN: They didn't stop you.

Lynn: They didn't stop us, and at this point there was some back-and-forth communication.

(Lynn spent the next month researching the program.)

WN: After you came to them with the serious flaw and said, "This is the bug we found...."

Lynn: They said, "We don't believe you." And (ISS managers) said ... "come down to Atlanta and we'll show you." And that's never happened, by the way, at ISS. They've never brought somebody, let alone a competitor, into the office just to show them (something).... Mike Caudill, (Cisco's) customer advocate, came out. And they also sent out an engineer ... who described himself as an IOS architect.... I was told he helped design parts of the source code.... And his jaw hit the ground. He was very impressed, he was just (saying), "Wow, that's cool." That was June 14th.

WN: Cisco saw your Black Hat presentation long before they decided to pull it. When did they see it?

Lynn: Probably June 14th, the day that they came out (to Atlanta). We told them about the vulnerabilities well before (that).

WN: So at what point did they get nervous about the talk?

Lynn: When they saw the listing of the presentation on the Black Hat site is when they actually called us back and said, "Wait, you guys were serious?" And we said, "Yes, we were serious." Incidentally, it was ISS who submitted (the talk) for Black Hat. I was told (by ISS), "Hey, you want to go to Black Hat? We'd like you to do it."

WN: So ISS knew the seriousness of the bug.

Lynn: Yes, they did. In fact, at one point ... they apparently didn't get it, and they actually wanted to distribute the full working exploit very widely inside the company.... I was told ... "Give this to all the sales engineers and to all the pen testers."

WN: Why would they want you to do that?

Lynn: Well, because it bruises Cisco, remember? Mind you, this was something that Cisco hadn't gone public with yet and that's not useful to pen testers because what do they advise their customers to do (to protect themselves if no information about the vulnerability has been released yet)? I told them, "You do realize if you do that, it's going to leak?" And (one of the ISS guys) says, "That's Cisco's problem." And then (another ISS guy) turns to me and says that they need to understand this could be their Witty worm. I was like, Whoa, what meeting did I walk into?

(The Witty worm was a particularly aggressive and destructive code released by someone last year that targeted computer systems running a security program made by Internet Security Systems and even more specifically targeted military bases using the software. It infected more than 12,000 servers and computer systems in about an hour. Because of the worm's speed in spreading and its creators' apparent knowledge of who ISS' customers were, some security experts speculated that someone working for or connected to ISS might have been responsible for writing and releasing it.)

At that point, I told them all no, and they fought it and I resigned right there on the spot. And this was about a month ago. I thought they were handling this in a non-ethical manner. Because it was just way too fast and loose with who can see this.... I mean, I don't even want people to see it now.

(ISS talked him out of the resignation by agreeing to give him control over who could see or have the exploit.)

So we start moving forward with the talk and we're working with Cisco, and Cisco seems OK with it.

WN: They had already released information about what you found before your speech, right?

Lynn: Yes, and the fix. The fix was about six months before the message.

WN: So they already knew how serious the problem was.

Lynn: If they didn't know, they should have.

WN: But they didn't indicate to their customers how serious it was.

Lynn: No, they did not.

WN: And Cisco saw your Black Hat presentation long before they decided to pull it, right?

Lynn: Probably June 14, the day that they came out (to Atlanta). (Then) it was two weeks ago, I was first told that Cisco might want to come onto (the) stage with me and say a couple words. And I said, provided the words aren't something to the effect that "he's a liar," I'm OK with it.... It didn't really matter. It lent credence to my talk. And it's good because I felt my talk really needed to be taken seriously.

(However, the plan changed even more and Lynn was told to remove any mention of reverse engineering from his talk or cancel the presentation. If he did neither, he would be fired.)

Mind you this is a complete reversal. Like a week or so prior, the night of the close of the fiscal quarter, and they were all celebrating that they hit the numbers, the CEO invited me out for a beer, and he just couldn't say enough awesome things about this talk.

WN: Was Cisco threatening them?

Lynn: I asked point-blank, "Are you being threatened by Cisco?" They said no.... To be perfectly honest, I don't think there was any legal threat. I think that it was more of a "scratch our back and we'll scratch yours."

(Cisco asked him to wait a year until it could release a new version of its operating system. When he didn't back down, Cisco threatened a lawsuit against Lynn and Black Hat. Then with Black Hat's cooperation, Cisco arranged to tear out pages with images of Lynn's slides from the conference book.)

WN: You met with the feds after your talk, and someone gave you a challenge coin (a special coin created for members of the military to commemorate challenging missions)?

Lynn: Yes, they did, actually. And I didn't know what it was, so I didn't thank him properly.... This was a really funny story. (Right after my talk, this) guy walks up with a very, very impressive badge ... and says, "I need to speak with you. Now."

WN: What agency was it?

Lynn: Air Force (Office of Special Investigations). NSA, is what I'm told, but he wouldn't show me his credentials. There were a lot of flashy badges around from lots of three-letter agencies. So they take me to a maintenance area and I'm surrounded by people ... and one of them says (to another guy), "You've got the van ready?" I'm going, "Oh my god." And they go, "Just kidding!... Oh, man, you rock! We can't thank you enough." And I'm just sitting there, like still pale white. They all shook my hand.

I get the feeling that they were in the audience because they were told that there was a good chance that I was about to do something that would cause a serious problem. And when they realized that I was actually there to pretty much clue them in on ... the storm that's coming ... they just couldn't say enough nice things about me.... Also, US-CERT (Computer Emergency Response Team) asked me if I would come up to D.C. in a week or two and help them formulate the nation's strategy for cybersecurity.

WN: So this new version of the operating system that they're coming out with, that's in beta testing.

Lynn: It's actually a better architecture ... but it will be less secure.... That's why I felt it was important to make the point now rather than sweep it under the rug. I think it's something that we can fix.... The problem now ... is that if you want to attack something ... you're going to (have to) hack one machine (at a time) and take control of the part of the network (it's on). If you had (the exploit) up running against the new version that's in beta now, you can take everything. That's the difference between something you can make a worm out of and something you can't make a worm out of.

(Right now) nobody patches Cisco routers because there's been this culture (that) there's just never anything that can go wrong (with them). So, unless there's some really critical thing that's making it crash, people don't install the patches.... We have to change the public perception about patching now, and that cause is not best served by pretending that there's not a problem and saying maybe you can talk about this next year.... The time to talk about this is before the critical problem comes around.

WN: Cisco has said this is not a critical flaw that you found.

Lynn: I would agree with them in part and disagree with them. In a way I would say, yes, it's actually not all that exceptional in that all it proved is it's just like any other computer -- they're all hackable. Because in any complicated system, people make mistakes. It's our very nature. But in the sense that the potential impact of something like a router worm (attacking the routers) is no big deal, I would strongly disagree.

Unlike most other vulnerabilities or exploits, when you ... take control of another machine, it's very difficult, if at all possible, for you to ... destroy the hardware.... But on a router? This is (a scenario in which) the network is down, and it's down in a way that it's not getting up again. How do you ship the patch when the network won't (be up so you can distribute it)? Are you going to mail out a CD? But there's no CD drive.

The real point is there's a ticking clock but we still have plenty of time. I wanted people to be afraid a little bit ... because I needed people to act. But at the same time, now that I think they already are, I will say it's not as bad as you probably think it is. Not yet ...
because the version that makes this an unstoppable critical problem is not out yet.


From isn at c4i.org Wed Aug 3 06:04:26 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 3 06:18:15 2005
Subject: [ISN] Government-computer hacker sentenced
Message-ID:

http://www.signonsandiego.com/news/metro/20050802-9999-1m2hack.html

By Ray Huard
UNION-TRIBUNE STAFF WRITER
August 2, 2005

The co-founder of a San Diego computer security firm was sentenced by a federal judge yesterday to 60 days in a work-release program for hacking into government and private computers to show they were vulnerable and to drum up business.

U.S. District Judge John S. Rhoades also placed Brett Edward O'Keefe on probation for two years, ordered him to perform 100 hours of community service and instructed him to refrain from doing any work involving computer security while he's on probation. The judge left it to probation officials to determine the specifics of O'Keefe's work-release program and community service.

O'Keefe, who has moved to Phoenix, told the judge, "I've learned my lesson far more than you can imagine." As a result of his September 2003 arrest, O'Keefe said, "I was financially and emotionally ruined," adding, "I've lost nearly everything I worked my entire life for."

O'Keefe, 38, said he was humiliated by the experience. He said he meant no harm but hacked into government computers "to say that something more needed to be done to protect our country."

A co-founder of ForensicTec Solutions, O'Keefe pleaded guilty earlier this year to one misdemeanor count of gaining unauthorized access to U.S. Army computers. In exchange for the guilty plea, Assistant U.S. Attorney John Parmley dismissed six felony counts of gaining unauthorized access to scores of military and government computer systems.

Parmley said O'Keefe caused $95,624 in expenses to various government agencies, including the U.S. Army, the National Institutes of Health and NASA, because of the time they spent "trying to figure out what had happened to their computers."

Judge Rhoades called O'Keefe's actions "a serious crime" but said the harm O'Keefe caused was partially offset by the value federal agencies gained from learning that their computers were vulnerable. "If he hadn't done what he did or his company did, they'd still be subject to the same sort of intrusions," Rhoades said. "I think the government got something out of it."

Defense attorney Matthew Winter said two other ForensicTec principals, Aljosa Medvesek and his wife, Margaret Ann Medvesek, took advantage of O'Keefe and were the ones largely responsible for hacking government computers. The Medveseks each pleaded guilty in September 2003 to one count of conspiracy to gain unauthorized access to computers for financial gain. Parmley said they are scheduled to be sentenced in September and face a maximum penalty of five years in prison.

Winter said O'Keefe was "a trusting person" and that hacking into the government computers was out of character for him.

In August 2002, O'Keefe revealed to The Washington Post that his company had gained unauthorized access to government computers as a way to expose lax security. Prosecutors said the idea behind seeking publicity was to attract new clients for the security firm and increase profits.


From isn at c4i.org Wed Aug 3 06:04:39 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 3 06:18:44 2005
Subject: [ISN] Hackers again hit CU
Message-ID:

http://www.denverpost.com/news/ci_2906977

By Felisa Cardona
Denver Post Staff Writer
08/02/2005

A computer security breach at the University of Colorado at Boulder has left all 29,000 students, some former students and as many as 7,000 staff members vulnerable to identity theft, the school warned Monday evening.

Hackers gained access to information on the CU-Boulder identification Buff OneCard used by students.
The card contains Social Security numbers, names and photographs. The incident marks the third computer security breach at CU-Boulder since July 21.

Although the potential for identity theft exists, there is no evidence that the personal information was stolen or used, and no financial information was affected, campus officials said.

The Buff OneCard is used for identification purposes and to gain access to campus buildings, residence halls and laboratories. The breach was reported to the information technology department on Wednesday. The servers were isolated and taken offline.

The unauthorized access was detected because IT officials were on high alert after attacks July 21 on computers at the Wardenburg Health Center and the Visual Resource Center of the College of Architecture and Planning, said Dan Jones, IT security coordinator for CU-Boulder. Those incidents affected 42,000 people. A forensic investigation is underway.

"It's too early to say that it's the same people," Jones said of the three incidents. "As you can imagine, people were looking at the systems over the last breach and noticed the system had been behaving strangely."

Although a major concern is identity theft, it's common for hackers to break into a system such as CU's in order to send spam e-mail without being detected or to use the computer network infrastructure to share pirated movies and software.

Matt Martin, a graduate student at CU, says he's not too worried about the incident. "I've had my Social Security number turned in at the top of term papers and never worried about it," Martin said. "If somebody wants my number, they do not have to hack into a system to get it."

Several higher-education campuses across the country, including the University of California at Berkeley, Boston University and Georgia Tech, have become targets for computer hackers in recent years.
In response to that, CU decided in April to convert all students' identification numbers from Social Security numbers to a new unique student number that cannot be used to obtain or extend credit. However, there are some campus computer systems that still must maintain Social Security numbers, Jones said.

Beginning Wednesday, the university will issue Buff OneCard replacements at no cost in Willard Hall, room 182. A hotline was established to respond to individual inquiries about the breach: 303-492-0600.

About 6,000 students who live in residence halls will get new access cards. Incoming students who are not scheduled to get their Buff OneCards until the beginning of the fall semester will be given new cards and were not affected by the breach, university officials said.

More information on the incident is posted at www.colorado.edu/its/security/buffonecard.

Staff writer Christopher Ortiz contributed to this report.

From isn at c4i.org Wed Aug 3 06:05:03 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 3 06:19:23 2005
Subject: [ISN] ITL Bulletin for July 2005
Message-ID:

Forwarded from: Elizabeth Lennon

ITL Bulletin for July 2005

PROTECTING SENSITIVE INFORMATION THAT IS TRANSMITTED ACROSS NETWORKS: NIST GUIDANCE FOR SELECTING AND USING TRANSPORT LAYER SECURITY IMPLEMENTATIONS

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

The protection of sensitive information that is transmitted across interconnected networks is an essential part of an organization's integrated program for the security of information and information systems. Management, operational, and technical controls are needed throughout the organization to protect information and information systems from threats of all kinds.
New guidance recently issued by the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) helps federal and private sector organizations select and use technical controls at the transport layer of a layered communications protocol stack. Transport layer security (TLS) can be implemented and used effectively to authenticate network servers and clients, and to protect the confidentiality and integrity of data that is exchanged between two communicating information technology (IT) applications.

Background on Transport Layer Security (TLS)

Technical controls implemented at the transport layer of a communications protocol stack can protect sensitive information during electronic dissemination across the Internet. The TLS protocol (TLS 1.0) is a voluntary industry standard (RFC 2246) that was developed by the Internet Engineering Task Force. TLS 1.0 is based on the Secure Sockets Layer Version 3.0 (SSL 3.0), which had been developed originally by Netscape Corporation.

These protocols are part of the seven-layer model (also known as the seven-layer stack) that provides for communications operations between applications running on disparate computing systems on the Internet. The seven-layer model defines the layers of computer communications services, which are provided by a protocol stack. The transport layer is frequently used to provide connection-oriented services between applications running on hosts that are on interconnected networks. The layering of communications protocols enables systems developers to design new communication systems using already defined services, protocols, and specific communication requirements within each layer of the stack. Each protocol layer of the system that is transmitting information through the network communicates with the corresponding layer of the stack on the system that receives the information.
Within the communications stack, the internal mechanisms of each layer generally are independent of each other layer. Placement of security services and the implementation of the security mechanisms within the stack are specific to each individual layer of the stack. The seven-layer model does not explicitly define where security services are to be placed, and there has been considerable discussion about the correct placement of security services and other implementation mechanisms. These discussions will continue as new standards are developed to meet the communications needs of users, local and wide area networking vendors, Internet service providers (ISPs), and World Wide Web (Web) application designers.

In this model, the telephone lines, network routers, firewalls, and other network components that comprise the underlying structure of the network are usually not under the control of the end user's client software or of the server's application software. In the typical Internet architecture, the Transmission Control Protocol/Internet Protocol (TCP/IP) stack provides for the transmission of packets through complex arrangements of local, wide, or metropolitan area or globally connected sets of inter-networking or intra-networking technology. Protocols below IP include, for example, local area network (LAN) protocols or other link protocols such as dial up, or directly connected modems, fiber optic links, or satellite links.

Security services are needed to protect data privacy and data integrity, and to assure the authentication of the server and the end user. The TLS 1.0 specifications use cryptographic mechanisms, including encryption of data, message authentication codes, and public key cryptography-based digital signatures, to implement the security services and to establish and maintain a secure TCP/IP connection. Secure connections prevent eavesdropping, tampering, or message forgery.
Protocol options must be selected and used by both clients and servers in order to achieve communication security at the transport layer. The transport layer is not the only place in this architectural model where these security services can be provided. In overall security design, the transport layer is only a small portion of the network, and it alone cannot provide complete network security. Security involves an integrated and complex set of related properties that work together to protect information and systems.

NIST Special Publication (SP) 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations: Recommendations of the National Institute of Standards and Technology

NIST has issued new guidelines to help organizations select and implement transport level security, making effective use of Federal Information Processing Standards (FIPS)-approved cryptographic algorithms and open source technology. Written by C. Michael Chernick (NIST), Charles Edington III (Booz Allen Hamilton), Matthew J. Fanto (NIST), and Rob Rosenthal (Booz Allen Hamilton), the guide advises organizations how to use authentication, confidentiality, and integrity mechanisms to protect information at the transport layer. Authentication mechanisms provide assurance of the identity of the sender or receiver of information. The confidentiality mechanisms provide assurance that data is kept secret and prevent eavesdropping. The message integrity mechanisms detect any attempts to modify data and prevent deletions, additions, or modifications of data.

NIST SP 800-52 explains the concepts of security in the layered communications architecture in general, and in the transport layer in particular. The security options in selecting an encryption method, or cipher, and communications protocols are explained, and recommended selections are discussed. Tables are provided for mapping the security parts of TLS to FIPS, and for recommended client and server cipher suites.
The reference section includes documents, publications, and organizations that provide extensive information on many aspects of transport layer security. While primarily designed to help federal agencies achieve more secure information systems, other activities including state, local and tribal governments, and private sector organizations should find the guide useful in selecting transport layer security implementations.

NIST SP 800-52 and other publications dealing with controls and procedures needed for secure systems are available from the NIST Computer Security Resource Center at: http://csrc.nist.gov/publications/nistpubs/index.html.

NIST SP 800-52 and FISMA Requirements

NIST SP 800-52 is one of the guidelines developed by NIST to help federal agencies implement their responsibilities under the Federal Information Security Management Act (FISMA). FISMA requires that all federal agencies develop, document, and implement agency-wide information security programs to protect the information and information systems that support the operations and assets of the agency, including those systems provided or managed by another agency, contractor, or other source.

Under Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, federal managers of publicly accessible information repositories, or of dissemination systems that contain sensitive but unclassified data, are required to ensure that sensitive data is protected. The protection mechanisms used should be in accordance with the risk and magnitude of the harm that would result from the loss, misuse, or unauthorized access to or modification of such data. Security requirements are usually derived from an assessment of the threats or potential attacks that an adversary could mount against a system.
Threats to systems take advantage of implementation vulnerabilities found in many system components including computer operating systems, application software systems, and the computer networks that interconnect them. Security within the network is just one consideration in establishing an effective information security program. NIST SP 800-30, Risk Management Guide for Information Technology Systems, describes the management process to analyze and balance the operational and economic costs of protective measures and to protect the IT systems and data that support the organization's mission.

Special Publications and Federal Information Processing Standards (FIPS) mentioned in this bulletin are available in electronic format at: http://csrc.nist.gov/publications/nistpubs/index.html.

Guidance in Implementing Transport Layer Security

NIST recommends that organizations consider the following issues when implementing transport layer security mechanisms in products such as web servers and browsers:

* Implementation of standards. The interaction between components in transport layer security mechanisms should be through a well-defined communication protocol with no deviations. FIPS-approved algorithms for authentication, encryption, and the generation of message digests should be used in all implementations.

* Interoperability. An implementation should promote interoperability among components. The selection of a particular server solution should not prevent the use of any standards-based client or vice versa.

* Use of evaluated products. Key components of the implementation should be independently evaluated for conformance to standards, such as FIPS 140-1 and 140-2, Security Requirements for Cryptographic Modules.

* Selection of important features. The implementation should include those features that users consider most important to their operating environments.

* Open Source Solutions.
The implementation should be an open source solution that allows users to choose future implementations that will support interoperability or standards.

NIST recommends the use of the TLS 1.0 protocol specifications, which call for cryptographic mechanisms to implement the security services that establish and maintain a secure TCP/IP connection. The secure connection prevents eavesdropping, tampering, or message forgery. Implementing data confidentiality with cryptography prevents eavesdropping; generating a message authentication code with a secure hash function prevents undetected tampering; and authenticating clients and servers with public key cryptography-based digital signatures prevents message forgery. In all of these processes, a key or shared secret is required by the cryptographic mechanism. A pseudorandom number generator and a key establishment algorithm are used to provide for the generation and sharing of these secrets.

NIST SP 800-52 provides tables that guide an organization in implementing services to prevent eavesdropping, tampering, or message forgery. The guide identifies the key establishment, confidentiality, digital signature, and hash mechanisms that are Federal Information Processing Standards (FIPS). Recommendations are made for the selection of FIPS-approved ciphers.

Some specific implementation details include:

* In selecting and procuring transport layer security implementations, officials should ensure that products meet a minimum set of universally accepted tests. Products should provide quality random numbers for key generation, protect the keying material and its storage, and properly implement and test key establishment, encryption, and signature algorithms and hash functions.
NIST has published information to help agencies in buying security products in NIST SP 800-23, Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, and in NIST SP 800-36, Guide to Selecting Information Technology Security Products.

* Organizations should follow the vendor's general guidelines, as well as local practices, when installing TLS implementations. For example, a client's local policy might state that server authentication is required. The system administrator should follow the vendor's prescribed methods for enabling client/server authentication. Security services for confidentiality, data integrity, and peer entity authentication for clients and servers should be configured and provided by the TLS implementation. Appropriate cipher suites must also be selected.

* In the maintenance phase, administrators should follow local policies and operating procedures. For example, the site system administrator may be required to check for product updates and security patches and to install them as needed. Within the local operating procedures, provisions should be made for checking for and obtaining updated information concerning the issuance and validation of authentication certificates, which are issued by public key infrastructure services.

Some Operational Considerations

After administrators select cipher suites to support transport layer security within the TLS protocol, applications should be configured only for those selected cipher suites. In addition, the key lengths used in the cipher suites for both clients and servers must be specified. TLS 1.0 and SSL 3.0 use the Hypertext Transfer Protocol (HTTPS), which is an extremely flexible protocol that allows for many uses and implementations and that introduces vulnerabilities. The client should be configured to check all data received and to verify the pathway of the message and the message's integrity.
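The cipher-suite restriction described above, together with the server-identity and certificate-revocation checks the bulletin goes on to require, can be expressed as a client configuration that is itself auditable. The following Python is an added example, not code from the bulletin or from NIST SP 800-52: it builds a hardened ssl.SSLContext, places a deliberately weak one beside it, and audits both against the guidance. The cipher list, the TLS 1.2 protocol floor (the bulletin's own recommendation is TLS 1.0), the file paths and the helper names are assumptions.

```python
import ssl

# Cipher suites the organization has selected. Constructed, illustrative list;
# the FIPS-recommended suites are tabulated in NIST SP 800-52, not reproduced here.
APPROVED_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)

# Substrings of OpenSSL cipher names that mark suites no policy should allow
# (null encryption, RC4, DES/3DES, MD5 MACs, export grades, anonymous key exchange).
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "DES-", "MD5", "EXP", "ADH", "AECDH")


def build_client_context(ca_file=None, crl_file=None):
    """Hardened client context following the bulletin's operational advice.

    ca_file:  PEM bundle of trusted CAs (assumed path; system store if omitted).
    crl_file: PEM CRL for the server's issuing CA; when given, the leaf
              certificate is checked against it during the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol floor: an assumption for current deployments, not the bulletin's value.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Server authentication: require a certificate AND verify that it names the host,
    # so the decision does not rest only on possession of the private key.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Offer only the selected suites (TLS 1.3 suites are governed separately by OpenSSL).
    ctx.set_ciphers(APPROVED_CIPHERS)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    if crl_file:
        # load_verify_locations accepts PEM CRLs; the flag makes OpenSSL consult them.
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def build_weak_context():
    """Counter-example: accepts any server, which is exactly what the guidance warns against."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of deviations from the guidance; an empty list means compliant."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("server identity (hostname) not verified")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    weak = sorted(
        c["name"] for c in ctx.get_ciphers()
        if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)
    )
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    if not ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF:
        findings.append("no revocation (CRL) checking configured")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", build_client_context()),
                       ("weak", build_weak_context())):
        print(label + ":", audit_context(ctx) or ["OK"])
```

Run with a real CA bundle and CRL path to get an empty finding list for the hardened context; without a CRL the audit reports the missing revocation check, which is the one item a certificate-possession test alone never covers.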
Checking received data includes verifying the server's identity at the time the connection is established. Neither the server nor the client should base authentication decisions solely upon the Transport Layer Security mechanism for determining possession of the private key corresponding to the authentication certificate. Rather, the decision should also consider whether or not the authentication certificate is valid or has been revoked. Information on public key infrastructure services is available in NIST SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure.

Organizations should consult NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, for complete details concerning selection of protocols, cipher suites, client-server issues, generation of random numbers, and other implementation issues.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

NOTE: ITL is seeking a Division Chief for its Computer Security Division. For more information, see http://www.itl.nist.gov/itl-opportunities.html

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

From isn at c4i.org Wed Aug 3 06:05:29 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 3 06:19:58 2005
Subject: [ISN] Phrack release #63 is OUT
Message-ID:

Forwarded from: phrackstaff@phrack.org

Hey everyone,

The Phrack Staff is proud to announce the FINAL Phrack #63 release.

Enjoy the magazine on the Phrack Internet address :

.:: http://www.phrack.org ::.
PHRACK #63

0x01  Introduction                                   phrackstaff                    0x07 kb
0x02  Loopback                                       phrackstaff                    0x05 kb
0x03  Linenoise                                      phrackstaff                    0x1c kb
        .1 Analysing suspicious binary files
        .2 TCP Timestamp to count hosts behind NAT
        .3 Elliptic Curve Cryptography
0x04  Phrack Prophile on Tiago                       phrackstaff                    0x21 kb
0x05  OSX heap exploitation techniques               Nemo                           0x24 kb
0x06  Hacking Windows CE (pocketpcs & others)        San                            0x33 kb
0x07  Games with kernel Memory...FreeBSD Style       jkong                          0x2e kb
0x08  Raising The Bar For Windows Rootkit Detection  Jamie Butler & Sherri Sparks   0x4c kb
0x09  Embedded ELF Debugging                         ELFsh crew                     0x5b kb
0x0a  Hacking Grub for Fun & Profit                  CoolQ                          0x2a kb
0x0b  Advanced antiforensics : SELF                  Ripe & Pluf                    0x29 kb
0x0c  Process Dump and Binary Reconstruction         ilo                            0x69 kb
0x0d  Next-Gen. Runtime Binary Encryption            Zvrba                          0x45 kb
0x0e  Shifting the Stack Pointer                     andrewg                        0x1a kb
0x0f  NT Shellcode Prevention Demystified            Piotr                          0xdc kb
0x10  PowerPC Cracking on OSX with GDB               curious                        0x1b kb
0x11  Hacking with Embedded Systems                  cawan                          0x27 kb
0x12  Process Hiding & The Linux Scheduler           Ubra                           0x2c kb
0x13  Breaking Through a Firewall                    kotkrye                        0x1e kb
0x14  Phrack World News                              phrackstaff                    0x0a kb

[ PHRACK, NO FEAR & NO DOUBT ]

From isn at c4i.org Thu Aug 4 05:59:20 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 4 06:07:53 2005
Subject: [ISN] Secrets locked away in encrypted files
Message-ID:

http://seattlepi.nwsource.com/local/235030_encrypt03.html

By ERIC NALDER AND LEWIS KAMB
SEATTLE POST-INTELLIGENCER REPORTERS
August 3, 2005

What's in Dan Ring's computer? A lot of people want to know. Some probably do not.

His Sheriff's Office laptop was found by investigators to have a section encrypted by a program so secure the manufacturer said it is virtually impossible to crack.

The King County Sheriff's Office intelligence detective with an expertise in the sex trade, and in computers, had a habit of checking out people using powerful law enforcement databases. He said he was just testing the system when he ran the names of co-workers and higher-ups in the sheriff's and prosecutor's offices. But people wonder.

When Ring was arrested on Jan. 28, 2004, at Sea-Tac Airport, a detective read him his rights and asked for the password. Ring said he didn't know.

When internal affairs investigator Capt. Cameron K. Webster questioned Ring on Oct. 1, 2004, he again asked for the password. Ring said he couldn't remember.

At a court hearing on Feb. 15, 2005, King County Deputy Prosecutor Barbara Mack asked Ring for the password and his attorney Richard Hansen objected: "It's invasion of his privacy."

In October, Webster sat Ring down in front of the laptop computer and told him to try to open the encrypted files. But "he could not recall the password," Webster's report said.

"He probably could have come up with the password and he didn't want to," sheriff's spokesman Sgt. John Urquhart said.

Ring told Seattle Post-Intelligencer reporters he didn't remember the password but it might be in a list seized during a search of his property after his arrest. Webster's report indicated it couldn't be found.

Urquhart said the Sheriff's Office didn't require Ring to produce the password as a condition of his retirement settlement, "because we worked really hard to get that password from him during the investigation."

What Ring kept out in the open in his computers was enticing in itself. Investigators copied the hard drive and examined it when Ring turned his laptop in for repairs in the early fall of 2003. He had revealing photographs, calendar items keeping track of his contacts with various girlfriends and escort-service operators, and messages to escort services in Canada.

"Dan was our biggest help in this investigation. Talk about obsessive-compulsive," said Robin Ostrum, a King County detective who worked on the Ring investigation but declined to detail what was in the unencrypted portion of the computer. "He kept notes in the computer on everything."

They tried opening the encrypted portion, time and again, but with no luck. The man who authored the Safehouse encryption said he can't help.

"I personally have no ability to break into this product no matter what kind of gun is pointed to my head," said Peter Avritch, owner of PC Dynamics Inc.
Avritch said no law enforcement agency that he knows of has been able to crack it, but, "There's always the rumorville that the NSA (National Security Agency) has secret ways to get into algorithms," he said.

A spokeswoman for the secretive agency said last week NSA has "had no dealings with that company and that product."

Ring said one other thing to the P-I: He had inside information about top officials in the Sheriff's Office.

Now, the hard drive from Ring's computer is under lock and key in the sheriff's fraud unit. What's on it? No one -- except Ring -- knows for sure.

-=-

MORE IN THIS SERIES

Read the complete special report, Conduct Unbecoming [1].

[1] http://seattlepi.nwsource.com/specials/ring/

From isn at c4i.org Thu Aug 4 06:01:47 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 4 06:10:21 2005
Subject: [ISN] Windows 2000 open to IP attack
Message-ID:

http://software.silicon.com/security/0,39024655,39151021,00.htm

By Dawn Kawamoto
4 August 2005

A serious flaw has been discovered in a core component of Windows 2000, with no possible workaround until it gets fixed, a security company said.

The vulnerability in Microsoft's operating system could enable remote intruders to enter a PC via its internet protocol address, Marc Maiffret, chief hacking officer at eEye Digital Security, said on Wednesday. As no action on the part of the computer user is required, the flaw could easily be exploited to create a worm attack, he noted.

What may be particularly problematic with this unpatched security hole is that a workaround is unlikely, he said.

"You can't turn this [vulnerable] component off," Maiffret said. "It's always on. You can't disable it. You can't uninstall."

eEye declined to give more details on the flaw or the Windows 2000 component in question. As part of company policy, it does not release technical details of the vulnerabilities it finds until the software's maker has released either a patch or an advisory.
A Microsoft representative said the software giant will issue a comment once it has had a chance to review the eEye advisory, which has yet to be posted on the security company's website.

The vulnerabilities affect Windows 2000 but Maiffret noted eEye is still conducting tests, and he anticipates other versions of Microsoft's OS are likely to be affected.

For Microsoft, this marks the second eEye advisory it's received this week. On Monday, eEye notified the software giant it had found critical vulnerabilities in Internet Explorer. The IE vulnerabilities could allow malicious attackers to launch a remote buffer overflow attack should users click on a malicious website link. The flaw, which is rated as "high" risk, affects IE, Windows XP and SP1, Windows 2003 and Windows 2000.

Microsoft confirmed it received the eEye advisory regarding IE through its standard vulnerability reporting system. A Microsoft representative said: "We are investigating the report and will take appropriate action to help protect customers as part of our normal security response process."

Microsoft issues a monthly bulletin of patches and also has a programme of security advisories with workarounds for unpatched, reported flaws.
From isn at c4i.org Thu Aug 4 06:00:47 2005 From: isn at c4i.org (InfoSec News) Date: Thu Aug 4 06:10:42 2005 Subject: [ISN] Secunia Weekly Summary - Issue: 2005-31 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2005-07-28 - 2005-08-04 This week : 55 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: Opera Software has released a new version of their popular browser, which corrects several vulnerabilities. Additional details can be found in the referenced Secunia advisories below. Reference: http://secunia.com/SA15756 http://secunia.com/SA15870 VIRUS ALERTS: Secunia has not issued any virus alerts during the week. 
========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA15870] Opera Download Dialog Spoofing Vulnerability
2. [SA15756] Opera Image Dragging Vulnerability
3. [SA16272] Cisco IOS IPv6 Packet Handling Vulnerability
4. [SA16256] Microsoft Office Insecure Shared Section Permissions
5. [SA16245] Sophos Anti-Virus Unspecified Buffer Overflow Vulnerability
6. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
7. [SA16271] Linksys WRT54G Router Common SSL Private Key Disclosure
8. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
9. [SA16267] Novell eDirectory NMAS Password Challenge Bypass
10. [SA16255] MySQL Eventum PEAR XML_RPC PHP Code Execution Vulnerability

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA16314] Naxtor e-directory Cross-Site Scripting and SQL Injection
[SA16308] Sacrifice Format String and Buffer Overflow Vulnerabilities
[SA16306] BusinessMail SMTP Denial of Service Vulnerability
[SA16282] Business Objects Enterprise / Crystal Reports Denial of Service
[SA16268] Thomson Web Skill Vantage Manager SQL Injection
[SA16258] nProtect Personal OnlineScan Arbitrary File Download
[SA16264] Easy PX 41 CMS Cross-Site Scripting and Information Disclosure
[SA16283] Microsoft ActiveSync Denial of Service and Equipment ID Enumeration
[SA16289] Trillian Exposure of User Credentials

UNIX/Linux:
[SA16327] Debian apt-cacher Unspecified Arbitrary Command Execution
[SA16326] Mandriva update for mozilla
[SA16307] Gentoo update for Compress-Zlib
[SA16302] Ubuntu update for mozilla-thunderbird/mozilla-thunderbird-enigmail
[SA16296] Conectiva update for clamav
[SA16290] Trustix update for multiple packages
[SA16284] Gentoo update for emul-linux-x86-baselibs
[SA16276] Fedora update for ethereal
[SA16257] SUSE Updates for Multiple Packages
[SA16324] Gentoo update for nbsmtp
[SA16305] Gentoo update for pstotext
[SA16304] MySQL Eventum Cross-Site Scripting and SQL Injection
[SA16303] Debian update for pdns
[SA16293] Slackware update for telnet
[SA16291] jabberd "jid.c" Buffer Overflow Vulnerabilities
[SA16288] Gentoo update for ProFTPD
[SA16279] no-brainer SMTP Client "log_msg" Format String Vulnerability
[SA16261] Mandriva update for fetchmail
[SA16299] Fedora update for httpd
[SA16266] Ubuntu update for libtiff4
[SA16259] HP NonStop Server DCE Core Services Denial of Service
[SA16278] Avaya CMS / IR Solaris Runtime Linker Vulnerability
[SA16277] Debian update for gopher
[SA16275] UMN Gopher Insecure Temporary File Creation
[SA16269] Debian update for gaim
[SA16265] Gaim libgadu Memory Alignment Weakness
[SA16309] UnZip File Permissions Change Vulnerability

Other:
[SA16272] Cisco IOS IPv6 Packet Handling Vulnerability
[SA16271] Linksys WRT54G Router Common SSL Private Key Disclosure

Cross Platform:
[SA16319] Karrigell Python Namespace Exposure Vulnerability
[SA16273] Simplicity oF Upload "language" File Inclusion Vulnerability
[SA16260] PHPmyGallery "confdir" File Inclusion Vulnerability
[SA16323] nCipher CHIL Random Cache Inheritance Security Issue
[SA16318] Metasploit Framework "defanged" Mode Bypass Vulnerability
[SA16312] PHPFreeNews Unspecified Vulnerabilities
[SA16300] FlexPHPNews Multiple Vulnerabilities
[SA16287] Ragnarok Online Control Panel Authentication Bypass Vulnerability
[SA16286] Kayako LiveResponse Multiple Vulnerabilities
[SA16262] Naxtor Shopping Cart Cross-Site Scripting and SQL Injection
[SA16316] BrightStor ARCserve Backup Agents Buffer Overflow Vulnerability
[SA16267] Novell eDirectory NMAS Password Challenge Bypass
[SA16311] AderSoftware CFBB "page" Cross-Site Scripting
[SA16292] ChurchInfo SQL Injection Vulnerabilities
[SA16270] UNG "name" and "email" Mail Header Injection
[SA16263] Website Baker Cross-Site Scripting and File Upload Vulnerabilities
[SA16274] phplist "id" SQL Injection Vulnerability
========================================================================

5) Vulnerabilities Content Listing

Windows:

-- [SA16314] Naxtor e-directory Cross-Site Scripting and SQL Injection
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, System access
Released: 2005-08-03

basher13 has reported some vulnerabilities in Naxtor e-directory, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16314/

-- [SA16308] Sacrifice Format String and Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-02

Luigi Auriemma has reported two vulnerabilities in Sacrifice, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16308/

-- [SA16306] BusinessMail SMTP Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-08-01

Reed Arvin has discovered a vulnerability in BusinessMail, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/16306/

-- [SA16282] Business Objects Enterprise / Crystal Reports Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-08-01

A vulnerability has been reported in Business Objects Enterprise and Crystal Reports Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16282/

-- [SA16268] Thomson Web Skill Vantage Manager SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2005-07-29

Walter Sobchak has reported a vulnerability in Thomson Web Skill Vantage Manager, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/16268/

-- [SA16258] nProtect Personal OnlineScan Arbitrary File Download
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2005-08-01

Park Gyu Tae and Neo have reported a vulnerability in nProtect Personal OnlineScan, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16258/

-- [SA16264] Easy PX 41 CMS Cross-Site Scripting and Information Disclosure
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Released: 2005-07-29

FalconDeOro has reported some vulnerabilities in Easy PX 41 CMS, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose various information.

Full Advisory: http://secunia.com/advisories/16264/

-- [SA16283] Microsoft ActiveSync Denial of Service and Equipment ID Enumeration
Critical: Less critical
Where: From local network
Impact: Exposure of system information, Exposure of sensitive information, DoS
Released: 2005-08-02

Seth Fogie has reported two vulnerabilities in Microsoft ActiveSync, which can be exploited by malicious people to cause a DoS (Denial of Service) and enumerate valid equipment IDs.
Full Advisory: http://secunia.com/advisories/16283/

-- [SA16289] Trillian Exposure of User Credentials
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-08-01

Suramya Tomar has discovered a security issue in Trillian, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/16289/

UNIX/Linux:

-- [SA16327] Debian apt-cacher Unspecified Arbitrary Command Execution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-03

Eduard Bloch has reported a vulnerability in apt-cacher, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16327/

-- [SA16326] Mandriva update for mozilla
Critical: Highly critical
Where: From remote
Impact: System access, Spoofing, Cross Site Scripting, Security Bypass
Released: 2005-08-03

Mandriva has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and spoofing attacks, and compromise a user's system.

Full Advisory: http://secunia.com/advisories/16326/

-- [SA16307] Gentoo update for Compress-Zlib
Critical: Highly critical
Where: From remote
Impact: System access, DoS
Released: 2005-08-01

Gentoo has issued an update for Compress-Zlib. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16307/

-- [SA16302] Ubuntu update for mozilla-thunderbird/mozilla-thunderbird-enigmail
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Released: 2005-08-01

Ubuntu has issued updates for mozilla-thunderbird and mozilla-thunderbird-enigmail. These fix some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, gain knowledge of potentially sensitive information, conduct cross-site scripting attacks and compromise a user's system.

Full Advisory: http://secunia.com/advisories/16302/

-- [SA16296] Conectiva update for clamav
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-01

Conectiva has issued an update for clamav. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16296/

-- [SA16290] Trustix update for multiple packages
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2005-08-02

Trustix has issued various updated packages. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges, by malicious users to cause a DoS (Denial of Service), or by malicious people to gain knowledge of sensitive information, conduct HTTP request smuggling attacks, or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16290/

-- [SA16284] Gentoo update for emul-linux-x86-baselibs
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-01

Gentoo has issued an update for emul-linux-x86-baselibs.
This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16284/

-- [SA16276] Fedora update for ethereal
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-07-29

Fedora has issued an update for ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16276/

-- [SA16257] SUSE Updates for Multiple Packages
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of sensitive information, DoS, System access
Released: 2005-07-29

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct HTTP request smuggling, spoofing and cross-site scripting attacks, bypass certain security restrictions, disclose and manipulate sensitive information, and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16257/

-- [SA16324] Gentoo update for nbsmtp
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-03

Gentoo has issued an update for nbsmtp. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16324/

-- [SA16305] Gentoo update for pstotext
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-08-01

Gentoo has issued an update for pstotext. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16305/

-- [SA16304] MySQL Eventum Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-08-01

James Bercegay has reported some vulnerabilities in MySQL Eventum, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/16304/

-- [SA16303] Debian update for pdns
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-08-01

Debian has issued an update for pdns. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/16303/

-- [SA16293] Slackware update for telnet
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-08-01

Slackware has issued an update for telnet. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/16293/

-- [SA16291] jabberd "jid.c" Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-01

Michael has reported some vulnerabilities in jabberd, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16291/

-- [SA16288] Gentoo update for ProFTPD
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, DoS, System access
Released: 2005-08-02

Gentoo has issued an update for ProFTPD. This fixes two vulnerabilities, which can be exploited by malicious users to disclose certain sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16288/

-- [SA16279] no-brainer SMTP Client "log_msg" Format String Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-01

A vulnerability has been reported in no-brainer SMTP client, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16279/

-- [SA16261] Mandriva update for fetchmail
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-07-29

Mandriva has issued an update for fetchmail. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16261/

-- [SA16299] Fedora update for httpd
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, DoS
Released: 2005-08-03

Fedora has issued an update for httpd. This fixes two vulnerabilities, which can be exploited by malicious people to potentially cause a DoS (Denial of Service) and conduct HTTP request smuggling attacks.

Full Advisory: http://secunia.com/advisories/16299/

-- [SA16266] Ubuntu update for libtiff4
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-07-29

Ubuntu has issued an update for libtiff4. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/16266/

-- [SA16259] HP NonStop Server DCE Core Services Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-08-01

A vulnerability has been reported in HP NonStop Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16259/

-- [SA16278] Avaya CMS / IR Solaris Runtime Linker Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-02

Avaya has acknowledged a vulnerability in CMS and IR, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/16278/

-- [SA16277] Debian update for gopher
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-01

Debian has issued an update for gopher. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/16277/

-- [SA16275] UMN Gopher Insecure Temporary File Creation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-01

John Goerzen has reported a vulnerability in gopher, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/16275/

-- [SA16269] Debian update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-07-29

Debian has issued an update for gaim. This fixes a weakness, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/16269/

-- [SA16265] Gaim libgadu Memory Alignment Weakness
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-07-29

A weakness has been reported in Gaim, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16265/

-- [SA16309] UnZip File Permissions Change Vulnerability
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-03

Imran Ghory has reported a vulnerability in unzip, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/16309/

Other:

-- [SA16272] Cisco IOS IPv6 Packet Handling Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2005-07-29

A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable network device.

Full Advisory: http://secunia.com/advisories/16272/

-- [SA16271] Linksys WRT54G Router Common SSL Private Key Disclosure
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2005-07-29

Nick Simicich has reported a security issue in WRT54G, which potentially can be exploited by malicious people to gain knowledge of certain sensitive information.

Full Advisory: http://secunia.com/advisories/16271/

Cross Platform:

-- [SA16319] Karrigell Python Namespace Exposure Vulnerability
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-03

Radovan Garabik has reported a vulnerability in Karrigell, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16319/

-- [SA16273] Simplicity oF Upload "language" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-07-29

rgod has reported a vulnerability in Simplicity oF Upload, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16273/

-- [SA16260] PHPmyGallery "confdir" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-07-29

Securitysos Inc. has reported a vulnerability in PHPmyGallery, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16260/

-- [SA16323] nCipher CHIL Random Cache Inheritance Security Issue
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-08-03

A security issue has been reported in nCipher CHIL (Cryptographic Hardware Interface Library), which may result in a program generating the same random bytes in all child processes for a certain period of time.

Full Advisory: http://secunia.com/advisories/16323/

-- [SA16318] Metasploit Framework "defanged" Mode Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-08-03

Dino Dai Zovi has reported a vulnerability in Metasploit Framework, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/16318/

-- [SA16312] PHPFreeNews Unspecified Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-08-02

Some unspecified vulnerabilities with unknown impacts have been reported in PHPFreeNews.

Full Advisory: http://secunia.com/advisories/16312/

-- [SA16300] FlexPHPNews Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of system information, DoS
Released: 2005-08-02

rgod has reported some vulnerabilities in FlexPHPNews, which can be exploited by malicious people to cause a DoS (Denial of Service), or conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16300/

-- [SA16287] Ragnarok Online Control Panel Authentication Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-08-01

VaLiuS has reported a vulnerability in Ragnarok Online Control Panel, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/16287/

-- [SA16286] Kayako LiveResponse Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information
Released: 2005-08-01

James Bercegay has reported some vulnerabilities in Kayako LiveResponse, which can be exploited by malicious people to conduct cross-site scripting, script insertion, and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/16286/

-- [SA16262] Naxtor Shopping Cart Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-08-03

John Cobb has reported some vulnerabilities in Naxtor Shopping Cart, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/16262/

-- [SA16316] BrightStor ARCserve Backup Agents Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-08-03

A vulnerability has been reported in BrightStor ARCserve Backup, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16316/

-- [SA16267] Novell eDirectory NMAS Password Challenge Bypass
Critical: Moderately critical
Where: From local network
Impact: Security Bypass
Released: 2005-07-29

A security issue has been reported in Novell eDirectory, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/16267/

-- [SA16311] AderSoftware CFBB "page" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-08-02

rUnViRuS has reported a vulnerability in AderSoftware CFBB, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/16311/

-- [SA16292] ChurchInfo SQL Injection Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Manipulation of data, Exposure of system information
Released: 2005-08-02

thegreatone2176 has discovered some vulnerabilities in ChurchInfo, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/16292/

-- [SA16270] UNG "name" and "email" Mail Header Injection
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2005-07-29

A vulnerability has been reported in UNG, which can be exploited by malicious people to inject arbitrary mail headers.

Full Advisory: http://secunia.com/advisories/16270/

-- [SA16263] Website Baker Cross-Site Scripting and File Upload Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, System access
Released: 2005-07-29

thegreatone2176 has discovered some vulnerabilities in Website Baker, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/16263/

-- [SA16274] phplist "id" SQL Injection Vulnerability
Critical: Not critical
Where: From remote
Impact: Manipulation of data
Released: 2005-07-29

thegreatone2176 has discovered a vulnerability in phplist, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16274/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Thu Aug 4 06:01:04 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 4 06:11:01 2005
Subject: [ISN] CU seeking help to evaluate hacked system
Message-ID:

http://www.denverpost.com/news/ci_2909173

By Jennifer Brown and John Ingold
Denver Post Staff Writers
08/03/2005

The University of Colorado will hire a computer-security company to audit its technology safeguards after hackers broke into the system three times in two weeks, officials said Tuesday.

CU also plans to put firewalls on some of its 26,000 computers that are now accessible to the public, said Bobby Schnabel, vice provost for technology.

A hacker last week broke into files containing Social Security numbers, names and photographs of 29,000 students, some former students and up to 7,000 staffers. The files related to CU's Buff OneCards, which students use for after-hours access to some campus buildings and to buy meals and snacks.

The university isn't sure what the hacker wanted and may never know whether Social Security numbers were stolen.

CU did not notify the public of the security breach until Monday because it took a forensics team working through the weekend to confirm that an intruder had cracked the system.

"If your house gets robbed, you can pretty much figure out what's gone and what's not," Schnabel said. "On a computer, you can't tell."
A team from Boulder-based Applied Trust Engineering, which has been scanning CU files since computer breaches were discovered July 14, noticed some suspicious files July 27, said Larry Drees, Buff OneCard program director.

The team created an image of the hard drive that was hacked, and the server was disconnected from the network. Computer scientists continue to analyze the image of the hard drive to see what the hacker might have retrieved.

That information could help determine whether the hacker wanted to use the system to store pirated materials, such as movies or pornography, or if the hacker wanted access to sensitive information, said Dan Jones, information-security coordinator.

The worst-case scenario is that someone could use the Social Security numbers to get credit cards they never pay off or open bank accounts.

"The bad credit report is on you and not on them," Schnabel said.

It's also possible, though unlikely, the hacker could use the information to make fake Buff OneCards, Drees said. Just in case, CU began replacing Buff OneCards on Tuesday and plans to replace them all within 30 to 40 days, Drees said.

Just knowing the card number won't result in much access because a card swipe is required to get inside buildings and to make purchases, he said. Students are able, however, to make deposits on their Buff OneCards online and access the library online with just their number.

CU took Social Security numbers off all Buff OneCards last spring, replacing them with a student-ID number. The file that was hacked was used in the transition and listed people's ID numbers and Social Security numbers, Schnabel said.

CU technology officials decided Monday they would look for a private company to audit their system, focusing on 10 to 20 servers with the most sensitive information, Schnabel said. CU has about 6,000 servers.

The university also will investigate which of its 26,000 computers that have public access truly need it, he said.
Public access to some machines is necessary so people can register for classes online, for example.

The rise in identity theft is forcing universities to act more like corporations that must protect their networks, Schnabel said.

Across the country, security breaches at universities have become almost commonplace. There have been at least 85 major computer-security breaches in the country this year, said Jay Foley of the Identity Theft Resource Center in San Diego. About half of those have been at universities, he said.

Hackers have spared no college, from the small, such as Jackson Community College in Michigan, to the large, such as the University of California at Berkeley. In a two-week span from late May to early June, hackers struck computers on at least five university campuses.

"It's an inviting target because the main data they collect is about all who attend and all who work there," Foley said. "They become a rich target environment for identity thieves."

Many schools, including CU and the University of Denver, have switched from Social Security numbers to other unique ID numbers.

DU built a card-secure building last year to house and protect servers that hold sensitive information, spokesman Warren Smith said. The university also has "physically secured" computers that hold personal student information, said Smith, who declined to go into many specifics.

DU also has hired an outside company to regularly test the university's network security.

"They try to break in and notify us of any problems," Smith said.

Foley said universities struggle to protect their systems, in part because they use in-house staffers rather than outside experts such as corporations. But it's also because university computer networks are typically open environments that promote the sharing of information.

He suggests universities start keeping sensitive student information in as few places as possible and secure those computers tightly.
CU discovered security breaches July 14 at the Wardenburg Health Center and the College of Architecture. A breach last year in the continuing-education department was the first for the university.

-=-

Staff writer Jennifer Brown can be reached at 303-820-1593 or jenbrown at denverpost.com.

From isn at c4i.org Thu Aug 4 06:01:19 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 4 06:11:19 2005
Subject: [ISN] 'Car Whisperer' Puts Hackers in the Driver's Seat
Message-ID:

http://www.pcworld.com/news/article/0,aid,122077,00.asp

Robert McMillan
IDG News Service
August 03, 2005

If you happen to hear a disembodied computer voice tell you to "drive carefully" next time you're behind the wheel, you've probably met the Car Whisperer.

Released late last week at the What the Hack computer security conference in Liempde, Netherlands, Car Whisperer is software that tricks the hands-free Bluetooth systems installed in some cars into connecting with a Linux computer.

Car Whisperer was developed by a group of European wireless security experts, called the Trifinite Group, as a way of illustrating the shortcomings of some Bluetooth systems, said Martin Herfurt, an independent security consultant based in Salzburg, Austria, and a founder of Trifinite.

Simple Security?

The software takes advantage of the fact that many of these hands-free systems require only a very simple four-digit security key--often a number such as 1234 or 0000--in order to grant a device access to the system. Many car manufacturers use the same code for all their Bluetooth systems, making it easy for Car Whisperer to send and receive audio from the car.

Using a special directional antenna that allowed him to extend the normally short range of his Bluetooth connections to about a mile, Herfurt was able to listen and send audio to about 10 cars over a one-hour period recently.

"I could hear voices from cars passing by," he said.
"If I had been following the car, I would have been able to eavesdrop for a longer time."

Blame the Manufacturers

Though some Bluetooth users may be shocked to learn that everything they say during their next car ride could be overheard, blame for the problem lies squarely with the Bluetooth system manufacturers, not with Bluetooth itself, Herfurt said.

"Manufacturers are doing something wrong with this. Bluetooth is a very good thing, once everything is correct."

The solution is for makers of the Bluetooth in-car systems to stop using only one security key for all their units, but that would probably cost them money, he said.

What's the Harm?

Trifinite is currently studying whether unauthorized Bluetooth intruders could do anything more serious than listen in or offer driving tips.

Herfurt said it's not possible for an attacker to do something really serious such as disabling airbags or brakes, but he believes there may be other implications to his group's hack. It's possible, for example, that an attacker could access a telephone address book once he has connected with the Bluetooth system, but Trifinite will have to conduct more research before it can say for sure whether this could happen, he said.

The best way to avoid being "Car Whispered" is to simply connect the in-car system to a Bluetooth phone, because only one such device can be connected at a time, Herfurt said.

The Car Whisperer software, which includes an audio clip that says, "Hello there. This is the Trifinite Car Whisperer. Drive carefully," can be found at Trifinite's Web site.
From isn at c4i.org Thu Aug 4 06:01:35 2005 From: isn at c4i.org (InfoSec News) Date: Thu Aug 4 06:11:52 2005 Subject: [ISN] DNS servers -- an Internet Achilles' heel Message-ID: http://news.com.com/DNS+servers--an+Internet+Achilles+heel/2100-7349_3-5816061.html By Joris Evers Staff Writer, CNET News.com August 3, 2005 Hundreds of thousands of Internet servers are at risk of an attack that would redirect unknowing Web surfers from legitimate sites to malicious ones. In a scan of 2.5 million so-called Domain Name System machines, which act as the White Pages of the Internet, security researcher Dan Kaminsky found that about 230,000 are potentially vulnerable to a threat known as DNS cache poisoning. "That is almost 10 percent of the scanned DNS servers," Kaminsky said in a presentation last week at the Black Hat security event in Las Vegas. "If you are not auditing your DNS servers, please start," he said. The motivation for a potential attack is money, according to the SANS Internet Storm Center, which tracks network threats. Attackers typically get paid for each spyware or adware program they manage to get installed on a person's PC. Information lifted from victims, such as social security numbers and credit card data, can also be sold. Additionally, malicious software could be installed on a PC to hijack it and use it to relay spam. The DNS servers in question are run by companies and Internet service providers to translate text-based Internet addresses into numeric IP addresses. The cache on each machine is used as a local store of data for Web addresses. In a DNS cache poisoning attack, miscreants replace the numeric addresses of popular Web sites stored on the machine with the addresses of malicious sites. The scheme redirects people to the bogus sites, where they may be asked for sensitive information or have harmful software installed on their PC. The technique can also be used to redirect e-mail, experts said. 
As each DNS server can be in use by thousands of different computers looking up Internet addresses, the problem could affect millions of Web users, exposing them to a higher risk of phishing attack, identity theft and other cyberthreats. The poisoned caches act like "forged street signs that you put up to get people to go in the wrong direction," said DNS inventor Paul Mockapetris, chairman and chief scientist at secure DNS provider Nominum. "There have been other vulnerabilities (in DNS) over the years, but this is the one that is out there now and one for which there is no fix. You should upgrade." There are about 9 million DNS servers on the Internet, Kaminsky said. Using a high-bandwidth connection provided by Prolexic Technologies, he examined 2.5 million. Of those, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned. The vulnerable servers run the popular Berkeley Internet Name Domain software in an insecure way and should be upgraded, Kaminsky said. The systems run BIND 4 or BIND 8 and are configured to use forwarders for DNS requests--something the distributor of the software specifically warns against. BIND is distributed free by the Internet Software Consortium. In an alert on its Web site, the ISC says that there "is a current, wide-scale...DNS cache corruption attack." All name servers used as forwarders should be upgraded to BIND 9, the group said. DNS cache poisoning is not new. In March, the attack method was used to redirect people who wanted to visit popular Web sites such as CNN.com and MSN.com to malicious sites that installed spyware, according to SANS. "If my ISP was running BIND 8 in a forwarder configuration, I would claim that they were not protecting me the way they should be," Mockapetris said. "Running that configuration would be Internet malpractice." 
The new threat--pharming Kaminsky scanned the DNS servers in mid-July and has not yet identified which particular organizations have the potentially vulnerable DNS installations. However, he plans to start sending e-mails to the administrators of those systems, he said in an interview. "I have a couple hundred thousand e-mails to send," he said. "This is the not-fun part of security. But we can't limit ourselves to the fun stuff. We have to protect our infrastructure." The use of DNS cache poisoning to steal personal information from people by sending them to spoofed sites is a relatively new threat. Some security companies have called this technique pharming. Poisoning DNS cache isn't hard, said Petur Petursson, CEO of Icelandic DNS consultancy and software company Men & Mice. "It is very well doable, and it has been done recently," he said. Awareness around DNS issues in general has grown in the past couple of years, Petursson said. Four years ago, Microsoft suffered a large Web site outage as a result of poor DNS configuration. The incident cast a spotlight on the Domain Name System as a potential problem. "It is surprising that you still find tens of thousands or hundreds of thousands vulnerable servers out there," Petursson said. Kaminsky's research should be a wake-up call for anyone managing a DNS server, particularly broadband Internet providers, Mockapetris said. Kaminsky said he doesn't intend to use his research to target vulnerable organizations. However, other, less well-intentioned people could run scans of their own and find attack targets, he cautioned. "This technology is known to a certain set of the hacker community, and I suspect that knowledge will only get more widespread," Mockapetris said. 
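The mechanism the article describes (a resolver storing an attacker-supplied address for a popular site in its cache) comes down to which records a resolver is willing to believe from a given answer. The following is an added example, not code from the article, from BIND or from Kaminsky's scanner: a toy resolver cache that models the classic poisoning path, where a response to a query for an attacker-controlled name carries an extra, unrelated record in its additional section. A cache that accepts any record it is handed stores the bogus address; a cache that applies a "bailiwick" check (only keep records at or below the zone the queried server is authoritative for) rejects it. All names, addresses and the response layout are constructed for the illustration; the real attack against BIND 4/8 forwarders involved more moving parts than this model shows.

```python
"""
Toy recursive-resolver cache: why out-of-bailiwick records poison a
cache and how a bailiwick check blocks the same response.

Added example, not from the article or any BIND release.  Names use
the reserved .example TLD and RFC 5737 documentation addresses; the
response below is constructed, not captured from the wire.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    name: str   # owner name as an FQDN with trailing dot, e.g. "www.bank.example."
    rtype: str  # "A" or "NS"
    rdata: str  # address for A, nameserver name for NS
    ttl: int = 300


@dataclass
class Response:
    qname: str
    answer: List[RR]
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is strictly below it.

    Both arguments are FQDNs with a trailing dot, so the "." prefix in
    the endswith() test prevents "notattacker.example." from matching
    "attacker.example.".
    """
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


class Cache:
    """Minimal cache keyed on (owner name, type).  TTL handling is omitted."""

    def __init__(self, enforce_bailiwick: bool) -> None:
        self.enforce_bailiwick = enforce_bailiwick
        self.store: Dict[Tuple[str, str], str] = {}

    def accept(self, resp: Response, server_zone: str) -> List[RR]:
        """Ingest a response from a server authoritative for server_zone.

        Every record in all three sections is considered.  With the check
        on, records whose owner name lies outside server_zone are dropped
        and returned to the caller; with it off, everything is cached.
        """
        rejected: List[RR] = []
        for rr in resp.answer + resp.authority + resp.additional:
            if self.enforce_bailiwick and not in_bailiwick(rr.name, server_zone):
                rejected.append(rr)
                continue
            self.store[(rr.name.lower(), rr.rtype)] = rr.rdata
        return rejected

    def lookup(self, name: str, rtype: str = "A") -> Optional[str]:
        return self.store.get((name.lower(), rtype))


def poison_scenario(enforce_bailiwick: bool) -> Cache:
    """Victim resolver looks up a name the attacker controls (e.g. an
    image URL in a spam message).  The attacker's authoritative server
    answers honestly for its own name but smuggles an A record for a
    bank's web server into the additional section.  Returns the cache
    so the caller can inspect what the resolver now believes."""
    attacker_zone = "attacker.example."
    resp = Response(
        qname="www.attacker.example.",
        answer=[RR("www.attacker.example.", "A", "203.0.113.5")],
        authority=[RR("attacker.example.", "NS", "ns1.attacker.example.")],
        additional=[
            RR("ns1.attacker.example.", "A", "203.0.113.5"),      # legitimate glue
            RR("www.bank.example.", "A", "203.0.113.66"),        # the poison
        ],
    )
    cache = Cache(enforce_bailiwick)
    cache.accept(resp, attacker_zone)
    return cache


if __name__ == "__main__":
    for strict in (False, True):
        c = poison_scenario(strict)
        print(f"bailiwick check {'on ' if strict else 'off'}: "
              f"www.bank.example. -> {c.lookup('www.bank.example.')}")
```

Every subsequent client that asks the permissive resolver for www.bank.example. is handed 203.0.113.66 until the record expires, which is the "forged street sign" effect described above; the strict resolver never learned anything about bank.example. from a server that has no business answering for it and will go and resolve that name properly when asked.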
From isn at c4i.org Fri Aug 5 01:05:08 2005 From: isn at c4i.org (InfoSec News) Date: Fri Aug 5 01:15:31 2005 Subject: [ISN] One in ten law firms suffered security breaches Message-ID: http://www.theinquirer.net/?article=25159 By INQUIRER staff 04 August 2005 ACCORDING TO AN NOP World survey, 50% of law firms in the UK are missing basic security measures and just under half have no budget dedicated to digital security, despite the recently increasing IT security threats. 100 UK law firms were included in the NOP World survey commissioned by security specialists Evolution Security Systems. According to the survey, one in ten firms had suffered digital security breaches over the past year - showing absolutely no sign of improvement with exactly the same odds the year before. Over half of the firms believe that digital threats are increasing, yet have failed to take appropriate prevention steps. The survey found that even though there is a one in ten chance of a UK law firm suffering from digital security breaches, over half of those surveyed still asked co-workers to check their e-mails, while one quarter have never changed their e-mail passwords. Perhaps more worryingly, four out of ten firms that were questioned had absolutely no idea what to do in case of a serious IT malfunction, having no disaster recovery plans, or even having thought of such things. Ritchie Jeune, chief executive of Evolution Security Systems said that it's clear UK firms understand the kind of damage malicious IT breaches or criminal activity can do to them, but are still failing to take essential security measures which could protect against the problems. "This is particularly worrying," he said, "since most law firms, driven by Lexel and other accreditations, will clearly be required to have security and disaster recovery documents policies in place over time." 
Firms are really going to have to tighten up their security if they want to survive, Jeune reckons: "Client information and company reputation are in jeopardy unless security is tightened and basic security software implemented." From isn at c4i.org Fri Aug 5 01:05:22 2005 From: isn at c4i.org (InfoSec News) Date: Fri Aug 5 01:16:15 2005 Subject: [ISN] Big Blue security report highlights 'spear phishing' threat Message-ID: http://www.itbusiness.ca/index.asp?theaction=61&sid=59627 By Neil Sutton 8/3/2005 A report published this week from IBM Corp. suggests that phishing schemes are growing in sophistication, allowing would-be Internet criminals to target their victims by name. A targeted or "spear phishing" attack is designed to extract data from a specific individual or organization, maximizing damage caused and financial gain. IBM estimates that these types of attacks have grown ten-fold this year alone. According to the company, they can be used for identity theft, extortion, fraud and to steal specific intellectual property. "We're seeing it as a targeted security threat within financial institutions as well as government regulatory bodies," said Michael Small, security practice leader for IBM Canada. "It's very targeted with a specific purpose to ensure that they try to get access to privileged information for, usually, profit. Its concerns are linked to cyberterrorism as well as obviously organized crime." Until now, the most common form of phishing attacks were those that attempt to disguise themselves as e-mail from banks or common consumer Internet services like eBay or its payment arm PayPal. They aren't addressed to a specific person but are sent out as widely as possible in an attempt to snare a few unfortunates who are willing to part with bank account information or their eBay identities.
Mary Kirwan, CEO of Toronto-based security firm Headfry Inc., said that these types of attacks may be on the decline but agreed with IBM that spear phishing is a growing concern. "These are higher payoff crimes, so it's in their interest to follow the money, essentially," she said. "There's no real consensus among the global banks as to how to deal with that right now. Some of the banks are acknowledging that you don't have to be a dummy to fall for these scams." This isn't the first time banks have been identified as a lucrative target. In 2003, Symantec Corp. noted that a virus called Win32.Bugbear.B was sent by like-minded criminals to financial institutions such as J.P. Morgan Chase, Citibank and American Express. Security experts believed that Bugbear was designed to scan an inbox for any indication that it belonged to a bank employee. Recovery from targeted attacks and malware in general costs a Canadian organization an average of $30,000 to $40,000, said Small. He added that IBM is sharing its research with customers, partners and vendors to help them prevent such attacks. Nuisance e-mail like spam appears to be leveling off, according to the IBM report. In January of this year, spam accounted for 83 per cent of global e-mail. That number had fallen to 67 per cent by June. There are new problems on the horizon, however. In March, a new threat called Domain Name System (DNS) cache poisoning was discovered. Cache poisoning can hijack a user's browser and direct them towards a specific site or advertisement by corrupting a DNS server's ability to map machine host names to a correct IP address. Variations of these types of attacks have been around for years, but cache poisoning is becoming more sophisticated and a DNS server that isn't configured properly is particularly susceptible. From isn at c4i.org Fri Aug 5 01:05:39 2005 From: isn at c4i.org (InfoSec News) Date: Fri Aug 5 01:16:49 2005 Subject: [ISN] Security researchers problematic bunch?
Message-ID: http://www.zdnet.com.au/insight/security/soa/Security_researchers_problematic_bunch_/0,39023764,39204741,00.htm By Mary Ann Davidson Special to ZDNet 05 August 2005 There's a myth about security researchers that goes like this: Vendors are made up of indifferent slugs who wouldn't fix security vulnerabilities quickly -- if at all -- if it weren't for noble security researchers using the threat of public disclosure to force them to act. The reality is that most vendors are trying to do better in vulnerability handling. Most don't need threats to do so, and some researchers have become the problem. In so stating, I thank those researchers who are genuinely motivated by the public good, most of whom never get the headlines of their more notorious brethren. I also acknowledge that the vendor community needs to improve the quality of commercial software so we have far fewer vulnerabilities. Here's a rundown of some of the notions that play into this myth about how security researchers interact with software makers. 1. You should be able to fix this in two days Some researchers think they can push vendors to work faster by threatening to "tell all," and that if vendors really tried, they could meet the researchers' arbitrary 5-day, 15-day or 30-day "fix window." In reality, many of the best researchers aren't the ones you hear a lot about, because discretion is their stock in trade. In reality, when a researcher reports a vulnerability, the fix might be a two-line code change and take 20 minutes to do. However, getting the fix in customers' hands often takes weeks. Remediation may require the vendor to analyse whether the bug is specific to a particular version/platform or all versions/all platforms or analyse whether related code has a similar problem (to fix the problem everywhere). 
Vendors may also need to provide fixes on multiple versions/platforms or bundle multiple security fixes together to minimise patching costs to customers, not to mention various testing on the products shipped to ensure the fix does not break anything else. As an example, Oracle has done 78 fixes for a single vulnerability, which took more than five days to complete. We also release bundled fixes quarterly on dates tied to financial reporting calendars (e.g., many customers will not touch their production systems during quarter-end). A two-line code change can take five minutes, but getting a fix into customers' hands in such a way that they will apply it takes way more than a few minutes. 2. The more notorious I am, the more business I will get Many researchers think that the more vulnerabilities they disclose publicly, the more vendors will hire them as consultants. Some engage in explicit threats ("Pay me $X or I sell this to iDefense") or implicit threats ("Fix it in the next three weeks because I am giving a paper at Black Hat"). Not all researchers are noble-minded, and not all vendors are indifferent slugs. In reality, many of the best researchers aren't the ones you hear a lot about, because discretion is their stock in trade. They are often far better than the "look what I did" researchers who run to the press with their latest vulnerability pronouncements. The circumspect researchers are the only ones we hire and the only ones we recommend to our customers. Also, notoriety can backfire: I've known customers to terminate contracts with researchers for releasing exploit code. Researchers, you might get applause from hackers when you show off at Black Hat, but businesses will not pay you to slit their throats. With knowledge comes responsibility. 3. I should always get credit for vulnerabilities I find Most vendors credit researchers who report vulnerabilities so that researchers will continue to work with them. 
Also, saying "Thank you for working with us" is just good manners. The myth is that researchers are always entitled to credit. In reality, when a researcher puts customers at risk by releasing exploit code for a vulnerability before the vendor has had a chance to fix it, it's ridiculous to expect the vendor to say, "Thank you for putting our customers at risk." I've never had a customer ask us for exploit code or exploit details, though they do want enough information to do a risk assessment. In some cases, vendors may actually be giving more credit than the researcher deserves. For example, Oracle finds more than 75 percent of significant security vulnerabilities in-house. Yet if a researcher finds an issue that we already found internally but may not have completed the fixes for, we typically still give that person credit, anyway. The reality is that not all researchers are noble-minded, and not all vendors are indifferent slugs. The other reality is that the highest purpose of everybody in this game should be protecting customers who use these products from harm. -=- biography Mary Ann Davidson is the chief security officer at Oracle, responsible for security evaluations, assessments and incident handling. From isn at c4i.org Fri Aug 5 01:05:52 2005 From: isn at c4i.org (InfoSec News) Date: Fri Aug 5 01:17:28 2005 Subject: [ISN] Microsoft to release six patches, some 'critical,' next week Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,103683,00.html By Elizabeth Montalbano AUGUST 04, 2005 IDG NEWS SERVICE Microsoft Corp. will release six software patches next Tuesday covering flaws in its Windows operating system, along with an updated version of its Microsoft Windows Malicious Software Removal Tool and a nonsecurity update for Windows, Microsoft announced today. The patches, which Microsoft calls "updates," are part of the company's regular monthly patch release cycle. 
Microsoft releases most software patches on the second Tuesday of each month, a date that has come to be known as "Patch Tuesday" by security professionals. The company didn't release any details on the specific nature of the patches, except to say that some of them will be rated "critical," meaning that flaws could allow malicious code to be installed on an affected computer without user action. The updates will require a restart on the patched computer and are detectable using the Microsoft Baseline Security Analyzer, Microsoft said. The company also noted that while the software removal tool update will be available on Windows Update, Microsoft Update, Windows Server Update and Download Center, it will not be distributed using Software Update Services. Last month, Microsoft released three patches on Patch Tuesday. From isn at c4i.org Fri Aug 5 01:04:52 2005 From: isn at c4i.org (InfoSec News) Date: Fri Aug 5 01:19:03 2005 Subject: [ISN] Annual hacking game teaches security lessons Message-ID: http://online.securityfocus.com/news/11269 Robert Lemos SecurityFocus 2005-08-04 LAS VEGAS -- The weekend-long Capture the Flag tournament stressed code auditing as a measure of hacking skill this year, a move that emphasized more real-world skills, but not without controversy. The annual Capture the Flag tournament at DEF CON has always attracted participants from a variety of backgrounds, looking to try their hands at online attack and defense. Under a new set of organizers this year, the game pitted teams and individuals against each other to find and exploit vulnerabilities in their opponents' systems to score points. The game, dubbed "WarGamez" this year, put more emphasis on real-world skills compared to previous years, said Giovanni Vigna, associate professor of computer science at the University of California at Santa Barbara and the leader of team Shellphish, which won the event.
"The game required skills that are also required by both security researchers and hackers, such as ability to analyze attack vectors, understanding and automating attacks, finding new, unpredictable ways to exploit things," Vigna said. "It's about analyzing the security posture of a system that is given to you and about which you initially know nothing." The latest incarnation of the game--run by a group of security professionals who asked to only be identified by their group name, Kenshoto--attracted students, military computer experts, security professionals and hobbyist hackers. For the teams, the controversy surrounding security researcher Michael Lynn's outing of a high-profile vulnerability in Cisco Systems' routers, mattered little. Finding vulnerabilities in each other's servers became the focus of their world. In previous years, the game allowed each side to run their own server, and required that certain services be available. This year, the organizers ran a central server on which each team's virtual server ran. The move was not without controversy, however, as it removed from the contest any teams that concentrated on defending their systems by using a specialized operating system, said Crispin Cowan, director of software engineering for Novell's Linux division, SUSE. "Prior games involved both attackers and defenders working on the problem, but because Kenshoto took total control of the reference servers to be defended, there is very little defense that can be deployed," Cowan said. "Their scoring system also made defense essentially worthless other than to deny other teams points." Cowan competed for several years as the leader of a team fielded by secure Linux operating system vendor Immunix, which was bought by Novell in May. Porting services over to its security-enhanced operating system became a signature strategy of the team. 
The Capture the Flag game is supposed to measure security researchers' and hackers' abilities to attack and defend systems, said one of the organizers, not necessarily to be a test of products. "We did intentionally de-emphasize defense, because it is a hacking competition, after all," said the organizer. By agreement, the group that ran the game adopted the name Kenshoto and would only speak anonymously. "However, defensive skills were tested." Some teams had success deploying Tripwire, a data-integrity checker that can find changed files, and monitoring traffic with an intrusion detection system, he said. A knowledgeable defender could also lock down the systems, further hardening them. Moreover, the amount of uptime for each service directly affected the score, so defending the applications that ran the services became a key strategy, the organizers said. In the end, however, the game focused on finding and exploiting vulnerabilities. "What it takes to be an elite hacker is to find vulnerabilities in custom software," said the Kenshoto member. "It is not code auditing per se. They have to reverse engineer, and we have made it difficult to reverse engineer." The Kenshoto group ran all the teams' virtual servers on a single machine using a technique known as "jailing," which limits each team or individual to separate directories on the master system. The computer ran the FreeBSD operating system and utilities and services were written in Python, Java and C. The group also ran an in-game auction site known as eDay. Each team's authentication token, or totem, was placed on the bottom of a can of Tab, which the team was expected to guard. While a few individuals and teams used the eDay auction site, most of the deals for items were done behind the scene, according to one member of Kenshoto. One team's can of Tab, which held the team's secret code on the bottom, went for 101 beers, the organizer said.
The teams each sought to score points by keeping services running, stealing or overwriting digital tokens on each server, and producing advisories with working exploit code. Rooting the main Kenshoto mainframe would earn massive points, according to the rules, but a failed attempt would penalize the team "back into the stone age." Auditing did play a big role in the game's strategy, said the Kenshoto organizers, because finding flaws is a major factor in attack and defense in the real online world. "The auditing people did as part of the game was similar to the job of anyone trying to find risks in third party software, be it a black hat or someone trying to determine whether third-party software is safe to integrate with an existing system," said one organizer. Notable differences, however, include the time pressure, the fact that participants not only had to find a vulnerability but exploit the flaw, and that the teams did not have access to any source code. The winning strategy balanced finding flaws with hardening the systems services, said Vigna of the winning team Shellphish. "On the defense side, we had people responsible for monitoring--both manually and using automated tools--incoming traffic and running processes to find out how we were attacked," he said. "We also had people that make sure that our services were up and running ... Finally, we had people who would choose a service and try to find exploitable vulnerabilities." In the end, however, Novell's Cowan remained unconvinced that focusing on finding flaws in arbitrary systems had much to do with real-world network security. "The Kenshoto game is not invalid, it just focuses specifically on code auditing to the exclusion of all else," Cowan said. "If Kenshoto's game of this year persists, then ... anyone else with any significant interest in defense (will not participate), and the game will be entirely dominated by code analysis players."
-=- Correction: The original article incorrectly identified the programming languages used to write the applications for the Capture the Flag game. The languages are Python, Java, and C. From isn at c4i.org Fri Aug 5 01:06:06 2005 From: isn at c4i.org (InfoSec News) Date: Fri Aug 5 01:19:26 2005 Subject: [ISN] Virus writer targets new Microsoft scripting tool Message-ID: http://news.com.com/Virus+writer+targets+new+Microsoft+scripting+tool/2100-7349_3-5819428.html By Joris Evers Staff Writer, CNET News.com August 4, 2005 Virus writers are targeting a new Microsoft tool that will be part of Windows and is set to ship as part of the next Exchange e-mail server release. A virus writer has published the first examples of malicious code that targets Microsoft's upcoming command-line shell, code-named Monad, according to Finnish antivirus maker F-Secure. If the technology is included in Windows Vista, these could be one of the first viruses to target the new operating system formerly known as Longhorn, F-Secure said Thursday. Monad, also known as MSH, is the replacement for the simple command shell in the current versions of Windows. A shell, also called a command line interface, allows a user to give a computer textual commands either from a keyboard or from a script. Monad has much more functionality and is modeled after the shells in competing products, such as Bash in Unix. However, by adding the ability to run more-complex scripts, Microsoft may also be opening another door to attackers. Monad will support Windows Server 2003, Windows XP and Windows Vista, Microsoft representatives said in a Web chat late last year. However, the software maker has not disclosed how it will deliver the tool. The examples that made it to the Web would cause little harm but could be modified, according to Mikko Hypponen, director of antivirus research at F-Secure.
Hypponen warned that if Microsoft ships Monad with Vista and it is enabled by default this could lead to an "outbreak of scripting viruses." Microsoft may choose to ship the tool as an add-on or disable it by default to reduce the risk, he added. Microsoft initially planned to include Monad in Vista, formerly known by its Longhorn code-name. However, company representatives have said the tool would first ship as a feature of Exchange 12, due in the second half of 2006. Monad will ship in Windows after that, they said. Monad is available to testers but is not part of the first Windows Vista beta, which Microsoft released last week, a company representative said Thursday. The shell tool also is not included in the beta of Windows Server 2003 R2, an update to Windows Server due later this year, the representative said. "At this time, these reports pose no risk for Microsoft customers," the Microsoft representative said. Microsoft has yet to announce how it will deliver Monad in the Windows operating system. A source familiar with Microsoft's plans said it is too early to say whether the new shell will make it into later beta versions of Windows Vista or the final product. Windows Vista is due on store shelves by the end of 2006. Microsoft could also offer Monad as a downloadable add-on for Windows. In the December chat, Microsoft representatives specifically addressed the topic of script attacks. The company is taking measures to prevent those. For example, Monad will run only scripts that are digitally signed by a trusted person. Additionally, it won't be possible to double click on a script and have it run, according to a transcript of the chat. The possibility of viruses being aimed at Microsoft's new shell was discussed at the Virus Bulletin event last year. Eric Chien of Symantec said at the antivirus industry event that the new tool could allow the creation of both classic viruses as well as e-mail worms.
Ingrid Marson of ZDNet UK contributed to this story. From isn at c4i.org Fri Aug 5 01:04:30 2005 From: isn at c4i.org (InfoSec News) Date: Fri Aug 5 01:19:58 2005 Subject: [ISN] Hackers Give Back Message-ID: http://www.lasvegasweekly.com/2005/08/04/awsi3.html By Patty Walsh Aug. 4 - Aug. 10 2005 The rain had somewhat subsided as Deviant, M and I pulled into the parking lot of Sushi Factory at 21:00 hours. Indeed, we were somewhat tardy for the events that were about to unfold inside a small, local restaurant - for we were attending SushiCon - one of the unofficial events of DefCon, the world's largest underground hackers convention. Had I not known better, I may have fallen into the dark abyss of stereotypes and sensationalism that is so prevalent from the mainstream media and society in general. After all, I was surrounded by roughly 20 hackers in an unassuming location, with an abundance of raw fish and miso soup. The stakes were high, and the consequences could have been brutal. They could have hacked into my soul, into my cell phone, into my .... Unagi and California rolls! Yet, there is always more lurking beneath the surface, and the reality of DefCon 13 and hackers in general would drive that point home as I embarked on a weekend of dynamic proportions that would expand my horizons and leave me with more than I ever thought possible. For 13 years, DefCon has served as a gathering of computer hackers worldwide for a weekend of exchanging ideas, socializing, intellectual debate, partying and ruthless debauchery. All of these elements combined at the Alexis Villas resort and a myriad of activities that accompany it (lock-picking contest, beer cooling contest, QueerCon and Spot the Fed, to name a few) leave much for the mind to ponder. At any given moment, something completely fascinating or absolutely ridiculous is occurring. 
There are different parties going on at the pools of the resort, and speakers giving talks on many topics, including how to hack into Google, gender differences in hacking, legal issues in computer security, a question-and-answer forum for "Meet the Fed," asymmetrical digital warfare, and cartography and hacking.

On Thursday, July 28, local hacker organization DC702 put on a fundraising event called the DC702 Summit at the Ice House in order to contribute to the Electronic Frontier Foundation, a nonprofit organization dedicated to protecting and defending the digital rights of the public. According to Robert Imhoff-Dursham, member of DC702 and organizer of the Summit, "For DC702, the Summit was a serious role in DefCon and the positive things that we can do for the computer security industry and for digital rights and freedoms ... We wanted to get all these great security minds together ... for people to learn more about what they do," he said. The result was $4,200 raised that evening at the Ice House, including $2,200 in online contributions, $1,000 from a security network organization known as the Shmoo Group, and the rest made at the door.

Another fundraising occasion at DefCon was called the Dunk Tank. Basically, individuals would sign up for the tank, and attendees could pay anywhere from $1 for a faraway shot to $25 to hit the button and "dunk the geek." Frank Sanborn, organizer for the Dunk Tank and fellow attendee since DefCon 2, said that the Tank accumulated about $5,500 for EFF. Sanborn, formerly affiliated with Microsoft, discussed technological advances in the developing countries he had traveled to, where some villages had no running water but had a satellite in the middle of the village. "The American westernized culture has expanded worldwide in ways that most people never even comprehend. As you start looking at what our digital freedoms mean here in the United States, you really need to look at it as what it means for the entire world," he said.

Although hackers generally receive a bad rap in more ways than one, The Hacker Foundation is an example of hackers acting in a positive manner and contributing to the community both nationally and internationally, working on a project called Hackers For Humanity (H4H). Nick Farr, treasurer of the Hacker Foundation, and Jim Schuyler, regional East Africa coordinator, have collaborated with others on H4H. The Hacker Foundation has done significant work on projects, including a neighborhood Boys and Girls Club in Chicago that barely had Internet access and was running dilapidated, obsolete software and hardware. The Hacker Foundation quickly went to work, and managed to succeed beyond its expectations, even setting up Wi-Fi Internet access outside for the kids. Also, if a parent and/or guardian missed a game due to work, he/she could log onto the Internet with a special password and watch the kids at the game live from their computer.

Recently, Schuyler has been on location in Uganda in a project called the Ugandan Computer Initiative (UCI). UCI is an umbrella organization of the Hacker Foundation, and Schuyler has spent time in Uganda with Internally Displaced Persons in villages, refugee camps and schools, teaching children and adults how to type, how to use Microsoft Excel, and how to use databases, among many other skills. "We are trying to promote positive advocacy and public awareness for the hacker community, and we are using every available independent way to get funding. It is a struggling, uphill battle," said Schuyler.
From isn at c4i.org Mon Aug 8 01:02:39 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 8 01:14:03 2005
Subject: [ISN] Linux Advisory Watch - August 5th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  August 5th, 2005                           Volume 6, Number 32a    |
+---------------------------------------------------------------------+

Editors:      Dave Wreski                    Benjamin D. Thomas
              dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for gaim, gopher, pdns, apt-cacher, ethereal, im-sdk, selinux-policy-targeted, gamin, pam, netpbm, mkinitrd, kde, arts, NetworkManager, libraw1394, ckermit, httpd, gphoto, coreutils, iiimf, yum, gimp, readahead, zlib, fetchmail, sandbox, pstotext, proftpd, nbsmtp, dump, and SquirrelMail. The distributors include Debian, Fedora, Gentoo, and Red Hat.

---

## Internet Productivity Suite: Open Source Security ##

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.

Click to find out more!
http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

Network Intrusion Prevention Systems - When They're Valuable, and When They're Not: Part II
By: Daniel Miessler

The true benefit of network IPS lies in what it can do for companies that can't keep their systems patched. This may sound negative, but it's almost as if the request for NIPS technology is analogous to the requestor admitting that they cannot stay on top of system administration.
For anyone willing to make this admission, however, the benefits of network IPS are quite significant. Consider a medium to large sized company where upper management doesn't see the need for additional (see enough) systems and/or security administrators. (This shouldn't require much imagination, by the way.) In an environment like this, vulnerabilities are likely to go unpatched for weeks, months, or even years - even in the Internet-facing areas. Many things can lead to machines not getting patched in these sorts of companies - developers claiming that the main bread-winning app will break if the patches are applied, administrator fear of being the cause of downtime, apathy, stupidity - take your pick.

The point is, a strategically-placed network IPS - say in front of the Internet-facing environment - can do something absolutely magical for a systems/security staff: it can buy them time. Consider a site passing a ton of traffic into their DMZ via multiple protocols to dozens or hundreds of machines, and let's say several of the applications being interfaced with have known vulnerabilities. If the person in charge knows that they lack the ability to patch all the vulnerable systems (inexcusable, I agree), then the NIPS system can effectively serve as a multi-patch gateway. If the NIPS product has a signature for 34 of the 42 exploits that could potentially root 180 machines, then putting a network IPS at the bottleneck becomes an alternative to 1. getting cracked, and 2. patching.

Make no mistake, though - patching is the better solution, but I recognize that there are sometimes circumstances that prevent good admins from doing their jobs. There are also situations where someone who knows the risks lacks the funding to bring admins aboard that can help them keep their systems in top shape. For either of these cases, network IPS seems like an acceptable evil.
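As an added illustration of the "multi-patch gateway" argument above (example code written for this page, not from the article or any IPS vendor), the script below takes a constructed inventory of DMZ hosts, their unpatched vulnerabilities and the network paths from which each service is reachable, plus a constructed IPS signature list, and reports which host/vulnerability pairs the inline sensor mitigates and which remain exposed, so the patching effort the article says is still necessary can be aimed at the uncovered ones first. Host names, VULN-xx identifiers and the signature list are all placeholders; the one caveat the code adds is that a signature buys nothing for a host that is also reachable by a path that does not cross the sensor.

```python
"""Residual-exposure check for a network IPS used as a 'multi-patch gateway'.

Constructed example: hosts, vulnerability ids (VULN-xx placeholders, not real
CVE numbers), network paths and the IPS signature list are all made up.
"""
from collections import defaultdict

# Constructed DMZ inventory: host -> (unpatched vulnerability ids,
# network paths from which the vulnerable service can be reached).
DMZ_HOSTS = {
    "web-01":  ({"VULN-01", "VULN-02", "VULN-05"}, {"internet"}),
    "web-02":  ({"VULN-01", "VULN-02"},            {"internet"}),
    "mail-01": ({"VULN-03", "VULN-04"},            {"internet", "corp-lan"}),
    "dns-01":  ({"VULN-06"},                       {"internet"}),
    "app-01":  ({"VULN-02", "VULN-05", "VULN-07"}, {"internet"}),
}

# Constructed NIPS signature set: vulnerability ids the inline sensor can block.
NIPS_SIGNATURES = {"VULN-01", "VULN-02", "VULN-03", "VULN-06"}

# The sensor sits at the Internet choke point only; traffic on any other
# path never crosses it, so a signature buys nothing for that path.
IPS_INLINE_PATHS = {"internet"}


def coverage_report(hosts, signatures, inline_paths=IPS_INLINE_PATHS):
    """Per host: which vulnerabilities the IPS mitigates and which stay exposed.

    A vulnerability counts as mitigated only if the IPS has a signature AND
    every path to the service goes through the IPS; a host that is also
    reachable around the sensor gets no credit for any signature.
    """
    report = {}
    for host, (vulns, paths) in hosts.items():
        behind_ips = paths <= inline_paths
        mitigated = (vulns & signatures) if behind_ips else set()
        report[host] = {
            "mitigated": mitigated,
            "exposed": vulns - mitigated,
            "bypasses_ips": not behind_ips,
        }
    return report


def patch_priority(report):
    """Uncovered vulnerabilities ranked by the number of hosts they leave open.

    These are the issues the IPS buys no time for, so they head the patch
    queue. Returns [(vuln_id, host_count), ...], largest count first.
    """
    counts = defaultdict(int)
    for entry in report.values():
        for vuln in entry["exposed"]:
            counts[vuln] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def summary(hosts, signatures, inline_paths=IPS_INLINE_PATHS):
    """Totals in the shape the article uses (N of M issues covered, hosts exposed)."""
    report = coverage_report(hosts, signatures, inline_paths)
    all_vulns = set().union(*(v for v, _ in hosts.values()))
    pairs = sum(len(v) for v, _ in hosts.values())
    mitigated_pairs = sum(len(e["mitigated"]) for e in report.values())
    return {
        "vuln_ids": len(all_vulns),
        "vuln_ids_with_signature": len(all_vulns & signatures),
        "host_vuln_pairs": pairs,
        "pairs_mitigated": mitigated_pairs,
        "pairs_exposed": pairs - mitigated_pairs,
        "hosts_still_exposed": sum(1 for e in report.values() if e["exposed"]),
    }


if __name__ == "__main__":
    rep = coverage_report(DMZ_HOSTS, NIPS_SIGNATURES)
    for host, e in sorted(rep.items()):
        flag = " (reachable around the IPS)" if e["bypasses_ips"] else ""
        print(f"{host:8} mitigated={sorted(e['mitigated'])} "
              f"exposed={sorted(e['exposed'])}{flag}")
    print("patch first:", patch_priority(rep))
    print("summary:", summary(DMZ_HOSTS, NIPS_SIGNATURES))
```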
Read Entire Article:
http://www.linuxsecurity.com/content/view/119888/49/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of Unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

* Debian: New gaim packages fix denial of service
  29th, July, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119944

* Debian: New gopher packages fix insecure temporary file creation
  29th, July, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119954

* Debian: New pdns packages fix denial of service
  1st, August, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119988

* Debian: New apt-cacher package fixes arbitrary command execution
  3rd, August, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120011

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

* Fedora Core 3 Update: ethereal-0.10.12-1.FC3.1
  28th, July, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119939

* Fedora Core 3 Update: im-sdk-12.1-10.FC3.1
  28th, July, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119940

* Fedora Core 4 Update: selinux-policy-targeted-1.25.3-6
  28th, July, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119941

* Fedora Core 3 Update: gamin-0.1.1-3.FC3
  29th, July, 2005
  This should fix the problem where monitoring desktop files works initially but sometimes fails after a while. This is a safe update from 0.1.1-1.FC3.
  http://www.linuxsecurity.com/content/view/119955

* Fedora Core 4 Update: gamin-0.1.1-3.FC4
  29th, July, 2005
  This should fix the problem where monitoring desktop files works initially but sometimes fails after a while. This is a safe update from 0.1.1-1.FC4.
  http://www.linuxsecurity.com/content/view/119956

* Fedora Core 4 Update: pam-0.79-9.4
  29th, July, 2005
  This update fixes a regression of pam_userdb against FC3 pam and links to the shared audit library, as audit-libs-devel is now fixed.
  http://www.linuxsecurity.com/content/view/119957

* Fedora Core 4 Update: netpbm-10.28-1.FC4.1
  29th, July, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119958

* Fedora Core 3 Update: netpbm-10.28-1.FC3.1
  29th, July, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119959

* Fedora Core 4 Update: ethereal-0.10.12-1.FC4.1
  29th, July, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119960

* Fedora Core 3 Update: mkinitrd-4.1.18.1-1
  29th, July, 2005
  This update should fix the issue a number of people saw after the recent kernel update where various modules would fail to load during boot, making systems unbootable. After updating this package, remove and reinstall the recent kernel update, and the initrd will be recreated correctly.
  http://www.linuxsecurity.com/content/view/119961

* Fedora Core 4 Update: kdeaddons-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119963

* Fedora Core 4 Update: kdesdk-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119964

* Fedora Core 4 Update: kdepim-3.4.2-0.fc4.2
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119965

* Fedora Core 4 Update: kdemultimedia-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119966

* Fedora Core 4 Update: kdelibs-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119967

* Fedora Core 4 Update: kdewebdev-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119968

* Fedora Core 4 Update: kdebase-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119969

* Fedora Core 4 Update: kdevelop-3.2.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119970

* Fedora Core 4 Update: kdeutils-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119971

* Fedora Core 4 Update: kdenetwork-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119972

* Fedora Core 4 Update: kde-i18n-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119973

* Fedora Core 4 Update: kdegraphics-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119974

* Fedora Core 4 Update: kdegames-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119975

* Fedora Core 4 Update: kdeedu-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119976

* Fedora Core 4 Update: kdebindings-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119977

* Fedora Core 4 Update: kdeartwork-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119978

* Fedora Core 4 Update: kdeadmin-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119979

* Fedora Core 4 Update: kdeaccessibility-3.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119980

* Fedora Core 4 Update: arts-1.4.2-0.fc4.1
  29th, July, 2005
  KDE 3.4.2 update
  http://www.linuxsecurity.com/content/view/119981

* Fedora Core 4 Update: NetworkManager-0.4-20.FC4.1
  29th, July, 2005
  Network Manager passes logging messages straight to syslog as the format string.
  http://www.linuxsecurity.com/content/view/119982

* Fedora Core 4 Update: libraw1394-1.2.0-1.fc4
  31st, July, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119986

* Fedora Core 4 Update: selinux-policy-targeted-1.25.3-9
  1st, August, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119994

* Fedora Core 4 Update: ckermit-8.0.211-2.FC4
  1st, August, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119995

* Fedora Core 4 Update: httpd-2.0.54-10.1
  2nd, August, 2005
  This update includes security fixes for CVE CAN-2005-2088 and CVE CAN-2005-1268, along with some minor bug fixes.
  http://www.linuxsecurity.com/content/view/120003

* Fedora Core 4 Update: kdegames-3.4.2-0.fc4.2
  2nd, August, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120004

* Fedora Core 3 Update: httpd-2.0.53-3.2
  2nd, August, 2005
  This update includes version 2.0.53 of the Apache HTTP server, and also adds security fixes for CVE CAN-2005-2088 and CVE CAN-2005-1268.
  http://www.linuxsecurity.com/content/view/120005

* Fedora Core 4 Update: gphoto2-2.1.6-1.1
  2nd, August, 2005
  Updated to new release.
  http://www.linuxsecurity.com/content/view/120006

* Fedora Core 4 Update: coreutils-5.2.1-48.1
  2nd, August, 2005
  This updated package fixes "who -r" and "who -b".
  http://www.linuxsecurity.com/content/view/120007

* Fedora Core 4 Update: iiimf-12.2-4.fc4.2
  2nd, August, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120008

* Fedora Core 3 Update: yum-2.2.2-0.fc3
  2nd, August, 2005
  This update fixes a few minor problems.
  http://www.linuxsecurity.com/content/view/120010

* Fedora Core 3 Update: ethereal-0.10.12-1.FC3.2
  3rd, August, 2005
  To reduce the risk of future vulnerabilities in Ethereal, the ethereal and tethereal programs in this update have been compiled as Position Independent Executables (PIE).
  http://www.linuxsecurity.com/content/view/120018

* Fedora Core 4 Update: ethereal-0.10.12-1.FC4.2
  3rd, August, 2005
  To reduce the risk of future vulnerabilities in Ethereal, the ethereal and tethereal programs in this update have been compiled as Position Independent Executables (PIE).
  http://www.linuxsecurity.com/content/view/120019

* Fedora Core 3 Update: gimp-2.2.8-0.fc3.2
  3rd, August, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120020

* Fedora Core 4 Update: gimp-2.2.8-0.fc4.2
  3rd, August, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120021

* Fedora Core 4 Update: readahead-1.1-1.16_FC4
  3rd, August, 2005
  This update should fix an inverted case where readahead would be triggered on boxes that have less than 384MB of memory, and would not occur if the box had more than 384MB of memory.
  http://www.linuxsecurity.com/content/view/120023

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

* Gentoo: Ethereal Multiple vulnerabilities
  28th, July, 2005
  Ethereal is vulnerable to numerous vulnerabilities potentially resulting in the execution of arbitrary code or abnormal termination.
  http://www.linuxsecurity.com/content/view/119934

* Gentoo: Shorewall Security policy bypass
  29th, July, 2005
  A vulnerability in Shorewall allows clients authenticated by MAC address filtering to bypass all other security rules.
  http://www.linuxsecurity.com/content/view/119945

* Gentoo: zlib Buffer overflow
  29th, July, 2005
  zlib is vulnerable to a buffer overflow which could potentially lead to execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/119946

* Gentoo: fetchmail Buffer Overflow
  29th, July, 2005
  fetchmail is susceptible to a buffer overflow resulting in a Denial of Service or arbitrary code execution.
  http://www.linuxsecurity.com/content/view/119947

* Gentoo: Kopete Vulnerability in included Gadu library
  29th, July, 2005
  Kopete is vulnerable to several input validation vulnerabilities which may lead to execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/119948

* Gentoo: Mozilla Suite Multiple vulnerabilities
  29th, July, 2005
  Several vulnerabilities in the Mozilla Suite allow attacks ranging from the execution of JavaScript code with elevated privileges to information leakage.
  http://www.linuxsecurity.com/content/view/119949

* Gentoo: Clam AntiVirus Integer overflows
  29th, July, 2005
  Clam AntiVirus is vulnerable to integer overflows when handling several file formats, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/119950

* Gentoo: sandbox Insecure temporary file handling
  29th, July, 2005
  The sandbox utility may create temporary files in an insecure manner.
  http://www.linuxsecurity.com/content/view/119951

* Gentoo: AMD64 x86 emulation base libraries Buffer overflow
  30th, July, 2005
  The x86 emulation base libraries for AMD64 contain a vulnerable version of zlib which could potentially lead to execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/119983

* Gentoo: pstotext Remote execution of arbitrary code
  31st, July, 2005
  pstotext contains a vulnerability which can potentially result in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/119984

* Gentoo: Compress::Zlib Buffer overflow
  1st, August, 2005
  Compress::Zlib is vulnerable to a buffer overflow which could potentially lead to execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/119987

* Gentoo: ProFTPD Format string vulnerabilities
  1st, August, 2005
  Under specific circumstances, ProFTPD is vulnerable to format string vulnerabilities, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/119996

* Gentoo: ProFTPD Format string vulnerabilities
  1st, August, 2005
  Under specific circumstances, ProFTPD is vulnerable to format string vulnerabilities, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/119997

* Gentoo: nbSMTP Format string vulnerability
  2nd, August, 2005
  nbSMTP is vulnerable to a format string vulnerability which may result in remote execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120002

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

* RedHat: Low: dump security update
  3rd, August, 2005
  Updated dump packages that address two security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120016

* RedHat: Moderate: SquirrelMail security update
  3rd, August, 2005
  An updated squirrelmail package that fixes two security issues is now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120017

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Aug 8 01:03:57 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 8 01:14:16 2005
Subject: [ISN] Re: When security researchers become the problem
Message-ID:

Forwarded from: security curmudgeon

:
:
: When security researchers become the problem
: July 27, 2005, 12:03 PM PT
: By Mary Ann Davidson
:
: There's a myth about security researchers that goes like this: Vendors
: are made up of indifferent slugs who wouldn't fix security
: vulnerabilities quickly--if at all--if it weren't for noble security
: researchers using the threat of public disclosure to force them to act.

A myth born out of a lot of (perceived) truth. Trying to broadly paint this as a myth is a disservice to all the security researchers out there.

: The reality is that most vendors are trying to do better in
: vulnerability handling.
: Most don't need threats to do so, and some
: researchers have become the problem.

Most implies 'more than half' to me. That was not the case back when I was a POC between a security company and vendors on newfound vulnerabilities. Sun, HP, and IBM were atrocious at the time, only responded to threats, were slugs, and wouldn't fix it quickly even after the threat of public disclosure. The second it *did* hit the mail list, oh-my-god-it's-amazing how fast they could patch *and* regression test.

: 1. You should be able to fix this in two days
:
: Some researchers think they can push vendors to work faster by threatening to "tell all," and
: that if vendors really tried, they could meet the researchers' arbitrary
: 5-day, 15-day or 30-day "fix window." In reality, many of the best
: researchers aren't the ones you hear a lot about, because discretion is
: their stock in trade.

How about the arbitrary 650 day "fix window"? Some big vendors will release an entirely new version of their OS in two years! While you are babbling the corporate line, care to comment on 650 days elapsing without a patch after a researcher shares a vulnerability with Oracle? Make sure you word your response carefully in context of this article.

: In reality, when a researcher reports a vulnerability, the fix might be
: a two-line code change and take 20 minutes to do. However, getting the
: fix in customers' hands often takes weeks. Remediation may require the

Weeks?! *Years* you ignorant pop tart.

: A two-line code change can take five minutes, but getting a fix into
: customers' hands in such a way that they will apply it takes way more
: than a few minutes. And explaining this to researchers is a good start.

Explaining it without being condescending or assuming they won't understand is even better. Most only ask that the vendor keep them in the loop on patch progress. Every week or so hearing "we're still working on it, bear with us" is enough for most.
: Also, notoriety can backfire: I've known customers to terminate
: contracts with researchers for releasing exploit code. Researchers, you
: might get applause from hackers when you show off at Black Hat, but
: businesses will not pay you to slit their throats. With knowledge comes
: responsibility.

I call bullshit. Releasing exploit code != slitting a customer's throat. To me, slitting a customer's throat means releasing information in violation of an NDA. For the few who *do* this, yes, it no doubt negatively impacts their career and hurts their reputation. However, I believe this to be a very tiny minority as described above.

: 3. I should always get credit for vulnerabilities I find
:
: Most vendors credit researchers who report vulnerabilities so that researchers will
: continue to work with them. Also, saying "Thank you for working with us"
: is just good manners. The myth is that researchers are always entitled
: to credit.

As much as vendors are entitled to early warning of the vulnerability =)

: In reality, when a researcher puts customers at risk by releasing
: exploit code for a vulnerability before the vendor has had a chance to
: fix it, it's ridiculous to expect the vendor to say, "Thank you for
: putting our customers at risk." I've never had a customer ask us for
: exploit code or exploit details, though they do want enough information
: to do a risk assessment.

Read full-disclosure or bugtraq, pop tart. There have been a dozen posts from admins that manage Oracle installations that specifically ask for more details and/or a PoC so they can adequately and accurately assess the risk to their environment. To think this is unreasonable is a joke given the vague nature of the Oracle advisories. Oftentimes they list multiple distinct vulnerabilities (based on the Oracle ID assigned), and give NO other way to distinguish them.
April 2005 for example:

  OCS18 - Calendar - Network (CALENDAR) - None - Difficult - Limited
  OCS19 - Calendar - Network (CALENDAR) - None - Difficult - Wide
  OCS20 - Calendar - Network (CALENDAR) - None - Difficult - Limited
  OCS21 - Calendar - Network (CALENDAR) - None - Difficult - Limited
  OCS23 - Calendar - Network (CALENDAR) - None - Difficult - Wide

Gee, thanks! And the ones that specifically say "trivial" to exploit? You expect any admin or security researcher to be able to figure out if that is accurate or just how wide the impact might be? You think they should immediately patch production machines over such notices? Of course they do anyway, but that is because every single advisory contains multiple remote code execution type bugs, but I digress...

: The reality is that not all researchers are noble-minded, and not all
: vendors are indifferent slugs. The other reality is that the highest
: purpose of everybody in this game should be protecting customers who use
: these products from harm.

And releasing software with Oracle's track record is a good indication that customer protection is a distant second concern over the bottom line.

--
http://archives.cnn.com/2002/TECH/industry/01/21/oracle.unbreakable.idg/
Oracle Corp. Chairman and Chief Executive Officer Larry Ellison said Thursday that Oracle software remains unbreakable and mocked a memo sent this week by arch rival Bill Gates stressing to Microsoft Corp.'s employees the importance of security in the company's products.

http://www.osvdb.org/searchdb.php?action=search_title&vuln_title=oracle&Search=Search

"Microsoft isn't good at security. We're good at that.." -- Larry Ellison, CEO Oracle

From isn at c4i.org Mon Aug 8 01:01:23 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 8 01:14:34 2005
Subject: [ISN] One in ten law firms suffered security breaches
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

How about the handling of private information?
Here in Canada privacy rights are rescinded when someone is caught committing a crime, so likely law firms maintain records including email relevant to cases. What happens to these records when a person is found not guilty or punished for a crime? This appears to be a grey area in the data retention law and now we are seeing that law firms are also vulnerable to exploits.

Best regards, Mark.

Mark E. S. Bernard, CISM, CISSP, PM,
e-mail: Mark.Bernard@TechSecure.ca;
Web: http://www.TechSecure.ca;
Phone: (506) 325-0444

----- Original Message -----
From: "InfoSec News"
To:
Sent: Friday, August 05, 2005 2:05 AM
Subject: [ISN] One in ten law firms suffered security breaches

> http://www.theinquirer.net/?article=25159
>
> By INQUIRER staff
> 04 August 2005
>
> ACCORDING TO AN NOP World survey, 50% of law firms in the UK are
> missing basic security measures and just under half have no budget
> dedicated to digital security, despite the recently increasing IT
> security threats.
>
> 100 UK law firms were included in the NOP World survey commissioned
> by security specialists Evolution Security Systems.
>
> According to the survey, one in ten firms had suffered digital
> security breaches over the past year - showing absolutely no sign of
> improvement with exactly the same odds the year before. Over half of
> the firms believe that digital threats are increasing, yet have
> failed to take appropriate prevention steps.
>
> The survey found that even though there is a one in ten chance of a
> UK law firm suffering from digital security breaches, over half of
> those surveyed still asked co-workers to check their e-mails, while
> one quarter have never changed their e-mail passwords. Perhaps more
> worryingly, four out of ten firms that were questioned had
> absolutely no idea what to do in case of a serious IT malfunction,
> having no disaster recovery plans, or even having thought of such
> things.

[...]
From isn at c4i.org Mon Aug 8 01:01:51 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 8 01:14:50 2005
Subject: [ISN] Government computers top target for cyberattacks
Message-ID:

http://www.govexec.com/dailyfed/0805/080505p1.htm

By Daniel Pulliam
dpulliam@govexec.com
August 5, 2005

Cyberattacks on computer systems escalated in the first half of 2005 and government agencies were targeted more than any other business sector, according to a new report.

Attacks on the government, financial services, manufacturing and health care industries have risen 50 percent since the beginning of the year, according to IBM's Global Business Security Index Report [1]. In the first half of 2005, there were more than 237 million security attacks worldwide, with 54 million directed at the U.S. government. The manufacturing sector received about 36 million attacks, followed by the financial services industry with 34 million and health care with 17 million.

Attacks considered to be relatively harmless - such as spam or basic computer viruses - declined. IBM analysts concluded that for-profit attacks are becoming dominant, particularly those involving phishing - the use of e-mail to try to fraudulently obtain personal information.

The percentage of spam in total e-mail traffic dropped from 83 percent in January to 67 percent in June, but e-mails containing viruses increased by 50 percent during the same period, the report stated. In December 2004, one in every 52 e-mails contained a malicious security threat, such as a virus. By January 2005, the ratio had jumped to one of every 35 e-mails. By June, the number reached one in every 28 e-mails.

IBM analysts believe the majority of cyberattacks now are carried out by criminal gangs, which have become smarter. In the first half of 2005, MessageLabs, a security and management firm that partnered with IBM in writing the report, recorded more than 35 million phishing attempts. In 2004, MessageLabs recorded about 25 million such efforts.
One type of phishing, known as spear phishing--which involves coordinated attacks on specific organizations or individuals for the purposes of getting important data--has grown more than tenfold since the beginning of the year, the report stated.

Alan Paller, director of research at the security group SANS Institute, said that spear phishing is turning into an epidemic. But despite the growing extent of the problem, Paller says that the federal government has been ineffective in responding to the threat.

"This is a huge problem," Paller said. "They need to have a strategy for dealing with it, and I don't mean a go-to-meetings strategy, but an actual action strategy that they can undertake."

Paller criticized the 2002 Federal Information Security Management Act, which requires agencies to publish reports certifying and accrediting major systems and applications for security risks--a time- and resource-consuming process.

"Agencies are spending significantly more [time and money] writing reports and less protecting their networks," Paller said. "Let's stop writing reports and get the stuff fixed."

The United States was the source of the most attacks in the period studied, with 12 million, followed by New Zealand with 1.2 million and China with 1 million. Attacks were most likely to occur on Fridays and Sundays and between 1 a.m. and 6 a.m.

[1] http://www.govexec.com/dailyfed/0805/pdfs/ibmsecurityindex.doc

From isn at c4i.org Mon Aug 8 01:04:24 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 8 01:15:08 2005
Subject: [ISN] Hackers infiltrate Cal Poly
Message-ID:

http://www.whittierdailynews.com/Stories/0,1413,207~12026~2996765,00.html

By Kenneth Todd Ruiz
Staff Writer
August 04, 2005

POMONA -- Computer hackers added Cal Poly Pomona to a growing list of schools from which personal information has been accessed illegally.
Notices went out on Thursday to 31,077 people informing them that their records might have been stolen after Cal Poly Pomona discovered two computer servers were compromised in late June.

"We got hit by a hacker," said Debra Brum, interim vice president of instructional and information technology.

Personal data, including names and Social Security numbers of university applicants and of current and former faculty, staff and students were accessed in the security breach.

Recent graduate Robert Pedraza, 26, said he is troubled by the intrusion.

"If you break into a system, you went in there deliberately to do harm," Pedraza said. "It sounds like there was something they were after."

Cal Poly is unable to determine whether any of the records were copied or downloaded, said university spokesman Ron Fremont.

The school discovered the breach during routine network monitoring on June 29, which university officials said is likely the day the attack occurred.

Systems compromised included student transfer records, a system for scanning in applications and a limited amount of payroll data that Brum said did not include financial information.

Shahnaz Lotfipour, a professor of multimedia productions, said she immediately called credit agencies and put a fraud alert on her account. She said Internet insecurity is an issue worldwide.

"I hope the global community (will) do something about this problem ... I don't think anybody's safe," Lotfipour said.

Fremont said they delayed announcing the attack to investigate the incident and determine the extent of information compromised.

The attack on Cal Poly is among several recent incidents at California colleges. Also in June, hackers absconded with more than a quarter-million applicant records from USC. It was enough to prompt USC officials to urge former applicants to check their credit for fraudulent activity.

On July 26 Cal State Dominguez Hills discovered three-quarters of its student records had been compromised.
The same occurred with 59,000 Cal State Chico student records in March.

"We're in an ongoing battle with hackers and intruders on the Internet," said Dan Manson, Cal Poly computer and information systems professor. "We build up better defenses; they build up better attacks."

Fremont said the school is still investigating the incident and does not rule out the possibility it is related to others.

"We're considering all options," he said.

So far, Brum said, they have been unable to trace the source of the cyber-assault.

Internet infiltrators gained access to the system through a security hole in a particular application, Brum said. She would not name the vulnerable program for fear the attack could be replicated by others.

"The vendor found out about this vulnerability in their software the same week this incident happened," Brum said. "It's a real challenge. If you let more people know how the vulnerability works, you have more bad guys who are going to use it."

Every day, numerous exploits emerge from the "black-hat" hacking community, according to Web sites that post security notices. The "black-hat" hackers are so named by computer security experts for their malicious intent.

Advocates for "open-source" software, the programming code of which is freely available, fault the reluctance of software companies to acknowledge security holes for the ongoing success of digital rogues.

"If we control the distribution of information, we're essentially making sure only the bad guys have it," said Bruce Perens, senior research scientist for George Washington University and vice president of SourceLabs, Inc.

In most cases, system administrators only learn of a vulnerability after it has been exploited and a developer has had time to produce a fix.

With the California Security Information Breach Act, which went into effect in 2003, companies and institutions are now compelled to inform people when their personal information might have been compromised.
In the past two years, Cal Poly has notified 400 students that their personal information, such as Social Security numbers, was posted online, Brum said.

The U.S. Senate is working on the Personal Data Privacy and Security Act, which would extend provisions similar to California's law across the nation.

School officials are urging those possibly affected to visit www.csupomona.edu/notices/security to find information about identity theft, as the information could be used for fraudulent purposes. By calling (909) 979-6100, individuals can learn if their information is at risk.

"This isn't the first time this happened at a campus, and it won't be the last, but we're taking every step to make sure this won't happen again," Fremont said.

-=-

Staff writer Esther Chou contributed to this report.

Kenneth Todd Ruiz can be reached at (909) 483-8555 or by e-mail at todd.ruiz at dailybulletin.com

From isn at c4i.org Mon Aug 8 01:05:26 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 8 01:15:30 2005
Subject: [ISN] Terrorists Turn to the Web as Base of Operations
Message-ID:

Forwarded from: William Knowles

http://www.washingtonpost.com/wp-dyn/content/article/2005/08/05/AR2005080501138.html

By Steve Coll and Susan B. Glasser
Washington Post Staff Writers
August 7, 2005

In the snow-draped mountains near Jalalabad in November 2001, as the Taliban collapsed and al Qaeda lost its Afghan sanctuary, Osama bin Laden biographer Hamid Mir watched "every second al Qaeda member carrying a laptop computer along with a Kalashnikov" as they prepared to scatter into hiding and exile. On the screens were photographs of Sept. 11 hijacker Mohamed Atta.

Nearly four years later, al Qaeda has become the first guerrilla movement in history to migrate from physical space to cyberspace.
With laptops and DVDs, in secret hideouts and at neighborhood Internet cafes, young code-writing jihadists have sought to replicate the training, communication, planning and preaching facilities they lost in Afghanistan with countless new locations on the Internet. Al Qaeda suicide bombers and ambush units in Iraq routinely depend on the Web for training and tactical support, relying on the Internet's anonymity and flexibility to operate with near impunity in cyberspace. In Qatar, Egypt and Europe, cells affiliated with al Qaeda that have recently carried out or seriously planned bombings have relied heavily on the Internet. Such cases have led Western intelligence agencies and outside terrorism specialists to conclude that the "global jihad movement," sometimes led by al Qaeda fugitives but increasingly made up of diverse "groups and ad hoc cells," has become a "Web-directed" phenomenon, as a presentation for U.S. government terrorism analysts by longtime State Department expert Dennis Pluchinsky put it. Hampered by the nature of the Internet itself, the government has proven ineffective at blocking or even hindering significantly this vast online presence. Among other things, al Qaeda and its offshoots are building a massive and dynamic online library of training materials -- some supported by experts who answer questions on message boards or in chat rooms -- covering such varied subjects as how to mix ricin poison, how to make a bomb from commercial chemicals, how to pose as a fisherman and sneak through Syria into Iraq, how to shoot at a U.S. soldier, and how to navigate by the stars while running through a night-shrouded desert. These materials are cascading across the Web in Arabic, Urdu, Pashto and other first languages of jihadist volunteers. 
The Saudi Arabian branch of al Qaeda launched an online magazine in 2004 that exhorted potential recruits to use the Internet: "Oh Mujahid brother, in order to join the great training camps you don't have to travel to other lands," declared the inaugural issue of Muaskar al-Battar, or Camp of the Sword. "Alone, in your home or with a group of your brothers, you too can begin to execute the training program." "Biological Weapons" was the stark title of a 15-page Arabic language document posted two months ago on the Web site of al Qaeda fugitive leader Mustafa Setmariam Nasar, one of the jihadist movement's most important propagandists, often referred to by the nom de guerre Abu Musab Suri. His document described "how the pneumonic plague could be made into a biological weapon," if a small supply of the virus could be acquired, according to a translation by Rebecca Givner-Forbes, an analyst at the Terrorism Research Center, an Arlington firm with U.S. government clients. Nasar's guide drew on U.S. and Japanese biological weapons programs from the World War II era and showed "how to inject carrier animals, like rats, with the virus and how to extract microbes from infected blood . . . and how to dry them so that they can be used with an aerosol delivery system." Jihadists seek to overcome in cyberspace specific obstacles they face from armies and police forces in the physical world. In planning attacks, radical operatives are often at risk when they congregate at a mosque or cross a border with false documents. They are safer working on the Web. Al Qaeda and its offshoots "have understood that both time and space have in many ways been conquered by the Internet," said John Arquilla, a professor at the Naval Postgraduate School who coined the term "netwar" more than a decade ago. 
Al Qaeda's innovation on the Web "erodes the ability of our security services to hit them when they're most vulnerable, when they're moving," said Michael Scheuer, former chief of the CIA unit that tracked bin Laden. "It used to be they had to go to Sudan, they had to go to Yemen, they had to go to Afghanistan to train," he added. Now, even when such travel is necessary, an al Qaeda operative "no longer has to carry anything that's incriminating. He doesn't need his schematics, he doesn't need his blueprints, he doesn't need formulas." Everything is posted on the Web or "can be sent ahead by encrypted Internet, and it gets lost in the billions of messages that are out there." The number of active jihadist-related Web sites has metastasized since Sept. 11, 2001. When Gabriel Weimann, a professor at the University of Haifa in Israel, began tracking terrorist-related Web sites eight years ago, he found 12; today, he tracks more than 4,500. Hundreds of them celebrate al Qaeda or its ideas, he said. "They are all linked indirectly through association of belief, belonging to some community. The Internet is the network that connects them all," Weimann said. "You can see the virtual community come alive." Apart from its ideology and clandestine nature, the jihadist cyberworld is little different in structure from digital communities of role-playing gamers, eBay coin collectors or disease sufferers. Through continuous online contact, such communities bind dispersed individuals with intense beliefs who might never have met one another in the past. Along with radical jihad, the Internet also has enabled the flow of powerful ideas and inspiration in many other directions, such as encouraging democratic movements and creating vast new commercial markets. Since the U.S. invasion of Iraq more than two years ago, the Web's growth as a jihadist meeting and training ground has accelerated. But al Qaeda's move into cyberspace is far from total. 
Physical sanctuaries or unmolested spaces in Sunni Muslim-dominated areas of Iraq, in ungoverned tribal territories of Pakistan, in the southern Philippines, Africa and Europe still play important roles. Most violent al Qaeda-related attacks -- even in the most recent period of heavy jihadist Web use -- appear to involve leaders or volunteers with some traditional training camp or radical mosque backgrounds.

But the Web's growing centrality in al Qaeda-related operations and incitement has led such analysts as former CIA deputy director John E. McLaughlin to describe the movement as primarily driven today by "ideology and the Internet."

The Web's shapeless disregard for national boundaries and ethnic markers fits exactly with bin Laden's original vision for al Qaeda, which he founded to stimulate revolt among the worldwide Muslim ummah, or community of believers. Bin Laden's appeal among some Muslims has long flowed in part from his rare willingness among Arab leaders to surround himself with racially and ethnically diverse followers, to ignore ancient prejudices and national borders. In this sense of utopian ambition, the Web has become a gathering place for a rainbow coalition of jihadists.

It offers al Qaeda "a virtual sanctuary" on a global scale, Rand Corp. terrorism specialist Bruce Hoffman said. "The Internet is the ideal medium for terrorism today: anonymous but pervasive."

In Afghanistan, the Taliban banned television and even toothbrushes as forbidden modern innovations. Yet al Qaeda, led by educated and privileged gadget hounds, adapted early and enthusiastically to the technologies of globalization, and its Arab volunteers managed to evade the Taliban's screen-smashing technology police. Bin Laden used some of the first commercial satellite telephones while hiding out in Afghanistan. He produced propaganda videos with hand-held cameras long before the genre became commonplace.
Bin Laden's sons played computer games in their compound in Jalalabad, recalled the journalist Abdel Bari Atwan, who interviewed bin Laden late in 1996. Today, however, bin Laden and his deputy, Ayman Zawahiri, have fallen well behind their younger followers worldwide. The two still make speeches that must be recorded in a makeshift studio and couriered at considerable risk to al-Jazeera or other satellite stations, as with Zawahiri's message broadcast last week. Their younger adherents have moved on to Web sites and the production of short videos with shock appeal that can be distributed to millions instantly via the Internet. Many online videos seek to replicate the Afghan training experience. An al Qaeda video library discovered on the Web and obtained by The Washington Post from an experienced researcher showed in a series of high-quality training films shot in Afghanistan how to conduct a roadside assassination, raid a house, shoot a rocket-propelled grenade, blow up a car, attack a village, destroy a bridge and fire an SA-7 surface-to-air missile. During a practice hostage-taking, the filmmakers chuckled as trainees herded men and women into a room, screaming in English, "Move! Move!" One of al Qaeda's current Internet organizations, the Global Islamic Media Front, is now posting "a lot of training materials that we've been able to verify were used in Afghanistan," said Givner-Forbes, of the Terrorism Research Center. One recent online manual instructed how to extract explosive materials from missiles and land mines. Another offered a country-by-country list of "explosive materials available in Western markets," including France, Germany, Italy, Japan, the former Soviet Union and Britain. These sites have converted sections of the Web into "an open university for jihad," said Reuven Paz, who heads the Project for the Research of Islamist Movements in Israel. 
"The main audience are the younger generation in the Arab world" who now can peruse at their own pace "one big madrassa on the Internet."

From One Site to Many

Al Qaeda's main communications vehicle after Sept. 11 was Alneda.com, a clearinghouse for new statements from bin Laden's leadership group as his grip on Afghan territory crumbled. An archive of the site, also obtained by The Post from the researcher, includes a library of pictures from the 2001 Afghan war, along with a collage of news accounts, long theological justifications for jihad, and celebrations of the Sept. 11 hijackers.

The webmaster and chief propagandist of the site has been identified by Western analysts as Yusuf Ayiri, a Saudi cleric and onetime al Qaeda instructor in Afghanistan. In the summer of 2002, U.S. authorities and volunteer campaigners who were trying to shut him down chased him across multiple computer servers. At one point, a pornographer gained control of the Alneda.com domain name, and the site shifted to servers in Malaysia, then Texas, then Michigan. Ayiri died in a gun battle with Saudi security forces in May 2003. His site ultimately disappeared.

Rather than one successor, there were hundreds. Realizing that fixed Internet sites had become too vulnerable, al Qaeda and its affiliates turned to rapidly proliferating jihadist bulletin boards and Internet sites that offered free upload services where files could be stored.

The outside attacks on sites like Alneda.com "forced the evolution of how jihadists are using the Internet to a more anonymous, more protected, more nomadic presence," said Ben N. Venzke, a U.S. government consultant whose firm IntelCenter monitors the sites. "The groups gave up on set sites and posted messages on discussion boards -- the perfect synergy."

One of the best-known forums that emerged after Sept. 11 was Qalah, or Fortress. Registered to an address in Abu Dhabi, the United Arab Emirates, the site has been hosted in the U.S.
by a Houston Internet provider, Everyone's Internet, that has also hosted a number of sites preaching radical Islam. Researchers who follow the site believe it may be connected to Saad Faqih, a leading Saudi dissident living in exile in Britain. They note that the same contact information is given for his acknowledged Web site and Qalah. Faqih has denied any link. On Qalah, a potential al Qaeda recruit could find links to the latest in computer hacking techniques (in the discussion group called "electronic jihad"), the most recent beheading video from Iraq, and paeans to the Sept. 11 hijackers and long Koranic justifications of suicide attacks. Sawt al-Jihad, the online magazine of al Qaeda in Saudi Arabia, was available, as were long lists of "martyrs" who had died fighting in Iraq. The forum abruptly shut down on July 7, hours after a posting asserted responsibility for the London transit bombings that day in the name of the previously unknown Secret Organization of al Qaeda in Europe. Until recently, al Qaeda's use of the Web appeared to be centered on communications: preaching, recruitment, community-building and broad incitement. But there is increasing evidence that al Qaeda and its offshoots are also using the Internet for tactical purposes, especially for training new adherents. "If you want to conduct an attack, you will find what you need on the Internet," said Rita Katz, director of the SITE Institute, a group that monitors and tracks the jihadist Internet sites. Jarret Brachman, director of research at West Point's Combating Terrorism Center, said he recently found on the Internet a 1,300-page treatise by Nasar, the Spanish- and English-speaking al Qaeda leader who has long trained operatives in poison techniques. The book urged a campaign of media "resistance" waged on the Internet and implored young prospective fighters to study computers along with the Koran. The Nasar book was posted anonymously on the hijacked server of a U.S. 
business, a tactic typical of online jihadist propagandists, whose webmasters steal space from vulnerable servers worldwide and hop from Web address to Web address to evade the campaigners against al Qaeda who seek to shut down their sites. The movement has also innovated with great creativity to protect its most secret communications. Khalid Sheik Mohammed, a key planner of the Sept. 11 attacks later arrested in Pakistan, used what four researchers familiar with the technique called an electronic or virtual "dead drop" on the Web to avoid having his e-mails intercepted by eavesdroppers in the United States or allied governments. Mohammed or his operatives would open an account on a free, public e-mail service such as Hotmail, write a message in draft form, save it as a draft, then transmit the e-mail account name and password during chatter on a relatively secure message board, according to these researchers. The intended recipient could then open the e-mail account and read the draft -- since no e-mail message was sent, there was a reduced risk of interception, the researchers said. Matt Devost, president of the Terrorism Research Center, who has done research in the field for a decade, recalled that "silverbullet" was one of the passwords Mohammed reportedly used in this period. Sending fake streams of e-mail spam to disguise a single targeted message is another innovation used by jihadist communicators, specialists said. Al Qaeda's success with such tactics has underscored the difficulty of gathering intelligence against the movement. Mohammed's e-mails, once discovered, "were the best actionable intelligence in the whole war" against bin Laden and his adherents, said Arquilla, the Naval Postgraduate School professor. But al Qaeda has been keenly aware of its electronic pursuers and has tried to do what it can to stay ahead -- mostly by using encryption. 
Building Cells on the Web In the last two years, a small number of cases have emerged in which jihadist cells appear to have formed among like-minded strangers who met online, according to intelligence officials and terrorism specialists. And there are many other cases in which bonds formed in the physical world have been sustained and nurtured by the Internet, according to specialists in and outside of government. For example, Royal Canadian Mounted Police officers burst into the Ottawa home of Mohammed Momin Khawaja, a 24-year-old computer programmer, on March 29, 2004, arresting him for alleged complicity in what Canadian and British authorities described as a transatlantic plot to bomb targets in London and Canada. Khawaja, a contractor with Canada's Foreign Ministry, met his alleged British counterparts online and came to the attention of authorities only when he traveled to Britain and walked into a surveillance operation being conducted by British special police, according to two Western sources familiar with the case. British prosecutors alleged in court that Khawaja met with his online acquaintances in an Internet cafe in London, where he showed them images of explosive devices found on the Web and told them how to detonate bombs using cell phones. The first person jailed under a strict new Canadian anti-terrorism law passed after Sept. 11, Khawaja is not scheduled to have a preliminary hearing on his case until January. The transit attacks in London may also have an Internet connection, according to several analysts. They appear to be successful examples of "al Qaeda's assiduous effort to cultivate and train professional insurgents and urban warfare specialists via the Internet," wrote Scheuer, the former CIA analyst. In a posting not long after the London attacks, a member of one of the al Qaeda-linked online forums asked how to take action himself. 
A cell of two or three people is better, replied another member in an exchange translated by the SITE Institute. Even better than that is a "virtual cell, an agreement between a group of brothers over the Internet." It is "safe," extolled the anonymous poster, and "nobody will know the identity of each other in the beginning." Once "harmony and mutual trust" are established, training conducted and videos watched, then "you can meet in reality and execute some operation in the field."

Staff researcher Julie Tate contributed to this report.

© 2005 The Washington Post Company

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Aug 8 01:05:58 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 8 01:15:55 2005
Subject: [ISN] The Rise of the Digital Thugs
Message-ID:

http://www.nytimes.com/2005/08/07/business/yourmoney/07stalk.html

By TIMOTHY L. O'BRIEN
August 7, 2005

Early last year, the corporate stalker made his move. He sent more than a dozen menacing e-mail messages to Daniel I. Videtto, the president of MicroPatent, a patent and trademarking firm, threatening to derail its operations unless he was paid $17 million.

In a pair of missives fired off on Feb. 3, 2004, the stalker said that he had thousands of proprietary MicroPatent documents, confidential customer data, computer passwords and e-mail addresses. Using an alias of "Brian Ryan" and signing off as "Wounded Grizzly," he warned that if Mr. Videtto ignored his demands, the information would "end up in e-mail boxes worldwide."
He also threatened to stymie the online operations of MicroPatent's clients by sending "salvo after salvo" of Internet attacks against them, stuffing their computers so full of MicroPatent data that they would shut down. Another message about two weeks later warned that if he did not get the money in three days, "the war will expand." Unbeknownst to the stalker, MicroPatent had been quietly trying to track him for years, though without success. He was able to mask his online identity so deftly that he routinely avoided capture, despite the involvement of federal investigators. But in late 2003 the company upped the ante. It retained private investigators and deployed a former psychological profiler for the Central Intelligence Agency to put a face on the stalker. The manhunt, according to court documents and investigators, led last year to a suburban home in Hyattsville, Md., its basement stocked with parts for makeshift hand grenades and ingredients for ricin, one of the most potent and lethal biological toxins. Last March, on the same day that they raided his home, the authorities arrested the stalker as he sat in his car composing e-mail messages he planned to send wirelessly to Mr. Videtto. The stalker has since pleaded guilty to charges of extortion and possession of toxic materials. What happened to MicroPatent is happening to other companies. Law enforcement authorities and computer security specialists warn that new breeds of white-collar criminals are on the prowl: corporate stalkers who are either computer-savvy extortionists, looking to shake down companies for large bribes, or malicious competitors who are trying to gain an upper hand in the marketplace. 
"It's definitely a growing issue and problem, and it's something we think will definitely increase in both the numbers and severity," said Frank Harrill, an agent with the Federal Bureau of Investigation who specializes in computer crimes and who has investigated corporate stalkers and online extortionists. The reason, he said, is that "the Internet is ceasing to be a means for communication and commerce and is becoming the means for communication and commerce."

Though the number of corporate stalkers appears to be growing - along with the number of payoffs to online extortionists - quantifying the dimensions of the threat is difficult. Last fall, a researcher at Carnegie Mellon University in Pittsburgh published a study of online extortion involving small and medium-sized businesses, saying that the Internet's global reach had produced "a profound change in the nature of crime, as the existence of information systems and networks now makes criminal acts possible that were not before, both in increased scope and ease."

The study also concluded that while the threat of cyberextortion was real and mounting, data and research about the subject were scant. That is because most businesses, particularly blue-chip companies, are concerned about negative publicity from computer security breaches and do not want to report digital bullying and intrusions to law enforcement officials.

"Cyberextortion was the main threat I identified that I thought corporations were overlooking," said Gregory M. Bednarski, the author of the Carnegie Mellon study, who now works at PricewaterhouseCoopers as a computer security consultant. "Unfortunately, I think that's still the issue - most companies are still not taking cyberextortion seriously enough. They just don't see themselves as vulnerable."

MicroPatent, based in East Haven, Conn., realized firsthand how vulnerable its data was.
The company was also an exception in the world of cyberextortion victims: it chose not only to fight back and to contact the authorities, but it also assembled its own team of specialists familiar with the strategies and weaponry of cybercriminals. Even so, MicroPatent's stalker, using hijacked Internet accounts and pirated wireless networks, was remarkably elusive. "What this means is that the criminals are getting smarter," said Scott K. Larson, a former F.B.I. agent and a managing director of Stroz Friedberg, a private investigation firm that helped hunt down MicroPatent's stalker. "There's an arms race going on in cyberspace and in cybercrimes." MicroPatent, a business that court papers describe as one of the world's largest commercial depositories of online patent data, first came under attack four years ago. Someone penetrated the company's databases and began transmitting phony e-mail messages to its customers. The messages were what are known as "spoofs," online communications - embroidered with pilfered company logos or names and e-mail addresses of MicroPatent employees - that are meant to trick recipients into believing that the messages were authorized. The spoofs, according to court papers and investigators, contained derogatory comments about MicroPatent in the subject lines or text. Some included sexually explicit attachments, such as sex-toy patents that a computer hacker had culled from the company's online files. MicroPatent and its parent company, the Thomson Corporation, did not respond to several phone calls seeking comment. But others with direct knowledge of the hunt for the company's stalker said MicroPatent, which had grown rapidly through acquisitions, had a computer network containing stretches of online turf that were once used by acquirees but were abandoned after the takeovers. Those digital back alleys offered access to the entire MicroPatent network to people with old passwords. 
Once inside, they could inhabit the network undetected - in much the same way that anyone with a key to one abandoned house on a block of abandoned houses can live in a populous city without anyone knowing he is there. And MicroPatent's stalker was lurking on one of its network's nether zones.

By 2003, MicroPatent had become so frustrated with its unknown stalker that it reached out to the F.B.I. for help. But with its resources spread thin, the F.B.I. could not pin down the stalker's identity, his motivations or how he managed to trespass on MicroPatent's electronic turf.

A year later, MicroPatent hired Stroz Friedberg and secured the services of Eric D. Shaw, a clinical psychologist who had once profiled terrorists and foreign potentates for the C.I.A. The first order of business, investigators said, was to narrow the field of MicroPatent's potential stalkers and to try to isolate the perpetrator.

"You need to take the temperature of the person on the other side and determine how seriously you need to take them," said Beryl Howell, who supervised the MicroPatent investigation for Stroz Friedberg. "Is it a youngster or is it someone who's angry? Is it someone who's fooling around or someone who's much more serious?"

Investigators said their examination of the stalker's communications indicated that he was much more than a hacker on a joy ride. That would be consistent with what law enforcement authorities and computer security specialists describe as the recent evolution of computer crime: from an unstructured digital underground of adolescent hackers and script-kiddies to what Mr. Bednarski describes in his study as "information merchants" representing "a structured threat that comes from profit-oriented and highly secretive professionals."

Stealing and selling data has become so lucrative, analysts say, that corporate espionage, identity theft and software piracy have mushroomed as profit centers for criminal groups.
Analysts say cyberextortion is the newest addition to the digital Mafia's bag of tricks. "Generally speaking, it's pretty clear it's on the upswing, but it's hard to gauge how big of an upswing because in a lot of cases it seems companies are paying the money," said Robert Richardson, editorial director of the Computer Security Institute, an organization in San Francisco that trains computer security professionals. "There's definitely a group of virus writers and hackers in Russia and in the Eastern European bloc that the Russian mob has tapped into." Mr. Richardson is a co-author of an annual computer-security study that his organization publishes with the F.B.I. The latest version said that while corporate and institutional computer break-ins increased slightly last year from 2003, average financial losses stemming from those intrusions decreased substantially in all but two categories: unauthorized access to data and theft of proprietary information. Among 639 of the survey's respondents, the average loss from unauthorized data access grew to $303,234 in 2004 from $51,545 in 2003; average losses from information theft rose to $355,552 from $168,529. The respondents suffered total losses in the two categories of about $62 million last year. While many cyberextortionists and cyberstalkers may be members of overseas crime groups, several recent prosecutions suggest that they can also be operating solo and hail from much less exotic climes - like the office building just down the street. In March, a federal judge in San Francisco sentenced a Southern California businessman, Mark Erfurt, to five months in prison, followed by three and a half years of home detention and supervised release, for hacking into the databases of a competitor, the Manufacturing Electronic Sales Corporation, and disrupting its business. In June, the F.B.I. 
in Los Angeles arrested Richard Brewer, a former Web administrator for a trade show company, accusing him of disabling his employer's Web site and threatening further damage unless he was paid off. And last month in New York, the Westchester County district attorney's office charged a Tarrytown businessman, Gerald Martin, with hacking into a competitor's computer network in order to ruin its business by tampering with its phone system. Small-fry stuff, some of this, except that even local law enforcement officials say the episodes are multiplying. "We have 590,000 people in our county, but we're seeing lots of examples of lax or lackadaisical computer security," said Sgt. Mike Nevil, head of the computer crimes unit of the Ocean County, N.J., prosecutor's office. "We've seen lots of examples of people going onto a competitor's computer network and clearing out whatever information they can get." For its part, MicroPatent initially believed that its problems were the work of a competitor. It sued one company that it suspected but later dropped that lawsuit. After Ms. Howell's team joined the fray in late 2003, MicroPatent and its consultants began to isolate the stalker, using a small list of candidates distilled from earlier investigative work. Dr. Shaw's analysis of e-mail messages led them to believe that they were tracking a technologically sophisticated man, older than 30, with a history of work problems and personal conflicts, who was compulsively obsessed with details and who might own weapons. The stalker was extremely angry and "holding a grudge," Dr. Shaw recalled. "People like that can be very dangerous. He referred to himself as a soldier behind enemy lines." Within a few weeks, Dr. Shaw's analysis led the investigative team to focus on Myron Tereshchuk, a 43-year-old Maryland entrepreneur who ran his own patent business and had once been rebuffed by MicroPatent when he applied to the company for a job. And Mr. Tereshchuk was indeed their man. 
Members of Ms. Howell's investigative team all said that Dr. Shaw's profiling was a breakthrough in the pursuit, but that without the subsequent involvement of local and federal law enforcement officials, Mr. Tereshchuk would not have been captured. "It's about grinding out a lot of data; it's not about intuition - though years of working clinically with patients is certainly important," Dr. Shaw said. "The Myron case involved a fair amount of case management because we needed to keep him talking, we needed to keep him engaged, so we could set him up for an arrest." Indeed, the detective work that led to his arrest offers a revealing glimpse into how the new cat-and-mouse game is played in cyberspace - especially when the cloak of secrecy offered by newfangled wireless devices makes digital criminals so hard to track. In early 2004, private investigators began corresponding with the stalker, sending spoofed e-mail back to him in the "voice" of a MicroPatent lawyer. At the same time, federal authorities began physically tracking Mr. Tereshchuk's comings and goings in the real world. By February, the stalker had also become an active e-mail correspondent with Mr. Videtto, the MicroPatent president. It was then that the stalker made a series of mistakes. Among them, he began to brag. In an e-mail message titled "Fire them all," he informed Mr. Videtto that he had found valuable MicroPatent documents by going "Dumpster diving to the Dumpster and recycle bins located in a parking lot on Shawnee Road" in Alexandria, Va., where the company maintained a branch office. That allowed investigators to zero in on his location, further buttressing the notion that Mr. Tereshchuk, who lived nearby, was the author of the scheme. In the same message, the stalker wrote angrily that staff members at the United States Patent and Trademark Office in northern Virginia had snubbed him and given preferential treatment to MicroPatent employees. 
Several years earlier, a patent office worker accused Mr. Tereshchuk of threatening to bomb the agency. A computer forensics expert embedded a Web bug, a kind of digital tracking device, in one of the e-mail messages that Mr. Videtto sent to the stalker. But the stalker screened his e-mail with decoding devices that included a hex editor, software that allows users to preview the contents of incoming files, and he uncovered the bug. "Was it a script to capture my IP address?" the stalker wrote tauntingly to Mr. Videtto after finding the Web bug, referring to his Internet Protocol address. "I'll look at it later with a hex editor." Investigators said the failed bug worried them because they thought it might scare off the stalker, but by this point Mr. Tereshchuk had already demanded his $17 million extortion payment. He also clumsily revealed his identity by demanding that the money be sent to the person accused of threatening to bomb the patent office. And he kept sending e-mail messages telling Mr. Videtto that he had MicroPatent's customer lists, patent applications, customer credit card numbers and the Social Security numbers of some employees, as well as the employees' birth dates, home addresses and the names of their spouses and children. The stalker also threatened to flood the computer networks of MicroPatent clients with information pilfered from the company, overwhelming the customers' ability to process the data and thereby shuttering their online operations - a surreptitious digital attack known as distributed denial of service, or D.D.O.S. Such assaults, analysts and law enforcement officials say, have become a trademark of cyberextortionists. Federal prosecutors in Los Angeles are currently investigating a group of possible cyberextortionists linked to a television retailer indicted there last August. The retailer was accused of disrupting competitors' online operations, and prosecutors have called suspects in that case the "D.D.O.S. Mafia." "D.D.O.S. 
attacks are still one of the primary ways of extorting a company, and we're seeing a lot of that," said Larry D. Johnson, special agent in charge of the United States Secret Service's criminal division. "I think the bad guys know that if the extortion amounts are relatively low a company will simply pay to make them go away." Mr. Tereshchuk's apparent ability to start a D.D.O.S. attack attested to what investigators describe as his unusual technological dexterity, despite evidence of his psychological instability. It also explained how he was able to evade detection for years, and his methods for pulling off that feat surfaced after the F.B.I. began following him. Using wireless computing gear stashed in an old, blue Pontiac, and fishing for access from an antenna mounted on his car's dashboard, Mr. Tereshchuk cruised Virginia and Maryland neighborhoods. As he did so, federal court documents say, he lifted Yahoo and America Online accounts and passwords from unwitting homeowners and businesspeople with wireless Internet connections. The documents also say he then hijacked the accounts and routed e-mail messages to MicroPatent from them; he used wireless home networks he had commandeered to hack into MicroPatent's computer network and occasionally made use of online accounts at the University of Maryland's student computer lab, which he had also anonymously penetrated. By late February of last year, however, the F.B.I. had laid digital traps for Mr. Tereshchuk inside the student lab, which was near his home. As investigators began to close in on him, his e-mail messages to Mr. Videtto became more frantic. A note sent on Feb. 28 told Mr. Videtto that if he forked over the $17 million then "everything gets deactivated, sanitized, and life will go on for everybody." In his last e-mail message, sent several days later, he dropped his guard completely: "I am overwhelmed with the amount of information that can be used for embarrassment," he wrote.
"When Myron gets compensated, things start to get deactivated." On March 10, 2004, federal agents swarmed Mr. Tereshchuk's home, where they found the hand-grenade components and ricin ingredients. The agents arrested him in his car the same day, in the midst of writing his new crop of e-mail messages to Mr. Videtto. Late last year, Mr. Tereshchuk was sentenced to five years in prison after pleading guilty to a criminal extortion charge filed by the United States attorney's office in Alexandria. Earlier this year he pleaded guilty to criminal possession of explosives and biological weapons, charges that the United States attorney's office in Baltimore had filed against him. Possessing illegal toxins carries a maximum term of life in prison. Mr. Tereshchuk is expected to be sentenced this fall.

From isn at c4i.org Mon Aug 8 01:06:41 2005 From: isn at c4i.org (InfoSec News) Date: Mon Aug 8 01:18:14 2005 Subject: [ISN] An Insider's View of 'Ciscogate' Message-ID: http://www.wired.com/news/technology/0,1282,68435,00.html By Jennifer Granick Aug. 05, 2005

Attorney Jennifer Granick represented computer security researcher Michael Lynn in his conflict with Cisco and ISS at the Black Hat conference. The following is reprinted from her blog with permission. What follows is my take on "Ciscogate," the uproar over researcher Michael Lynn's presentation at this year's Black Hat conference, in which he revealed that he was able to remotely execute code on Cisco routers. I have been representing Mike during this crisis, so I'm clearly partisan, and what I can say is limited by attorney-client responsibilities. But while many people are speculating about the facts, there hasn't been much on the law, which turns out to be really interesting. I arrived in Las Vegas around 1:00 p.m. on Wednesday. My plane had been delayed, and I was anxious to get to Caesar's Palace and get prepared for my presentation, scheduled for 3:15 p.m.
My parents and sister also were coming to see me, and I had to get approval for their day passes from the Black Hat powers-that-be. I had heard that there was a chance of some legal problems with a talk that Mike Lynn had planned to give about Cisco router vulnerability and that the night or so before the conference, Cisco sent temp workers to cut Lynn's slides out of the presentation materials and to seize CDs containing his PowerPoint presentation. But I wasn't involved in the case yet. When I arrived, someone pointed Lynn out to me. He was wearing a white backward-facing baseball hat with the word "GOOD" on it and chatting animatedly with friends. I introduced myself, and he told me that he'd quit his job and given the talk anyway, and that he expected to be sued. Lynn knew that Cisco had fixed the problem he found and stopped distributing the vulnerable code, but he was deeply concerned that the company did not do nearly enough to persuade its customers to upgrade promptly, or to explain to them why upgrading was necessary. Based on some web searching, he thought that Chinese hackers were working on breaking routers too, and that people needed to know. Up until very recently, Mike's employer, ISS, had approved his talk and was happy for him to give it. But very recently, they dramatically changed their minds and forbade him from giving it. They made Mike pick another topic. By the morning of the conference, Mike decided he had to quit his job and give the talk anyway. (In subsequent conversations with Cisco attorneys, I was assured that Cisco and ISS were working on a presentation that would reveal the flaw without revealing what Cisco and ISS felt was proprietary information or giving bad guys a road map to an exploit. I never saw this presentation, and to the best of my knowledge Mike didn't either. If this is true, I don't know why Lynn, ISS and Cisco were communicating so poorly. 
Of course, I also don't know what Cisco and ISS were worried about, since Lynn's presentation neither revealed confidential information nor provided much assistance to would-be intruders. Cisco also told me that they offered to give the new joint ISS and Cisco talk, but that Black Hat refused. My understanding of Black Hat's position was that the speaking slot wasn't given to Cisco and ISS but to Mike Lynn, and if he wanted to talk about something else, he could, but they weren't going to give the slot to Cisco just because the originally scheduled talk was about their product.) I'm generally a believer in the free flow of information. I've written an article on vulnerability disclosure, and generally don't like rules that stop people from telling the truth, for whatever reason. But I understand that exploit code, while communicative, can also be used as a dangerous tool. Lynn understood this too. His presentation did not give away exploit code, or even enough information for listeners to readily create exploit code. In fact, he said, Cisco employees who had vetted the information were themselves unable to create an exploit from his information. But Mike wanted to show people that (1) he knew what he was talking about and (2) he could do what he said could be done. He included just enough information to make those points. (Following the talk, other researchers who'd seen it agreed that it would take a lot of work to get from Mike's presentation to an exploit.) After my talk, I caught up with Mike and discussed the possibility that Cisco or ISS would sue him. I told him to call me if he heard anything. Then my family and I went to Shintaro at the Bellagio for dinner. It was my parents' 37th anniversary. Shintaro has three really beautiful jellyfish tanks in the front of the restaurant, behind the sushi bar. The restaurant is actually kind of large and sits on the Bellagio lagoon.
We wanted a table with a window view, but the maitre d' said they were all reserved -- even though we had a reservation, it was 5:45 p.m. and there were very few other people around. No one came to sit at those tables the whole time we were there. We had sushi, which was really fresh and good, and then my sister and I shared the crispy lobster in black bean sauce. As with my father's lamb dish, it was really good, but the sauce was a little overpowering for the delicacy of the meat. The waiter was adept at explaining the sakes, and I ordered a really good one to share with my dad, a junmai ginjo called gissen, I believe. I would definitely go back if it were not for the snootiness of not letting us have a window seat even though no one cool enough to pre-empt us would dream of going to dinner so ungodly early. By the time dinner was over, Cisco and ISS had filed a lawsuit and served papers requesting a temporary restraining order on Black Hat, but not on Mike. Mike had heard about the lawsuit, though, and called me. I met him at Caesar's Palace, where a reporter gave me a copy of the moving papers. Black Hat's PR person told me that Cisco and ISS were suing Black Hat and Lynn, and that they'd scheduled an ex parte hearing before Judge White in San Francisco for the next morning at 8:30 a.m. to ask for a temporary restraining order. Now I had to decide whether I was interested in the case. I took the papers back to my room to read, and told Mike not to talk directly to opposing counsel. If they called him, he should tell them to call me. This is just habit that I can't break. As a criminal defense attorney, you never let opposing counsel get anywhere near your client. Even though Mike wasn't my client, and this wasn't my case, and it wasn't criminal, it was reflex to protect him at all costs from the prying questions of an opponent. Sure enough, the attorney for ISS and Cisco, Andrew Valentine, called Mike, and then called me. 
Valentine is a pretty pleasant, reasonable person for someone who's sued someone I like very much. We started talking about the case, and I was asking what exactly he was claiming that Lynn had done wrong. It appeared to be three things. First, ISS was claiming copyright in the presentation that Mike had given on Wednesday morning. Second, Cisco was claiming copyright in the decompiled machine code that Mike obtained from the Cisco binaries and had included in his slides. And finally, Cisco was claiming trade secret in the information Mike had obtained by decompiling and studying Cisco source code. The complaint [2] (.pdf) also alleged that Mike had breached his nondisclosure agreement with ISS. I didn't and don't think much of the legal case, and I'll explain why in the next installment. But every attorney knows that an opponent's weak legal case is first and foremost an opportunity to get a good settlement. No party wants to litigate against a rich corporation if they don't have to. It's a different story for the lawyers, though. For me, no matter how much I care about the client, it's a job that I enjoy. I like to litigate a case if the issues are interesting and these definitely are. But the client comes first, so I asked Valentine what his clients really wanted out of all of this. We parsed and narrowed, and came to a point where I thought we might be able to cut a deal. I told him I'd talk to Lynn and Black Hat and get back to him one way or another. When I first talked to Valentine, I wasn't even sure I wanted to be involved in the case, but as I read the temporary restraining order papers, I became really interested in the legal issues that the suit raised. You'll remember that ISS claimed copyright in the slides Mike used on Wednesday morning. I hadn't seen the original ISS slides, but I imagined that they looked different but had similar bullet points or words. This wasn't very interesting to me. 
I would argue that the bullet points were unoriginal and not deserving of much copyright protection, or that it was fair use, or that Mike jointly retained the copyright with ISS, but none of this is particularly fun. The second copyright claim was Cisco's in the decompiled code. Certainly Cisco has copyright in the source code, and I suppose in the binary, too, and therefore it probably has copyright in the machine code as well. But Mike only used little edited snippets of the machine code to illustrate his points about how he found the IOS vulnerability and why it existed. This was classic fair use, something important to defend, but only kind of fun, if only because it was so damn obviously permissible. The more interesting claim was the trade secret claim. They were suing under California's trade secret law. California has adopted the Uniform Trade Secrets Act, which is relatively broad. It prohibits the misappropriation of trade secrets. A trade secret is information that: (1) derives independent economic value, actual or potential, from not being generally known to the public or to other persons who can obtain economic value from its disclosure or use; and (2) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. So the first question is, what's the secret? The complaint says that Lynn had Cisco source code, but he didn't. He had the binary code. The binary isn't secret, since Cisco sells it. Is the decompiled code secret? Is it the fact that there's a vulnerability? Would the law allow a product flaw to be a protected trade secret? I've had lawyers argue it to me, but I can't believe that any court would think that's a good idea. Imagine if we did that with cars. The fact that it blows up if someone rear ends you is a protected secret, because people wouldn't buy the cars if they had that information? I'm not sure there's anything here of Cisco's that the law would protect. 
The second question is, even if there is some kind of trade secret, did Mike misappropriate it? Misappropriation means acquisition by improper means, or disclosure without consent by a person who used improper means to acquire the knowledge. The law specifically says that reverse engineering (decompiling) is proper, not improper, means. As used in this title, unless the context requires otherwise: (a) "Improper means" includes theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means. Reverse engineering or independent derivation alone shall not be considered improper means. So then the question is, did Mike use reverse engineering or independent derivation alone? It seemed that Cisco was claiming that Mike's actions were improper because he violated the End User License Agreement, which prohibited reverse engineering. So now I was having fun. I'm totally interested in EULAs and the circumstances under which they take away public rights that are otherwise guaranteed us. Usually, a breach of contract is no big deal. But increasingly in the tech field, we're seeing big penalties for what's essentially a contract violation. Under the Computer Fraud and Abuse Act, if you exceed your authorization to access a computer, you've committed a crime. Cases have said you exceed authorization when you breach a EULA, terms of service or employment contract. Other cases have said that EULAs can waive fair-use rights and other rights guaranteed under copyright law. Lynn's case presented the question of whether EULAs could subvert the legislature's express desire to allow people to reverse-engineer trade secrets. I decided to get involved in the case. There were lots of ways to argue the case. I could say that the EULA wasn't enforceable. I could say that if Lynn violated the EULA, it was only at the behest of plaintiff ISS, and I could cross-claim for indemnification.
But my best legal argument was that violation of an End User License Agreement is not a trade secret violation. "Improper means" includes a breach of a duty to maintain secrecy. But the EULA did not impose a duty to maintain secrecy. It was merely a promise not to reverse-engineer. A violation of that promise is a violation of contract, but not an improper means of discovering a trade secret. There was the possibility that Mike had information that was secret as to ISS and that he had promised to keep secret under his employment agreement or NDA. But the complaint didn't identify any ISS trade secrets, and Mike hadn't disclosed any ISS information other than whatever was in the presentation, so this was a great legal argument. Fortunately for Mike, I never got to make it to a judge, because we were able to settle the case within 24 hours. A lot of people have asked what the basis was for the injunction that the court entered, or why the court entered an injunction, or why Mike can't give out the slides from his presentation, and the answer to each question is the same. We agreed to an injunction to settle the case, and the reason we settled the case is because all Mike has to do is stuff he's mostly willing to do anyway, and Cisco and ISS will dismiss the lawsuit. At the point that you get sued, or even charged with a crime, it matters less what actually happened and whether you did something wrong and more what it takes to get out of the case as unscathed as possible. It's sad, but true, that our legal system can often be more strategy than justice. Though I wanted to fight the case, as a good advocate, I had to explore the possibility of settling it as well. (And I definitely didn't want to have to fly back to San Francisco for a court hearing the next morning!) Valentine, the Cisco/ISS lawyer, was pretty reasonable, and able to clearly state what exactly it was that his clients wanted, at least at that time of day. 
I went back to Lynn and Black Hat with his proposal and could see that we were close to an agreement. I called Valentine and told him, and he sent me bullet points representing the essence of our agreement. It was 1:30 a.m. I e-mailed back some comments, but we basically had a deal. Then the Black Hat people and I double-checked that the impounded official video of Lynn's presentation was safe and sound, and I went to bed. I woke up at 5:30 a.m. because the Black Hat lawyer and I were supposed to meet at 6 a.m. to get a copy of the settlement agreement that Valentine had courageously stayed up all night writing. We were hoping to get it signed before the 8:30 a.m. court hearing that day. Now, Valentine is licensed to practice in California and his bar number is close to mine, so we were admitted about the same year, and I imagine he's about my age, maybe a little older. At our age, staying up all night really sucks. For those of you in your 20s who are reading this, stay up all night now as much as you can before you lose the knack. By the time Valentine sent it to us, he was pretty raw, I'm sure. Not thinking, I redlined his proposal pretty heavily and sent it back to him with a breezy note. He was getting ready to leave for the court hearing, and I think my redlines might have broken his usually reasonable brain. His position basically went from "we're close to a deal," to "forget this, we have no deal and I've got court to go to." I was seriously disconcerted. If I was going to have a temporary restraining order hearing, I would have at least written a brief, and maybe even have showed up in San Francisco. I reminded Valentine that we'd agreed that if we were close, we'd postpone the hearing, and we were definitely close. He said he'd have to talk to his clients and he'd get back to me. 
So there I was, sitting with Mike on the Black Hat conference floor, unable to check my e-mail because you hackers sniff my password and lock me out of my own account, doing Lexis searches and waiting for word of whether we'd be arguing against a temporary restraining order in 30 minutes, or knocking out a deal. Luckily, there were bagels. After chilling out during his long drive, Valentine was true to his word, and his clients were willing to talk about a deal. We frantically scrambled to make the speaker phone in the hotel connect audibly to the conference phones in the courtroom, then told the judge that with a little talking, we might be able to settle the case in its entirety. Judges love that. So the Cisco/ISS team, which was about six people, retired to the attorney conference room in the lounge upstairs in the Federal Building, the Black Hat lawyer, Mike Lynn and I settled into the Black Hat suite at Caesar's Palace, and we got to work. Our basic agreement was that if Lynn and Black Hat agreed not to disseminate the presentation, the video or the decompiled code any further, and Lynn agreed not to disseminate any of the stuff he worked on while at ISS at all, then Cisco and ISS would drop the case. Everyone was cool with this. But if you've ever negotiated something, you know it is painstaking work. Even if you generally agree, you have to imagine everything that you might want and everything that you want to avoid. Then you have to draft language that describes clearly and precisely exactly that and no more, while still agreeing. We had a couple of bullet points at 1:30 a.m. the night before, but once you got all the lawyers together, everyone was able to think about other terms and conditions that might be nice to have, as well as things that might theoretically happen that should be prohibited. It's kind of a code among lawyers that what's said in settlement negotiations doesn't get blabbed around.
When working things out for our clients, lawyers sometimes take unofficial positions to see how it sounds, or think out loud, or act more rabidly than we really feel, staking out a position from which we can come down. So I'm going to try to keep to the code but still point out a few things about the agreement process. Overall, the lawyers in the conference were relatively reasonable, under the circumstances, especially since there wasn't inherently a lot of trust between the two sides. If you read the settlement agreement, you can reverse-engineer the issues with which each side was concerned. For example, ISS and Cisco insisted on stipulating between themselves that they had prepared an alternative presentation "designed to discuss internet security, including the flaw which Lynn had identified, but without revealing Cisco code or pointers which might help enable third parties to exploit the flaw, but were informed they would not be allowed to present that presentation at the conference." We insisted that the agreement specifically state that Lynn was not precluded from lawful discussions of internet security using materials lawfully obtained. Probably the most hotly debated provision was paragraph 9, where we all agreed that ISS and Cisco should be able to reassure themselves that at the end of this matter, Lynn would not retain any materials to which he wasn't entitled, and we all agreed that Lynn and others had privacy rights that should be honored, so we had to work out a process that would respect both concerns. We worked almost nonstop from 8:30 a.m. to 2:30 p.m., running on caffeine and cold bagels. Some lawyers were great with punctuation, some with grammar. I personally spent five whole minutes convincing everyone to change a "which" to a "whether." Sigh. At a certain point, you can lose sight of the forest because of all the trees. 
We had delays exchanging versions of the settlement documents because the Black Hat lawyer didn't have a laptop with him, and I kept getting my password sniffed and locked out of my e-mail account whenever I would use the wireless. (Did I mention how annoying this is? Oh, well. Live by the sword, die by the sword.) But by the afternoon we had something everyone agreed upon. As we were wrapping up, one of the opposing lawyers asked me if I was happy. "Happiness is a relative term," I responded, "and I'm relatively happy." That afternoon we reconvened in court (the Vegas team by telephone) to file the document with the judge. The judge entered the stipulated injunction immediately, Cisco and ISS promised to dismiss the case once and for all when we complied with the terms, and Team Vegas breathed a sigh of relief and made a date to drink expensive champagne together that very evening. Meanwhile, my parents retired to Vegas and I went off to have dinner with my mom and sister, and do some shopping in the Forum Shops. (The Granicks are from New Jersey.) It was Thursday at 6 p.m., and we were sitting at the Chinese place there, and my mother and I had just ordered a gigantic two-person Mai Tai. (Photo to be posted soon. Check back.) I was pix-messaging a phone photo of us drinking it to my father when the phone rang in my hand. The message was that there were two FBI agents looking for me and asking questions about Mike's presentation, that they were wandering around the floor of the Black Hat conference, that they were wearing suits and couldn't be missed, and that they "just wanted to talk." "Fuck that," I advised. Always judicious when dealing with law enforcement, I excused myself from my family meal, and ran back to the convention center to see what was going on. To be continued.... 
[1] http://www.granick.com/blog/ [2] http://www.granick.com/blog/lynncomplaint.pdf From isn at c4i.org Tue Aug 9 04:47:08 2005 From: isn at c4i.org (InfoSec News) Date: Tue Aug 9 04:56:14 2005 Subject: [ISN] Computer security not a telework hindrance, says advocacy group Message-ID: http://www.govexec.com/dailyfed/0805/080805p1.htm By Daniel Pulliam dpulliam at govexec.com August 8, 2005 The security of the government's computer systems is not an impediment to expanding agencies' use of telework, says a report from a cybersecurity public policy advocacy group. The 12-page report [1] urges agencies to allow employees to work from home using high-speed Internet connections and telephone lines. Fifteen years of pilot programs, legislative mandates, threats to cut funding and presidential directives have made little difference in the number of employees who are able to work away from the office, according to the report from the Arlington, Va.-based Cyber Security Industry Alliance. "Overall federal efforts are puny compared to the wide adoption of telework by the private sector," the report says. "Adoption of telework in the federal government began in 1990 and is on the upswing, but the level seriously lags private industry." According to a survey by the Dieringer Research Group of Milwaukee, Wis., 44.4 million Americans worked from home in 2004, up from 41.3 million in 2003, a 7.5 percent increase. About 14 percent of federal workers worked away from their main offices in 2002 and 2003, according to numbers from a May 2004 Government Accountability Office report [2]. Despite extensive Internet-based attacks on government computer systems [3], the report states that human error, not technological lapses, has been the cause of most major incidents of compromised computer information. 
Establishing solid network and physical security systems remains critical, and guidelines established by the National Institute of Standards and Technology provide broad direction for securing computer systems used by teleworkers. "It is a fairly common misconception that cybersecurity concerns are holding back telework in the federal government," said CSIA executive director Paul Kurtz. The barriers agencies face in expanding telework include a lack of financial incentives because agencies do not get to keep money saved through reduced overhead costs, and the preference of managers to have their employees in the same physical location. CSIA urged the Office of Management and Budget to include telework in its President's Management Agenda for e-government and for OMB to ensure that agencies comply with the Office of Personnel Management's emergency planning guidelines [4], which list telework as an important contingency planning tool. The report states that calls by Rep. Frank Wolf, R-Va., for agencies to meet minimum standards for telework went unheeded and requests for the results of a measure mandating that agencies create telework programs [5] or lose $5 million in funding went unanswered. Later this year, CSIA will hold a town hall-style meeting in the Washington area promoting telework. 
-=- [1] https://www.csialliance.org/resources/pdfs/CSIA_Telework.pdf [2] http://www.gao.gov/new.items/d04950t.pdf [3] http://www.govexec.com/dailyfed/0805/080505p1.htm [4] http://www.govexec.com/dailyfed/0904/090104dp1.htm [5] http://www.govexec.com/dailyfed/1204/121304d1.htm From isn at c4i.org Tue Aug 9 04:47:32 2005 From: isn at c4i.org (InfoSec News) Date: Tue Aug 9 04:56:30 2005 Subject: [ISN] Questions dog Cisco routers Message-ID: http://www.networkworld.com/news/2005/080805-cisco-routers.html By Ellen Messmer and Phil Hochmuth Network World 08/08/05 Heavy fallout continues on several fronts from a security researcher's recent disclosure that unpatched Cisco routers can be subverted by buffer-overflow attacks and shell-code exploits. Among the developments last week: Cisco continually revised its security bulletin, adding details as to how versions of unpatched IOS software could be undermined by a "specifically crafted IPv6 packet." Sources at Cisco say testing will continue indefinitely and could include findings related to more than simply IPv6-related exploits. The researcher who touched off the uproar, Michael Lynn, says he is now the subject of inquiries by FBI agents, and he continues to defend the propriety of his actions. The episode rekindled debate about "responsible disclosure," the notion that information about major security problems should be made public in a way that brings minimal risk to customers. According to Lynn and other experts, what Lynn described and demonstrated at the Black Hat Conference on July 27 could potentially lead to manipulation of Cisco router tables, denial-of-service attacks and access to confidential data. Through a security advisory, Cisco has indicated that the way some unpatched IOS routers handle IPv6, which has seen little adoption in North America outside of research labs, is a conduit for the type of buffer-overflow exploit revealed by Lynn. 
But last week, a Cisco spokesman acknowledged the exploit may be possible in other ways. "There's ongoing information gathering and more testing," says Cisco spokesman John Noh. Cisco last week also released a new patch for Cisco IOS-XR, its new carrier-focused router operating system, which was introduced last year for its CRS-1 Internet core router, and ported to the 12000 series of carrier routers this year. Experts and users say the hole in IOS appears not to be an immediate concern based on what is public knowledge at the moment, since patches are available. But what concerns some is that Lynn's exploit techniques take router hacking to a new level, which eventually could have security implications for Cisco customers. "Strategically, this is a very serious issue for Cisco," says David Lawson, vice president and director of global security practice at Greenwich Technology Partners, a New York integration and consulting firm that specializes in Cisco technology. "It proves something we've been saying in the security field for a long time, that a router is breakable." Many IOS exploits in the past would simply cause a router to crash or reload itself, he adds. "The big key to what [Lynn] did was to demonstrate a way to fool [the router] into thinking it was already crashing, so that it didn't initiate the shutdown sequence. If you can do that, that opens up the ability to open up other exploits. Now you can actually get code running that does god-only-knows what." Responsible disclosure? As for the question of responsible disclosure and whether Lynn represented that ideal or not, opinions continue to differ. "I personally wouldn't have done it the way he did it," says Justin Bingham, CTO at security vendor Intrusic, referring to Lynn's action in defying Cisco and Internet Security Systems (ISS) - his employer until he quit just hours before giving his demonstration. 
"I like my career being a security researcher and a lot of that is based on trust with your customers and other companies." Lynn, who has acknowledged breaking non-disclosure agreements in speaking out about the router exploit, says he took the step out of concern that withholding the knowledge would help would-be attackers and even posed a national security concern. "The vulnerability which I demonstrated-but didn't give any information about-was properly disclosed to Cisco months in advance," Lynn says. "They had patches publicly available for months before I went on stage. "That said, the disclosure debate is one that needs to happen. The idea of full disclosure is just about as dangerous as no disclosure at all. As with most things, we have to find the proper balance." While Lynn has settled one lawsuit with Cisco and ISS, agreeing not to disclose anything he knows about the exploit, his problems don't seem to be over. The FBI is investigating him and interviewing friends and roommates, he says. ISS, which declined to discuss the Lynn matter last week, has sought to stop the spread of the electronic version of the presentation slides that Lynn showed at Black Hat-many of which are labeled with the ISS logo-by threatening legal action against Web sites posting them. ISS has benefited from its research by including preemptive protections for the vulnerabilities in its Proventia IPS product line and Internet Scanner products. ISS had been planning to make a big splash at Black Hat by unveiling the Cisco router flaw, but backed down when Cisco balked. But Lynn, after quitting his job at ISS, spoke out anyway. Customers want more info. Cisco customers say they would like to know about these types of security problems as soon as possible. "I'd like to be the first one to find out," says Bob Lescaleet, MIS department manager at Pace Suburban Bus Service, a government agency in Arlington Heights, Ill., serving a six-county region. 
"I'm not sure Cisco should have kept this quiet as long as they have." John Monaghan, vice president of IT for Marnell Corrao Associates, a Las Vegas construction and architectural firm that uses Cisco routers and firewalls in its corporate and field offices, says he was troubled that Cisco was working with ISS on how to present the shell-code exploit at a hacker conference, but not telling customers about the potential threat. "We are concerned that a vulnerability has existed, and that Cisco didn't come clean and let us know about it," Monaghan says. "As far as getting information from Cisco, it's more of a pull from our end than a push from their end. You had to dig through an awful lot of rhetoric to find out that this vulnerability only has to do with IPv6." "As a user, you worry if there's stuff out there already in the wild," says Dennis Schwind, network specialist at Miami University in Oxford, Ohio. "Cisco is not telling us anything about" the shell-code exploit, he says. "You're just left saying, I sure as hell hope this isn't big. That's really what you're left [with], because there isn't any real detail on what the real impact would be if this is exploited other than the 'execution of arbitrary code,'" he says, referring to language used in Cisco's security notice issued last week. Microsoft weighs in Microsoft last week offered its view on responsible disclosure, saying it entails seeking to ensure there's a fix in place before publicly identifying a flaw-but that there should a time frame for this, says Stephen Toulouse, Microsoft's security program manager in the Microsoft security response center. In general, Microsoft supports the Guidelines for Security Vulnerability Reporting and Response published under the aegis of the Organization for Internet Safety. 
These guidelines, while declaring there's "no single universally appropriate time frame for investigating and remedying security vulnerabilities," do state that 30 days is a "good starting point." The guidelines also suggest a 30-day "grace period" during which the remedy and information about the security problem is shared only with people and organizations "that play a critical role in advancing the security of users, critical infrastructures and the Internet." However, Toulouse says if a security vulnerability is highly critical, he would consider releasing information within a day. Symantec, which has IPS products but doesn't do the type of security research ISS does, didn't have the advance knowledge about the exploit that ISS did, says Alfred Huger, senior director of engineering at Symantec Security Response. Nonetheless, he noted that sometimes researchers do share information about exploits across vendor boundaries, usually based on personal relationships. Huger says Symantec would probably have treated the situation differently than ISS and Cisco did based on its own corporate guidelines for responsible disclosure, which give an IT vendor 30 days to correct an identified problem before going public. McAfee President Gene Hodges said his company's policy is "to share as much information as you need to share and nothing more." The Cisco router flaw is "a very important vulnerability, probably one that's had the biggest impact of anything we've seen all year." Among the questions surrounding the Cisco router exploit is whether a researcher's attempt to use reverse engineering and disassemble code to discover flaws is illegal - a charge raised against Lynn by Cisco and ISS in legal filings. "In the anti-virus business, that's exactly what we do," Hodges says. "You put it in the de-compiler and try to figure out how it operates." 
Mark Rasch, chief security counsel at security firm Solutionary in Omaha, Neb., says, "Reverse engineering is not clearly illegal." Lynn maintains that he was simply following orders from his then-employer. "It seems to me there is a license agreement dispute over that now, but the license was with ISS, not me," Lynn says. From isn at c4i.org Tue Aug 9 04:47:45 2005 From: isn at c4i.org (InfoSec News) Date: Tue Aug 9 04:56:59 2005 Subject: [ISN] Huge ID theft ring affects at least 50 banks Message-ID: http://software.silicon.com/security/0,39024655,39151163,00.htm By Ingrid Marson 9 August 2005 A major identity theft ring discovered last week has affected the customers of at least 50 banks, according to Sunbelt Software, the security firm that uncovered the operation. The operation, which is thought to be under investigation by the FBI and Secret Service, is currently gathering personal data from compromised machines and sending them to a server where they are saved in a file. Sunbelt Software said on Monday that in the two days it has been monitoring the file it has seen confidential financial details of the customers of the Bank of America, PayPal and up to 50 international banks, according to Eric Sites, the vice president of research and development at Sunbelt. Sites said: "For almost every bank that is listed [in the file], it's possible to get into the person's account." As well as passwords for online banking sites, information on credit cards has also been gathered. Sites said that Sunbelt had found one customer's credit card number, expiry date and security code as well as their name and address, which would allow anyone to use their credit card. The data theft was initially reported to be carried out by a modified variant of a spyware application, called CoolWebSearch (CWS) but Sunbelt has now found that the activities are carried out by a mail zombie and a separate Trojan, which is downloaded at the same time as CWS. 
The malicious code is hosted on a website that mainly hosts pornography, which Sites was unwilling to name. Users of Windows XP who have not installed SP2 are particularly vulnerable as the code will be automatically downloaded without the user's knowledge. Sunbelt is currently investigating whether users of earlier Windows versions, such as Windows 2000 and Windows ME, are also vulnerable. "If you have an unpatched Windows machine, when you go to the URL it will automatically download everything from the website, including the Trojan. All you have to do is type in the URL and you're hosed," said Sites. The Trojan is a new variant, so antivirus and anti-spyware vendors do not yet block it, according to Sites. Sunbelt plans to send information on the Trojan to security firms as soon as possible. The Trojan carries out keylogging, and also gathers information stored by Internet Explorer's auto-complete function. This data includes any information that has been typed into forms, including usernames and passwords. Two variants of the data-stealing Trojan have been found, one of which sends data to a publicly available server, which is being monitored by both Sunbelt and the Secret Service, according to Sites. He claimed this server will not be shut down straight away so that the FBI and Secret Service can track down the perpetrators. Sunbelt believes the operation has only been running for a couple of weeks and has affected a "couple of thousand machines", according to Sites. An FBI spokesperson was unable to confirm whether or not an investigation was taking place. Ingrid Marson writes for ZDNet UK From isn at c4i.org Tue Aug 9 04:48:16 2005 From: isn at c4i.org (InfoSec News) Date: Tue Aug 9 04:57:13 2005 Subject: [ISN] More Tales From 'Ciscogate' Message-ID: http://www.wired.com/news/technology/0,1282,68466,00.html By Jennifer Granick Aug. 
08, 2005 Attorney Jennifer Granick represented computer security researcher Michael Lynn in his conflict with Cisco and ISS at the Black Hat conference. The following is reprinted from her blog [1] with permission. The story so far [2]: Cisco and Internet Security Systems sued Mike Lynn and Black Hat immediately following Mike's speech on vulnerabilities in Cisco's widely used internet routers. The lawyers scrambled, and we were able to settle the case cheaply and expeditiously within 24 hours. We had plans to drink expensive champagne. But then, mere hours after we filed the settlement papers, FBI agents showed up on the conference floor and started asking questions. I hurried away from my mother and our giant mai tai to the Black Hat area, where I found two men, obviously FBI agents, talking with the Black Hat lawyer. The agents told us that they were from the Las Vegas office, that they were visiting at the request of the Atlanta office (close to where both Lynn and ISS are located) and that they weren't currently interested in talking with Mike. One of the very next things I did was call Andrew Valentine, the Cisco/ISS lawyer. After spending hours working together, settling this case, after the bonhomie and the virtual handshakes, they'd still have a federal investigation hanging over our heads? I was really mad. Unfortunately, Valentine didn't answer the phone. If he had, I would have learned that he didn't know about the federal investigation. Instead, I left him a voicemail in which I definitely used the word "sleazy" more than once. I then turned on the general counsel for Cisco and the outside lawyer for ISS. Both calmly informed me that they hadn't known about the federal investigation before my call. Valentine got one more call from me, apologizing for assuming he'd screwed us over. The next step was to find out the extent of the federal interest in this matter and what they were investigating. 
I'm limited about what I can say on this point, as it is rarely a good idea to talk about the details of an ongoing federal investigation. I will say that there are currently no criminal charges, and I'm confident that there won't ever be, that the investigation soon will end, and that Mike will be able to go on with his life. I can talk about the work I did and everything that unraveled next, however. This should give you some idea of what a lawyer's job entails when she's not in court. The first thing I did was go back to my room and call the Las Vegas FBI office. I notified the agent in charge that I represented Mike Lynn and that he was asserting his Fifth and Sixth Amendment rights not to be questioned outside my presence. (Tip: Always assert both your right to remain silent and your right to have an attorney present.) I asked to confirm that there was no arrest warrant, and the person answering the phone said she'd leave a message for the lead agent. I then did the same for the Atlanta office. I asserted Mike's constitutional rights on his behalf, and asked for confirmation that there was no arrest warrant. I also wanted to learn who the assistant U.S. attorney on the case was. Every federal investigation has a prosecutor assigned to it, even before charges are filed. The prosecutor is the person to convince of your client's innocence, or at the very least, that your client should be allowed to self-surrender on a warrant rather than getting nabbed in front of his children or at work. (Another tip: Don't try to convince law enforcement of your own innocence. Get a lawyer. Really.) The agent who answered at the Atlanta office told me he'd leave a message and get back to me. It was 9 p.m. Vegas time and midnight on the East Coast. I figured everything probably would be all right, at least until the morning, and I could go to the Microsoft party at Pure, the new nightclub in Caesar's Palace. 
I left a message for Mike on his friend's phone, since his own mobile phone had spitefully decided to die. Pure was a little cavernous for the size of our crowd, but it looks great: a dark dance floor framed by white gauzy private tables. They didn't have Rumplemintz, now my new favorite drink, but they did have a full bar, and I was up for a drink. I hadn't been to any talks or chatted with anyone at the conference, so this was my first chance to talk to other attendees. And great people were at this party. I met the unindicted co-conspirator of one of my past clients as well as an old hacker friend turned spook turned respectable private citizen who I hadn't seen in several years. Then my cell phone began to ring. I want to give a little background before I chronicle the hysteria of the next three hours. First, everyone at the conference knew immediately that FBI agents had come by asking questions about Mike and the Cisco IOS presentation. The agents stuck out in the crowd because of their business suits. Though both lacked the tell-tale facial hair that often characterizes county officials, they were clearly law enforcement. Second, the Black Hat/DefCon crowd is filled with both conspiracy theorists and reporters, and sometimes the two types overlap. So all the hens were clucking, passing stories to each other and distorting the information between tellings. When my phone started to ring, it was friends of mine, friends of Mike's and various reporters calling. I received about five calls, all with rumors that Mike was in the process of getting arrested, in custody, that his house in Atlanta had been raided, or that agents were swarming the hotel looking for him. I tried but couldn't reach Mike. Worried, I gathered my stuff and left the party, returning to my room to call the government, just as Pure was shooing all the hackers out to make room for the beautiful people of Vegas. It was 11:30 p.m. I called the Las Vegas FBI office. 
The agent told me he couldn't check on arrest warrant information without Mike's date of birth. I estimated the year, but that wasn't good enough. I had to talk to Mike, but his cell phone was dead. Again, I left a message with friends. Then I called the Atlanta office. The night agent was extremely helpful, but it was 3 a.m. there, the office was closed and the agents had all gone home. The night person gave me the name of the Atlanta agent and said she would have him call me first thing the next day. She had no other information for me. My phone rang and it was Mike, not yet arrested after all, calling with his birth date. Relieved, I called the Las Vegas office. But between now and my last call, the only agent on duty had gone home. The woman answering the phone was just a clerk and said she couldn't give me any information until the office reopened the next morning. Just because he wasn't arrested didn't mean he wouldn't be, so I had to know about the arrest warrant. But this clerk wasn't talking. One of the things they don't tell you in law school is how much schmoozing the job requires. They also don't train you how to calculate whether being sweet, being annoying or being self-righteous will best help you get your way. Only experience can really teach this. I opted for a combination of all three. I explained how worried I was, how my client was a nice young man, more than willing to turn himself over and save everyone a lot of trouble if only she could help me. Then I suggested it was their fault we were all in this situation. After all, I called just a half hour ago. No one told me that the office would close. If I had known, I would have done things differently. I need this information. If you want this guy, I have him right here, I said. I kept asking the same questions different ways. The agent became a little annoyed with me, but then promised to call the Las Vegas agent I'd met and leave him a message. "Will he call me back tonight?" I asked. 
"Maybe," she said. And we hung up the phone. Amazingly, he did call me back that night. Groggy from sleep, the agent called me from his cell phone at 12:30 a.m. He told me there was no arrest warrant and no agents from his office looking for Mike. I was surprised and grateful for the call, and very impressed with the agent's consideration. So I called Mike again, and told him to come meet me at the Caesar's Palace bar. I bought him and his friend a drink, and reassured him that arrest was not imminent. Our work was done until tomorrow morning. Some shmoo friends joined us and we all headed to Tangerine at Treasure Island, where the Microsoft party crowd had gone, to try to salvage the rest of the night. At Tangerine, there was a long line waiting to get in. My schmoozing abilities were already warmed up, so I walked up to the bouncer at the VIP door and simply asked to be let in. The bouncer agreed and I was escorted inside. I waited for Mike and his friends, but as far as I know, they didn't make it in after me. I thought about going back to the bouncer to advocate for them, but decided against it. "I can only do so much," I told myself. "I'm just a lawyer." In one of the more intelligent moves of the day, I left Tangerine at the reasonable hour of 3 a.m. and headed home for some sleep, confident that Mike was definitely not in jail. My phone rang the next morning at 5 a.m. It was the Atlanta FBI agent, responsibly returning my call first thing in the morning, exactly as I'd asked him to do. It had seemed like a good idea to be called at first light when I hadn't known whether my client was in jail. We had a conversation, and I think it went well. That's all I can tell you. A reporter's call woke me next at 7 a.m. Sleepily, I decided that I should confirm the existence of a federal investigation, but assure people that the rumors of incarceration and computer seizures were false. 
I was pretty awake after that call, or at least I wasn't about to go back to sleep, and apparently I'd received the name and number of the assistant U.S. attorney when the Atlanta agent called earlier, so I called him. I then called Mike to meet me so I could update him on that conversation. On the way to talk to Mike, I got a text message from the Cisco general counsel, returning my call from the night before, stating he had information for me and asking me to call him. I almost didn't call, because by now I'd already talked to the government and knew what was happening. But since he was nice enough to get back to me, I dialed him on my way out the door. He informed me that, in direct violation of the court-ordered settlement injunction filed just the day before, someone had failed to take Mike Lynn's presentation off of the Black Hat web server. He told me to prepare to go back to court for a possible contempt hearing later that day. A little frazzled, I hurried down to the Caesar's coffee shop to meet Mike. But I'd forgotten to put in my contact lenses, and didn't realize until I got off the elevator. I couldn't even see if Mike was waiting for me or not. It was going to be another long day. The Black Hat lawyer scrambled to undo the damage. Mike wasn't responsible for the Black Hat server, but this was a serious gaffe that could scuttle the whole settlement we'd worked so hard to obtain. Eventually, through an excess of diplomacy, Black Hat was able to convince the plaintiffs' lawyers that the error was inadvertent and that the settlement should go forward. No one was having an easy week. Meanwhile, people were still calling me with arrest rumors and tales of Atlanta search-warrant executions. I was pulled out of one DefCon talk three separate times to confront rumors that Mike hadn't made it through security at the airport. One caller told me he had received that bad news directly from Mike. 
But upon further questioning, I learned that they had last talked an hour earlier than when I last talked with my client and everything had been fine. Everyone means well, but when dealing with something like a federal investigation that they don't understand and don't trust, the truth is hard to find. Today, Mike's responsibilities under the settlement agreement are almost complete, and I expect the civil case to be dismissed very soon. As for the federal investigation, there was only so much more I could do for Mike in Las Vegas. He would return to Atlanta and I to San Francisco. An Atlanta lawyer who was familiar with the U.S. attorney's office there would be in a better location to monitor the situation on the ground. When Mike returned to Atlanta, he hired a great lawyer there. I'm optimistic about the outcome and looking forward to the day when Mike and I get to have that glass of champagne. Mike quit his job to give a presentation his employer didn't want him to give. But he did so out of a sense of responsibility to internet security. I'm proud that my employment [3] doesn't make me choose between the two. -=- [1] http://www.granick.com/blog/ [2] http://www.wired.com/news/technology/0,1282,68435,00.html [3] http://cyberlaw.stanford.edu/ From isn at c4i.org Tue Aug 9 04:45:36 2005 From: isn at c4i.org (InfoSec News) Date: Tue Aug 9 04:57:40 2005 Subject: [ISN] NZ the victim of faulty intelligence from IBM Message-ID: http://www.stuff.co.nz/stuff/0,2106,3369744a28,00.html 08 August 2005 IBM has erroneously identified New Zealand as the world's second largest source of worm, virus, phishing and hacking attacks during the first half of the year. The claim was made in its Global Business Security Index Report, a regular report the company produces on internet threats. 
IBM said in a statement issued in Armonk, New York that during the first half of the year 12 million such internet attacks were launched from the US, 1.2 million from New Zealand and one million from China. The rankings are given in absolute terms - rather than per head of population - meaning that, if correct, New Zealanders would be responsible for hundreds of times their share of internet crime.

IBM New Zealand spokeswoman Rachel Dahlberg says references to New Zealand as the second largest source of internet crime were removed from a report issued by IBM earlier this year after doubts emerged about their accuracy. She says that due to the way the internet addressing system works, internet attacks launched from a number of other countries, including South Korea, had been identified as originating from New Zealand.

"New Zealand does not have a unique range of IP addresses blocked for itself as a country, as is the case with many other countries. We intend to further investigate the raw information supplied to us by external sources and how this can be improved to more accurately represent the New Zealand figures."

IBM's statement said the report was put together based on information provided by IBM's 3000 information security professionals. Its findings are widely reported overseas.

From isn at c4i.org Tue Aug 9 04:46:37 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 9 04:58:00 2005
Subject: [ISN] Linux Security Week - August 8th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  August 8th, 2005                         Volume 6, Number 33n      |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas       ben@linuxsecurity.com    |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. 
The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "Ten Reasons towards Cryptography," "Linux Security: Is it Ready For The Average User," and "The Threat From Within."

---

## Internet Productivity Suite: Open Source Security ##

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more!
http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

LINUX ADVISORY WATCH

This week, advisories were released for gaim, gopher, pdns, apt-cacher, ethereal, im-sdk, selinux-policy-targeted, gamin, pam, netpbm, mkinitrd, kde, arts, NetworkManager, labraw, ckermit, httpd, gphoto, coreutils, iiimf, yum, gimp, redhead, zlib, fetchmail, sandbox prsotext, proftpd, nbsmtp, dump, and SquirrelMail. The distributors include Debian, Fedora, Gentoo, and Red Hat.
http://www.linuxsecurity.com/content/view/120030/150/

---

Network Server Monitoring With Nmap

Portscanning, for the uninitiated, involves sending connection requests to a remote host to determine what ports are open for connections and possibly what services they are exporting. Portscanning is the first step a hacker will take when attempting to penetrate your system, so you should be preemptively scanning your own servers and networks to discover vulnerabilities before someone unfriendly gets there first.
http://www.linuxsecurity.com/content/view/119864/150/

---

Linux File & Directory Permissions Mistakes

Greetings, gentle reader, and welcome to linuxsecurity.com and our new recurring series of articles on security-related mistakes and how to avoid them. 
I'm your host, Pax Dickinson, and today we'll be reviewing basic Linux file and directory permissions and how to avoid some common pitfalls in their use, in this episode of Hacks From Pax.

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
http://www.linuxsecurity.com/content/view/119415/49/

---

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Ten Reasons towards Cryptography
  5th, August, 2005

  Cryptography is already the de facto way of securing sensitive web traffic and it is now reaching across the entire enterprise as companies start to use industry-standard protocols such as SSL internally - even between servers only a few feet apart.
  http://www.linuxsecurity.com/content/view/120032

* Exploit writers team up to target Cisco routers
  1st, August, 2005

  It's Saturday night, a time for blowout parties at the annual DEF CON hacker convention, including the Goth-flavored Black and White Ball.
  But a half dozen researchers in the nondescript room quietly drink, stare at the screens of their laptops, and in low voices, discuss how to compromise two flat metal boxes sitting on a sofa side table: Cisco routers.
  http://www.linuxsecurity.com/content/view/119990

* Google now a hacker's tool
  2nd, August, 2005

  Although security software can identify when an attacker is performing reconnaissance work on a company's network, attackers can find network topology information on Google instead of snooping for it on the network they're studying, he said. This makes it harder for the network's administrators to block the attacker. "The target does not see us crawling their sites and getting information," he said.
  http://www.linuxsecurity.com/content/view/120001

* What to do before an IOS disaster strikes
  2nd, August, 2005

  Last week, former Internet Security Systems researcher Michael Lynn presented at the Black Hat USA 2005 conference a reliable process that could be used to exploit Cisco routers running the Internetworking Operating System (IOS.) Even though the exact exploit demonstrated during his presentation was not disclosed, Lynn showed enough details to prove that the exploit is real and that previous misconceptions that routers and switches are not exploitable are false.
  http://www.linuxsecurity.com/content/view/120009

* DNS servers - an Internet Achilles heel
  3rd, August, 2005

  Hundreds of thousands of Internet servers are at risk of an attack that would redirect unknowing Web surfers from legitimate sites to malicious ones.
  http://www.linuxsecurity.com/content/view/120014

* Worms could dodge Net traps
  5th, August, 2005

  Future worms could evade a network of early-warning sensors hidden across the Internet unless countermeasures are taken, according to new research. In a pair of papers presented at the Usenix Security Symposium here Thursday, computer scientists said would-be attackers can locate such sensors, which act as trip wires that detect unusual activity.
  That would permit nefarious activities to take place without detection.
  http://www.linuxsecurity.com/content/view/120034

* Key bugs in core Linux code squashed
  4th, August, 2005

  Serious security bugs in key parts of the latest Linux code have been fixed, but some small glitches have been introduced, according to a recent scan.
  http://www.linuxsecurity.com/content/view/120026

* Flaws Found in MySQL Tracking System
  2nd, August, 2005

  Flaws have been found in MySQL Eventum 1.5.5 and prior that allow malicious users to conduct cross-site scripting and SQL injection attacks.


  http://www.linuxsecurity.com/content/view/120000

* Car Whisperer
  3rd, August, 2005

  The carwhisperer project intends to sensibilise manufacturers of carkits and other Bluetooth appliances without display and keyboard for the possible security threat evolving from the use of standard passkeys.
  http://www.linuxsecurity.com/content/view/120013

* The Sniffer vs. the Cybercrooks
  1st, August, 2005

  The investment bank, despite billions in annual revenue and the small squadron of former police, military and security officers on its payroll, was no match for Mark Seiden.

  "Tell me the things you most want to keep secret," Mr. Seiden challenged a top executive at the bank a few years back. The executive listed two. One involved the true identities of clients negotiating deals so hush-hush that even people inside the bank referred to them by using a code name. The other was the financial details of those mergers and acquisitions.
  http://www.linuxsecurity.com/content/view/119991

* Linux Security - Is it Ready For The Average User?
  1st, August, 2005

  There seems to be a new important security patch out for Linux every month, lots of "do not use this program" warnings, too many articles and books with too little useful information, high-priced consultants, and plenty of talk about compromised systems. It is almost enough to send someone back to Windows. Can the average Linux user or system administrator keep his or her system secure and still have time to do other things?
  http://www.linuxsecurity.com/content/view/119993

* Cyber-criminals turn to extortion and fraud
  3rd, August, 2005

  Governments, financial services firms and manufacturing companies are now the top targets for security attacks, according to research published today by IBM.
  http://www.linuxsecurity.com/content/view/120022

* An IT Manager's Guide to Provisioning and Identity Management
  4th, August, 2005

  With staff now requiring access to so many internal and external computer systems, all of which might require separate usernames, passwords and access privileges, identity management is far from straightforward. Learn what can be done to simplify identity management.
  http://www.linuxsecurity.com/content/view/120025

* A Hacker Games the Hotel
  1st, August, 2005

  A vulnerability in many hotel television infrared systems can allow a hacker to obtain guests' names and their room numbers from the billing system.
  http://www.linuxsecurity.com/content/view/119989

* Hackers Demonstrate Their Skills in Vegas
  2nd, August, 2005

  Even the ATM machines were suspect at this year's Defcon conference, where hackers play intrusion games at the bleeding edge of computer security.
  http://www.linuxsecurity.com/content/view/119998

* Wireless hijacking under scrutiny
  1st, August, 2005

  A recent court case, which saw a West London man fined £500 and sentenced to 12 months' conditional discharge for hijacking a wireless broadband connection, has repercussions for almost every user of wi-fi networks.
  http://www.linuxsecurity.com/content/view/119992

* The Threat From Within
  2nd, August, 2005

  Malicious insiders represent today's toughest challenge for security architects. Traditional database security tools such as encryption and access controls are rendered useless by a trusted employee who has--or can easily obtain--the right credentials. In addition, more users in the enterprise are getting database access, including DBAs, application developers, software engineers, and even marketing, HR, and customer support representatives. And whether spurred by revenge or tempted by easy money, insiders can sell their booty on a bustling information black market.
  http://www.linuxsecurity.com/content/view/119999

* Hackers cash in on 802.1x confusion
  3rd, August, 2005

  Companies are leaving their wireless networks exposed to hackers because of widespread failure to understand or implement 802.11x security systems, a survey has claimed.
  http://www.linuxsecurity.com/content/view/120015

* Hackers Say Wireless Is Weak
  4th, August, 2005

  Lock down your wireless network -- that's the message coming loud and clear now that the DefCon hacker convention has rolled through Las Vegas.
  http://www.linuxsecurity.com/content/view/120027

* Passing the conference 'sniff' test
  5th, August, 2005

  At last year's USENIX Security Symposium, Marcus Ranum was minding his own business -- checking his e-mail, updating his Web site, etc. -- when another conference attendee sent him an e-mail. In the text: Ranum's password. Ranum, known for his work in intrusion detection, later angrily confronted the sender at the conference about invading his privacy. Bill Cheswick, a well-known security expert who sent the offensive message, later chalked up his actions as just "a friendly nudge."
  http://www.linuxsecurity.com/content/view/120033

* Wireless Data Transmission Security
  5th, August, 2005

  The main purpose of our paper is to describe the various forms of wireless data transmission and to address the security concerns in each. The major form of wireless data transmission that we will be covering will be Wi-Fi. We will discuss security concerns, how to protect yourself, the future of Wi-Fi, and what it is used for in today's world.
  http://www.linuxsecurity.com/content/view/120039

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Aug 9 04:46:53 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 9 10:02:03 2005
Subject: [ISN] File breach prompts call for inquiry
Message-ID:

http://www.theage.com.au/news/national/file-breach-prompts-call-for-inquiry/2005/08/08/1123353263586.html

By Mathew Murphy
August 9, 2005

An industry group has called for a public inquiry into the way confidential information is handled, saying the disclosure of hundreds of police files by the Office of Police Integrity is just the "tip of the iceberg".
The Australian Computer Society said computer security was the missing link in the debate surrounding increased national security. It said it was "frighteningly easy" to obtain information. Karl Reed, from the society's Victorian branch, said an inquiry should look at who had access to confidential information and how it was distributed.

"We have sat and watched these things happen for 18 months now," he said, "so this problem doesn't just exist (in the OPI). It exists in a number of organisations. Let's do something, as we would in another public infrastructure failure, to see both what actually went wrong and what is the best practice for fixing it."

Mr Reed, an associate professor in computer science at La Trobe University, said information technology graduates across the country had next to no knowledge about handling secure information. He said training needed to be part of tertiary courses and certification. "We also need the creation of a major research centre that would focus on the issues of privacy and security in a modern technological society," he said.

ACS national president Edward Mandla said technological security needed to be tightened and a move must be made towards stopping computer users giving away their user names and passwords too freely.

From isn at c4i.org Wed Aug 10 02:34:34 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 10 02:44:31 2005
Subject: [ISN] Hackers hit college computer system - Identity theft fears at Sonoma State
Message-ID:

http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/08/09/BAGLJE50C81.DTL

Stacy Finz
Chronicle Staff Writer
August 9, 2005

Hackers have broken into Sonoma State University's computer system, where they had access to the names and Social Security numbers of 61,709 people who either attended, applied, graduated or worked at the school from 1995 to 2002, university officials disclosed Monday. So far, there have been no reports of identity theft that can be linked to the break-in, which happened in July.
It was initially believed by the university's technical staff to be a virus, but it turned out to be the latest in what has become a nationwide security problem on college campuses. Last year, hackers gained access to more than 178,000 names and Social Security numbers of present and past San Diego State University students. Similar incidents were reported that year at colleges across California and in Georgia, Texas and New York. Jean Wasp, a spokeswoman for Sonoma State, said campus administrators don't believe the exposed data was stolen. Nonetheless, they are using e-mails to notify as many people as they can locate addresses for -- nearly 6,000 so far -- about the security breach. She said the university was hoping that the remaining 61,709 would learn of the break-in from news reports. The campus, located in Rohnert Park, is required by law to publicize the fact that the files were compromised. "We don't think (the hackers) took anything," Wasp said. "We don't really know what they were doing. They could have been using our system just to attack another system." Katharyn Crabbe, vice president for student affairs and enrollment at Sonoma State, said the intruder had found a weakness in a Microsoft Windows operating system that allowed access to seven workstations containing the confidential information. Then, the hacker used the school's system to break into other workstations outside the university. "All we know is that someone was in the room, so to speak," she said. As soon as university officials realized what was happening, they cleaned out the workstations to prevent the hacker from returning, and they are working with Microsoft to repair the weakness in the software, Crabbe said. The compromised data did not contain bank and financial information, credit card or driver's license numbers, she said. 
Sonoma State urged anyone whose information could have been breached to contact one of the three national credit-reporting agencies to start a free fraud-alert process. More information about how to go about the procedure has been posted on the school's Web site at www.sonoma.edu/uaffairs/incident.

Colleen Bentley-Adler, spokeswoman for the California State University chancellor's office, said at least 10 of their campuses had experienced these types of computer break-ins. One of the steps the university system is taking is dropping the use of Social Security numbers and instead assigning students and staff unique identifiers. "I think it's impossible to completely stop it from happening," she said. "But we're doing everything we can to make it more difficult."

From isn at c4i.org Wed Aug 10 02:34:56 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 10 02:44:53 2005
Subject: [ISN] Hackers Hijacking Phones, Running Up Huge Bills
Message-ID:

http://www.newsnet5.com/dontwasteyourmoney/4827952/detail.html

August 9, 2005

CLEVELAND -- Consumers are now accustomed to protecting their computers from viruses, pop-up ads, spyware and identity theft. But now, hackers are making a new effort to hit people where it hurts -- the wallet.

NewsChannel5 Consumer Specialist John Matarese reported that scam artists are using a virus to hijack modems and make expensive, long distance telephone calls to other countries. It happened to Richard Fahrenbruck, who said he found a $68 charge on his phone for a 37-minute call to New Guinea. Fahrenbruck said the charge was made by a firm called USBI.

The Indiana Consumer Counselor's Office has just requested an investigation into USBI and five similar billing companies. The agency said the companies are allowing the modem hijacking, while the company said it isn't doing anything wrong. USBI did agree to remove the charge from Fahrenbruck's bill. The family said they plan to check their computer for viruses.
Matarese said that consumers should contact their phone company and the third party billing company immediately if this happens to them. He added that consumers should be prepared for a fight as the charges might not be automatically removed.

Copyright 2005 by NewsNet5.

From isn at c4i.org Wed Aug 10 02:35:08 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 10 02:45:23 2005
Subject: [ISN] UK hacking suspect located in Greece
Message-ID:

http://www.smh.com.au/news/breaking/uk-hacking-suspect-located-in-greece/2005/08/10/1123353327433.html

Athens
August 10, 2005

Police on the island of Crete have searched the home of a British computer scientist who allegedly hacked into the site of a British insurance company to extort money from the firm, authorities say. The 54-year-old man from London, who was not otherwise identified, was located following cooperation with British authorities, police said in a statement. The suspect has not been arrested because the alleged crimes are not covered by the country's fast-track prosecution system.

In London, police confirmed they were co-operating with Greek authorities but did not give any details of the investigation or say whether they would seek the man's extradition, a police spokesman said.

Greek police, who seized computers and hard disks from the man's home on Monday, said in a statement that he allegedly cancelled dozens of insurance contracts and changed the firm's share price listed on the company's website. He also posted false statements, claiming company executives had been involved in fraud, and alleging that the firm adopted discriminatory policies against Muslims following the July 7 terrorist bombings in London. The suspect moved to the town of Sitia on Crete a year ago and was active in the local real estate market.
From isn at c4i.org Wed Aug 10 02:37:13 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 10 02:48:48 2005
Subject: [ISN] Microsoft's HoneyMonkeys Show Patching Windows Works
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=167600716

By Gregg Keizer
TechWeb News
Aug. 8, 2005

Microsoft unveiled details of its Strider HoneyMonkey research, a project that sniffs out sites hosting malicious code, and hands the information to other parts of the company for patching or legal action. The technical report outlines the concept of cruising the Web with multiple automated Windows XP clients -- some unpatched, some partially patched, some patched completely -- to hunt for Web sites that exploit browser vulnerabilities.

The HoneyMonkey concept, said Yi-Min Wang, the manager of the Cybersecurity and Systems Management Research Group, is completely different from the better-known honeypot approach to searching for malicious exploits. "Honeypots are looking for server-based vulnerabilities, where the bad guys act like the client. Honeymonkeys are the other way around, where the client is the vulnerable one."

Using 12 to 25 machines as the "active client honeypots," Wang's group instructed a PC to surf to one of the 5,000 URLs it had identified as potentially malicious; that PC ran unpatched Windows XP SP1. If it caught the site downloading software without any user action, it passed it on to a Windows XP SP2 honeymonkey, which in turn would pass it up the food chain if necessary to a partially-patched SP2 system, then to a nearly-fully patched SP2 PC (all but the most recent patch), and finally to a fully-patched SP2 computer.

In the first month, the honeymonkeys found 752 unique URLs operated by 287 Web sites that can successfully deliver exploit code against unpatched Windows XP PCs. That chain of monkeys gives Microsoft a good idea of the seriousness of the exploit being used by a site, as well as the size of the potential victim pool.
And if what Wang called the "end-of-the-pipeline monkey," the fully-patched SP2 system, reports a URL as an exploit, Microsoft knows it has a zero-day browser exploit on its hands, one for which no patch is currently available. "Once we detect a zero day exploit, we contact Microsoft's Internet Safety Enforcement Team and the Microsoft Security Response Center," said Wang.

In effect, the Strider HoneyMonkey project acts as a "lead generator" for both the security and legal enforcement arms of Microsoft. "If it's a bad site, we want to take the site down permanently," said Scott Stein, a senior attorney with Microsoft. To do that, Microsoft may turn to the site's hosting vendor or ISP to shut down the exploiter, or if that doesn't work, law enforcement.

"One of the most important things is getting this information into the hands of our customers," said Stephen Toulouse, program manager for Microsoft Security Response Center. "We can do that with a security advisory, or in a bulletin, to tell customers not only that 'here's the vulnerability,' but that this is actively being exploited and perhaps should be given priority for patching."

During the initial run of the project, the honeymonkeys demonstrated the value of keeping Windows XP up to date, said Toulouse. "One thing I'd stress out of this is the importance of keeping software up to date." An unpatched XP SP1 PC, for instance, would be vulnerable to 688 URLs and 270 sites, 91 and 94 percent, respectively, of all those uncovered by the honeymonkeys. But update to SP2, and those numbers fall to 204 and 115 (27 and 43 percent). Better yet, a partially-patched SP box -- one updated to those fixes released through early 2005 -- is vulnerable to only 17 malicious URLs and 10 sites (2 and 3 percent of all those found).
Wang's honeymonkeys -- the "monkey" name comes from the idea that the automated clients mimic a human's actions, as in 'monkey see, monkey do' -- found their first zero-day browser exploit in early July, when they identified a page using the Javaprxy.dll exploit that was already publicly known, but not yet patched. (The July 12 patch batch included one that employed a work-around fix for the Javaprxy.dll bug.) The page found by the honeymonkeys was the first URL reported to the Microsoft Security Response Center. Within two weeks, however, the honeymonkeys detected that over 40 of the 752 exploit URLs had started to "upgrade" to the exploit; the three Web sites responsible for all the pages were reported to the center.

While Wang or Toulouse wouldn't comment on whether the honeymonkey concept would be used to provide Internet Explorer 7 users with information about malicious sites in the future, Wang did say that the project was already being expanded. "We do expect to grow the network into the hundreds of machines so that we can scan millions of pages," he said. Already, the team is sending honeypots to a list of the most popular Web sites -- determined by the popularity of those sites in common search engines -- in an attempt to find out if exploiters have infiltrated the "good neighborhoods" of the Internet. Later, Wang intends to sic the honeymonkeys on URLs embedded in spam and phishing e-mails.

"We know that the exploiters won't try to host malicious software on the largest Web sites, because that's just too obvious," said Wang. "But what if they exploit the five-thousandth most-popular site?"
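The escalation chain the article describes (a URL is handed to the next, better-patched client only when the less-patched one was exploited; a hit on the fully-patched client means a zero-day) is modelled below as an added example. This is not Microsoft's Strider HoneyMonkey code: the sample URL set and the `visit()` oracle that stands in for a real client visit are constructed for illustration.

```python
"""Model of the HoneyMonkey escalation chain (added example, not Microsoft's code).

A real deployment learns whether a page performs a drive-by download by
visiting it with an instrumented client at each patch level.  Here that
observation is replaced by a constructed table so the chain logic can run
offline; the five patch levels follow the article's description.
"""
from urllib.parse import urlsplit

# Clients in the order the chain hands URLs upward.
LEVELS = [
    "XP SP1 unpatched",
    "XP SP2",
    "XP SP2 partially patched",
    "XP SP2 all but most recent patch",
    "XP SP2 fully patched",
]

# Constructed sample: the highest chain index each URL can still exploit,
# or -1 if no drive-by download happens on any client.
SAMPLE_EXPLOIT_REACH = {
    "http://a.example/drive-by.html": 0,
    "http://a.example/old-kit.html": 0,
    "http://b.example/needs-sp2.html": 1,
    "http://c.example/partial.html": 2,
    "http://d.example/zero-day.html": 4,
    "http://e.example/benign.html": -1,
}


def visit(url, level, reach=SAMPLE_EXPLOIT_REACH):
    """Stand-in for a client visit: True if a drive-by download occurred on
    a client at patch level `level` (constructed oracle, see module doc)."""
    return reach.get(url, -1) >= level


def run_chain(urls, reach=SAMPLE_EXPLOIT_REACH):
    """Send each URL up the chain.

    Returns (highest, zero_days): `highest` maps each exploit URL to the
    highest level index it exploited; `zero_days` lists URLs that exploited
    the fully-patched client at the end of the pipeline.
    """
    highest = {}
    zero_days = []
    for url in urls:
        top = -1
        for level in range(len(LEVELS)):
            # Escalate only while the less-patched client reported a hit.
            if not visit(url, level, reach):
                break
            top = level
        if top >= 0:
            highest[url] = top
        if top == len(LEVELS) - 1:
            zero_days.append(url)
    return highest, zero_days


def exposure_by_level(highest):
    """Per patch level: (name, exploit URL count, distinct site count) of
    pages that still work against a client at that level."""
    stats = []
    for level, name in enumerate(LEVELS):
        urls = [u for u, top in highest.items() if top >= level]
        sites = {urlsplit(u).hostname for u in urls}
        stats.append((name, len(urls), len(sites)))
    return stats


if __name__ == "__main__":
    highest, zero_days = run_chain(list(SAMPLE_EXPLOIT_REACH))
    total_urls = len(highest)
    for name, n_urls, n_sites in exposure_by_level(highest):
        pct = 100 * n_urls // total_urls if total_urls else 0
        print(f"{name:34} {n_urls} URLs / {n_sites} sites ({pct}% of exploit URLs)")
    print("zero-day candidates:", zero_days)
```

Each step up the ladder cuts the exposed URL and site counts, which is the patch-level comparison the article reports; a URL surviving to the last level is the case that gets escalated to the response center.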
From isn at c4i.org Wed Aug 10 02:35:24 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 10 02:49:20 2005
Subject: [ISN] Download Problem Interferes with IE Patch Release
Message-ID:

http://www.eweek.com/article2/0,1895,1846419,00.asp

By Ryan Naraine
August 9, 2005

Microsoft late Tuesday confirmed that its "critical" Internet Explorer patches had to be pulled after a hiccup caused some of the downloads to be corrupted. The glitch was detected by users attempting to install the IE patch from the Microsoft Download center.

"Shortly after we released the updates this morning we found that several of the Internet Explorer updates provided only to the Download Center were corrupted, breaking the digital signature and preventing them from installing," a post on the official Internet Explorer Weblog said. The patches posted on Microsoft Update and Windows Update were not affected by the glitch and are installing properly. "We've identified the problem, removed the affected updates from the Download Center, and will repost them shortly to correct the issue," said Jeremy Mazner, technical evangelist for Windows Vista and IE.

The cumulative IE update was part of the August release of six security bulletins from the software maker to cover eight vulnerabilities in the Windows operating system. The IE bulletin carries a "critical" rating and delivers patches for three separate remote code execution flaws in the world's most widely used browser.

The most serious of the three is a flaw in the way IE handles JPEG images. An attacker could exploit the vulnerability by creating a malicious JPEG image and luring a Web surfer to view the image. "An attacker who successfully exploited this vulnerability could take complete control of an affected system," the company said, adding that the malicious image could also be distributed via e-mail. The bulletin also includes patches for a cross-domain flaw in IE that could lead to system takeover and information disclosure attacks.
A third remote code execution bug was found in the way the browser instantiates COM Objects that are not intended to be used in Internet Explorer. This flaw could also be exploited by an attacker to take "complete control" of an unpatched system, Microsoft Corp. warned.

From isn at c4i.org Wed Aug 10 02:36:33 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 10 02:49:52 2005
Subject: [ISN] Huge ID theft ring affects at least 50 banks
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

PayPal and "International" banks (Canada/Europe) sounds like a potential big problem, unless it's just a marketing ploy......

Folks these things aren't going away but we need to become even more diligent with our risk management programs. It's beginning to look as though we need to start testing systems and reviewing audit findings of those businesses wherever our services are being used or channelled through.

Based on my research it was falling off expectations made back 5 - 6 years previous. Hence the introduction of privacy legislation. I wonder if privacy legislation is having the impact that it was designed for with the continued onslaught of e-crime. I also wonder if it will get to the point where a few examples will need to be made before businesses do whatever is necessary.

All the best,
Mark.

Mark E. S. Bernard, CISM, CISSP, PM,
e-mail: Mark.Bernard@TechSecure.ca; Web: http://www.TechSecure.ca; Phone: (506) 325-0444

----- Original Message -----
From: "InfoSec News"
To:
Sent: Tuesday, August 09, 2005 5:47 AM
Subject: [ISN] Huge ID theft ring affects at least 50 banks

> http://software.silicon.com/security/0,39024655,39151163,00.htm
>
> By Ingrid Marson
> 9 August 2005
>
> A major identity theft ring discovered last week has affected the
> customers of at least 50 banks, according to Sunbelt Software, the
> security firm that uncovered the operation.
>
> The operation, which is thought to be under investigation by the FBI
> and Secret Service, is currently gathering personal data from
> compromised machines and sending them to a server where they are
> saved in a file.
>
> Sunbelt Software said on Monday that in the two days it has been
> monitoring the file it has seen confidential financial details of
> the customers of the Bank of America, PayPal and up to 50
> international banks, according to Eric Sites, the vice president of
> research and development at Sunbelt.
>
> Sites said: "For almost every bank that is listed [in the file],
> it's possible to get into the person's account."
>
> As well as passwords for online banking sites, information on credit
> cards has also been gathered. Sites said that Sunbelt had found one
> customer's credit card number, expiry date and security code as well
> as their name and address, which would allow anyone to use their
> credit card.
>
> The data theft was initially reported to be carried out by a
> modified variant of a spyware application, called CoolWebSearch
> (CWS) but Sunbelt has now found that the activities are carried out
> by a mail zombie and a separate Trojan, which is downloaded at the
> same time as CWS.

From isn at c4i.org Wed Aug 10 02:36:53 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 10 02:50:15 2005
Subject: [ISN] Businesses May Not Report Cyber Attacks
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/08/09/AR2005080900907.html

By MARK SHERMAN
The Associated Press
August 9, 2005

WASHINGTON -- Most businesses do not report cyber attacks to law enforcement authorities, fearing the disclosure would harm their image and benefit rivals, FBI Director Robert Mueller said Tuesday.
This reluctance has become especially important at a time when identity theft is growing rapidly and terrorists are increasingly using the Internet, Mueller said in a speech to the InfraGard national conference, private companies that share security tips and expertise with the FBI. "Today a command sent over a network to a power station's control computer could be just as deadly as a backpack full of explosives," Mueller said. Business leaders last month announced an education campaign to better protect sensitive client information from hackers and other thieves, after a string of high-profile data thefts and losses. In June, CardSystems Solutions Inc. disclosed that a breach of its system that processes transactions between merchants and credit card issuers exposed 40 million accounts to possible fraud. Mueller's comments were based on an annual survey conducted by the FBI and the private Computer Security Institute that found just 20 percent of businesses reported computer intrusions last year, a figure that has held steady for several years. The reasons cited most often for keeping the incidents quiet were loss of business to competitors and potential damage to a company's image among consumers. Mueller said he understood those concerns and promised the FBI would be more sensitive in responding to computer hackings. "We also recognize that putting on raid jackets and rushing in may not be the best answer in situations such as those," he said. Businesses must overcome those fears, he said, and be more forthcoming in reporting computer hacking to authorities. "Maintaining a code of silence will not benefit you or your company in the long run," he said. "We cannot investigate if we are not aware of the problem." 
-=-

On the Net:

Computer Security Institute: http://www.gocsi.com/

InfraGard: http://www.infragard.net/index.htm

From isn at c4i.org Thu Aug 11 03:15:32 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 11 03:23:56 2005
Subject: [ISN] US schoolkids run amok on internet
Message-ID:

http://www.theregister.co.uk/2005/08/10/kutztown_13/

By Lester Haines
10th August 2005

US authorities are preparing to throw the book at 13 high school kids for "computer trespass" after the Dirty Baker's Dozen - aka the Kutztown 13 - bypassed school computer security measures to indulge in an orgy of net surfing and online chat.

The Pennsylvania perps face a 24 August meeting with the beak in the rather agreeably named Berks County juvenile court charged with computer trespass - an "offense state law defines as altering computer data, programs or software without permission" as AP explains. The possible punishments if they are found guilty include juvenile detention, probation and community service, although mercifully it appears that the prosecution will not be pushing for them to meet Ol' Sparky. Which is surprising, since the list of outrages perpetrated by the gang makes chilling reading indeed.

It all began last Autumn when the education authority supplied around 600 Apple iBook laptops to students at the high school. Naturally, they came complete with net-access-limiting filtering programme, and snooping software allowing the powers that be to see just what their charges were up to. The administrators had not, however, reckoned on the sheer determination and machiavellian cunning of the students. They quickly found the admin password allowing unrestricted internet access - not by a keystroke logging black op or extracting it from the IT manager at the point of a gun - but rather because it was taped to the back of every machine. Unsurprisingly, the miscreants immediately ran amok online, surfing with impunity and indulging in that most forbidden of fruits - iChat.
Naturally, in the same way as youngsters sent to borstal will normally complete their sentence rather better informed about improved criminal methodology than rehabilitated back into society, once the Kutztown 13 had access to the wild wild web, they became more sophisticated in their criminal activities. Although the admin password on some laptops was changed, the rascals cracked that using a decryption programme they found on the net. They also disabled the remote monitoring function and used it to spy on the administrators' own machines. Finally, and most disturbingly, AP reports that "at least one student viewed pornography". Hence the 24 August dateline with destiny.

The parents of the Kutztown 13 claim that the school has overreacted, and that the kids are being punished for making monkeys of the system, rather than any serious misdemeanour. One of the criminal masterminds, 15-year-old John Shrawder, reckons a felony conviction could hurt his future prospects. He told AP: "There are a lot of adults who go 10 miles over the speed limit or don't come to a complete stop at a stop sign. They know it's not right, but they expect a fine, not a felony offense."

Shrawder's uncle John agrees, and has set up a campaigning website to champion their cause. He said: "As parents, we don't want our kid breaking in to the Defense Department or stealing credit card numbers. But downloading iChat and chatting with their friends? They are not hurting anybody. They're just curious."

That's as may be. The school's legal representative, Jeffrey Tucker, insisted: "The students fully knew it was wrong and they kept doing it. Parents thought we should reward them for being creative. We don't accept that."

We're inclined to agree. Older readers will recall that such behaviour in our day would certainly have attracted a sound thrashing with the birch and most likely transportation to the antipodes. The problem with the kids of today is that...
[Editorial note: The remainder of this analysis of the state of modern youth can be heard later today in the snug of Ye Olde Boy in Witheringspoonhampton where our correspondent will be found - as ever - muttering "When I were a lad..." into his foaming flagon of Thruppleton's light and mild].

From isn at c4i.org Thu Aug 11 03:15:44 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 11 03:24:17 2005
Subject: [ISN] Jury Deliberates in Computer Theft Trial
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/08/10/AR2005081001661.html

By DAVID HAMMER
The Associated Press
August 10, 2005

LITTLE ROCK, Ark. -- A federal jury began deliberations Wednesday in the trial of an accused computer data thief in one of the largest federal computer theft cases.

Scott Levine, former chief executive of the bulk e-mail firm Snipermail.com Inc., based in Boca Raton, Fla., faces 144 counts from a July 2004 indictment in what prosecutors described as one of the largest computer crime cases ever.

Levine is accused of stealing 8.2 gigabytes of information from Little Rock-based Acxiom Corp., one of the world's largest database companies. The violations occurred from around April 2002 to August 2003. The 1.6 billion records included names, home addresses, phone numbers, e-mail addresses, bank and credit card numbers involving millions of individuals. But prosecutors determined that no identity fraud was committed. There was, however, a sale of information to a marketing company, prosecutors say.

In a four-week trial filled with high-tech testimony, both sides tried to simplify their arguments through symbolism. Defense lawyer David Garvin pleaded Levine's innocence using an oft-quoted parable about a child saving starfish sent ashore to die by the uncontrollable tide. Prosecutor Karen Coleman countered with her own analogy.

"Scott Levine's username was Snipermail13 - why was 13 chosen? Because that was the number of Miami Dolphins quarterback Dan Marino," Coleman said. "And just like a quarterback leads the team, Scott Levine led the crime."

Like Coleman, Garvin attached significance to the computer name used by Levine's brother-in-law Mike Castro, one of the six Snipermail employees who pleaded guilty to acting as Levine's coconspirators in exchange for their testimony against Levine. Castro's username was Snipermail007. Garvin said Castro thought of himself as a secret agent, a computer James Bond who could use his tech-savvy to frame Levine, a boss who once was so ill-at-ease with computers that he had to write out his e-mails by hand.

Assistant U.S. Attorney Todd Newton asked jurors to focus on the work done on Levine's personal laptop computer, using monitors to show jurors online chats among Snipermail employees about Levine's pet project of downloading as many Acxiom files as possible.

Prosecutors say Levine was using the files to start postal mail marketing campaigns and to bolster Snipermail's contact lists to make the company look more attractive for a multimillion-dollar buyout.

Jurors were to resume deliberations Thursday morning.

© 2005 The Associated Press

From isn at c4i.org Thu Aug 11 03:15:55 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 11 03:24:41 2005
Subject: [ISN] All speed camera fines in doubt
Message-ID:

http://www.news.com.au/story/0,10117,16204811-1242,00.html

August 10, 2005

EVERY fine issued by speed cameras could be invalid, after the Roads and Traffic Authority admitted yesterday it could not prove the authenticity of the pictures they take.

In a double blow to the RTA, The Daily Telegraph can also reveal that Sydney Harbour Tunnel cameras monitoring toll cheats have been switched off for at least three years - and no penalties handed out.
The revelation came as Sydney magistrate Lawrence Lawson threw out a speeding case after the RTA said it had no evidence that an image from a camera had not been doctored.

Mr Lawson had adjourned the case in June, giving the RTA eight weeks to produce an expert to prove pictures from a speed camera on Carlingford Rd, Epping, had not been altered after they were taken. He said it was a matter of public interest and the RTA should be given time to back up its case.

But RTA lawyers yesterday told Hornsby Local Court they could not find an expert and the case was thrown out, with $3300 in legal costs awarded to the motorist, a man allegedly caught speeding through a school zone on November 18 last year.

Lawyer Dennis Miralis, who has won several high-profile cases against the RTA involving speeding motorists, said the case proved a public inquiry into speed cameras was desperately needed.

"The integrity of all speed camera offences has been thrown into serious doubt and it appears that the RTA is unable to prove any contested speed camera matter because of a lack of admissible evidence," Mr Miralis said.

The case revolved around the integrity of an MD5 hash, a value produced by a mathematical algorithm and printed on each picture as a security measure to prove pictures have not been doctored after they have been taken. Mr Miralis argued that the RTA had to prove the algorithm it used was accurate and could not be tampered with.

He said: "It is our understanding that since speed cameras were introduced approximately 15 years ago on NSW roads, not one single speed camera photograph has been capable of proving an offence."

The NSW Law Society said the judgment could "open the doors" for other drivers caught by speed cameras to mount the same defence.
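The evidentiary point behind this case, as an added example that is not part of the article and does not describe the RTA's actual system (the article says only that an MD5 value is printed on each picture): a plain hash stored with the image catches accidental corruption, but anyone able to edit the image can recompute it, so it says nothing about who produced the file. A keyed tag (HMAC-SHA256 here) fails verification unless the altered file was tagged by a holder of the key. The sample image bytes, function names and key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a camera photograph; the real image format and
# stamping procedure are not described in the article.
ORIGINAL_IMAGE = b"JFIF\x00 camera=Carlingford-Rd date=2004-11-18 plate=ABC123"
# The same "photograph" after a hypothetical edit to the number plate field.
EDITED_IMAGE = ORIGINAL_IMAGE.replace(b"ABC123", b"XYZ789")


def md5_stamp(image: bytes) -> str:
    """Scheme 1 (as the article describes it): an unkeyed MD5 digest computed
    over the picture and published alongside it."""
    return hashlib.md5(image).hexdigest()


def md5_verify(image: bytes, published_digest: str) -> bool:
    """Recompute and compare. Accepts any image whose digest matches, no
    matter who computed that digest."""
    return hmac.compare_digest(md5_stamp(image), published_digest)


def hmac_stamp(image: bytes, key: bytes) -> str:
    """Scheme 2 (added here, not the RTA's): a keyed tag. Only a holder of the
    key can produce a tag that verifies, so the tag also speaks to provenance.
    SHA-256 is used because MD5 collisions had already been published by 2004."""
    return hmac.new(key, image, hashlib.sha256).hexdigest()


def hmac_verify(image: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(hmac_stamp(image, key), tag)


def compare_schemes(key: bytes) -> dict:
    """Run both schemes over the original and the edited picture and report
    which checks accept which file. Every value is True when the schemes
    behave as described in the comments."""
    original_md5 = md5_stamp(ORIGINAL_IMAGE)
    original_tag = hmac_stamp(ORIGINAL_IMAGE, key)
    return {
        # Both schemes accept the untouched picture.
        "md5_accepts_original": md5_verify(ORIGINAL_IMAGE, original_md5),
        "hmac_accepts_original": hmac_verify(ORIGINAL_IMAGE, original_tag, key),
        # Both reject an edited picture still carrying the *original* stamp:
        # the accidental-corruption case that a bare hash does handle.
        "md5_rejects_edit_with_old_digest": not md5_verify(EDITED_IMAGE, original_md5),
        "hmac_rejects_edit_with_old_tag": not hmac_verify(EDITED_IMAGE, original_tag, key),
        # The difference: if whoever edited the picture also re-stamps it, the
        # unkeyed MD5 check accepts the result, because no secret is needed.
        "md5_accepts_restamped_edit": md5_verify(EDITED_IMAGE, md5_stamp(EDITED_IMAGE)),
        # A keyed tag recomputed without the authority's key does not verify.
        "hmac_rejects_edit_tagged_with_other_key": not hmac_verify(
            EDITED_IMAGE, hmac_stamp(EDITED_IMAGE, secrets.token_bytes(32)), key
        ),
    }


if __name__ == "__main__":
    # The key would be held by the camera operator (ideally in tamper-resistant
    # hardware), never printed on the picture itself.
    camera_key = secrets.token_bytes(32)
    for check, result in compare_schemes(camera_key).items():
        print(f"{check:42s} {result}")
```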
From isn at c4i.org Thu Aug 11 03:16:44 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 11 03:25:04 2005
Subject: [ISN] Security UPDATE -- Security Information on the Web -- August 10, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Rapid and Reliable Recovery from Symantec
http://list.windowsitpro.com/t?ctl=107B0:4FB69

Using Security Compliance Software to Improve Business Efficiency and Reduce Costs
http://list.windowsitpro.com/t?ctl=1079B:4FB69

====================

1. In Focus: Security Information on the Web

2. Security News and Features
- Recent Security Vulnerabilities
- F-Secure Reports First Viruses for Microsoft Command Shell
- Bluetooth Security Essentials

3. Security Toolkit
- Security Matters Blog
- FAQ

4. New and Improved
- Improved FTP Client

====================

==== Sponsor: Rapid and Reliable Recovery from Symantec ====

As a leader in Information Security, Symantec now delivers rapid and reliable system and data recovery solutions, including Symantec LiveState Recovery 3.0. With Symantec LiveState Recovery, you can perform a full system restoration, a complete bare metal recovery or restore individual files and folders in minutes. When disaster strikes, quickly restore failed systems to a specified point-in-time without manually rebuilding and reinstalling from scratch. Symantec LiveState Recovery is a disk-based backup solution designed to capture a server's entire live state, including files, configurations and settings, in one easy-to-manage file. Administrators can capture full and incremental snapshots throughout the day without interrupting user productivity or application usage. Save backups to virtually any disk storage device including SAN, NAS, or RAID array.
See http://list.windowsitpro.com/t?ctl=107B0:4FB69 for more information.

====================

==== 1. In Focus: Security Information on the Web ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Recently I did a little poking around the Internet for security information sources that I don't already regularly read. Over the past few days, I've discovered a few sites that you might find useful.

When I heard that Mozilla Foundation was starting Mozilla Corporation, I went to read about that and subsequently came across a huge list of Mozilla-related blogs. Many of them are written by developers and contain some information related to security or are written by people involved directly with Mozilla product security. So if you use Mozilla software, take time to go through the extensive list at MozillaZine, where you'll find dozens of useful blogs.
http://list.windowsitpro.com/t?ctl=107B4:4FB69

Another place you can find a huge list of blogs is at Microsoft's Web site. The company hosts some blogs on the Microsoft Developer Network (MSDN). I didn't count how many are listed there, but I can tell you there are a lot! The first URL lists the most recent posts; the second URL lists the blogs by blog name.
http://list.windowsitpro.com/t?ctl=107B1:4FB69
http://list.windowsitpro.com/t?ctl=107AE:4FB69

You can also visit the Microsoft Community Blog site, where you can find even more blogs, all of which are written by Microsoft employees. If you use the search facility at that site to search for "security," you'll find that 25 blogs contain that word in either their title or description. I subscribe to the Really Simple Syndication (RSS) feeds of many of them, and they usually contain interesting information, although I will warn you that you might have to endure the occasional post about somebody's weekend or vacation adventures.
http://list.windowsitpro.com/t?ctl=107A3:4FB69

Another blog you might be interested in is written by the Microsoft Internet Explorer (IE) development team. Keep an eye on that one if you're interested in the upcoming IE 7.0 (at the first URL below). Likewise you can keep tabs on the development of Windows Vista and its RSS features by reading the blog of the developers on Microsoft's RSS team (at the second URL below).
http://list.windowsitpro.com/t?ctl=107B6:4FB69
http://list.windowsitpro.com/t?ctl=107B5:4FB69

You probably know who Mark Russinovich is, but did you know he has a blog? I didn't realize that until last week. So now I subscribe to his RSS feed. It's a very interesting blog, and as you probably suspect, it does contain very technical discussion and information. Be sure to check it out.
http://list.windowsitpro.com/t?ctl=107B3:4FB69

Another interesting site I recently found is Spamfo.co.uk, which offers information pertaining to spam, including a lot of recent news items. If spam is a real bother to you, you might want to check in on the site once in a while.
http://list.windowsitpro.com/t?ctl=107B7:4FB69

Last, but certainly not least, is Risks Digest, which has information about security problems and a wide variety of other risks. You might already know about it because it's been around for 20 years. In essence, Risks Digest is a moderated discussion forum on Usenet (comp.risks) that's republished on various Web sites and can be obtained via email as well as in a Resource Description Framework (RDF) feed, which should work in most popular RSS feed reader applications. You can preview recent digests at the Web site below.
http://list.windowsitpro.com/t?ctl=107B9:4FB69

When you take time to review these sites, you'll find that not only do they contain useful information but that there are probably far more interesting information sources than you can possibly read in a reasonable period of time.
Nevertheless, you could at least bookmark the sites that interest you and refer to them when the need arises.

====================

==== Sponsor: BindView ====

Using Security Compliance Software to Improve Business Efficiency and Reduce Costs

Learn To Sort Through Sarbanes-Oxley, HIPAA And More Legislation Quicker And Easier! In this free white paper, get the tips you've been looking for to save time and money in achieving IT security and regulatory compliance. Find out how you can simplify these manually intensive, compliance-related tasks that reduce IT efficiency. Turn these mandates into automated and cost effective solutions. Download your copy today!
http://list.windowsitpro.com/t?ctl=1079B:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=107A2:4FB69

Identity Theft Ring Discovered

Sunbelt Software uncovered an identity-theft ring. Sunbelt CEO Alex Eckelberry said that the ring was discovered by Senior Spyware Research Analyst Patrick Jordan, who joined the company a week ago.
http://list.windowsitpro.com/t?ctl=107A9:4FB69

F-Secure Reports First Viruses for Microsoft Command Shell

Microsoft released a beta of its new command-line shell MSH (code-named Monad) in June, and already viruses have been developed that take advantage of the new technology. According to security solutions provider F-Secure, a virus writer published five sample viruses in a Web-based "magazine" dedicated to writers of computer viruses.
http://list.windowsitpro.com/t?ctl=107A7:4FB69

Bluetooth Security Essentials

As with its better-known cousin Wi-Fi, security questions have arisen about Bluetooth, and in recent months, terms such as Bluejacking and Bluesnarfing have entered the security professional's lexicon.
John Howie takes a look at Bluetooth, including its security features and potential risks, and walks through the process of securing a Bluetooth implementation.
http://list.windowsitpro.com/t?ctl=107A6:4FB69

====================

==== Resources and Events ====

Sort Through Sarbanes-Oxley, HIPAA Legislation and More--Quicker And Easier!

In this free Web seminar, get the tips you've been looking for to save time and money in achieving IT security and regulatory compliance. Find out how you can simplify these manually intensive, compliance-related tasks that reduce IT efficiency. Plus--sign up today and you'll receive a free white paper by Charles Kolodgy of IDC on using security compliance software to improve business efficiency and reduce costs.
http://list.windowsitpro.com/t?ctl=1079E:4FB69

Integrate Fax Services with Business Applications for Big ROI

In this free eBook you'll discover all you need to know about fax technology! You'll learn how to improve business processes by minimizing manual faxing and integrating faxing into your business workflow for improved ROI. The eBook will also look at the how-to of the desktop fax client, fax automation, faxing hardware and software technologies, and the future of faxing. Let this important guide help you stay on top of fax server technology within your business environment.
http://list.windowsitpro.com/t?ctl=107A1:4FB69

The 15-Minute Failover Solution for Exchange

Do you rest confidently knowing your Exchange and BlackBerry backup/restore solution meets your high-availability requirements? If not, you won't want to miss this free Web seminar. Join industry guru Paul Robichaux and learn all about choosing the appropriate technology, balancing the cost and the skill set, assessing the knowledge level required, the complexity added to your existing environment, and how much availability each technology gives you. Attend and you could win a $50 gift certificate to Best Buy!
http://list.windowsitpro.com/t?ctl=1079C:4FB69

Reduce Downtime With Continuous Data Protection

Continuous or real-time backup systems help avoid the danger of losing data if your system fails after the point of backup by providing real-time protection. In this free Web seminar, learn how to integrate them with your existing backup infrastructure, how to apply continuous protection technologies to your Windows-based servers, and more. Sign up today and learn how you can quickly roll back data not just to the last snapshot or backup, but to any point in time!
http://list.windowsitpro.com/t?ctl=107A0:4FB69

Compliance vs. Recovery: Can You Have Your Cake and Eat It Too?

In this free Web seminar, discover the issues involved with integrating your compliance system with backup and recovery, including backup schedules, the pros and cons of outsourcing your backup media storage and management, the DR implications of having to back up all that compliance data, and the possibility of using alternative backup methods to provide backup and compliance in a single system. You'll learn what to watch out for when combining the two functions and how to assess whether your backup/restore mechanisms are equal to the challenge.
http://list.windowsitpro.com/t?ctl=1079F:4FB69

====================

==== Featured White Paper ====

Converting a Microsoft Access Application to Oracle HTML DB

Get the most efficient, scaleable and secure approach to managing information using an Oracle Database with a Web application as the user interface. In this free white paper, learn how you can use an Oracle HTML Database to convert a Microsoft Access application into a Web application that can be used by multiple users concurrently. You'll learn how to improve the original application by adding hit highlighting and an authorization scheme to provide access control to different types of users.
http://list.windowsitpro.com/t?ctl=1079D:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Shortsighted Bankers Add to the Fraud Problem
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=107AF:4FB69

A friend received a surprising email message that demonstrates just how shortsighted bankers can be. Read this blog item to learn how much information was revealed in the email message and why such messages are a really bad idea.
http://list.windowsitpro.com/t?ctl=107A8:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=107AC:4FB69

Q: What happened to the "No Override" option in Group Policy Management Console (GPMC)?

Find the answer at http://list.windowsitpro.com/t?ctl=107AA:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Try a Sample Issue of the Windows IT Security Newsletter!

Security Administrator is now Windows IT Security. We've expanded our content to include even more fundamentals on building and maintaining a secure enterprise. Each issue also features product coverage of the best security tools available and expert advice on the best way to implement various security components. Plus, paid subscribers get online access to our entire online security article database! Sign up to try a sample issue today:
http://list.windowsitpro.com/t?ctl=107A5:4FB69

Windows IT Pro Gives IT Professionals What They Need

The August issue is a must have! Subscribe now and find out the best ways to plan for Longhorn, what you need to know about VBScripts, and how to make sense of SQL Server. If you order today, you'll also gain exclusive access to the entire Windows IT Pro online article database (over 9000 articles) and save 44% off the cover price!
http://www.windowsitpro.com/rd.cfm?code=theu2058wu

====================

==== 4. New and Improved ====

by Renee Munshi, products@windowsitpro.com

Improved FTP Client

Ipswitch announced the worldwide availability of Ipswitch WS_FTP Professional 2006, a new version of Ipswitch's FTP client for sending data.
Advanced Encryption Standard (AES) ciphers now use 256 bits in concert with OpenPGP and Secure Sockets Layer (SSL) over FTP transfers. HTTP and HTTP Secure (HTTPS) transfers allow users to connect more easily to many external and remote data stores. Ipswitch WS_FTP Professional 2006 in English, French, and German is available directly from Ipswitch's Web site for $54.95 ($89.95 including a 1-year service agreement).
http://www.ipswitch.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.
====================

==== Sponsored Links ====

Professional and secure remote control from all major platforms
http://a.windowsitpro.com/RealMedia/ads/click_lx.ads/www.windowsitpro.com/1112745096/x14/Penton/WN_Danware_Aug05_NLsplink_118338/1x1.gif/1

Argent versus MOM 2005
Experts Pick the Best Windows Monitoring Solution
http://a.windowsitpro.com/RealMedia/ads/click_lx.ads/www.windowsitpro.com/TextLink/1112745096/x14/Penton/WN_Argent_Aug05_NLSplink116193/1x1.gif/1

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://www.windowsitpro.com/forums
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://www.secadministrator.com/rd.cfm?code=00ep254xeb

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Aug 11 03:17:09 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 11 03:25:26 2005
Subject: [ISN] REVIEW: "File System Forensic Analysis", Brian Carrier
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKFSFRAN.RVW 20050608

"File System Forensic Analysis", Brian Carrier, 2005, 0-321-26817-2, U$49.99/C$69.99
%A Brian Carrier
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2005
%G 0-321-26817-2
%I Addison-Wesley Publishing Co.
%O U$49.99/C$69.99 416-447-5101 800-822-6339 bkexpress@aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0321268172/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0321268172/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0321268172/robsladesin03-20
%O Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 569 p.
%T "File System Forensic Analysis"

The preface states, correctly, that there is little information for the forensic investigator on the topic of file system structures and internals that are useful for providing direction on tracing and tracking information on the disk. The author also notes that there are a number of worthwhile texts that address the general topic of investigation. Therefore, the author intends to address the former rather than the latter. At the same time, there is an implication in the initial section that this work is only the merest introduction to the subject of computer forensics.

Part one is aimed at providing foundational concepts. Chapter one, in fact, does provide a quick review of the investigation process, and a list of forensic software toolkits. A sort of "Computers 101" is in chapter two, with a not-terribly-well structured collection of facts about data organization, drive types, and so forth, with varying levels of detail. Chapter three addresses different factors and problems in hard disk data acquisition, although the inventory is neither complete nor fully explained.

Part two deals with the analysis of drive volumes or partitions, with chapter four outlining basic structures. DOS (FAT [File Allocation Table] and NTFS) and Apple partition details are discussed in chapter five. Chapter six reviews various UNIX partitions. Multi-disk systems, such as RAID (Redundant Array of Inexpensive Disks) are covered in chapter seven.

Part three delves into the data structures of the file system itself. Chapter eight introduces concepts used in considering file systems.
Details of the FAT system are in chapters nine and ten. A very detailed explanation of the disk and file structures of the NTFS system, as well as considerations for analysis, is provided in chapters eleven to thirteen. The Linux Ext2 and Ext3 structures are discussed in chapters fourteen and fifteen. Chapters sixteen and seventeen cover the UFS1 and UFS2 schemes, found primarily in BSD (Berkeley Systems Distribution) derived versions.

This book does provide a wealth of detail, once it gets into the specifics of partitions and structures. The introductory material, writing, and technical level are quite uneven, which makes it difficult to use. Still, those seriously involved with the data recovery aspect of digital forensics should consider this work a valuable resource.

copyright Robert M. Slade, 2005 BKFSFRAN.RVW 20050608

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
I don't yet have a solution, but I have a new name for the problem.
- Ross A. Leo, CISSPforum, 20050712
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Thu Aug 11 03:15:05 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 11 03:25:53 2005
Subject: [ISN] Hackers rake it in with crash attacks
Message-ID:

http://www.newscientist.com/channel/info-tech/mg18725125.900

13 August 2005
New Scientist Print Edition.

CYBERCRIMINALS are making a mint bringing e-commerce firms to a standstill with distributed denial of service attacks (DDoS), according to the UK's National Criminal Intelligence Service. In a report issued on 3 August, called the 2005 UK Threat Assessment (www.ncis.co.uk/ukta.asp), the NCIS details cases from 2004 in which a gang based in Russia used a botnet, a network of virus-infected computers, to flood several online gambling websites with useless data, so they couldn't trade with their users.
The extortionists' botnet had a total bandwidth of 3 to 4 gigabits per second, exposing the firms' servers to the equivalent of 200,000 emails per second. "The attacks were soon followed by an extortion demand, often for no more than $5000," says the NCIS. "As some companies were losing £100,000 an hour while under attack, many chose to pay up."

Issue 2512 of New Scientist magazine, 13 August 2005, page 27

From isn at c4i.org Thu Aug 11 03:15:18 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 11 03:27:05 2005
Subject: [ISN] U.S. officials go to hackers' convention to recruit
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,103825,00.html

By Andy Sullivan
AUGUST 10, 2005
REUTERS

Attention hackers: Uncle Sam wants you.

As scam artists, organized-crime rings and other miscreants find a home on the Internet, top federal officials are trolling hacker conferences to scout talent and talk up the glories of a career on the front lines of the information wars.

"If you want to work on cutting-edge problems, if you want to be part of the truly great issues of our time ... we invite you to work with us," Assistant Secretary of Defense Linton Wells told hackers at a recent conference in Las Vegas.

Wells and other "feds" didn't exactly blend in at Defcon, an annual gathering of computer-security experts and teenage troublemakers that celebrates the cutting edge of security research.

The buttoned-down world of Washington seems a continent away at Defcon, which was named as a spoof on the Pentagon's code for military readiness derived from "defense condition." Graffiti covers the bathroom walls, DJs spin electronic music by the pool until dawn, and hackers who "out" undercover government employees win free T-shirts.
At a "Meet the Feds" panel designed to bridge the cultural divide, a young man waved a pages-long manifesto and demanded, "I would like to know why the federal government, especially some of the law enforcement agencies, are destroying this country."

Despite appearances, hackers and the government have long enjoyed a symbiotic relationship. Federal research dollars funded development of the Internet and many other cutting-edge technologies, and many hackers first learn the ins and outs of computer security through military service before moving on to private-sector jobs. College students in computer-security programs can have their tuition picked up by the government if they agree to work for it when they graduate.

Feds have been a key part of the Defcon audience since its inception in 1992, though they are required to stay at off-site hotels to avoid some of the wilder goings-on. Along with recruiting, the conference gives federal officials a chance to develop sources and keep up with new research.

"I'm learning while I'm here, but I'm also getting the names of people I can maybe call on later so we have a better understanding as cases go along," said Don Blumenthal, who oversees the Internet lab for investigators at the Federal Trade Commission.

Tensions between feds and hackers ran high in 2001, when the FBI arrested Russian programmer Dmitry Sklyarov at the conference for writing a program that could break copy protection on electronic books.

The relationship between the two sides has become less adversarial in recent years, according to long-time attendees, and government employees now account for nearly half of the audience. Some Defcon staffers even hold down day jobs with the National Security Agency and other government shops.

"You can't be deceived by the uniforms," said technology commentator Richard Thieme. "I talked at the Pentagon, and one-third of the people in the audience I already knew from Defcon."

That's not to say that Defcon has gone straight.
The ability to break into computer systems is prized above all, and conference attendees whose computers fell prey to their colleagues' attacks are displayed on a "wall of sheep." Some hackers spent the weekend in their hotel rooms cooking up a new way to take control of the Cisco Systems Inc. routers that underpin much of the Internet.

Many defend this "black hat" approach, arguing that attacks that cause damage in the short term raise awareness of online threats and thus improve the security picture as a whole.

Lynn and other feds made clear that they aren't interested in working with those who break into computer systems without permission.

"We're looking for people who haven't crossed that line yet," said Jim Christy, director of the U.S. Department of Defense's Cyber Crime Institute. "You've got to get folks with the right morals."

Blumenthal said that while he was impressed with the honesty of the people he had met, he would double-check the information he receives from them as he does with other sources.

"I have to feel confident that what I'm getting is a straight story," Blumenthal said. "I find out if I have a curve thrown at me."

From isn at c4i.org Fri Aug 12 01:09:23 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 12 01:28:04 2005
Subject: [ISN] E-mail wiretap case can proceed, court says
Message-ID:

http://news.com.com/E-mail+wiretap+case+can+proceed%2C+court+says/2100-1028_3-5829228.html

By Declan McCullagh
Staff Writer, CNET News.com
August 11, 2005

In a closely watched case governing Internet privacy, a federal appeals court has reinstated a criminal case against an e-mail provider accused of violating wiretap laws.

The 1st Circuit Court of Appeals, in a 5-2 vote, ruled on Thursday that an e-mail provider who allegedly read correspondence meant for his customers could be tried on federal criminal charges.
That decision reverses a 2-1 vote by a three-judge panel last year that raised alarms among civil libertarians and even sparked a flurry of efforts in Congress to rewrite wiretapping law in response.

Privacy advocates had warned that if last year's ruling by the 1st Circuit was left untouched, it could usher in more e-mail eavesdropping by the government. In a rare meeting of minds, the U.S. Justice Department also urged that the case not be dismissed.

Lawyers for the defense, on the other hand, said that a broad reading of wiretapping law would open the door for prosecutions of Internet service providers performing normal business practices.

The case deals with an indictment of Bradford Councilman, formerly vice president of online bookseller Interloc, which is now part of Alibris. Interloc provided some of its customers, typically dealers of rare or used books, with e-mail addresses ending in "@interloc.com."

Councilman allegedly ordered the creation of a Procmail script, which saved copies of inbound messages from Amazon.com sent to those specialty book dealers, in hopes of gaining commercial intelligence. (Procmail is a popular Unix utility used for sorting and delivering incoming e-mail.)

At the heart of the case is whether such e-mail duplication violates the labyrinthine definitions embedded in the federal Wiretap Act, which governs the interception of "electronic communications." Because the law's definition can be interpreted to not cover e-mail stored in a mail queue, even temporarily, Councilman's lawyers argued that his alleged actions did not violate the law.

In Monday's majority opinion written by Judge Kermit Lipez, the First Circuit disagreed. The judges said that the "statute contains no explicit indication that Congress intended to exclude communications in transient storage from the definition."
"This is an important victory for online privacy," said Marc Rotenberg, director of the Electronic Privacy Information Center, which submitted a brief in the case. "It establishes a high standard for the interception of Internet communications even when they're in temporary storage."

A spirited dissent by Judge Juan Torruella accused his colleagues of judicial activism. "It is Congress' failure to provide (specific) language in its definition of 'electronic communication' that incites the majority into engaging in what I believe to be an unfortunate act of judicial legislation," he wrote.

"Our interpretation of the statute does not require that we assume that Congress contemplated the complete evisceration of the privacy protections for e-mail," Torruella wrote. Instead, he and a fellow dissenter said, privacy could be guaranteed by a simple contract between e-mail providers and their customers.

It's not clear what happens next. Councilman's attorneys at the Boston firm of Good & Cormier could not be reached for comment on Thursday. Their options include seeking Supreme Court review or resuming their arguments after a trial is held.

In a statement late Thursday, Rep. Jay Inslee, D-Wash., applauded the ruling. If last year's ruling had not been overturned, Inslee said, Internet service providers "could read consumers' e-mails more freely, and law enforcement could abide by fewer privacy protections in order to intercept such communications." Inslee co-sponsored one of the bills introduced as a response to the earlier court decision.

Orin Kerr, a law professor at George Washington University who also worked on a brief in this case, predicts that Congress may still move forward with some of its proposals to amend the Wiretap Act. (Sen. Patrick Leahy, a Vermont Democrat, even joined one of the friend-of-the-court briefs in this case.)

"The opinion is so narrow that it leaves work for Congress to do," Kerr said.
Copyright © 1995-2005 CNET Networks, Inc

From isn at c4i.org Fri Aug 12 01:09:37 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 12 01:28:26 2005
Subject: [ISN] Verizon Wireless Fixes Web Site Vulnerabilities
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/08/11/AR2005081101240.html

By Brian Krebs
washingtonpost.com Staff Writer
August 11, 2005

Verizon Wireless said today that computer programming flaws in its online billing system could have allowed customers to view account information belonging to other customers, possibly exposing limited personal information about millions of people.

A spokesman for the Bedminster, N.J., company, a joint venture between Verizon Communications Corp. and Vodafone Group PLC, declined to say how many of the company's 45 million subscriber accounts were at risk. Verizon Wireless said the problem appeared to be limited to accounts for customers in the eastern United States who had signed up for its "My Account" feature. The phone giant said it had corrected the glitch as of 2 a.m. Eastern Time today.

The "My Account" feature has been available on the Verizon Wireless Web site for the past five years, though spokesman Tom Pica said the company does not yet know how long the faulty code was in place on the service.

Pica confirmed the Web site flaw allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle. Two other flaws could have exposed data about a customer's general location -- i.e., city and state -- and the make and model of phone the customer uses, Pica said.

There is no indication that anyone took advantage of the flaws or that any customer financial information such as Social Security or credit card account numbers was disclosed, Pica said.
The flaws also did not allow access to phone numbers associated with customers' incoming and outgoing calls, and "no customer data could be manipulated and changed in any way," he said.

Pica said the company was still assessing whether it would notify customers about the situation, but he said that based on the information gathered so far Verizon Wireless does not believe any sensitive personal information was revealed.

The flaw that exposed account information was reported to Verizon Wireless by Jonathan Zdziarski, a software developer from Milledgeville, Ga., who said he discovered it while writing a computer program that would automatically query his account online and report the number of minutes he had used from his wireless plan. Zdziarski found that by simply entering another subscriber's wireless phone number on a particular portion of the site, he could pull up some information about that person's account.

Pica said the flaws did not expose customer account balances or latest payment information. But Zdziarski provided washingtonpost.com with a screenshot showing that the vulnerabilities exposed account balances and the date of the most recent payment, a claim that Pica said the company could not confirm.

After Zdziarski's alert, Verizon Wireless technicians reviewed other portions of the company's billing system and fixed one, but the technicians disabled the feature that allowed viewing of customer location until technicians could figure out a way to secure it, according to Pica.

Zdziarski said he later conducted other tests and found that the glitch he discovered could also be exploited to transfer one customer's account to another handset, a technique known as "cloning." The user of a cloned phone can intercept all of the victim's incoming wireless calls, and also make calls that later would be billed to the victim's account.
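The lookup flaw the article describes is a missing ownership check: the site authenticated the user but then trusted whatever phone number the request carried. The following is an added illustration, not Verizon Wireless code; the session ids, account data, AccessDenied exception and audit list are all constructed for the demonstration. It shows the minutes-balance handler in its vulnerable form beside the hardened one.

```python
"""Added illustration, not Verizon Wireless code: an account lookup keyed by a
client-supplied phone number, with and without an ownership check.
Session ids, account data, AccessDenied and DENIED_LOOKUPS are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Account:
    phone: str
    minutes_used: int
    minutes_remaining: int


# Constructed stand-in for the billing database.
ACCOUNTS: Dict[str, Account] = {
    "2015550101": Account("2015550101", 310, 190),
    "2125550102": Account("2125550102", 45, 455),
}

# Constructed session table: the lines each logged-in subscriber may view
# (a family plan can cover more than one number).
SESSIONS: Dict[str, Set[str]] = {
    "sess-alice": {"2015550101"},
    "sess-bob": {"2125550102"},
}

# Denied cross-account requests: the signal a defender would alert on,
# since a burst of them from one session looks like enumeration.
DENIED_LOOKUPS: List[Tuple[str, str]] = []


class AccessDenied(Exception):
    """Raised when a request is unauthenticated or asks for another line."""


def minutes_view_vulnerable(session_id: str, phone: str) -> dict:
    """Vulnerable form: checks that the caller is logged in, then trusts the
    phone number taken from the request. Any subscriber's usage is returned."""
    if session_id not in SESSIONS:
        raise AccessDenied("not logged in")
    acct = ACCOUNTS[phone]
    return {"used": acct.minutes_used, "remaining": acct.minutes_remaining}


def is_authorized(session_id: str, phone: str) -> bool:
    """True only when the session exists and the requested line belongs to it."""
    return phone in SESSIONS.get(session_id, set())


def minutes_view_hardened(session_id: str, phone: str) -> dict:
    """Hardened form: the client-supplied identifier is honoured only if the
    session owns that line. The refusal is the same whether or not the number
    exists, so the endpoint cannot be used to enumerate subscribers either."""
    if session_id not in SESSIONS:
        raise AccessDenied("not logged in")
    if not is_authorized(session_id, phone):
        DENIED_LOOKUPS.append((session_id, phone))
        raise AccessDenied("line not associated with this account")
    acct = ACCOUNTS[phone]
    return {"used": acct.minutes_used, "remaining": acct.minutes_remaining}


if __name__ == "__main__":
    # Alice asking for Bob's line: the vulnerable handler answers, the
    # hardened one refuses and records the attempt for review.
    print(minutes_view_vulnerable("sess-alice", "2125550102"))
    try:
        minutes_view_hardened("sess-alice", "2125550102")
    except AccessDenied as exc:
        print("denied:", exc, DENIED_LOOKUPS)
```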
Zdziarski said he was prevented from fully testing whether the flaw could be used to clone Verizon Wireless phones because the service that allows customers to map existing phone numbers to new handsets appeared to be offline at the time he reported the flaw.

"This was a very easy hack to do," Zdziarski said. "I'm sure if I've discovered it, then certainly your typical 'script kiddie' could figure it out."

Pica said company technicians were still trying to verify Zdziarski's phone-cloning claims.

The incident is just the latest in a string of disclosures from companies that failed to adequately secure access to their customers' personal information. One of Verizon Wireless's biggest competitors, Bellevue, Wash.-based T-Mobile International, disclosed last year that a security hole in its Web site exposed data on at least 400 customers, including a then-active Secret Service agent. Earlier this year, a group of hackers used other flaws in T-Mobile's site to break into the phones of dozens of celebrities, in an incident that exposed racy photographs and personal notes and contacts for hotel heiress and socialite Paris Hilton.

Bruce Schneier, founder of Counterpane Internet Security in Mountain View, Calif., said the type of security vulnerability that affected the Verizon Wireless site is exceedingly common and will remain so as long as companies face no legal liability when they fail to secure customer data.

"There are probably tons of other big companies who have the same problems, because this is a really common mistake," Schneier said. "But if 15 million people can sue Verizon when they make a sloppy mistake like this, then it becomes an expensive mistake. Right now the only thing that happens to Verizon is they have a somewhat bad public-relations day."

©
2005 Washingtonpost.Newsweek Interactive

From isn at c4i.org Fri Aug 12 01:08:25 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 12 01:28:50 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-32
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-08-04 - 2005-08-11

This week : 58 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Microsoft has released their monthly security updates, which correct several vulnerabilities in various Microsoft products.

All users of Microsoft products are advised to check Windows Update for available security updates.
Additional details can be found in referenced Secunia advisories below.

Reference:
http://secunia.com/SA16373
http://secunia.com/SA16372
http://secunia.com/SA16368
http://secunia.com/SA16356
http://secunia.com/SA16354

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA16373] Internet Explorer Three Vulnerabilities
2. [SA16105] Skype "skype_profile.jpg" Insecure Temporary File Creation
3. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
4. [SA16298] Linux Kernel xfrm Array Indexing Overflow Vulnerability
5. [SA15870] Opera Download Dialog Spoofing Vulnerability
6. [SA16372] Microsoft Windows Plug-and-Play Service Buffer Overflow
7. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
8. [SA15756] Opera Image Dragging Vulnerability
9. [SA16210] Microsoft Windows Unspecified USB Device Driver Vulnerability
10. [SA16071] Windows Remote Desktop Protocol Denial of Service Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA16373] Internet Explorer Three Vulnerabilities
[SA16364] Lasso Professional Auth Tag Security Bypass Vulnerability
[SA16372] Microsoft Windows Plug-and-Play Service Buffer Overflow
[SA16356] Microsoft Windows Print Spooler Service Buffer Overflow Vulnerability
[SA16354] Microsoft Windows Telephony Service Vulnerability
[SA16344] EMC Navisphere Manager Directory Traversal and Directory Listing
[SA16368] Microsoft Windows Two Kerberos Vulnerabilities

UNIX/Linux:
[SA16387] Red Hat update for gaim
[SA16384] Red Hat update for gaim
[SA16379] Gaim Away Message Buffer Overflow and Denial of Service
[SA16363] Ubuntu update for ekg/libgadu3
[SA16341] Conectiva update for krb5
[SA16331] Mandriva update for ethereal
[SA16358] Red Hat update for ruby
[SA16349] Trustix update for multiple packages
[SA16336] Gentoo update for netpbm
[SA16391] Red Hat update for cups
[SA16390] Fedora update for kdegraphics
[SA16385] Ubuntu update for xpdf/kpdf
[SA16383] Red Hat update for xpdf/kdegraphics
[SA16380] CUPS xpdf Temporary File Writing Denial of Service
[SA16374] Xpdf Temporary File Writing Denial of Service
[SA16370] VegaDNS "message" Cross-Site Scripting Vulnerability
[SA16362] cPanel Password Change Privilege Escalation Security Issue
[SA16334] Ubuntu update for apache2
[SA16382] Red Hat update for ucd-snmp
[SA16367] Sun Solaris printd Daemon Arbitrary File Deletion Vulnerability
[SA16381] Red Hat update for sysreport
[SA16360] Gentoo update for heartbeat
[SA16359] FFTW fftw-wisdom-to-conf.in Insecure Temporary File Creation
[SA16345] Lantronix Secure Console Server Multiple Vulnerabilities
[SA16343] Inkscape ps2epsi.sh Insecure Temporary File Creation
[SA16335] Conectiva update for heartbeat
[SA16355] Linux Kernel Keyring Management Denial of Service Vulnerabilities
[SA16352] Wine winelauncher.in Insecure Temporary File Creation
[SA16328] Red Hat update for dump

Other:

Cross Platform:
[SA16386] WordPress "cache_lastpostdate" PHP Code Insertion
[SA16347] SysCP Two Vulnerabilities
[SA16346] Comdev eCommerce File Inclusion Vulnerability
[SA16342] Gravity Board X Multiple Vulnerabilities
[SA16339] XOOPS PHPMailer and XML-RPC Vulnerabilities
[SA16330] Flatnuke Multiple Vulnerabilities
[SA16388] PHlyMail Unspecified Login Bypass Vulnerability
[SA16375] XMB Forum Server Set Variable Overwrite and SQL Injection
[SA16369] Open Bulletin Board SQL Injection Vulnerabilities
[SA16366] MyFAQ Multiple Scripts SQL Injection Vulnerability
[SA16361] PHPSiteStats Unspecified Login Bypass Vulnerability
[SA16353] PHPLite Calendar Express Two Vulnerabilities
[SA16351] phpIncludes News System SQL Injection Vulnerability
[SA16371] FunkBoard Multiple Cross-Site Scripting Vulnerabilities
[SA16365] Chipmunk Forum "fontcolor" Cross-Site Scripting Vulnerability
[SA16357] e107 HTML / TXT Attachment Script Insertion Vulnerability
[SA16348] Invision Power Board HTML / TXT Attachment Script Insertion
[SA16338] Jax LinkLists Cross-Site Scripting and Information Disclosure
[SA16337] Jax Guestbook Cross-Site Scripting and Information Disclosure
[SA16333] Jax Calendar Cross-Site Scripting Vulnerability
[SA16332] Jax Newsletter Cross-Site Scripting and Information Disclosure
[SA16329] tDiary Cross-Site Request Forgery Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA16373] Internet Explorer Three Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-08-09

Three vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to conduct cross-site scripting attacks or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16373/

--

[SA16364] Lasso Professional Auth Tag Security Bypass Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-08-10

A vulnerability has been reported in Lasso, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/16364/

--

[SA16372] Microsoft Windows Plug-and-Play Service Buffer Overflow

Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-08-09

ISS X-Force has reported a vulnerability in Microsoft Windows, which can be exploited by malicious users to gain escalated privileges or by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16372/

--

[SA16356] Microsoft Windows Print Spooler Service Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-08-09

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16356/

--

[SA16354] Microsoft Windows Telephony Service Vulnerability

Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-08-09

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges or by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16354/

--

[SA16344] EMC Navisphere Manager Directory Traversal and Directory Listing

Critical: Moderately critical
Where: From local network
Impact: Exposure of system information, Exposure of sensitive information
Released: 2005-08-08

Two vulnerabilities have been reported in EMC Navisphere Manager, which can be exploited by malicious people to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/16344/

--

[SA16368] Microsoft Windows Two Kerberos Vulnerabilities

Critical: Less critical
Where: From local network
Impact: Spoofing, Exposure of sensitive information, DoS
Released: 2005-08-09

Two vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious users to cause a DoS (Denial of Service), reveal sensitive information, or impersonate other users.

Full Advisory:
http://secunia.com/advisories/16368/

UNIX/Linux:
--

[SA16387] Red Hat update for gaim

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-10

Red Hat has issued an update for gaim.
This fixes a vulnerability and two weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16387/

--

[SA16384] Red Hat update for gaim

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-10

Red Hat has issued an update for gaim. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16384/

--

[SA16379] Gaim Away Message Buffer Overflow and Denial of Service

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-10

A vulnerability and a weakness have been reported in Gaim, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16379/

--

[SA16363] Ubuntu update for ekg/libgadu3

Critical: Highly critical
Where: From remote
Impact: Unknown, Privilege escalation, DoS, System access
Released: 2005-08-09

Ubuntu has issued updates for ekg and libgadu3. These fix some vulnerabilities, which can be exploited by malicious, local users to perform certain actions with escalated privileges, or by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16363/

--

[SA16341] Conectiva update for krb5

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-09

Conectiva has issued an update for krb5. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16341/

--

[SA16331] Mandriva update for ethereal

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-05

Mandriva has issued an update for ethereal.
This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16331/

--

[SA16358] Red Hat update for ruby

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-08-08

Red Hat has issued an update for ruby. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/16358/

--

[SA16349] Trustix update for multiple packages

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, DoS, System access
Released: 2005-08-08

Trustix has issued updates for multiple packages. These fix some vulnerabilities, which can be exploited to disclose certain sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16349/

--

[SA16336] Gentoo update for netpbm

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-08-05

Gentoo has issued an update for netpbm. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16336/

--

[SA16391] Red Hat update for cups

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-10

Red Hat has issued an update for cups. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16391/

--

[SA16390] Fedora update for kdegraphics

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-10

Fedora has issued an update for kdegraphics. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/16390/

--

[SA16385] Ubuntu update for xpdf/kpdf

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-10

Ubuntu has issued updates for xpdf and kpdf. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16385/

--

[SA16383] Red Hat update for xpdf/kdegraphics

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-10

Red Hat has issued updates for xpdf and kdegraphics. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16383/

--

[SA16380] CUPS xpdf Temporary File Writing Denial of Service

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-10

A vulnerability has been reported in CUPS, which can be exploited by malicious people to cause a DoS (Denial of Service) on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16380/

--

[SA16374] Xpdf Temporary File Writing Denial of Service

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-10

A vulnerability has been reported in Xpdf, which can be exploited by malicious people to cause a DoS (Denial of Service) on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16374/

--

[SA16370] VegaDNS "message" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-08-10

dyn0 has discovered a vulnerability in VegaDNS, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/16370/

--

[SA16362] cPanel Password Change Privilege Escalation Security Issue

Critical: Less critical
Where: From remote
Impact: Privilege escalation
Released: 2005-08-10

IHS has discovered a security issue in cPanel, which may allow malicious users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/16362/

--

[SA16334] Ubuntu update for apache2

Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, DoS
Released: 2005-08-05

Ubuntu has issued an update for apache2. This fixes two vulnerabilities, which can be exploited by malicious people to potentially cause a DoS (Denial of Service) and conduct HTTP request smuggling attacks.

Full Advisory:
http://secunia.com/advisories/16334/

--

[SA16382] Red Hat update for ucd-snmp

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-08-10

Red Hat has issued an update for ucd-snmp. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16382/

--

[SA16367] Sun Solaris printd Daemon Arbitrary File Deletion Vulnerability

Critical: Less critical
Where: From local network
Impact: Manipulation of data
Released: 2005-08-09

A vulnerability has been reported in Solaris, which can be exploited by malicious users to delete files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16367/

--

[SA16381] Red Hat update for sysreport

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-10

Red Hat has issued an update for sysreport. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16381/

--

[SA16360] Gentoo update for heartbeat

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-08

Gentoo has issued an update for heartbeat. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/16360/

--

[SA16359] FFTW fftw-wisdom-to-conf.in Insecure Temporary File Creation

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-08

Javier Fernandez-Sanguino Pena has reported a vulnerability in FFTW, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16359/

--

[SA16345] Lantronix Secure Console Server Multiple Vulnerabilities

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, Privilege escalation
Released: 2005-08-08

c0ntex has reported some vulnerabilities in Lantronix Secure Console Server, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/16345/

--

[SA16343] Inkscape ps2epsi.sh Insecure Temporary File Creation

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-09

Javier Fernandez-Sanguino Pena has reported a vulnerability in Inkscape, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16343/

--

[SA16335] Conectiva update for heartbeat

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-05

Conectiva has issued an update for heartbeat. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16335/

--

[SA16355] Linux Kernel Keyring Management Denial of Service Vulnerabilities

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-08-09

Some vulnerabilities have been reported in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/16355/

--

[SA16352] Wine winelauncher.in Insecure Temporary File Creation

Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-08

Javier Fernandez-Sanguino Pena has reported a vulnerability in wine, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16352/

--

[SA16328] Red Hat update for dump

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-08-04

Red Hat has issued an update for dump. This fixes a weakness, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16328/

Other:

Cross Platform:
--

[SA16386] WordPress "cache_lastpostdate" PHP Code Insertion

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-10

kartoffelguru has discovered a vulnerability in WordPress, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16386/

--

[SA16347] SysCP Two Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-08

Christopher Kunz has reported two vulnerabilities in SysCP, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16347/

--

[SA16346] Comdev eCommerce File Inclusion Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-08

none has discovered a vulnerability in Comdev eCommerce, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16346/

--

[SA16342] Gravity Board X Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, System access
Released: 2005-08-09

rgod has discovered some vulnerabilities in Gravity Board X, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16342/

--

[SA16339] XOOPS PHPMailer and XML-RPC Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-09

Some vulnerabilities have been reported in XOOPS, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16339/

--

[SA16330] Flatnuke Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2005-08-05

rgod has discovered some vulnerabilities in Flatnuke, which can be exploited by malicious people to conduct cross-site scripting attacks, script insertion attacks, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16330/

--

[SA16388] PHlyMail Unspecified Login Bypass Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-08-10

A vulnerability has been reported in PHlyMail, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/16388/

--

[SA16375] XMB Forum Server Set Variable Overwrite and SQL Injection

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-08-10

Heintz has discovered two vulnerabilities in XMB Forum, which can be exploited by malicious users to overwrite certain server set variables or conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16375/ -- [SA16369] Open Bulletin Board SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-08-09 abducter has discovered some vulnerabilities in Open Bulletin Board, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/16369/ -- [SA16366] MyFAQ Multiple Scripts SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-08-09 Censored has discovered a vulnerability in MyFAQ, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/16366/ -- [SA16361] PHPSiteStats Unspecified Login Bypass Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2005-08-08 A vulnerability has been reported in PHPSiteStats, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/16361/ -- [SA16353] PHPLite Calendar Express Two Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-08-09 Two vulnerabilities have been reported in Calendar Express, which can be exploited by malicious people to conduct SQL injection or cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/16353/ -- [SA16351] phpIncludes News System SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-08-08 A vulnerability has been reported in phpIncludes, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/16351/ -- [SA16371] FunkBoard Multiple Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-08-09 rgod has discovered multiple vulnerabilities in FunkBoard, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/16371/ -- [SA16365] Chipmunk Forum "fontcolor" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-08-09 rgod has discovered a vulnerability in Chipmunk, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/16365/ -- [SA16357] e107 HTML / TXT Attachment Script Insertion Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-08-09 edward11 has discovered a vulnerability in e107, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/16357/ -- [SA16348] Invision Power Board HTML / TXT Attachment Script Insertion Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-08-09 V[i]RuS has discovered a vulnerability in Invision Power Board, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/16348/ -- [SA16338] Jax LinkLists Cross-Site Scripting and Information Disclosure Critical: Less critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information Released: 2005-08-05 Lostmon has discovered some vulnerabilities in Jax LinkLists, which can be exploited by malicious people to conduct cross-site scripting attacks or disclose certain information. 
Full Advisory: http://secunia.com/advisories/16338/ -- [SA16337] Jax Guestbook Cross-Site Scripting and Information Disclosure Critical: Less critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information Released: 2005-08-05 Lostmon has discovered some vulnerabilities in Jax Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks or disclose certain sensitive information. Full Advisory: http://secunia.com/advisories/16337/ -- [SA16333] Jax Calendar Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-08-05 Lostmon has discovered a vulnerability in Jax Calendar, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/16333/ -- [SA16332] Jax Newsletter Cross-Site Scripting and Information Disclosure Critical: Less critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information Released: 2005-08-05 Lostmon has discovered some vulnerabilities in Jax Newsletter, which can be exploited by malicious people to conduct cross-site scripting attacks or disclose certain sensitive information. Full Advisory: http://secunia.com/advisories/16332/ -- [SA16329] tDiary Cross-Site Request Forgery Vulnerability Critical: Less critical Where: From remote Impact: Hijacking Released: 2005-08-08 A vulnerability has been reported in tDiary, which can be exploited by malicious people to conduct cross-site request forgery attacks. Full Advisory: http://secunia.com/advisories/16329/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) 
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Aug 12 01:09:10 2005 From: isn at c4i.org (InfoSec News) Date: Fri Aug 12 01:29:16 2005 Subject: [ISN] Hack in the Box security conference coming soon Message-ID: http://www.theinquirer.net/?article=25327 By INQUIRER staff 11 August 2005 THIS YEAR'S HACK IN THE BOX security conference will be held in Kuala Lumpur, Malaysia yet again, where world-renowned hackers and security specialists will present their latest research and findings over four days. The conference starts off with six technical training sessions, followed by two days of network security presentations, while all four days will feature an industry exhibition and technology showcase. Keynote speakers at the conference will be Microsoft's Tony Chor - group program manager for the Microsoft Internet Explorer Group - and Mikko Hypponen, who is the chief research officer at F-Secure Corp. Chor is responsible for leading the IE team's security response as well as the design and development of new IE releases. Hypponen is a veteran when it comes to IT security, having consulted for big names such as IBM, Microsoft, the FBI, the US Secret Service, Scotland Yard and Interpol. Dhillon Andrew Kannabhiran, the founder and chief executive officer of Hack In The Box, is hoping that this year's conference will be "extra special." The conference runs from the 26th to the 29th of September 2005, at The Westin hotel in Kuala Lumpur.
L'INQ Hack in the Box http://www.hackinthebox.org/ From isn at c4i.org Fri Aug 12 01:09:53 2005 From: isn at c4i.org (InfoSec News) Date: Fri Aug 12 01:29:36 2005 Subject: [ISN] New energy bill has cybersecurity repercussions Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,103834,00.html By Thomas Hoffman AUGUST 11, 2005 COMPUTERWORLD The new energy bill signed into law by President Bush this week is expected to have the greatest impact on IT departments at power companies because it allows federal enforcement of upcoming cybersecurity standards, according to industry IT executives and other experts. Under the new law, the Federal Energy Regulatory Commission (FERC) has the authority to establish a national electric reliability organization with the power to oversee and audit reliability standards. Instead of developing its own standards, the FERC plans to adopt those set by the North American Electric Reliability Council (NERC), said Ellen Vancko, a spokeswoman for the organization. The NERC is a Princeton, N.J.-based voluntary organization that sets standards for the reliable operation and planning of the nation's bulk electricity system. A spokeswoman for the FERC was unable to confirm the agency's plans today. The NERC is developing cybersecurity standards (see "Utility cybersecurity plan questioned" [1]) that cover areas ranging from the security of critical cyber assets to personnel screening and training requirements. The standards, known as CIP-002 to CIP-009, have been in the works for the past two years. Executives from electrical utilities and independent systems operators (ISO), which oversee regional power grids, recently submitted comments on the third draft of the cybersecurity standards, said Laurence W. Brown, director of legal affairs for the retail energy services division of Edison Electric Institute Inc. in Washington. 
Brown said a fourth draft of the standards is expected to be voted on by participating energy companies this fall. If the standards are approved by NERC members and the group's board, they would likely go into effect next spring, said Brown. That should give power companies enough time to craft budgets that address the new requirements and create a list of physical and cyber assets that will be audited by the new reliability organization established by the FERC, he said. Brown said most big utilities and ISOs "are darn near fully compliant with 1200" -- the predecessor cybersecurity standard created by the NERC in 2003 -- and with the bulk of the new cybersecurity standards being drafted. The biggest challenge for power companies in meeting the upcoming standards, said Brown, is creation of a list of physical and cyber assets that need to be audited each year. "The most difficult issue is being able to demonstrate that you have looked at all of the areas that need to be tested and [are] doing the work necessary," said Brown. For instance, Southern Co. identified its critical assets after the 9/11 terrorist attacks in the U.S., but it will now have to put together a different list to address cyber assets, said Bob Canada, a business-assurance principal for the Atlanta-based superregional power company. While there may be some overlap with its post-9/11 asset management efforts, the new requirements will require "a significant effort" to implement effective security controls for some of Southern Co.'s facilities, he said. For example, the company might need to restrict access by workers to portions of a computer console or an area of a power plant to ensure that the duties the workers undertake are authorized, said Canada. "When we built these things way back, I'm sure they weren't designed for cybersecurity; they were built to comply with the needs of the plant," said Canada. 
He said the amount of time needed to identify and list Southern Co.'s cyber assets "will be significant." PJM Interconnection LLC, an ISO that serves 51 million electric customers from North Carolina to New Jersey, has been tracking its cyber assets since March 2004 in compliance with the 1200 standard, said Tom Bowe, chief security officer at the Valley Forge, Pa.-based company. "I don't want to bait anyone, but I do feel confident in our level of security," said Bowe. Still, he added, "day to day, that confidence can ebb and flow with the latest threat that's been published." Midwest Independent Transmission System Operator Inc. in Carmel, Ind., already identifies and monitors its cyber assets through an SAS 70 audit, said Jim Schinski, vice president and CIO for the nonprofit organization, which serves the electrical transmission needs for much of the Midwest. The regional grid operator has twice hired third parties to try to hack into its systems during the past two years, said Schinski. Although he declined to talk about vulnerabilities that had to be corrected, Schinski said, "We came out of the report in very good shape." Under the NERC's proposed cybersecurity standards, power companies will also have to conduct extensive background investigations on employees. At some companies, that burden may fall upon IT security departments. For example, PJM's IT security division shares those responsibilities with the company's human resources department, said Bowe. [1] http://www.computerworld.com/securitytopics/security/story/0,10801,101906,00.html From isn at c4i.org Fri Aug 12 01:10:06 2005 From: isn at c4i.org (InfoSec News) Date: Fri Aug 12 01:29:53 2005 Subject: [ISN] Y.
hacking charge filed Message-ID: http://deseretnews.com/dn/view/0,1249,600154978,00.html By Tad Walch Deseret Morning News August 11, 2005 PROVO - A federal prosecutor has charged a Brigham Young University student with fraud for tampering with four campus computers to secretly log the private keystrokes of 600 students who used the machines. Esteban N. Rodriguez, 25, "intentionally accessed a computer without authorization and exceeded authorized access, and thereby obtained information from a protected computer," according to documents filed Tuesday in U.S. District Court. Rodriguez declined an interview request when contacted by phone Wednesday evening. According to a BYU Web site, he is from Necochea, Argentina. The sophisticated software used in the break-in last spring recorded every keystroke entered on four of the computers in the Widtsoe Building open-access computer lab. The captured information was periodically transmitted via e-mail to a Hotmail account created with a bogus name. However, there is no evidence the information was used for identity theft or any other purpose, said BYU officials and Melodie Rydalch, spokeswoman for the U.S. Attorney's Office in Salt Lake City. No motive was given for the break-in. Investigators had speculated the crime was an inside job by someone with access to the lab's master password. Rodriguez had worked as a part-time student employee in the lab. In fact, a work phone number listed for him on a BYU Web site was for a computer lab in another campus building, the Kimball Tower. BYU officials could not confirm Wednesday whether Rodriguez was still employed by that lab. An employee in the lab who answered the phone Wednesday night said he had not seen Rodriguez this summer. The spyware was discovered in late April when another student employee in the Widtsoe lab noticed strange icons on two computer monitors. A sophisticated search uncovered the software on two additional machines. 
BYU moved quickly to protect the identities of students. The university terminated their passwords to the campus intranet - called Route Y - so no one else could access their campus records, BYU spokesman Brent Harker said. Each student was contacted by phone, e-mail or via a notice on their student computer accounts. They were told to change their Route Y passwords and advised to do the same with other accounts they might have accessed online from the Widtsoe Building computers. Harker said the administrative password in the Widtsoe lab should have been changed more often. "Since that time we've changed administrative passwords in that lab and reinforced a general policy to change those passwords routinely," Harker said. "This wasn't done from outside, it was from within." FBI and BYU investigators seized a computer from a Provo residence and used subpoenas to gather telephone and other electronic records during an investigation. The federal charge for fraud and related activity in connection with computers is a misdemeanor, Rydalch said. It carries a maximum penalty of up to one year in prison and a $100,000 fine. From isn at c4i.org Fri Aug 12 01:20:18 2005 From: isn at c4i.org (InfoSec News) Date: Fri Aug 12 01:30:18 2005 Subject: [ISN] Two new spyware threats emerge Message-ID: http://www.techworld.com/security/news/index.cfm?NewsID=4195 By Andrew Brandt PC World.com 11 August 2005 Far from getting a handle on the issue of spyware, two events this week have demonstrated the growing problem. Sunbelt Software, maker of the CounterSpy spyware remover program, announced its researchers had discovered a new spyware distribution that installs itself via an Internet Explorer security exploit and is powered by the CoolWebSearch spyware application. The code uses components of the VX2/Transponder spyware application together with an unknown Trojan horse application to steal sensitive financial and personal information and send it to a remote server. 
Sunbelt researchers discovered sensitive personal information (including bank account log-ins, credit card information, and billing addresses) belonging to thousands of people stored on a server that is physically located within the United States and that the data thieves were using as a dead drop for their ill-gotten data. Alex Eckelberry, Sunbelt's president, explained: "It's a little Trojan that sits there and [reads data stored in] the Protected Storage area." Windows XP uses the Protected Storage area to record sensitive information, such as your browser's AutoComplete histories for URLs, passwords that you instruct Explorer to save and enter automatically, and data you submit to websites on SSL-protected forms. The Trojan horse reads this information, including "search terms, stuff you enter in forms, passwords, everything you enter at a bank," according to Eric Sites, Sunbelt's vice president of research and development - and then forwards the data to the server. As yet, there's no fix for the problem, although alternative browsers, such as Firefox, do not store their auto-complete information in the Protected Storage area, and are therefore immune to this particular Trojan. Investigative curiosity also led researchers at anti-spyware company Webroot to a bizarre discovery of a symbol of hate embedded in a spyware distribution. Late last week, Webroot's researchers discovered a file compressed into a new variant of the SARS Trojan horse containing the words "ein Volk, ein REICH, ein Fuhrer !!!" beneath a Nazi swastika rendered in ASCII text. The phrase, "one people, one nation, one leader," quoting Adolf Hitler, is a popular slogan at websites run by white supremacist groups. The Trojan itself is dangerous. "Normally, it sits on your machine, resident in memory, and waits for some kind of trigger," said Paul Piccard, Webroot's director of threat research. "If it sees a secure connection starting, it begins logging that connection. It then reports to a central location."
The malware file that Webroot discovered had been compressed using the UPX compression method. Accompanying the executable Trojan horse was a text file containing the swastika and the Hitler quote. "This is the first hate speech we've heard of [in spyware]," Piccard said. "I'd hope this is just an isolated thing. This just came out of nowhere - you don't expect to find it in spyware or adware. It took us by surprise." "It could be there for the shock value, or it could be [that the Trojan was distributed by] people who really believe in this thing," Piccard said. "It's probably not a joke." From isn at c4i.org Mon Aug 15 06:09:01 2005 From: isn at c4i.org (InfoSec News) Date: Mon Aug 15 06:26:54 2005 Subject: [ISN] Linux Advisory Watch - August 12th 2005 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | August 12th, 2005 Volume 6, Number 33a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@linuxsecurity.com ben@linuxsecurity.com Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for yaboot, ttmkfdir, Netpbm, ruby, squirrelmail, sysreport, xpdf, kdegraphics, cups, ucd-snmp, gaim, ethereal, and gpdf. The distributors include Fedora, Gentoo, and Red Hat. --- ## Internet Productivity Suite: Open Source Security ## Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more! 
http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

Hacks From Pax: PHP Web Application Security
By: Pax Dickinson

Today on Hacks From Pax we'll be discussing PHP web application security. PHP is a great language for rapidly developing web applications, and is very friendly to beginning programmers, but some of its design can make it difficult to write web apps that are properly secure. We'll discuss some of the main security "gotchas" when developing PHP web applications, from proper user input sanitization to avoiding SQL injection vulnerabilities.

Many PHP application vulnerabilities are caused by not properly initializing variables. This is an example of how PHP, by not requiring the developer to initialize a variable before using it, sacrifices security for ease of use. For example, the following code is easily exploitable:

    if (user_auth()) {
        $access = true;
    }
    if ($access) {
        do_sensitive_things();
    }

With register_globals enabled, this could be exploited by tacking ?access=true onto the end of the URL: PHP would create $access from the request before the script ran, and the if ($access) test would pass despite the user_auth() function returning false. This hole could be closed easily by adding $access = false; at the top of the script, but not all security holes are this easy to spot.

Thankfully, PHP now defaults the register_globals option to off. With that setting, the access variable sent in the URL reaches the script only as $_GET['access'] rather than as $access. This closes off many of these types of vulnerabilities, but when writing PHP code, especially code for distribution, you should never assume that this option will be set correctly, and always initialize your PHP variables. Users in a shared hosting environment may not have the ability to set these options to their most secure setting.

* Always initialize PHP variables before using them.
* Always set register_globals to off, but never write code that assumes this setting.
* You can use the ini_get() function to determine if register_globals is set at runtime.
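The following is an added example, not code from the Hacks From Pax article or from LinuxSecurity.com. It puts the article's vulnerable shape beside a hardened version and adds the ini_get() check the article recommends. user_auth() and do_sensitive_things() are hypothetical stand-ins for the names in the article; the register_globals behaviour is simulated with extract() over a constructed request array so the script runs offline on any PHP version. One caveat the 2005 article could not know: register_globals was removed entirely in PHP 5.4, so on current interpreters ini_get('register_globals') returns false, but the underlying lesson (initialise before use, and read request data only through the superglobals) still applies.

```php
<?php
// Added example; not part of the original newsletter. Names below are
// hypothetical stand-ins for the article's user_auth()/do_sensitive_things().
declare(strict_types=1);

// Stand-in for real authentication. It returns false so that any grant
// of access further down can only come from the flaw being demonstrated.
function user_auth(): bool
{
    return false;
}

function do_sensitive_things(): string
{
    return 'sensitive action performed';
}

// The article's vulnerable shape. $access is never initialised, so if the
// request can define it first, the second test passes. register_globals is
// simulated by extract()ing a constructed request array into local scope.
function vulnerable(array $request): string
{
    extract($request);                // deliberately unsafe: mimics register_globals=on
    if (user_auth()) {
        $access = true;
    }
    // The article writes "if ($access)"; "?? false" only silences the
    // undefined-variable warning on the unattacked path, the logic is the same.
    if ($access ?? false) {
        return do_sensitive_things();
    }
    return 'access denied';
}

// Hardened version: initialise the flag first and never let request data
// become local variables. Request parameters are read only via $get['...'].
function hardened(array $get): string
{
    $access = false;                  // always initialise before use
    if (user_auth()) {
        $access = true;
    }
    // Anything the client sent is reachable only explicitly, and is never
    // used to decide authorisation.
    $requested = isset($get['access']) ? (string) $get['access'] : '';
    if ($access) {
        return do_sensitive_things();
    }
    return 'access denied (client sent access=' . $requested . ')';
}

// Runtime check recommended by the article. ini_get() returns false for a
// directive that does not exist, which is the case on PHP >= 5.4.
function register_globals_enabled(): bool
{
    $value = ini_get('register_globals');
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Constructed request: the attacker appended ?access=1 to the URL.
$request = ['access' => '1'];

echo 'vulnerable: ', vulnerable($request), PHP_EOL;   // sensitive action performed
echo 'hardened:   ', hardened($request), PHP_EOL;     // access denied (...)
echo 'register_globals enabled: ', register_globals_enabled() ? 'yes' : 'no', PHP_EOL;
```

The two functions receive the same request; only the vulnerable one lets it decide the outcome, because extract() does for the script what register_globals did for the whole interpreter. Reviewing code for this pattern is a grep for variables that are tested before they are assigned on every path.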
Read Entire Article: http://www.linuxsecurity.com/content/view/120043/49/ ---------------------- Linux File & Directory Permissions Mistakes One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com. http://www.linuxsecurity.com/content/view/119415/49/ --- Buffer Overflow Basics A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. http://www.linuxsecurity.com/content/view/119087/49/ --- Review: The Book of Postfix: State-of-the-Art Message Transport I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Pattrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection. http://www.linuxsecurity.com/content/view/119027/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ * Fedora Core 4 Update: yaboot-1.3.12-10 4th, August, 2005 Updated package. 
http://www.linuxsecurity.com/content/view/120028

* Fedora Core 4 Update: ttmkfdir-3.0.9-16.1
  5th, August, 2005
  This update fixes a problem with ttmkfdir not including native encodings of Asian TrueType fonts in fonts.scale files used by the X font server. Users of Chinese, Japanese, and Korean fonts are recommended to reinstall the font packages for these languages after updating ttmkfdir.
  http://www.linuxsecurity.com/content/view/120037

* Fedora Core 3 Update: ttmkfdir-3.0.9-14.1
  5th, August, 2005
  This update fixes a problem with ttmkfdir not including native encodings of Asian TrueType fonts in fonts.scale files used by the X font server. Users of Chinese, Japanese, and Korean fonts are recommended to reinstall the font packages for these languages after updating ttmkfdir.
  http://www.linuxsecurity.com/content/view/120038

* Fedora Core 4 Update: selinux-policy-targeted-1.25.3-12
  5th, August, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120040

+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+

* Gentoo: Netpbm Arbitrary code execution in pstopnm
  5th, August, 2005
  The pstopnm utility, part of the Netpbm tools, contains a vulnerability which can potentially result in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120031

* Gentoo: Heartbeat Insecure temporary file creation
  7th, August, 2005
  Heartbeat is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files.
  http://www.linuxsecurity.com/content/view/120041

+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+

* RedHat: Moderate: ruby security update
  5th, August, 2005
  Updated ruby packages that fix an arbitrary command execution issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120035

* RedHat: Moderate: squirrelmail security update
  5th, August, 2005
  An updated squirrelmail package that fixes two security issues is now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120036

* RedHat: Low: sysreport security update
  9th, August, 2005
  An updated sysreport package that fixes an insecure temporary file flaw is now available. This update has been rated as having low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120049

* RedHat: Moderate: xpdf security update
  9th, August, 2005
  An updated xpdf package that fixes a security issue is now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120050

* RedHat: Moderate: kdegraphics security update
  9th, August, 2005
  Updated kdegraphics packages that resolve a security issue in kpdf are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120051

* RedHat: Important: cups security update
  9th, August, 2005
  Updated CUPS packages that fix a security issue are now available for Red Hat Enterprise Linux. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120052

* RedHat: Low: ucd-snmp security update
  9th, August, 2005
  Updated ucd-snmp packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120053

* RedHat: Critical: gaim security update
  10th, August, 2005
  An updated gaim package that fixes a buffer overflow security issue is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120055

* RedHat: Critical: gaim security update
  10th, August, 2005
  An updated gaim package that fixes multiple security issues is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120056

* RedHat: Moderate: ethereal security update
  10th, August, 2005
  Updated Ethereal packages that fix various security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120061

* RedHat: Moderate: gpdf security update
  10th, August, 2005
  An updated gpdf package that fixes a security issue is now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120062

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------ From isn at c4i.org Mon Aug 15 06:09:43 2005 From: isn at c4i.org (InfoSec News) Date: Mon Aug 15 06:27:19 2005 Subject: [ISN] NY enacts security breaches disclosure law Message-ID: http://www.theregister.co.uk/2005/08/12/ny_security_breaches_disclosure/ By John Leyden 12th August 2005 New York has enacted an information security breaches law which will oblige firms and local government agencies to notify customers in the state if their personal information is taken or the organisation's systems are hacked into. The legislation is designed to promote a culture of security. It also helps protect consumers by giving them the information they need to head off possible identity theft when sensitive details such as Social Security, driver's license and credit card numbers become exposed. Organisations with customers in New York are obliged to notify these people of a breach as soon as practically possible. The Information Security Breach and Notification Act in New York is broadly similar to security breaches laws enacted in California more than two years ago. Legislation requiring consumer notification of data security breaches has been approved in at least 15 states since then. Federal security disclosure laws are under consideration but opposed by some who fear they might dilute state laws, Red Herring reports. New York's decision to press ahead with its legislation follows a series of high profile consumer data security breaches involving US firms including data mining firm ChoicePoint, payment processing firm CardSystems Solutions and others. "The events of the last few months underscore the urgency of protecting consumers. If a person is not aware that he or she has been a victim of identity theft, then the damage done could be severe and irreversible. Prompt notification gives New Yorkers needed protections," said New York State Assembly member James Brennan, who sponsored the law.
"In the last year, over 9,000 New Yorkers were exposed to identity theft because of inadequate security and poor notification procedures." ? From isn at c4i.org Mon Aug 15 06:09:30 2005 From: isn at c4i.org (InfoSec News) Date: Mon Aug 15 06:27:39 2005 Subject: [ISN] Pass the Aspirin Message-ID: http://www.rednova.com/news/technology/205549/pass_the_aspirin/ 12 August 2005 The ubiquitous Laptop! So much in so small a package, and therein lies the probLem. More costLy than many desktop computers, they pack an entire office into a tiny box. Some community bankers "live" out of their Laptops. Which is fine unless the Laptop goes missing and private customer data is exposed to potential loss, and worse. At ABA's recent Regulatory Compliance Conference, speakers warned Listeners that one of the most common causes of customer data breaches is the "lost laptop." "I've had clients trolling the pawnshops, trying to find out what happened to their missing laptops," said Oliver Ireland, partner at the Morrison & Foerster law firm, in Washington, D.C. Gilbert Schwartz, partner at Schwartz & Ballen, also of Washington, advised bankers to be sure that any laptop that leaves the bank premises be equipped for data encryption. The only saving grace, he added, about the "lost laptop" is that thieves most typically are opportunists looking to simply fence the machine itself. William H. Henley, Jr., of the FDIC said the loss of a laptop protected by encryption might not have to be disclosed to the public- the federal guidelines give banks some leeway on disclosure. Henley, examination specialist in FDIC's Technology Supervision Branch, in its Division of Supervision and Consumer Protection, said this ultimately hinges on the bank's assessment of the likelihood of the encrypted data remaining so. The comments at the compliance conference prompted this month's Pass the Aspirin question. 
THE HEADACHE

Lost laptops lay open lenders to liability: Does your bank have an established policy and procedure regarding removal of bank-owned laptops from the bank's premises and the inclusion of customer files on those laptops?

REMEDY 1

Tom Mantor, president and COO, Bank of Walnut Creek, $500 million-assets, Walnut Creek, Calif.

Our bank has an established policy whereby laptops may leave the premises. However, no customer information is stored on laptops. Customer information is stored on a network drive and can be accessed off-site. In addition, only a handful of laptops are authorized, and that is to select senior staff. By comparison, paper customer files are not allowed off-site.

REMEDY 2

Jim Mathews, vice-president, Internal Audit, Valley Bank & Trust, $248.8 million-assets, Brighton, Colo.

Although we have only a handful of these units in our bank that can be checked out, we adhere to our laptop usage policies very closely before releasing a unit. The major use of our laptops so far has been for use at off-site training sessions, allowing the officer an effective way to take notes, and to keep in touch with the bank as well through our network. The only encryption we use is what is provided by Microsoft in its software suite on the laptop.

Mathews provided excerpts from the bank's laptop usage policy, which can be found at www.ababj.com.

REMEDY 3

John Hutchison, senior vice-president-compliance, Capital City Bank Group, Inc., $2.3 billion-assets, Tallahassee, Fla.

Yes, we have a policy. Any associate taking a laptop off bank premises must keep it in their personal possession. It cannot be checked at an airport, given to a hotel porter, or otherwise allowed out of the associate's hands, unless any client information on it has been encrypted. Whenever possible, client information would be encrypted, and the laptop would always be password protected.
Any associate who wishes to have access to the main systems from their laptop must be able to justify the need, and firewall protection is provided.

Similar limitations would apply to any paper file. Associates are permitted to take certain files out of the office (such as to deliver files to auditors or examiners in another location), but they are not supposed to take them home if they contain loan documents. Any paper files with client information should be in their personal possession at all times.

REMEDY 4

Mike Murphy, executive vice-president and CFO, First American Bank, $242 million-assets, Purcell, Okla.

We do not have a "policy" regarding removal of bank-owned laptops from banking premises, but we do have a "practice" of not putting customer information on the laptops we do have. That information is housed on servers maintained in secure areas of each banking center. Those laptops which we do have are primarily used for training lab purposes.

It is interesting you bring this up because we recently had a laptop which was stolen from banking premises. One of the first questions we asked was what was on the laptop. Fortunately, the answer did not include any customer information.

ASPIRIN RESOURCES

Some of the solutions to laptop security simply require common sense. You don't leave a laptop with sensitive data on it, or perhaps any laptop, in an unoccupied hotel or conference room without some precautions. Some suggest separating the computer from the sensitive data by storing the latter on a removable memory device. One doesn't hear anything about shackling the laptop to the traveler's wrist, though it would certainly make going through airport security interesting.
Speaking of the government, the following links have some federal tips on laptop security: physical security, www.uscert.gov/cas/tips/ST04-017.html, and data security, www.us-cert.gov/cas/tips/ST04020.html.

Three categories of products that can address aspects of the lost laptop problem are: encryption software; physical security devices; and laptop tracking software. Please note that these listings appear as a sampling of what's out there, and in no way imply an endorsement on the part of ABA Banking Journal nor the American Bankers Association.

Encryption: Some encryption programs are comprehensive, while others offer "a la carte" software, with separate products covering encryption of storage media, e-mail, and more. Certain Windows operating systems, as indicated in one of the bankers' answers above, feature encryption of their own. It is up to the bank whether these built-in measures suffice. Further information about Windows-based encryption can be found at www.microsoft.com.

Control Break International, Inc., www.safeboot.com
Cypherus, Inc., www.cypherus.com
Jetico, Inc., www.jetico.com
PC-Encrypt, Inc., www.pc-encrypt.com
PC Guardian Technologies, Inc., www.pcguardiantechnologies.com
PGP Corp., www.pgp.com
SafeNet Inc., www.safnet-inc.com

Physical security: These devices may include cabling; locks; lockable frames that can prevent a closed laptop from being opened; specialized locks for drives and removable media; barcoded stickers that make it harder to sell stolen laptops to unsuspecting buyers; and more. Some may be packaged with encryption or other security software.

Computer Security Products, Inc., www.computersecurity.com
Compucage International, www.compucage.com
PC Guardian Anti-Theft Products, Inc., www.pcguardiananti-theft.com
STOP (Security Tracking of Office Property), www.stoptheft.com
Think Products, Inc., www.laplocker.com

Laptop tracking: This type of software automatically transmits via the internet to a central location when the laptop is used to go online and reveals where the machine is plugged into the internet. If a machine is reported stolen to the software vendor, the information is reported to local authorities. Some of these companies offer additional services as part of the package, including the ability to destroy all data on the laptop's hard drive from the vendor's location while the machine is online. One vendor, Absolute Software, Inc., posts a $1,000 guarantee on its website. If they fail to get your missing laptop back, you get the money.

Absolute Software, Inc., www.absolute.com
CyberAngel Security Solutions, Inc., www.sentryinc.com
Stealth Signal, Inc., www.stealthsignal.com
Trackion, www.trackion.com

HEADACHE #2

Data breaches have been much in the news because of recent breaches at major retailers, the new federal mandates regarding breaches connected with bank customer information, and passage of some relevant state laws. Some banks automatically issue new cards to affected customers, while others may do so only on request. How has your bank handled this and what kinds of costs have you faced?

REMEDY 1

Gordon L. Gentry, Jr., chairman, TowneBank/Peninsula, $1.5 billion-assets, Newport News, Va.

In the last two years, we have re-issued certain credit cards due to notification by MasterCard that merchants have experienced a data breach. While not a massive number, the expense, estimated to be several thousand dollars, is one we would not otherwise have encountered.

REMEDY 2

Jon Rohlfs, assistant vice-president and security officer, First State Bank and Trust, $156.1 million-assets, Fremont, Neb.

First State Bank & Trust Co. has been affected by the recent breaches at third-party processors.
We have chosen to close all cards that were involved with these breaches, so we have incurred a cost of reissuing new cards ($2.50 per card), as well as the time spent doing so.

Copyright Simmons-Boardman Publishing Corporation Aug 2005

From isn at c4i.org Mon Aug 15 06:05:32 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 15 06:27:55 2005
Subject: [ISN] SCC class takes a byte out of crime
Message-ID:

http://www.eastvalleytribune.com/index.php?sty=46138

By Victor Allen
Tribune
August 14, 2005

Would-be Internet crime fighters are learning how to take on the latest computer viruses and worms in a new class offered at Scottsdale Community College. The class, available for the first time this semester, could also help computer users protect themselves against Internet hackers and attacks.

"It's like boot camp for security," said Ron Monroig, a business professor at the school.

The demand for students with anti-hacker skills is great, Monroig said. An entry-level position pays $40,000 to $60,000, depending on experience and knowledge, he said.

"Hackers are providing us with annuity in this particular technology because they're never going to go away," Monroig said.

The U.S. Department of Homeland Security is funding research and course studies for similar classes at colleges throughout the country, he said. He was not sure how much money SCC received for its program.

Computer crime takes a heavy toll on American businesses and families, said Pinny Sheoran, executive director of the Business and Industry Institute at Mesa Community College. Identity theft can cost an individual $1,000 to $20,000 in property loss, and a business could lose $5 million to $10 million, depending on its size, she said.

"There is a deep sort of concern," Sheoran said. "Our entire infrastructure is dependent on networks. How do you train people who are managing them to harden both the infrastructure and the software against attack?"
The true cost and depth of damage from computer crime in the U.S. is probably much greater than reports show, said FBI special agent Tom Liffiton at the agency's Washington, D.C., office. Most computer crime is not detected or reported, he said.

Companies that have managed network security report only 20 percent of attacks to law enforcement, and they report their losses at an equal frequency to their own legal staffs, Liffiton said. Most individuals and companies, especially smaller firms, have little or no computer security, he said.

"They don't even have a clue as to what their losses are or even that they've been attacked," Liffiton said.

Classes at SCC begin Saturday. For information on the class, call (480) 423-6610 or visit www.sc.maricopa.edu/cis.

From isn at c4i.org Mon Aug 15 06:13:26 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 15 06:28:39 2005
Subject: [ISN] Chinese Hackers Could Use Korea in Attacks against Japan
Message-ID:

http://english.donga.com/srv/service.php3?bicode=020000&biid=2005081537228

by Suk-Min Hong smhong at donga.com
AUGUST 15, 2005

Chinese hackers have put Korea on emergency alert as they will reportedly carry out a large-scale attack through Korea against Japanese Internet websites. Korean servers are highly likely to be chosen as routes for Chinese hackers to avert Japan's defenses. Netizens fear a potential "cyber Sino-Japanese war," comparing the current situation to the Sino-Japanese War that broke out on the Korean peninsula.

The Ministry of Information and Communication (MIC) and Internet related businesses revealed on August 14 that over 45,000 hackers led by the country's largest hacker group, Honker Union, plan to launch an all-out attack on Japanese websites starting August 15, the 60th anniversary of the end of World War Two. In particular, the publisher Husosha, which has been criticized for distorting history, and anti-China sites in Japan are reportedly the major targets.
Chinese hackers so far have mounted as many as six "cyber wars" since 1999 against Taiwan, the U.S., and Japan, among others. More than 30,000 members are registered in Honker Union, and China is known to nurture more than 100,000 hackers at the national level.

The problem is that Korea may be affected negatively if Japan blocks Chinese IPs identified as hacking sources in countering any attacks. Chinese hackers may believe that Japan may find it hard to stave off the attack if they target Japanese websites via Korea. If Korean sites are used as detours and hit with a wave of connections from China, domestic mid- and large-sized computers could go down thanks to overloads and be misperceived as hacking targets.

In response, the MIC sent official notices to domestic ISPs and over 300 universities to call for increasing Internet security. KT, the largest domestic communications carrier, devised and distributed "Prevention and Response Plans for the Chinese-Japanese Cyber War" for every branch office and plans to run a 24-hour "Emergency Control Center." Dacom also decided to organize a contingency team composed of over 80 individuals in three teams, which will operate until August 16.

From isn at c4i.org Mon Aug 15 06:19:13 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 15 06:29:00 2005
Subject: [ISN] Teen hacker pleads guilty
Message-ID:

http://www.sacbee.com/content/news/crime/story/13405296p-14246593c.html

By Ramon Coronado
Bee Staff Writer
August 13, 2005

One of three Sheldon High School students accused of hacking into their school computer to change grades pleaded guilty Friday in Sacramento Juvenile Court.

"You want good grades, you earn them. To change grades is cheating," said Juvenile Court Referee Daniel Horton, who is acting as a judge.

The 16-year-old admitted guilt to two of five charges. Originally filed as felonies, they had been reduced to misdemeanors. The remaining charges were dismissed.
The boy must perform 100 hours of community service, and he and his parents are liable for a portion, to be determined later, of the $67,000 in damages to the school district.

The same deal was struck Wednesday for the other two Sheldon High students, ages 15 and 17. Names of the boys are not being disclosed because they are minors.

A hearing is set for Oct. 11 when a judge will decide how much each boy and their families will pay.

"The debt can follow the minors for years and it can hinder their ability to secure credit for major purchases such as cars and homes," said Deputy District Attorney Sue Wilson.

The Elk Grove Unified School District is seeking the restitution amount claiming that is how much it had to pay as a result of the student hacking into their computers.

The investigation and additional security measures account for some of the district's costs. But most of the money spent went into mailing notices to 70,0000 current and former students and 10 teachers whose personal information was compromised by the hacking.

The three students were accused of breaking into the school computer using a keystroke recording device, software and other computer equipment to change their grades to A's.

In multiple breaches, which occurred between May and October of last year, home addresses and Social Security numbers were compromised, officials claimed. A state identity theft law required the district to make the notification to those affected.

The Sheldon students were among seven high school students in the area who in unrelated incidents have been accused of hacking into school computers to change grades.

Eight felony computer theft charges are still pending against a Laguna Creek High School senior who in February was accused of using hacking software to break into the school computer system. More than 6,000 district employees had personal information compromised, school officials said.
And an investigation into possible felony charges against another Laguna Creek senior is ongoing, Wilson said. The student is accused of the unauthorized use of a school employee's password to change the grades of more than 36 students, including his own.

That student was initially expelled and banned from attending graduation. He was later given his diploma after officials determined he had earned enough credits.

Two 17-year-old Natomas Unified School District high school students admitted earlier this year to misdemeanor computer theft charges and were also sentenced to perform 100 hours of community service.

Horton said Friday that some might think that 100 hours of community service is a "slap on the wrist."

"I have trouble with this case. You didn't hurt somebody, but this is somewhat sophisticated (crime)," Horton told the 16-year-old.

From isn at c4i.org Mon Aug 15 06:08:31 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 15 06:29:14 2005
Subject: [ISN] Lessons to Learn from Cisco vs. Lynn
Message-ID:

http://www.eweek.com/article2/0,1895,1847745,00.asp

By Larry Loeb
August 12, 2005

Opinion: By suing the ISS researcher who disclosed their flaw, Cisco looks like a bully and draws extra attention to its vulnerability.

Cisco, those folks that make professional-style routers so beloved by Internet types, beat up a fellow trying to share some research (done while he was employed by Internet Security Systems) at the recent Black Hat security conference in Las Vegas.

Cisco filed a request on July 27 for a temporary restraining order in the U.S. District Court for the Northern District of California against Michael Lynn and the Black Hat organizers to prevent Lynn and Black Hat from "further disclosing proprietary information belonging to Cisco and ISS," as John Noh, a Cisco spokesman, put it.
Noh also said, according to reports, that "It is our belief that the information that Lynn presented at Black Hat is information that was illegally obtained and violated our intellectual property rights."

It appears that Lynn was involved in decompiling Cisco's software for research while he was employed at ISS, and Cisco thinks that kind of activity violated their rights.

Lynn delivered a talk July 27 on IOS (the Cisco OS) shellcode that showed how, using a known vulnerability, attack code could be run on a router if one was directly (not remotely) connected to it. ISS had decided two days earlier to pull the talk (at Cisco's urging), but Lynn resigned from ISS and went ahead with it anyway.

The exploit involves a way of using IPv6 to fool the router into thinking that it is crashing, so that it does not initiate the shutdown sequence.

Jennifer Granick, who was the attorney for Lynn, noted on her blog that "The lawyers scrambled, and we were able to settle the case cheaply and expeditiously within 24 hours. Mike's responsibilities under the settlement agreement are almost complete, and I expect the civil case to be dismissed very soon."

There were also reports of FBI agents on the Black Hat conference floor asking questions about Lynn.

The flaw has been fixed in recent (since April) IOS releases, according to Cisco.

Further compounding the situation is the tactic that ISS is using against sites that have posted a PDF file describing the exploit. They have sent a cease-and-desist letter to Richard Forno and his InfoWarrior.org site, accusing Forno of publishing stolen proprietary information. Further legal action is threatened by the letter. Forno has pulled the slides from the site.

The big question surrounding this entire affair is: What constitutes "responsible disclosure"? Lynn thinks he should be allowed to talk about a security flaw that has been patched for months, even though it involves breaking an NDA, because of its critical nature.
Cisco customers are concerned about having to find out the true consequences of the flaw from a third party, rather than from Cisco.

Cisco comes out of this affair looking like a major bully trying to hide a problem rather than confront it. And all the attention caused by the legal fluffing around can only draw attention to what otherwise might have been a quiet tech session.

It simply shows once again that security through obscurity will never work for anyone, not even Cisco.

From isn at c4i.org Tue Aug 16 02:19:52 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 16 02:33:14 2005
Subject: [ISN] New Sandhurst security breach
Message-ID:

Forwarded from: William Knowles

http://www.guardian.co.uk/uk_news/story/0,3604,1549111,00.html

Mark Honigsbaum
August 15, 2005
The Guardian

Security at the Sandhurst military academy in Surrey, where Prince Harry is training, came under renewed scrutiny yesterday after a tabloid newspaper claimed that an undercover reporter had come within touching distance of the prince on three occasions.

The News of the World said its reporter had been able to gain access to Prince Harry's accommodation block after being issued with an "access all areas" security pass when he got a job in the academy's carpentry workshop. The journalist said he was able to get a job after providing a false employment history and bogus references.

A Ministry of Defence spokesman said: "We take security at Sandhurst extremely seriously and will investigate these allegations."

The alleged breach comes two months after the Sun allegedly gained access to Sandhurst and took video footage of the 20-year-old. The prince said at the time that the pictures were not of him.

The News of the World claimed its reporter got within touching distance of the prince three times: last Monday after a map-reading exercise, on Thursday after he had finished a run and on Friday as he moved belongings from his dorm.
The newspaper also published pictures showing the route to Prince Harry's room. The reporter got a £12,000-a-year job as a maintenance man. Four weeks later he received a security pass and the security codes for the doors.

The breach will embarrass the defence secretary, John Reid. Following the Sun's infiltration in June, Mr Reid instructed Sandhurst to change its security procedures.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Tue Aug 16 02:20:09 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 16 02:33:37 2005
Subject: [ISN] Zotob worm finds its path limited
Message-ID:

http://news.com.com/Zotob+worm+finds+its+path+limited/2100-7349_3-5833777.html

By Joris Evers
Staff Writer, CNET News.com
August 15, 2005

A new worm that was unleashed over the weekend affects only a limited group of Windows users and has not wreaked any widespread havoc, according to Trend Micro.

As of Monday morning on the West Coast, the original Zotob.A had infected about 50 computers worldwide, and the first variant, Zotob.B, had compromised about 1,000 systems, the antivirus software maker said.

"There are not that many infections," said David Perry, director of global education at Trend Micro.

The worm, which has spawned at least two variants, exploits a hole in the plug-and-play feature in the Windows operating system. It surfaced only days after Microsoft offered a fix for the "critical" bug as part of its monthly patching cycle.
While early reports on Zotob suggested it was spreading rapidly, the impact of the worm has actually been restricted because it targets PCs running Windows 2000, an older version of the software, Microsoft said. It poses no threat to computers running the newer Windows XP and Windows Server 2003, the company added.

"Only a small number of customers have actually been affected," said Stephen Toulouse, a program manager in Microsoft's security group. "It is not something that has any type of widespread impact on the Internet...It hits Windows 2000 customers very specifically."

Zotob appeared in record time after Microsoft's patch release, according to Trend Micro. "This is the fastest turnaround from the announcement of the vulnerability to an actual virus," Perry said.

Last Tuesday, Microsoft issued patches to fix the plug-and-play vulnerability in various versions of Windows. The bulletins included fixes for the newer Windows XP and Windows Server 2003, even though the software maker already said at the time that only PCs running Windows 2000 were susceptible to a remote attack via the vulnerability.

There are desktop and server versions of Windows 2000, which was released in 2000 for business users rather than consumers. More recent editions of Windows are available, but Windows 2000 remains popular. The operating system ran on 48 percent of business PCs during the first quarter of 2005, according to a recent study by AssetMetrix.

Users of Windows 2000 should be on guard, especially if they are not using a firewall, said Mikko Hypponen, director of antivirus research at software maker F-Secure. Zotob.A and Zotob.B scan the Internet for vulnerable systems using TCP port 445, a port typically blocked by a firewall, he said.

When a target system is found by Zotob, it installs a shell program on the computer that downloads the actual worm code, named Haha.exe, using FTP (File Transfer Protocol).
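The propagation sequence the article describes (a sweep of TCP port 445 for reachable hosts, then an FTP fetch of the worm body by each newly hit machine) leaves a characteristic trace in perimeter firewall logs, which is what a defender would look for rather than the executable name alone. The following is an added illustration, not code from the CNET article, Trend Micro, F-Secure or Microsoft: the log line format, the sample lines and the thresholds (ten distinct targets within sixty seconds; an outbound FTP connection within five minutes of an accepted inbound 445 connection) are all constructed for this example and would need tuning against real traffic.

```python
"""Flag Zotob-style propagation in firewall connection logs.

Added, illustrative example (not from the article or any vendor tool). The
log format, the sample lines and the thresholds are constructed/assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format, one connection attempt per line:
#   <ISO timestamp> <ACCEPT|DENY> <TCP|UDP> <src ip>:<port> -> <dst ip>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(lines):
    """Yield one record dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        yield rec


def find_smb_scanners(records, window=timedelta(seconds=60), min_targets=10):
    """Return {src: distinct_targets} for sources that reached at least
    `min_targets` distinct hosts on TCP/445 inside any `window`-long span.
    A sliding window per source catches the burst the article describes
    (Zotob.A/B scanning for port 445) while ignoring normal file-server use."""
    per_src = defaultdict(list)
    for r in records:
        if r["proto"] == "TCP" and r["dport"] == 445:
            per_src[r["src"]].append((r["ts"], r["dst"]))
    hits = {}
    for src, attempts in per_src.items():
        attempts.sort()
        best, lo = 0, 0
        for hi in range(len(attempts)):
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            best = max(best, len({dst for _, dst in attempts[lo:hi + 1]}))
        if best >= min_targets:
            hits[src] = best
    return hits


def find_ftp_after_smb(records, max_gap=timedelta(minutes=5)):
    """Return [(victim, ftp_server)] for hosts that accepted an inbound TCP/445
    connection and then opened an outbound TCP/21 connection within `max_gap`:
    the download step the article describes (worm body fetched over FTP)."""
    smb_hits = defaultdict(list)  # victim -> times it accepted TCP/445
    for r in records:
        if r["proto"] == "TCP" and r["dport"] == 445 and r["action"] == "ACCEPT":
            smb_hits[r["dst"]].append(r["ts"])
    pairs = []
    for r in records:
        if r["proto"] == "TCP" and r["dport"] == 21 and r["src"] in smb_hits:
            if any(timedelta(0) <= r["ts"] - t <= max_gap for t in smb_hits[r["src"]]):
                pairs.append((r["src"], r["dst"]))
    return pairs


def analyze(lines):
    """Run both detectors over a list of log lines."""
    records = list(parse(lines))
    return {
        "scanners": find_smb_scanners(records),
        "ftp_after_smb": find_ftp_after_smb(records),
    }


# Constructed sample log: 10.0.0.5 sweeps twelve hosts on TCP/445 within
# twelve seconds (one attempt is accepted), the accepted host then opens an
# outbound FTP connection, and a workstation uses its file server normally.
SAMPLE_LOG = [
    f"2005-08-15T09:00:{i:02d} DENY TCP 10.0.0.5:{1030 + i} -> 10.0.1.{i + 1}:445"
    for i in range(12) if i != 6
] + [
    "2005-08-15T09:00:06 ACCEPT TCP 10.0.0.5:1036 -> 10.0.1.7:445",
    "2005-08-15T09:01:30 ACCEPT TCP 10.0.1.7:1502 -> 198.51.100.9:21",
    "2005-08-15T09:02:00 ACCEPT TCP 10.0.0.8:2201 -> 10.0.2.1:445",
    "2005-08-15T09:02:10 ACCEPT TCP 10.0.0.8:2202 -> 10.0.2.1:80",
    "2005-08-15T09:02:20 ACCEPT UDP 10.0.0.8:5000 -> 10.0.2.1:53",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for name, result in analyze(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

On the constructed sample the scanner detector reports only 10.0.0.5 (twelve distinct targets), the workstation talking to one file server is not flagged, and the FTP correlation names 10.0.1.7 as a host worth isolating and imaging. The two signals are deliberately kept separate: a port-445 sweep alone is a scanning host, while an accepted 445 connection followed by an outbound FTP fetch is the sign that the payload stage has been reached.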
The newly infected system then starts searching for new computers to compromise. A second offshoot, Zotob.C, adds a mass-mailing capability, which means it can also spread by e-mail.

The worm itself doesn't have a destructive payload, but the first two versions do let the attacker commandeer the infected machine. "It leaves an open back door. It could download anything," Perry said.

Copyright 1995-2005 CNET Networks, Inc

From isn at c4i.org Tue Aug 16 02:18:19 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 16 02:33:58 2005
Subject: [ISN] ACSAC Tech Blitz Call for Papers
Message-ID:

Forwarded from: ACSAC Announcement List

------------------- Call For Papers -------------------

21st Annual Computer Security Applications Conference
Technology Blitz Session
December 5-9, 2005
Tucson, Arizona
http://www.acsac.org/sub/tb.html

ACSAC is an internationally recognized forum where practitioners, researchers, and developers in information system security meet to learn and to exchange practical ideas and experiences.

The Technology Blitz Session is a fast-paced forum for disseminating leading edge security solutions quickly without the necessity for a lengthy paper. Each abbreviated work is summarized in a 10 minute presentation followed by a 5 minute question and answer period during the conference, allowing for rapid articulation and immediate feedback from academic and industrial colleagues.

Prospective authors are invited to submit extended abstracts for peer review. Accepted abstracts and presentation slides will be published on the ACSAC web site after the conference.

Successful Technology Blitz extended abstract submissions represent the most current activities in practical security research and are no more than 2-3 pages in length using a standard IEEE format (about 1800 words in length). Papers should describe only the main technical innovations, any accomplishments to date and lessons learned.
Important Dates

* Open submissions: Now
* Submission due date: September 9
* Acceptance notification: October 16
* Conference presentations: December 6

Detailed submission information is at: http://www.acsac.org/sub/tb.html

Technology Blitz topic areas include, but are not limited to, the following list. Special consideration will be given to extended abstracts that discuss system implementation, deployment and lessons learned.

* Access control
* Applied cryptography
* Audit and audit reduction
* Biometrics
* Certification and accreditation
* Database Security
* Denial of service protection
* Defensive information warfare
* Electronic commerce security
* Enterprise Security
* Firewalls and other boundary control devices
* Forensics
* Identification and Authentication
* Information Survivability
* Insider threat protection
* Integrity
* Intellectual property rights protection
* Incident response planning
* Intrusion detection and event correlation
* Middleware and distributed systems security
* Operating systems security
* Privacy
* Security engineering
* Security management
* Security services
* Security standards and their application
* Wireless Security

Session Committee (tbc_chair@acsac.org)

- Paul Jardetzky, Independent Consultant (Chair)
- Jeremy Epstein, webMethods
- Timothy Roscoe, Intel Research
- Pierangela Samarati, University of Milan

You are receiving this notice because you joined the ACSAC email notification list at http://www.acsac.org/join_ml.html. You can unsubscribe there if you wish.

You can help ACSAC reach people who might benefit from this information. Feel free to forward this message with a personal note to your friends and colleagues. They can sign up at the above URL.

ACSAC is sponsored by Applied Computer Security Associates, a not-for-profit all-volunteer Maryland corporation. Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206. This information is provided in compliance with the CAN-SPAM Act of 2003.
From isn at c4i.org Tue Aug 16 02:18:46 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 16 02:34:20 2005
Subject: [ISN] Linux Security Week - August 15th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  August 15th, 2005                            Volume 6, Number 34n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Real World Open Source: Security," "Why the computing world chose PKI," "Dump Your DMZ," and "OS exploits are old hat."

---

## Internet Productivity Suite: Open Source Security ##

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.

Click to find out more!
http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

LINUX ADVISORY WATCH

This week, advisories were released for yaboot, ttmkfdir, Netpbm, ruby, squirrelmail, sysreport, xpdf, kdegraphics, cups, ucd-snmp, gaim, ethereal, and gpdf. The distributors include Fedora, Gentoo, and Red Hat.

http://www.linuxsecurity.com/content/view/120075/150/

---

Hacks From Pax: PHP Web Application Security
By: Pax Dickinson

Today on Hacks From Pax we'll be discussing PHP web application security. PHP is a great language for rapidly developing web applications, and is very friendly to beginning programmers, but some of its design can make it difficult to write web apps that are properly secure.
We'll discuss some of the main security "gotchas" when developing PHP web applications, from proper user input sanitization to avoiding SQL injection vulnerabilities.

http://www.linuxsecurity.com/content/view/120043/49/

---

Network Server Monitoring With Nmap

Portscanning, for the uninitiated, involves sending connection requests to a remote host to determine what ports are open for connections and possibly what services they are exporting. Portscanning is the first step a hacker will take when attempting to penetrate your system, so you should be preemptively scanning your own servers and networks to discover vulnerabilities before someone unfriendly gets there first.

http://www.linuxsecurity.com/content/view/119864/150/

---

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Why the computing world chose PKI
11th, August, 2005

In Phil Zimmermann's response to "Does Phil Zimmermann need a clue on VoIP", Zimmermann offered a blistering attack on PKI based solutions and offered his own PGP solution as the superior alternative. There is just one little problem: the computing world chose PKI for the most part while PGP barely makes a dent in the email world.

http://www.linuxsecurity.com/content/view/120064

* OSSEC v0.2 Available
12th, August, 2005

OSSEC HIDS is a self-contained system for host-based intrusion detection. It performs log extraction, integrity checking and health monitoring.
All this information is correlated and analyzed by a single engine, creating a very powerful detection tool. http://www.linuxsecurity.com/content/view/120079 * Dump Your DMZ! 9th, August, 2005 DMZs (short for demilitarized zones) have been a standard component of network design ever since firewalls were invented. A DMZ is a network segment that contains all resources, such as Web servers and mail servers, accessible from the Internet. Implementing a DMZ allows you to limit network traffic from the Internet to these resources in the DMZ, while preventing any network traffic from the Internet to your internal network. As a general rule, a DMZ server should never contain any valuable data, so even if someone managed to break into a server in the DMZ, the damage would be minor. http://www.linuxsecurity.com/content/view/120047 * OS exploits are 'old hat' 9th, August, 2005 Security issues involving Cisco kit highlighted in Michael Lynn's presentation at Black Hat are characteristic of networking vendors in general. Cisco is just the most visible of these vendors to target as hackers raise their sights from attacking operating systems towards attacking network infrastructure and database systems, security researchers warn. http://www.linuxsecurity.com/content/view/120048 * Real World Open Source: Security 12th, August, 2005 Security breaches in software applications and networks are one of the biggest threats organizations currently face. But unless you pack your computers into boxes and go back to pencils, paper, and typewriters, being mindful of electronic security is an unavoidable reality and business expense. Because security vulnerabilities are such a high stakes issue, the subject has become a political hot potato between open source and commercial software advocates, with each pointing a finger at the other. 
Some commercial software vendors claim that their model promotes security while the open source model weakens it; some open source developers claim the exact opposite. http://www.linuxsecurity.com/content/view/120077 * Red Hat bangs the security drum 9th, August, 2005 Red Hat has unveiled an initiative dubbed 'Security in a Networked World' at the LinuxWorld tradeshow in San Francisco. As part of the programme, the Linux vendor showcased its Red Hat Certificate System that allows organisations to manage security certificates used to sign emails, or authenticate users for online banking applications. It also supports authentication through the use of smartcards. http://www.linuxsecurity.com/content/view/120046 * Linux Providers Partner To Address Security And Support 10th, August, 2005 Companies that sell software and hardware around the Linux open-source operating system have known for some time that they've tapped into a gold mine, an area of the IT market with plenty of customer interest and enormous growth potential. The growth will continue as long as Linux and other open-source software are considered secure and are sold and serviced as bundles rather than as individual products. http://www.linuxsecurity.com/content/view/120057 * Is Firefox's Notification Lag Necessary? 11th, August, 2005 In a previous post about Firefox I proposed that the lack of automatic deployment of Firefox software updates is a disservice to the vast majority of Firefox users who may not bother to check in for updates. Today I found out another interesting tidbit: the Mozilla Foundation doesn't turn on Firefox's automatic notification feature for several hours after a new Firefox version is available. 
http://www.linuxsecurity.com/content/view/120063 * LinuxWorld Focus Turns to Security 8th, August, 2005 Looking to counter Microsoft Corp.'s claims of security superiority, open-source software vendors are giving the battle against vulnerabilities top billing at this week's LinuxWorld Conference & Expo in San Francisco. http://www.linuxsecurity.com/content/view/120044 * Security still underfunded 8th, August, 2005 Companies and governments secure their networks because they have massive financial resources, intellectual property and assets that need protection. Security for most companies, particularly the Fortune 100, does not exist in a vacuum -- most do something other than make hardware or software for their customers. Spending on security is up dramatically over where it was five years ago, but it's still much lower than it needs to be. Why? Because we're losing the battle. http://www.linuxsecurity.com/content/view/120045 * A CSO's Guide to the World 10th, August, 2005 I'm usually not one who gets into bumper sticker logic, but I like the idea of a CSO acting globally but thinking locally. By that I mean a CSO needs to devise and enforce global security policies, but also put some thought into how those policies will be implemented locally around the world. Otherwise, variations in national customs and culture can short-circuit even the most well-intentioned security policies. http://www.linuxsecurity.com/content/view/120058 * Torvalds: How to Keep Linux Kernel on Course 10th, August, 2005 The rapid pace of Linux development appeared to hit a roadblock last year with the industry's decision to forestall development of the Linux 2.7 kernel. Linux vendors and developers wondered if tweaking a single, stable 2.6 kernel could work in practice. 
http://www.linuxsecurity.com/content/view/120059 * GPL3 first public draft due early 2006 10th, August, 2005 The first draft of the next version of the General Public License should be released for public comments in early 2006, according to a key player in the effort to modernize the foundation of the free and open-source programming movements. http://www.linuxsecurity.com/content/view/120060 * Open-source allies go on patent offensive 11th, August, 2005 Two Linux allies are taking a leaf out of their opponents' book as they try to prevent software patents from putting a crimp in open source. Red Hat will finance outside programmers' efforts to obtain patents that may be used freely by open-source developers, the top Linux seller said Tuesday at the LinuxWorld Conference and Expo here. At the same time, the Open Source Developer Labs launched a patent commons project, which will provide a central list of patents that have been donated to the collaborative programming community. http://www.linuxsecurity.com/content/view/120065 * E-mail wiretap case can proceed, court says 12th, August, 2005 In a closely watched case governing Internet privacy, a federal appeals court has reinstated a criminal case against an e-mail provider accused of violating wiretap laws. The 1st Circuit Court of Appeals, in a 5-2 vote, ruled on Thursday that an e-mail provider who allegedly read correspondence meant for his customers could be tried on federal criminal charges. http://www.linuxsecurity.com/content/view/120078 * Sean Moshir on Wireless Security and Compliance 8th, August, 2005 In this interview, Sean Moshir, PatchLink Chief Executive Officer discusses security patching, vulnerability and compliancy management for wireless phones and PDA devices and talks about the current state and future of wireless security in the enterprise. 
http://www.linuxsecurity.com/content/view/120029 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Tue Aug 16 02:19:05 2005 From: isn at c4i.org (InfoSec News) Date: Tue Aug 16 02:34:43 2005 Subject: [ISN] Hacker found guilty in massive data theft case Message-ID: http://www.networkworld.com/news/2005/081505-hacker.html By China Martens IDG News Service 08/15/05 A Florida man was found guilty of stealing data from customer information management company Acxiom Friday. The prosecution estimates that Scott Levine and his defunct bulk e-mail marketing firm Snipermail.com stole more than 1.6 billion customer records by hacking into an Acxiom server. A jury in Little Rock, Ark., convicted Levine, of Boca Raton, on 120 counts of unauthorized access of a protected computer, two counts of access device fraud and one count of obstruction of justice. The jury cleared him of 13 counts of unauthorized access of a protected computer, one count of conspiracy and one count of money laundering. "Those who steal private information can expect to be aggressively investigated and brought to justice," Deputy Assistant Attorney General Laura Parsky, said in a Friday statement from the U.S. Department of Justice. The criminal investigation was jointly conducted by the FBI and the U.S. Secret Service, Criminal Investigation Division. Levine was charged on July 21, 2004, with breaking into an Acxiom computer database to steal personal data. Levine and other Snipermail staff downloaded around 8.2G bytes of personal data from the Acxiom server between April 2002 and August 2003, according to the Justice Department. Levine's case went to trial on July 11, 2005, and the jury started its deliberations on Aug. 10. 
Sentencing by U.S. District Court Judge William Wilson is set for Jan. 9, 2006. The maximum sentences for Levine's convictions would total 640 years in prison and/or fines of $30.75 million. Each count of which he's been convicted has a maximum associated fine of $250,000, while maximum prison time for each of the offenses range between five and 20 years. Several former Snipermail employees testified against Levine that they and he had conspired to cover up physical evidence relating to the break-ins and data theft. "This case sends a clear message that cybercrime will not be tolerated, and Acxiom is satisfied and pleased by the verdict," Acxiom said in a statement released Friday. "We believe this case sets an example and will deter others who may be attempting, or even contemplating, attacks on data security." Since the security breaches were first uncovered and stopped in the summer of 2003, Acxiom has committed to better protecting its systems and the data those systems contain, according to the company. "We have improved our intrusion detection, vulnerability scanning and encryption systems, enhanced our internal and external audit practices, and are fully committed to working with our clients and outside experts to ensure continuous improvement in our security environment," Acxiom said in the statement. "There is no evidence that any individuals are at risk of harm due to the breaches. It is also important to note that only one external server was accessed, and there was no intrusion of Acxiom's internal security firewalls or internal databases." Investigators from the Sheriff's Office in Hamilton County, Ohio, stumbled across Levine's database hacking while engaged in an unrelated investigation that Ohio resident Daniel Baas had illegally accessed and downloaded data from an Acxiom server. Baas later pled guilty to federal charges in Ohio on Dec. 2, 2003. 
From isn at c4i.org Tue Aug 16 02:19:22 2005 From: isn at c4i.org (InfoSec News) Date: Tue Aug 16 02:35:04 2005 Subject: [ISN] Who can solve the CYBERPUZZLE? Message-ID: http://www.washingtontechnology.com/news/20_16/cover-stories/26748-3.html By ALICE LIPOWICZ 08/15/05 One to watch: Baker's role will impact cyber efforts IT executives anticipate that the Homeland Security Department's new cybersecurity czar position and its responsibilities may be shaped by another newcomer to the department with an even higher profile in the IT world: Stewart Baker, DHS' newly named assistant secretary for policy. Baker is one of Washington's most influential technology lawyers, and has been at odds with civil libertarians in the past. He was chief counsel to the 9/11 Commission and general counsel to the National Security Agency under the Bush and Clinton administrations. Baker was nominated for the new DHS position July 14, but the Senate has not confirmed him. A lawyer at Steptoe and Johnson LLP in Washington, Baker has been prominent in major IT privacy and data security debates over the last 15 years, including his advocacy on behalf of the NSA in the early 1990s of the Clipper Chip. It is based on the Skipjack algorithm and an encryption standard with a "back door," allowing spy agencies to access encrypted voice, fax and computer records for national security purposes. His appointment sends a positive message about the importance of IT and technology at DHS, said Dan Burton, vice president of government affairs at Entrust Inc. "Stewart Baker knows cybersecurity, the IT industry and government," Burton said. "To bring in someone of his stature sends a strong signal." "You would assume Stewart Baker would play a role, and it's natural that he would have some influence" on the cybersecurity post, said Patrick Burke, senior vice president and director of command, control, communications and intelligence for SRA International Corp. of Fairfax, Va. 
Baker declined a request to comment for this story. However, he has espoused some detailed views on IT for homeland security in the past. In his testimony to the 9/11 Commission in December 2003, Baker said he wants investigators to be able to search, within 30 seconds, a terrorism suspect's address, phone, e-mail, financial, travel and organization records. The government also needs to have access to private-sector data about a specific attack site within four hours after that site is threatened, and to be able to locate critical infrastructure nodes in the vicinity of an attack within five minutes, Baker said. To protect against abuses, DHS should make use of IT for electronic auditing and rules-based access control, as well as anonymization and one-way hashing, which allow data searching between private and public databases while also controlling access to protect privacy, Baker wrote in his testimony. But Mark Rothenberg, director of the Electronic Privacy Information Center, a nonprofit advocacy group, said he is worried about Baker's views on privacy because he has crossed swords with him many times on issues such as the Patriot Act and wiretapping. "It's disturbing that DHS, which will now have broad authority within the United States, selects someone who spends a great deal of time looking at means to expand electronic surveillance," Rothenberg said. From isn at c4i.org Tue Aug 16 02:21:32 2005 From: isn at c4i.org (InfoSec News) Date: Tue Aug 16 02:35:23 2005 Subject: [ISN] Critical Veritas attack code loose Message-ID: http://www.techworld.com/security/news/index.cfm?NewsID=4215 By Robert McMillan IDG News Service 15 August 2005 Attackers are exploiting an unpatched hole in Symantec's Veritas Backup Exec Agent for Windows, the company has warned. 
A flaw in the product's Network Data Management Protocol agent could allow an attacker to gain access to the system and download files, the Fr-SIRT (French Security Incident Response Team) said in a statement Friday. Fr-SIRT rates the vulnerability as "critical". Symantec, which acquired Veritas in July of this year, says it is "not aware of any vendor-supplied patches for this issue". The company recommends that users block access to the TCP port used by the service in question, port 10000. The Metasploit penetration testing toolkit already takes advantage of this vulnerability, and there are reports that exploits for the flaw are already being used by attackers, Symantec said. The SANS Internet Storm Center said on its website on Friday that it has seen a jump in scans for port 10000, and it advises Backup Exec users to block access to that port from all untrusted networks. The flaw affects versions 8.x, 9.0, 9.1, and 10.0 of Backup Exec for Windows Servers, Fr-SIRT said. From isn at c4i.org Wed Aug 17 02:32:01 2005 From: isn at c4i.org (InfoSec News) Date: Wed Aug 17 02:41:46 2005 Subject: [ISN] Zotob Proves Patching "Window" Non-Existent Message-ID: http://informationweek.com/story/showArticle.jhtml?articleID=168602115 By Gregg Keizer TechWeb News Aug. 16, 2005 Although the initial attack on Windows 2000 PCs by bot worms exploiting a week-old vulnerability hasn't grabbed much traction, the way hackers jumped on the bug is proof that the patching "window" is virtually non-existent, said security experts Tuesday. "The last week showed once more that there is no more patch window," wrote Johannes Ullrich, chief research officer at the SANS Internet Storm Center, in the group's daily alert. "Defense in depth is your only chance to survive the early release of malware." 
Exploits were circulating within three days of Microsoft disclosing the Plug and Play vulnerability and offering up a patch, and within five days, several bot worms -- notably Zotob.a and Zotob.b -- were attacking systems. "Microsoft must be fuming that virus writers are exploiting security holes in their software so quickly," said Graham Cluley, senior technology consultant for security vendor Sophos, in a statement. "It's not only embarrassing for the software giant, but a real headache for businesses who need to move quickly to roll out security patches." The reason for the fast hacker turn-around, said Ullrich, is that attackers are sharing more and more information. "Malware can only develop as fast as it is developing in this case because of extensive code sharing in the underground," Ullrich said. "The only way we can keep up with this development is by sharing information as efficiently. "We need to outshare the attackers." Even before the bots appeared, vulnerability investigators were tracking a high level of hacker chatter about the Plug and Play bug. Ken Dunham, senior engineer with VeriSign iDefense, said that this weekend his group eavesdropped on conversations about a Visual Basic script tool that would let attackers scan for vulnerable PCs. "There is a very high volume of hacker talk surrounding MS05-039 scanning and exploitation," Dunham said early Sunday morning, before the Zotob bot attacks were detected. "It is highly likely that malicious code will soon emerge exploiting this vulnerability." It did. In other developments, anti-virus vendors have identified additional bots that are using the Windows 2000 exploit to nail systems, including a third variation of the Zotob family and a new member of the Tilebot line. 
Zotob.c, for instance, is similar to its Zotob.a and Zotob.b brethren, but rather than attack as a network worm that requires no user interaction, it's a mass-mailed piece of malware posing as an image file attached to an e-mail message. Zotob.c uses such subject headings as "Warning!" or "Important" to get the naive to view the message and open the file attachment. "Because Zotob.c can also spread via e-mail it has the potential to affect more people than the previous incarnations," said Cluley. "The good news is that at the moment it does not appear to be spreading widely." That seems to be the consensus among security vendors for the moment. The Internet Storm Center, for example, rolled back its infocon "state of the Internet" warning from yellow -- "currently tracking a significant new threat" -- to green ("everything is normal") on Tuesday. Symantec did much the same, dropping its ThreatCon from level 2 to level 1. "The ThreatCon was maintained at level 2 as result of attackers publishing exploits and leveraging them in the wild," Symantec explained in its daily bulletin to DeepSight Threat Management customers. "As vendor-supplied patches and mitigating strategies have been available for 6 days, the risk associated with these issues is reduced, and as such the ThreatCon is being returned to level 1." On Monday Microsoft again updated the Plug and Play security advisory it originally published Thursday, August 11, to account for the variations on Zotob, as well as to clarify that even if administrators had enabled anonymous connections for Windows XP SP1 PCs, the current bots can't exploit the Plug and Play vulnerability anonymously on those systems. Microsoft has also created a new Web site dedicated to the Zotob attacks, dubbed "What You Should Know About Zotob." The site includes instructions on manually sniffing out Zotob.a and/or Zotob.b, then links to a lengthy set of steps for cleansing an infected system. 
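The jump in port-10000 scans the Internet Storm Center reported for the Backup Exec flaw, and the way a network worm such as Zotob.a or Zotob.b fans out to fresh hosts (Zotob reached the Plug and Play service over TCP port 445, which the article does not name), look the same in a perimeter or internal firewall log: one source address opening connections to the same port on many distinct destinations within a short window. The detector below is an added example, not code from SANS, Microsoft or either article. It runs over constructed iptables-style LOG lines; the log format, the addresses, the 60-second window and the five-target threshold are all assumptions, and the slow-scan source in the sample shows why the window size is a tuning decision rather than a constant.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style LOG lines (not real traffic); the year is assumed.
SAMPLE_LOG = """\
Aug 14 02:00:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.20 PROTO=TCP SPT=51000 DPT=10000 SYN
Aug 14 02:02:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.21 PROTO=TCP SPT=51001 DPT=10000 SYN
Aug 14 02:04:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.22 PROTO=TCP SPT=51002 DPT=10000 SYN
Aug 14 02:06:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.23 PROTO=TCP SPT=51003 DPT=10000 SYN
Aug 14 02:08:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.24 PROTO=TCP SPT=51004 DPT=10000 SYN
Aug 14 02:10:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.25 PROTO=TCP SPT=51005 DPT=10000 SYN
Aug 14 02:10:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=10000 SYN
Aug 14 02:10:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP SPT=40002 DPT=10000 SYN
Aug 14 02:10:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.12 PROTO=TCP SPT=40003 DPT=10000 SYN
Aug 14 02:10:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.13 PROTO=TCP SPT=40004 DPT=10000 SYN
Aug 14 02:10:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.14 PROTO=TCP SPT=40005 DPT=10000 SYN
Aug 14 02:10:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.15 PROTO=TCP SPT=40006 DPT=10000 SYN
Aug 14 02:11:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=3050 DPT=10000 SYN
Aug 14 02:12:30 fw kernel: IN=eth1 OUT= SRC=10.0.0.23 DST=10.0.0.50 PROTO=TCP SPT=1101 DPT=445 SYN
Aug 14 02:12:30 fw kernel: IN=eth1 OUT= SRC=10.0.0.23 DST=10.0.0.51 PROTO=TCP SPT=1102 DPT=445 SYN
Aug 14 02:12:31 fw kernel: IN=eth1 OUT= SRC=10.0.0.23 DST=10.0.0.52 PROTO=TCP SPT=1103 DPT=445 SYN
Aug 14 02:12:31 fw kernel: IN=eth1 OUT= SRC=10.0.0.23 DST=10.0.0.53 PROTO=TCP SPT=1104 DPT=445 SYN
Aug 14 02:12:32 fw kernel: IN=eth1 OUT= SRC=10.0.0.23 DST=10.0.0.54 PROTO=TCP SPT=1105 DPT=445 SYN
Aug 14 02:12:33 fw kernel: IN=eth1 OUT= SRC=10.0.0.23 DST=10.0.0.55 PROTO=TCP SPT=1106 DPT=445 SYN
Aug 14 02:13:00 fw kernel: IN=eth1 OUT= SRC=10.0.0.40 DST=10.0.0.50 PROTO=TCP SPT=2201 DPT=445 SYN
Aug 14 02:13:01 fw kernel: IN=eth1 OUT= SRC=10.0.0.40 DST=10.0.0.51 PROTO=TCP SPT=2202 DPT=445 SYN
Aug 14 02:15:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.10 PROTO=TCP SPT=5555 DPT=80 SYN
"""

# Ports worth watching after the two advisories; the descriptions are ours.
WATCHED_PORTS = {
    10000: "Backup Exec Remote Agent (NDMP)",
    445: "SMB, the path to the Plug and Play service (MS05-039 / Zotob)",
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse(log_text, year=2005):
    """Turn LOG lines into (timestamp, src, dst, dport) tuples; non-TCP or
    unparseable lines are skipped rather than guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    return events


def find_scanners(events, min_targets=5, window_s=60):
    """Map (src, dport) -> peak count of distinct destinations the source
    touched on a watched port inside any window_s-second window, for sources
    that reached at least min_targets. One source hitting one server
    repeatedly (a backup console, a user on a file server) never counts;
    many distinct destinations is what scanners and worms do."""
    per_key = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport in WATCHED_PORTS:
            per_key[(src, dport)].append((ts, dst))
    hits = {}
    for key, items in per_key.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until the span fits in window_s.
            while (items[end][0] - items[start][0]).total_seconds() > window_s:
                start += 1
            distinct = len({dst for _, dst in items[start:end + 1]})
            if distinct >= min_targets:
                hits[key] = max(hits.get(key, 0), distinct)
    return hits


def report(hits):
    """One human-readable finding per flagged (source, port)."""
    return [
        f"{src} touched {n} hosts on tcp/{port} ({WATCHED_PORTS[port]})"
        for (src, port), n in sorted(hits.items())
    ]


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for line in report(find_scanners(evts)):
        print(line)
    print("with a 15-minute window:")
    for line in report(find_scanners(evts, window_s=900)):
        print(line)
```

With the defaults the external scanner on tcp/10000 and the internal host sweeping tcp/445 are both flagged; the legitimate backup console and the user touching two file servers are not. The source probing one address every two minutes only appears once the window is widened to 15 minutes, which is the trade-off: wider windows catch slow scans but also sweep up normal fan-out such as a domain controller's SMB traffic, so the threshold should be set against a baseline of what the watched port looks like on the network when nothing is wrong. Note that this counts SYNs, not completed connections; the Backup Exec advice to block the port from untrusted networks makes the scans harmless while keeping them visible.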
Although Microsoft has yet to update its free-of-charge Windows Malicious Software Removal Tool to account for the Zotobs, Symantec offers a free detection/deletion tool that takes care of the Zotob.a and Zotob.b variants. It can be downloaded from the vendor's Web site. From isn at c4i.org Wed Aug 17 02:31:17 2005 From: isn at c4i.org (InfoSec News) Date: Wed Aug 17 02:42:04 2005 Subject: [ISN] NSF grants target cybersecurity research projects Message-ID: http://www.washingtontechnology.com/news/1_1/daily_news/26789-1.html By Alice Lipowicz Staff Writer 08/16/05 The National Science Foundation awarded $36 million in grants for cybersecurity research projects to protect computer operations at homes, offices and within critical infrastructure networks. The grants are part of the foundation's 2005 Cyber Trust program. The awards include $15 million for two new cybersecurity academic centers: $7.5 million to develop IT for trustworthy voting systems at Johns Hopkins University in Baltimore and $7.5 million to design, build and validate a secure IT infrastructure for the next-generation electric power grid at the University of Illinois in Urbana-Champaign. "These two centers represent opportunities to find solutions for urgent national problems," said Carl Landwehr, coordinator of the foundation's Cyber Trust program. Each center will receive approximately $1.5 million per year for five years. At Johns Hopkins, computer science professor Avi Rubin will direct A Center for Correct, Usable, Reliable, Auditable and Transparent Elections (Accurate), a collaborative project involving six institutions. Accurate will investigate software architectures, tamper-resistant hardware, cryptographic protocols and verification systems as applied to electronic voting systems. It also will look at system usability and the interaction between public policy and technology. 
The second collaborative center will be led by William Sanders, director of the Information Trust Institute at the University of Illinois. The new Trustworthy Cyber Infrastructure for the Power Grid project will bring together four institutions to develop technologies to carry critical information to grid operators in the event of cyber attacks and accidental failures. The Energy and Homeland Security departments also are expected to help fund and manage the center. The NSF also will distribute awards of at least $200,000 each to 34 other research projects to ensure authenticity of digital media; develop automated defenses against cyber attacks, including viruses, worms and spyware; extract information from large databases without compromising individual privacy; protect businesses from denial-of-service attacks; and safeguard children's online transactions by increasing parental consent. From isn at c4i.org Wed Aug 17 02:31:06 2005 From: isn at c4i.org (InfoSec News) Date: Wed Aug 17 02:42:27 2005 Subject: [ISN] Apple unloads dozens of fixes for OS X Message-ID: http://news.com.com/Apple+unloads+dozens+of+fixes+for+OS+X/2100-1002_3-5834873.html By Dawn Kawamoto Staff Writer, CNET News.com August 16, 2005 Apple Computer has released what seems to be one of its larger security updates for Mac OS X, doling out fixes for 44 flaws. Still, only a handful of the vulnerabilities are of major concern, according to security analysts. The package of fixes was released Monday. "This one is a big update. I don't recall seeing as many updates as we see today," said Thomas Kristensen, Secunia's chief technology officer. By comparison, Apple last May released an update for 20 vulnerabilities and in March distributed an update for a dozen flaws. But Kristensen noted that, with the new update, only a few of the 44 vulnerabilities are of great concern. 
He also said that 25 percent of the patches involve older vulnerabilities that have yet to lead to exploit code being developed by attackers. Still, Secunia is rating the overall update as "highly critical." Apple declined to comment on the vulnerabilities and referred all questions to its security update. The flaws affect Apple's Mac OS 10.3.9 and 10.4.2 operating system software and related server software. Kristensen said that some vulnerabilities involving AppKit and Safari are critical. AppKit, which is used to open RTFs (rich text files) and Word documents, has flaws that allow a remote attacker to create a malicious file that results in a buffer overflow. That in turn can lead to arbitrary code being executed on a user's system. Apple, however, notes that only some applications use AppKit, and that Microsoft Word for Mac OS X is not vulnerable. Flaws in Safari, meanwhile, can allow an attacker to bypass the browser's security checks and execute arbitrary commands, when the user clicks on a maliciously crafted rich text file. Another flaw, a vulnerability in Apple's Server Manager D, a modified version of Apache, is also being considered critical by some. That flaw can result in a buffer overflow and remote execution of code by an attacker, with no user interaction, said Frank Nagle, assistant director of vulnerability aggregation for iDefense, a VeriSign company. Although Apple lists other security flaws that could be exploited by a remote attacker, they are "less critical," according to Secunia. For example, two vulnerabilities in Apache 2 could be exploited by a remote attacker to either bypass security restrictions or launch a denial-of-service attack. But Apple did not enable Apache 2 by default, so it is less of an issue than it would be if the same vulnerabilities affected Apache 1.3, Nagle said. 
From isn at c4i.org Wed Aug 17 02:31:29 2005 From: isn at c4i.org (InfoSec News) Date: Wed Aug 17 02:42:58 2005 Subject: [ISN] Indian call centres sell off Australians' details Message-ID: http://www.abc.net.au/news/newsitems/200508/s1437366.htm August 15, 2005 Tens of thousands of Australians are at risk of computer fraud because their personal information is being made available illegally by workers inside call centres based in India. Tonight's Four Corners program reveals a black market in information held by Indian call centres. The program was able to get hold of personal details through a journalist who is working undercover and cannot be identified. "We were absolutely amazed at how easy it was to buy data. And secondly, the free flow of data was just astonishing," the journalist said. "A good analogy would be paedophile or child porn sites on the Internet. If you're one of them, you swap your pictures with their pictures, that's how the trade carries on." The undercover journalist was also behind the recent sting operation by Britain's Sun newspaper, which bought the bank details of 1,000 British people for just $7 each. "You can't go to these people and ask for 10 names. The minimum, it seems to us, the minimum quantity they will deal with is 1,000 names," the journalist said. The Australian names requested by Four Corners had a price tag of $10 each. It was offered ATM numbers, passport numbers and credit card details - enough information for hackers to assume the identity of Australians online. The program did not go ahead with the purchase but a sample of identifications included the personal details of Diane and Keith Poole. Ms Poole says the revelation leaves her feeling vulnerable. "I'm mortified because it leaves us fairly open, doesn't it?" she said. Mr Poole says a call centre operator working for Australian company Switch Mobile, asked him an unusual question. "They asked did I have a passport. 
I said, 'Yes I have a passport' but I said I wasn't prepared to give the number on that," he said. Switch Mobile spokesman Damien Kay says passport information is not needed. "The issue of personal information being sold goes way outside of our authorisation in the contracts that we have," he said. He says Switch is devastated that privacy laws are being flouted by its representative and has since terminated the contract it had with its telemarketing company. Cyber crime is described by former World Bank cyber intelligence expert Tom Kellerman as the most pervasive crime on the planet. "Organised crime has created a business model around hacking," he said. The threat of financial loss to a victim of identity fraud is bad in itself, but there is an even darker side to the crime. Personal details on any number of databases can be accessed and used for terrorist activities, which could include getting passports issued, establishing lines of credit or arranging fake IDs for people working undercover. From isn at c4i.org Wed Aug 17 02:31:47 2005 From: isn at c4i.org (InfoSec News) Date: Wed Aug 17 02:44:25 2005 Subject: [ISN] New focus on cyber-terrorism Message-ID: http://www.csmonitor.com/2005/0816/p01s02-stct.html By Nathaniel Hoopes Contributor to The Christian Science Monitor August 16, 2005 Buried deep in America's new energy legislation is a requirement that power companies step up their safeguards against computer attack. Why does a law aimed at boosting energy production address the dangers of hackers, software "worms," and computer viruses? Because the automatic networks that run so-called "critical infrastructure" are emerging as a vital - and weak - link in America's defense against terrorism. Networks run everything from water-treatment plants and oil refineries to power grids and transport networks. They constantly read data and adjust, opening a valve here, closing a tank there, often keeping the facility operating 24/7. 
In the wrong hands, however, such systems could be compromised. "People downplay the importance of cyber-security, claiming that no one will ever die in a cyber-attack, but they're wrong," says Richard Clarke, a former terrorism and cyber-security czar in the Bush administration. "This is a serious threat." In March, for instance, hackers gained access to the electronic control systems of the nation's electric power grid, says Dave Powner, a cyber-security specialist at the US Government Accountability Office (GAO). In 2003, a computer "worm" on the Internet may have helped delay power companies' response to the major Midwest and Northeast power outage, although the electric industry says it has found no evidence of a cyber-related effect. In all, the first half of 2005 saw 237 cyber-attacks worldwide - a 50 percent rise from the same period last year, according to IBM's global security intelligence team. From a national security viewpoint, the real danger is that a determined and talented cyber-terrorist could break into a utility or chemical plant's computer network and manipulate the sensor-control systems, experts say. That could set off an "accident" that could kill not just workers at the plant, but thousands of civilians in the surrounding area. Nearly 300 critical-infrastructure facilities lie in densely populated regions with 50,000 or more local residents, according to the Department of Homeland Security (DHS). "An attack on the scale of the Bhopal disaster in India is not impossible," says Mr. Clarke, citing the chemical leak that killed some 3,800 people in 1984. Despite such a nightmare scenario, federal officials are more immediately focused on the threat of a dual attack, says Mr. Powner of the GAO. "There is a lot of concern in government about what the FBI calls a swarming terrorist attack. You have a physical attack and a simultaneous cyber-attack on critical infrastructure - that really hurts your ability to respond." 
The cascading effect of such an attack could cost the nation billions of dollars. And getting the incredibly complex systems up and running again wouldn't be easy, security experts say. Many experts say that DHS is still relatively unprepared to protect America's critical infrastructure against a cyber-attack. "In government, when it came to senior level focus after Sept. 11, 99.9 percent was skewed towards physical protection, and cyber-security took a back seat," says Paul Kurtz, director of the Cyber Security Industry Alliance and a former Bush administration official. But he is optimistic that attitudes are changing. Facing mounting pressure, DHS is creating a national cyberspace response system. Supporters claim it will help the government work with the private sector to prevent, detect, and respond to cyber incidents. In November, DHS will launch its first major national exercise - code-named "Cyberstorm" - to test the government's ability to partner with the private sector in response to a major cyber incident. Last month, DHS Secretary Michael Chertoff created a new post, assistant secretary of cyber and telecommunications security, a position that Mr. Kurtz says will carry the necessary clout. But Clarke points out that the position hasn't been filled yet. "So far it's been all talk," he says. Power companies aren't waiting around for governments to protect them. "Ultimately industry has to be responsible for protecting its own assets," says Ellen Vancko of the North American Electric Reliability Council. The council is developing cyber-security standards, which its members will have to uphold. The industry has a lot to address, Clarke says. "Every time the government has tested the security of the electric power industry, we've been able to hack our way in - sometimes through an obscure route like the billing system," he says. 
"Computer-security officers at a number of chemical plants have indicated privately that they are very concerned about the openness of their networks and how easily they might be penetrated."

From isn at c4i.org Thu Aug 18 03:08:00 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 18 03:17:09 2005
Subject: [ISN] IT infrastructures could be battlefields of future wars
Message-ID:

Forwarded from: William Knowles

http://www.gcn.com/vol1_no1/daily-updates/36688-1.html

By Patience Wait
GCN Staff
08/17/05

HUNTSVILLE, Ala. - A professor from Auburn University has made the case that the United States may face a war in the future in which not a single shot is fired, but yet America loses.

There could be "pre-emptive achievement of military objectives strictly by information warfare techniques," said John "Drew" Hamilton, associate professor of engineering and director of the Information Assurance Laboratory at the university.

Hamilton projected that such a conflict could take place by 2015 - the time it would take to infiltrate computer development programs and insert malware into operating systems, applications software, firmware and hardware.

Acquisition trends in the military actually facilitate the possibility of such a scenario, Hamilton added. "You don't expect the military to go to Home Depot to buy a [rocket launcher], but we expect them to go to Staples to buy software," he said.

Software developers have always written back doors into their code, and even secure, partitioned systems such as the Secret IP Router Network have them. "I learned that when I got e-mail from Joint Forces Command to scan their attachments" for viruses, Hamilton said.

The risk in pushing the use of commercial, off-the-shelf software is compounded by private-sector outsourcing, he said. Microsoft Corp., for instance, has outsourced some programming tasks to China and Russia.
Hamilton said that Dan Wolf, information assurance director of the National Security Agency, told an academic group in June that "DOD agencies have been outsourcing IT services to [Section] 8a firms that are fronts for foreign intelligence agencies."

Nor is the problem limited to the Microsoft environment. Linux, touted by open-source proponents, has its own vulnerabilities. "NSA [National Security Agency] recompiled the kernel so you can't turn off [key] logging, which is good for forensics," figuring out what happened after the fact, Hamilton said.

Finally, the military has not made software a "core competency," according to Hamilton. "Some government agencies have contracted for software code they don't own the rights for."

Hamilton suggested several steps that could be taken to pre-empt and prepare for this kind of warfare, including reverse-engineering software architecture to find weaknesses, identifying sensitive parameters that can be exploited and looking for undocumented functionality. He also said that the Defense Department should stop funding university research conducted by foreign nationals. Hamilton added that this is not a xenophobic reaction, but a reasonable response to a potential threat.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Thu Aug 18 03:06:28 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 18 03:17:34 2005
Subject: [ISN] 'Spear Phishing' Tests Educate People About Online Scams
Message-ID:

http://online.wsj.com/public/article/0,,SB112424042313615131-z_8jLB2WkfcVtgdAWf6LRh733sg_20060817,00.html

By DAVID BANK
Staff Reporter of THE WALL STREET JOURNAL
August 17, 2005

To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.

In recent months, nearly 10,000 New York state employees have received email messages that appeared to be official notices asking them to click on Web links and provide passwords and other confidential information about themselves. Those who complied received gentle slaps on the wrist from William Pelgrin, New York's chief information security officer, who explained that the seemingly authentic messages were crafted by state officials "to demonstrate how realistic attackers' fake emails can seem."

The exercise, along with similar ones conducted at the U.S. Military Academy at West Point, N.Y., and at least two other organizations, represents a new -- and controversial -- approach to fending off computer hackers. By using some of the same "social engineering" techniques as the attackers, defenders hope to train users to be more careful about sharing sensitive information online.

Mr. Pelgrin plans to brief officials from other states about the exercise in a conference call today. "This is not a one-shot deal," Mr. Pelgrin says. "I've got to reinforce that behavioral change to make it permanent."

Such change is important because hackers are increasingly exploiting the weakest link in computer security -- humans.
Most computer users have become savvy enough to avoid obvious attempts at what security experts call "phishing" -- phony email messages, often purportedly from financial institutions, that ask for personal information such as account or Social Security numbers. But many are still succumbing to a new wave of more sophisticated attacks, dubbed "spear phishing," that are targeted at specific companies and government agencies. In such exploits, attackers create email messages that are designed to look like they came from the recipient's company or organization, such as an information-technology or a human-resources department.

More than 35 million of these targeted email messages to steal critical data and personal information were launched in the first half of the year, according to a report this month from International Business Machines Corp. And use of these scams is soaring: The number of such email messages sent rose more than 1,000% from January to June, the company said.

The mock phishing exercises demonstrate how effective such attacks can be. In June 2004, more than 500 cadets at West Point received an email from Col. Robert Melville notifying them of a problem with their grade report and ordering them to click on a link to verify that the grades were correct. More than 80% of the students dutifully followed the instructions.

But there is no Col. Robert Melville at West Point. The email was crafted by Aaron Ferguson, a computer-security expert with the National Security Agency who teaches at West Point. The gullible cadets received a "gotcha" email, alerting them they could easily have downloaded spyware, "Trojans" or other malicious programs and suggesting they be more careful in the future.

Mr. Ferguson, who runs similar exercises each semester, said many cadets have been victimized by real online frauds. "There have been quite a few cadets who have been duped," he says.
Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked. He says the new edict is, "Ask questions first, then execute."

Some computer-security experts say the bogus phishing exercises can help "inoculate" users against falling for real phishing scams, much like vaccines use a broken version of a real disease to provide immunization. "This is a key defense against large-scale theft of confidential information," says Alan Paller, research director of the SANS Institute, a computer-security clearinghouse based in Bethesda, Md., who helped devise the New York state exercise.

Still, there are potential pitfalls, including the possible loss of trust among employees for their organizations' own information-security staff. "My initial thoughts when I heard about it was 'Whoa, this sounds questionable,' " says David Jevans, chairman of the Anti-Phishing Working Group, an industry consortium. He says that although employers are within their rights to train their employees, companies should be careful before they intentionally use mock email on their customers. "You're playing with fire," he says. "Are people ever going to trust your email?"

Mr. Jevans, chief executive of a computer-security firm called IronKey Inc., argues that technical methods for authenticating email are likely to be more effective than such user education.

In New York, Mr. Pelgrin says he took pains to carefully design the exercise, including hiring an outside Web consultant to design the mock email pitch. "We wanted to make sure it was not too good," he says. He also enlisted AT&T Corp. to route the email messages so that they came from outside the state's own computer network, just like a real phishing attack.

In the first phase, in March, nearly 10,000 employees received an email with the logo of the state's Office of Cyber Security and Critical Infrastructure Coordination.
The note directed employees to a special "password checker" site. "You are required to check your password by clicking on the link below and entering your password and email address by close of business today."

About 15% of the recipients tried to enter their passwords before being stopped by the automated program, which sent them a note explaining the exercise. An additional 3% tried to enter the Web address in their own browsers, a sound security practice that can deflect most attacks.

In July, a second message, purportedly from the employee's own agency, asked for help fixing an Internet problem "due to a suspected cyber security event." A link took employees to a Web page that asked their email address, agency, network user name and password, and phone number. This time, only 8% of the recipients tried to interact with the fake Web site, while 5% were careful enough to enter the Web address themselves.

It is too early to declare the program a complete success, but Mr. Pelgrin says he plans to repeat the exercises. "Repetition is important. Vigilance is critical," he says. "The bottom line lesson was: Even if the request comes from legitimate individuals, never give out personal information."

From isn at c4i.org Thu Aug 18 03:06:42 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 18 03:17:59 2005
Subject: [ISN] Watch out for worm wars
Message-ID:

http://news.zdnet.com/2100-1009_22-5837147.html

By Joris Evers
CNET News.com
August 17, 2005

The recent surge in worms could be part of an underground battle to hijack PCs for use in Net crimes, some security experts say--but others aren't convinced.

Signs of a turf war between cybercrooks lie in the behavior of the worms that have emerged since Sunday, said Mikko Hypponen, chief research officer at F-Secure, a Finnish security software company. The dozen or so worms and variants all exploit a security hole in the plug-and-play feature in the Windows 2000 operating system.
But some versions undo the effects of earlier worms, suggesting that the creators are battling to take over computers that others have already compromised, Hypponen said.

"We seem to have a botwar on our hands," Hypponen said Wednesday. "There appear to be three different virus-writing gangs turning out new worms at an alarming rate, as if they were competing to build the biggest network of infected machines."

The first worm, dubbed Zotob, appeared on Sunday and appeared to have faded Monday. However, several Zotob offshoots and another new worm, Bozori, were subsequently unleashed. New versions of pre-existing threats Rbot, Sdbot, CodBot and IRCBot also began wriggling their way into computers. Systems at CNN, ABC and The New York Times were hit.

The worms include "bot" code, or a program that lets the attacker control a compromised system remotely. Criminals have typically organized these hijacked systems in networks called "botnets." These botnets are rented out to relay spam and launch phishing scams, which attempt to steal sensitive personal data for fraud. Botnets have also been used to mount denial-of-service attacks against online businesses targeted by extortion schemes, experts have said.

The outbreak has a financial motive, according to Sophos, an antivirus company based in Abingdon, England. "Organized criminal gangs are behind attacks like these, and their motive is to make money. Owning a large network of compromised computers is a valuable asset to these criminals," said Graham Cluley, the senior technology consultant at Sophos.

A botnet of about 5,500 "zombies," or compromised computers, typically costs spammers, phishers or other crooks about $350 a week, security company Symantec has said.

The worm battle has likely only just begun, said Alex Shipp, a senior antivirus technologist at MessageLabs, an e-mail security company. He said we may well see a period of intense activity in malicious software attacks as these groups vie for "pole position."
Battling worms are not new. Last year, the creators of Bagle, NetSky and MyDoom appeared to be in competition to gain control of large numbers of PCs for use in botnets.

But not everybody is convinced that the same kind of turf war is happening now. Stefana Ribaudo, a director in the threat management sector at Computer Associates, said the company had not seen any viruses or worms that try to detect or remove other worms.

Lysa Myers, a virus research engineer at security software maker McAfee, agreed that there were no real signs of a struggle to control botnets. "This particular worm outbreak is so small that there really is no room for an offensive strategy," she said.

If there is anything going on, it is just an underground rivalry, said John Pironti, a principal security consultant at Unisys, an IT services company in Blue Bell, Penn. "Attackers like to boast about how many machines they have under their control," he said. "What you are potentially seeing is that it is a contest." If the purpose was really to expand botnets, attackers would use more sophisticated methods that fly under the radar of antivirus companies, Pironti said.

Microsoft offered a fix for the Windows plug-and-play bug exploited by the worms in its monthly patching cycle last week. The software maker deemed the issue "critical," its most serious rating. The first Zotob variant appeared in record time after Microsoft's patch release, giving Windows users little time to fix their systems.

The security issue affects Windows XP and Windows Server 2003, but only PCs running Windows 2000 are susceptible to a remote attack, Microsoft has said. There are desktop and server versions of Windows 2000, which was released in 2000 for business users rather than consumers. More recent editions of Windows are available, but Windows 2000 remains popular. The operating system ran on 48 percent of business PCs during the first quarter of 2005, according to a recent study by AssetMetrix.
Infected machines can be cleaned up using tools available from antivirus software makers, including Symantec. Windows 2000 users who have not patched should do so as soon as possible, Microsoft has urged.

From isn at c4i.org Thu Aug 18 03:07:36 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 18 03:18:28 2005
Subject: [ISN] Security UPDATE -- Proactive Honeypots -- August 17, 2005
Message-ID:

====================

1. In Focus: Proactive Honeypots

2. Security News and Features
- Recent Security Vulnerabilities
- Recent Microsoft Security Bulletins: Exploits Already on the Loose
- Identity Theft Ring Used a Powerful Keyboard Logger

3. Instant Poll

4. Security Toolkit
- Security Matters Blog
- FAQ

5. New and Improved
- Filter Web and Email Content

====================

==== 1. In Focus: Proactive Honeypots ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Honeypots sit on a server and wait for intrusion attempts.
When one occurs, they can perform a variety of actions. But what if a honeypot did the inverse--headed out on the Web to look for intruders?

Microsoft has developed a new tool, Strider HoneyMonkey Exploit Detection System, that runs as a Web client by using "monkeys" to surf the Web for malicious Web-based content. HoneyMonkey's monkeys are programs that automate Web surfing and exploit detection. Instead of relying on databases of known exploits and malware, the monkeys launch a browser, connect to a site via its URL, and then wait for something to happen. The programs also monitor all file and registry access. Because the monkeys aren't designed to click links or dialog boxes on sites, it can be reasonably assumed that any executable file downloads or registry changes during monkey Web sessions might be hostile in one way or another.

Microsoft says that HoneyMonkey also works in conjunction with Strider GhostBuster and Strider Gatekeeper to detect hidden processes and hooks that might use autostart features of the OS.

HoneyMonkey runs inside a virtual machine (VM), which makes cleaning up after any potential exploit or infection much easier. When exploits are detected, HoneyMonkey alerts a controller, which destroys the VM, launches a new, fully patched VM, and passes the URL to another monkey. If an exploit is still detected, HoneyMonkey concludes that it's found a new (or zero-day, if you prefer) exploit and passes it on to Microsoft's Security Response Center for further research.

HoneyMonkey works sort of like a search engine spider. It follows links and redirects at a detected exploit site to find more suspect sites. According to Microsoft, such sites often link to each other; if one site's exploit doesn't work, another site's might.

Microsoft said that after a month of use, HoneyMonkey discovered 752 URLs at 287 sites that can infiltrate an unpatched system running Windows XP.
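To make the controller loop described above concrete, here is an added simulation written for this digest, not Microsoft's code: every monkey visit runs in a fresh VM at one patch level, any file drop or autostart registry write during a click-free session is attributed to the page, the controller re-runs the URL in progressively better-patched VMs and flags a zero-day when a fully patched VM is still altered, and links from exploit sites are spidered to find more. The site corpus, URLs, patch-level names and observed paths are all constructed for illustration.

```python
# Added simulation of a HoneyMonkey-style controller loop; constructed data,
# not Microsoft's code. Site URLs and patch-level names are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Patch levels the controller escalates through, least to most patched.
PATCH_LEVELS = ["xp_unpatched", "xp_sp2", "xp_fully_patched"]


@dataclass
class SiteProfile:
    """Constructed stand-in for how a page behaves in a monkey's browser.
    breaks_through: index of the most-patched level whose browser the page's
    drive-by code still compromises; None means the page is benign.
    links: links and redirects the monkey records on the page."""
    breaks_through: Optional[int]
    links: List[str] = field(default_factory=list)


# Constructed web for the monkeys to explore (hypothetical URLs).
CONSTRUCTED_WEB: Dict[str, SiteProfile] = {
    "http://seed.example/": SiteProfile(None, ["http://ads.example/x"]),
    "http://ads.example/x": SiteProfile(0, ["http://mirror.example/y",
                                           "http://clean.example/"]),
    "http://mirror.example/y": SiteProfile(1, ["http://zero.example/z"]),
    "http://zero.example/z": SiteProfile(2),
    "http://clean.example/": SiteProfile(None),
}


def monkey_visit(url: str, level_idx: int,
                 web: Dict[str, SiteProfile]) -> Tuple[List[str], List[str]]:
    """One automated browser session in a fresh VM at the given patch level.
    The monkey never clicks links or dialog boxes, so any executable dropped or
    autostart key written while the page is open is attributed to the page.
    Returns (observed writes, links seen on the page)."""
    site = web[url]
    writes: List[str] = []
    if site.breaks_through is not None and level_idx <= site.breaks_through:
        # Side effects a real file/registry monitor would record (constructed).
        writes = [r"C:\Windows\Temp\dropper.exe",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dropper"]
    return writes, list(site.links)


def classify(url: str, web: Dict[str, SiteProfile]) -> dict:
    """Controller logic: revisit in progressively better-patched VMs while the
    page keeps altering the VM. A page that still succeeds at the last level
    is a candidate zero-day to hand to the response team."""
    highest: Optional[int] = None
    links: List[str] = []
    for idx in range(len(PATCH_LEVELS)):
        writes, links = monkey_visit(url, idx, web)  # old VM destroyed, new one up
        if not writes:
            break
        highest = idx
    if highest is None:
        verdict = "benign"
    elif highest == len(PATCH_LEVELS) - 1:
        verdict = "zero-day"
    else:
        verdict = "exploit:" + PATCH_LEVELS[highest]
    return {"verdict": verdict, "highest_level": highest, "links": links}


def crawl(seeds: List[str], web: Dict[str, SiteProfile]) -> Dict[str, dict]:
    """Spider like a search engine, but only from pages found to be hostile:
    exploit sites tend to link to each other, so their links are worth a visit."""
    results: Dict[str, dict] = {}
    queue = list(seeds)
    while queue:
        url = queue.pop(0)
        if url in results or url not in web:  # already judged, or unreachable
            continue
        results[url] = classify(url, web)
        if results[url]["verdict"] != "benign":
            queue.extend(results[url]["links"])
    return results


def summarize(results: Dict[str, dict]) -> Dict[str, int]:
    """How many discovered URLs can infiltrate a system at each patch level."""
    return {level: sum(1 for r in results.values()
                       if r["highest_level"] is not None
                       and r["highest_level"] >= idx)
            for idx, level in enumerate(PATCH_LEVELS)}


def zero_day_reports(results: Dict[str, dict]) -> List[str]:
    """URLs that compromised a fully patched VM: escalate these for analysis."""
    return sorted(u for u, r in results.items() if r["verdict"] == "zero-day")


if __name__ == "__main__":
    found = crawl(["http://seed.example/", "http://ads.example/x"], CONSTRUCTED_WEB)
    print({u: r["verdict"] for u, r in found.items()})
    print(summarize(found))
    print("escalate:", zero_day_reports(found))
```

The per-level summary mirrors the kind of count the article reports (URLs that infiltrate an unpatched system versus an SP2 system), and only the URLs that survive the last patch level are handed on.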
Of those 752 URLs, 204 at 115 sites can infiltrate a system running XP with Service Pack 2 (SP2) and no additional patches.

Microsoft said that the first new exploit was detected in July. It used known vulnerabilities in javaprxy.dll, for which no patch was available. Microsoft then created a patch, which was released in conjunction with Microsoft Security Bulletin MS05-037, "Vulnerability in JView Profiler Could Allow Remote Code Execution (903235)."
http://list.windowsitpro.com/t?ctl=11173:4FB69

Here's some interesting information: Of those 752 URLs, 102 were available via search results at Google and 100 were available at Yahoo!. As of June 1, 49 of them were available at MSN Search, but by June 10, Microsoft had removed all 49. The company didn't say whether it shared its information with other search engine operators so that they could remove the URLs from their respective engines.

If you're interested in learning more about HoneyMonkey, visit the Microsoft Research Web site and click the link "Full research technical report on Strider HoneyMonkey" for a paper that contains a lot more detail.
http://list.windowsitpro.com/t?ctl=11181:4FB69

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=11172:4FB69

Recent Microsoft Security Bulletins: Exploits Already on the Loose
Just 48 hours after Microsoft issued its monthly security bulletins last week, three proof-of-concept exploits were released that take advantage of critical problems. On August 9, Microsoft issued six bulletins that explain numerous problems in Microsoft Internet Explorer (IE) and Windows Plug and Play and several other problems--many of these problems are considered critical. Are worms built on these exploits only a matter of time?
http://list.windowsitpro.com/t?ctl=11178:4FB69

Identity Theft Ring Used a Powerful Keyboard Logger
Last week, we reported that Sunbelt Software uncovered an identity theft ring. This week, we learned how that ring managed to gather so much sensitive information: by using a powerful keystroke logger. Learn all about it in this news item on our Web site.
http://list.windowsitpro.com/t?ctl=11177:4FB69

====================

==== 3. Instant Poll ====

Results of Previous Poll:
Do you regularly scan your external network IP addresses for open ports on your network and compare the results against a known good baseline? The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 14 votes.
- 7% Yes, I regularly scan my network and compare against a baseline.
- 14% Yes, I periodically scan but merely review the results.
- 64% No, I don't scan, but I think I should.
- 14% No, I don't think scanning is useful.

New Instant Poll:
Does your company use an encryption product to protect files and folders on Windows systems? Go to the Security Hot Topic and submit your vote for
- Yes, we use Microsoft Windows Encrypting File System (EFS).
- Yes, we use a third-party product.
- We haven't used encryption in the past, but we're considering it now.
- No, we don't see any need to encrypt data.
http://list.windowsitpro.com/t?ctl=1117C:4FB69

====================

==== 4. Security Toolkit ====

Security Matters Blog: Lawyer's Perspective on Cisco, ISS, and Mike Lynn at Black Hat
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=1117F:4FB69
Controversy ensued at the recent Black Hat USA 2005 conference in Las Vegas. Internet Security Systems (ISS) researcher Mike Lynn was slated to give a presentation at the show to discuss vulnerabilities in Cisco Systems routers. Cisco tried to prevent the presentation, but the show went on. Read the blog entry to learn more.
http://list.windowsitpro.com/t?ctl=11179:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=1117D:4FB69
Q: How can I use Group Policy to control the new Windows Firewall that's included with Windows Server 2003 Service Pack 1 (SP1) and Windows XP SP2?
Find the answer at
http://list.windowsitpro.com/t?ctl=1117A:4FB69

====================

==== 5. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Filter Web and Email Content
Aladdin Knowledge Systems offers eSafe 5.0, a gateway that checks Web content for spyware and blocks any malicious content. eSafe prevents downloads that use HTML vulnerability exploits and social engineering, as well as downloads from known spyware sites; it uses signature and heuristic detection to identify and block spyware; and it prevents installed spyware from transmitting to its vendors and helps administrators identify infected PCs. eSafe also offers spam tagging, spam blocking, remote quarantine, and user-managed quarantine and reports, and its spam database is updated eight times a day. You can purchase eSafe pre-installed on a variety of hardware. For more information, visit
http://list.windowsitpro.com/t?ctl=11180:4FB69

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users.
Windows IT Pro, a division of Penton Media, Inc.
Copyright 2005, Penton Media, Inc. All rights reserved.
From isn at c4i.org Thu Aug 18 03:08:21 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 18 03:18:55 2005
Subject: [ISN] Adware Firm Accuses 7 Distributors of Using 'Botnets'
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/08/16/AR2005081600727.html

By Brian Krebs
washingtonpost.com Staff Writer
August 16, 2005

A major online advertising company that has been accused by security experts of fueling the spyware problem says it is taking legal action against seven people in six countries who, it claims, used viruses to spread ad software to thousands of computers without their owners' consent.

In a lawsuit filed yesterday in a federal court in Washington state, Bellevue-based 180Solutions names seven of its affiliates -- individuals whom it paid to distribute the company's software, which causes advertisements to "pop up" depending on which Web sites the users visit -- and accuses them of installing it on thousands of Microsoft Windows PCs that they had infected with computer viruses. The company seeks unspecified damages and a halt to their distribution of its software.

The legal action is the latest effort by 180Solutions to clean up its image following years of criticism for failing to more closely monitor its distributors and crack down on those who profit from installing its software illegally. Since January, the company says, it has severed ties with more than 500 distributors who were found to have installed its "adware" without the recipient's knowledge or consent.

180Solutions claims the affiliates used "botnets" -- large groupings of hacked, remote-controlled computers or "bots" -- to distribute and install their software. A single botnet can consist of thousands of computers, most sitting on desktops of innocent users who have no idea that a virus infection is allowing a hacker to use their PCs for illegal purposes.
Online criminals have long used such networks to steal sensitive information from their victims, distribute junk e-mail and to wage debilitating "denial of service" attacks that inundate Web sites with so much bogus traffic that they can no longer accommodate legitimate visitors. A Business Opportunity Increasingly, however, botnets are being used to install spyware and adware. McAfee Inc., a computer security company based in Santa Clara, Calif., said it witnessed a 12 percent increase in the number of adware programs installed on computers in the second quarter of 2005, an increase it said was driven heavily by the proliferation of bot programs configured to install the adware. The legitimate distribution method for 180Solutions contractors is to embed computer code into their Web sites that asks each visitor for consent to install, in exchange for access to content on the site. Each time a visitor agrees, the Web site owner earns a small commission, usually between 5 and 20 cents. 180Solutions requires its partner Web sites to prompt visitors for approval, but security experts have documented hundreds of sites that use security holes in the visitor's browser to quietly install the adware without permission. Armed with a botnet of several thousand computers, distributors can make big money, and fast. LoudCash.com, a Quebec-based distribution firm bought by 180Solutions earlier this year, promises affiliates "big league payouts" and claims to offer the best per-installation rates in the industry, currently 25 cents. LoudCash's site features a "revenue calculator" which prospective affiliates can use to estimate their monthly earnings. An enterprising hacker controlling a network of just 5,000 PCs -- and at least half of the target computers are located in the United States -- that bot master could make as much as $744 a day, or $22,346.25 a month, according to the company's calculator. 
That sort of easy money is a strong draw for hackers who already control botnets and are willing to use them as platforms for spyware and adware, said Sam Norris, president of San Marcos, Calif.-based Changeip.com, a company that helps Web sites remain reachable at the same domain name no matter how frequently their numerical Internet address changes. These "dynamic DNS services" allow botnet operators to periodically change the location of the Web servers used to control their networks, thus making them much harder to detect or shut down. Norris said that each week he terminates several new Changeip.com accounts that appear to be connected with botnet and spyware activity. In the spring, Norris began tracking one customer who was using Changeip.com's services to control a botnet of 40,000 computers. Norris obtained a copy of the virus the customer used to infect machines and install the 180Solutions software; the programming code also contained an affiliate ID number issued by LoudCash. Norris alerted 180Solutions to the activity, and the advertising company said it later traced that affiliate ID to one of the defendants. The bot program directed computers to download and install 14 different adware products, more than half of which were produced by 180Solutions, Norris said. The virus also included at least 30 other features, including the ability to capture all of the victim's Web traffic and keyboard keystrokes -- with a particular interest in Paypal user names and passwords. Other programs installed by the bot allow the attackers to peek through the user's Webcam, or steal PC game registration keys. The lawsuit alleges that the defendants -- Eric de Vogt of Breda, the Netherlands; Jesse Donohue of South Melbourne, Australia; Khalil Halel of Beirut; Imran Patel of Leicester, England; Zarox Souchi of Toronto; Youri van den Berg of Deventer, the Netherlands; and Anton Zagar of Trbovlje, Slovenia -- used botnets to install 180Solutions' software. 
The company has notified the FBI about its findings, but an FBI spokesman declined to say whether the agency was investigating the claims. Five of the defendants were contacted by washingtonpost.com but have not responded to requests for comment.

180Solutions attorney Kevin Osborn said the company does not know exactly how many illegal installations the seven former affiliates were responsible for, but estimates that in all they were paid at least $60,000 during the weeks and months that they worked for the company.

Dealing With the 'Rogues'

David DeLanoy, manager of partner development at 180Solutions, said the company's software is installed on about 20 million computers worldwide, but that so-called "rogue installs" account for just five percent of that user base. 180Solutions made more than $50 million in revenue last year through its software, which serves online advertisements for some of the nation's largest companies, including Cingular, Expedia.com, JP Morgan Chase, Monster.com and T-Mobile International.

But 180Solutions' estimates don't sit well with Ben Edelman, a PhD candidate at Harvard University who has documented the most egregious practices in the adware industry. (Edelman was hired in 2003 as an expert witness by The Washington Post Co. and other news outlets in their lawsuit against the Gator Corp. -- now Claria Corp. -- one of 180Solutions' biggest competitors. The media companies accused Gator of serving pop-up ads over the Web publishers' pages without their permission. Gator later settled the suit.)

"I'd estimate that more than half of [180Solutions'] 'users' have no idea they even have the software, let alone ever consented to installing it in the first place," Edelman said. "The company says in one breath that rogue installs account for just 5 percent of their user base, but they also say they have no real way of knowing which installs are legit, so I'm not sure how they could really draw that estimate."

Edelman said that if the company does know which installations were fraudulent, it should already have devised a way to remove them. "There is no reason for them to have waited this long, except to receive the revenue that those installs bring in," Edelman said.

Eric Howes, a spyware researcher at the University of Illinois at Urbana-Champaign, said 180Solutions is not only a major cause of the spyware and adware problem, but that it also is in a position to significantly clean up the problem. Howes pointed to the turnaround in the past year of WhenU, once reviled for its aggressive adware installation tactics. Last year, for example, the company announced it would no longer allow partners to install its software through Microsoft ActiveX, a component of the Internet Explorer Web browser that adware company affiliates have long used to conduct illegal "drive-by" installations.

"WhenU pretty much put an end to the problem of sleazy installs of its software, so we know it can be done," Howes said. "180's enforcement division has really got to get up to speed, because I've seen no evidence they have a robust enforcement division, other than when they occasionally track down leads that people in the anti-spyware community hand to them."

DeLanoy said the company is putting new technologies in place that will allow it to better track how its software is installed and by whom, and ensure that users agree first. In the meantime, 180Solutions is using its ad-serving network to display pop-up notices warning customers that its software may have been installed on their computers without their consent and providing instructions on how to uninstall it. Later this year, the company also will begin uninstalling its software from computers on which it has reason to believe that the software was installed in violation of the company's terms, DeLanoy said.

Changeip.com's Norris commended 180Solutions for its actions, but said the company and other adware vendors need to be far more aggressive in policing their affiliates. "Right now there are a lot of people distributing their software like this and getting away scot-free, and every day we're seeing more and more people getting into this," Norris said.

Viruses and spyware have created a huge market for security software and services. At-home computer users invested more than $2.6 billion in software to protect their computers during the past two years, according to a study released this month by Consumer Reports. Even with those protections in place, however, consumers spent more than $9 billion on computer repairs and parts due to damage inflicted by viruses and spyware.

© 2005 Washingtonpost.Newsweek Interactive

From isn at c4i.org Thu Aug 18 03:08:35 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 18 03:21:15 2005
Subject: [ISN] Seller of AOL Data Is Sentenced
Message-ID:

http://www.nytimes.com/2005/08/18/technology/18spam.html

By THE ASSOCIATED PRESS
August 18, 2005

A 25-year-old former employee of America Online was sentenced to a year and three months in prison yesterday after admitting that he became a cyberspace "outlaw" when he sold the screen names and e-mail addresses of 92 million subscribers to spammers.

"I know I've done something very wrong," the soft-spoken and teary-eyed former employee, Jason Smathers, told Judge Alvin K. Hellerstein of Federal District Court in New York as he apologized for a theft that resulted in spammers sending up to seven billion unsolicited e-mail messages.

"The public at large has an interest in making sure people respect the same values that apply in everyday life on the Internet," David Siegal, an assistant United States attorney, said.

A lawyer for Mr. Smathers, Jeffrey Hoffman, said the theft was a "dumb, stupid, insane act" that his client regretted. Mr. Smathers apologized to a half-dozen members of his family who had flown from California and Indiana to attend the sentencing.

Judge Hellerstein acknowledged the defendant's contrition and efforts to help the government. Earlier this year, Mr. Smathers had pleaded guilty to conspiracy charges in a plea deal that had called for a sentence of at least a year and a half in prison. The judge imposed the reduced sentence of one year and three months, saying he recognized Mr. Smathers had cooperated fully but lacked information to build other criminal cases.

In a letter to the court that was partially read into the record by Mr. Siegal, Mr. Smathers tried to explain the crimes that AOL has said cost the company at least $300,000 and possibly millions of dollars.

Mr. Smathers was fired by AOL in June 2004. The authorities said he used another employee's access code to steal the list of AOL customers in 2003 from the company headquarters in Dulles, Va. He reportedly sold the list to Sean Dunaway, of Las Vegas, who used it to send unwanted gambling advertisements to subscribers of AOL. Charges are pending against Mr. Dunaway.

From isn at c4i.org Thu Aug 18 03:08:46 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 18 03:21:44 2005
Subject: [ISN] CERT: Zotob, esbot not major attacks
Message-ID:

http://www.fcw.com/article90073-08-17-05-Web

By Michael Arnone
Aug. 17, 2005

The group of attacks that include the Zotob and esbot worms aren't major cyberattacks, the U.S. Computer Emergency Response Team (CERT) said today.

"We're not in crisis mode at this time," said Jeff Havrilla, Internet security analyst at CERT. "We're nowhere near the same scale of activity" that occurred when the Blaster worm leveled computers worldwide in 2003, he said. Blaster affected hundreds of thousands of unique IP addresses, Havrilla said, while the number of addresses affected by the group of attacks including Zotob and esbot has not yet reached 100,000.
The attacks prey on vulnerabilities in Microsoft's Windows 2000 operating system, Havrilla said. CERT published an alert Aug. 9 to warn the public, but the intruder community created the worms before many users could protect themselves, he said.

The attacks' effects on the federal government have not been large, Havrilla said. He said he has heard media reports that the attacks affected some computers on Capitol Hill, but CERT has not received any reports of attacks.

News organizations were hit hard because they may not have understood the risks of patching systems on their corporate networks, Havrilla said. Now that they've been attacked, he said, they're spreading the news.

From isn at c4i.org Thu Aug 18 03:09:06 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 18 03:23:03 2005
Subject: [ISN] India Blocks Chinese Telecom Expansion, Citing Security
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=168602118

By K.C. Krishnadas
EE Times
Aug. 16, 2005

BANGALORE, India - Chinese telecom equipment maker Huawei Technologies' expansion plans here have again drawn the attention of Indian security agencies.

For the second time in the last five years, Indian security agencies have moved to slow Huawei's expansion plans out of concern for India's strategic telecom network. In 2001, U.S. intelligence sources reportedly tipped off the Indian government about Huawei's activities here. Huawei has been embroiled in several high-profile intellectual property disputes with telecom rivals in recent years. Indian authorities are also concerned about Chinese links to India's neighbor and long-time adversary Pakistan.

According to a report in The Times of India on Tuesday (August 16), the Indian government has put on hold Huawei's plans to use $60 million in new equity for its Indian subsidiary, Huawei Technologies India Pvt. Ltd.

The report quoted the Research and Analysis Wing, an Indian intelligence agency, as saying Huawei "has been responsible for sweeping and debugging operations in the Chinese embassy [in India]. In view of China's focus on cyber warfare, there is a risk in exposing our strategic telecom network to the Chinese."

The report said senior officials from Indian intelligence agencies recently discussed the matter and formed a committee to review guidelines for foreign companies involved in projects in sensitive industries. The committee will submit a report in September, when Huawei's case for increasing its equity is likely to be decided.

The report quoted officials in the Indian Ministry of External Affairs as saying that Huawei attracted "adverse notice" from India's security agencies which expressed "reservations regarding the company's links with the Chinese military." A Huawei spokesperson here could not be reached for comment.

Huawei launched a small Indian software development operation in 1999, but formally opened a development center in 2001. About 1,000 people work for the company in India, making it Huawei's largest software development center outside China. Earlier this year it announced plans to set up a $60 million manufacturing unit in Bangalore, with plans to spend an additional $40 million to expand its existing R & D center here. Huawei is believed to have so far invested $100 million in the R & D center.

Huawei's manufacturing plan is designed to cash in on India's expanding telecom infrastructure. The network expansion could eventually be worth billions of dollars to global telecom equipment suppliers.

The Huawei probe illustrates the uneasy relationship between China and India. The regional rivals fought a war in 1962. Relations have improved over the last decade, but China's close military ties with Pakistan have fueled concerns here about Huawei's intentions.
Meanwhile, a recent nuclear power deal between India and the United States has raised concerns in Beijing.

From isn at c4i.org Fri Aug 19 03:38:48 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 19 03:48:09 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-33
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-08-11 - 2005-08-18

This week : 77 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

A vulnerability has been reported in Adobe Reader and Adobe Acrobat, which potentially can be exploited by malicious people to compromise a user's system.

Adobe has released updated versions, which correct this vulnerability. More information about affected versions can be found in the referenced Secunia advisory.

Reference:
http://secunia.com/SA16466

--

Apple has issued a security update for Mac OS X, which fixes more than 40 vulnerabilities.

Please read the referenced Secunia advisory for a complete list of vulnerabilities fixed.

Reference:
http://secunia.com/SA16449

VIRUS ALERTS:

During the last week, Secunia issued 2 MEDIUM RISK virus alerts. Please refer to the grouped virus profiles below for more information:

RBOT.CBQ - MEDIUM RISK Virus Alert - 2005-08-17 02:34 GMT+1
http://secunia.com/virus_information/20737/rbot.cbq/

IRCBot.es - MEDIUM RISK Virus Alert - 2005-08-17 01:52 GMT+1
http://secunia.com/virus_information/20679/ircbot.es/

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA16466] Adobe Acrobat / Reader Plug-in Buffer Overflow Vulnerability
2. [SA16373] Internet Explorer Three Vulnerabilities
3. [SA16372] Microsoft Windows Plug-and-Play Service Buffer Overflow
4. [SA16449] Mac OS X Security Update Fixes Multiple Vulnerabilities
5. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
6. [SA16403] VERITAS Backup Exec / NetBackup Arbitrary File Download Vulnerability
7. [SA16386] WordPress "cache_lastpostdate" PHP Code Insertion
8. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
9. [SA16406] Linux Kernel XDR Encode/Decode Buffer Overflow Vulnerability
10. [SA16418] SUSE update for mozilla / MozillaFirefox

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA16444] JaguarEditControl ActiveX Control Buffer Overflow Vulnerability
[SA16408] MindAlign Multiple Unspecified Vulnerabilities
[SA16403] VERITAS Backup Exec / NetBackup Arbitrary File Download Vulnerability
[SA16393] Novell eDirectory iMonitor Buffer Overflow Vulnerability
[SA16430] Hummingbird FTP User Password Encryption Weakness
[SA16410] ePolicy Orchestrator / ProtectionPilot Insecure Directory Permissions
[SA16396] Linksys WLAN Monitor Privilege Escalation Vulnerability
[SA16422] Bloodshed Dev-Pascal NULL Character File Display Weakness
[SA16420] Dev-PHP NULL Character File Display Weakness
[SA16398] PHP Designer 2005 NULL Character File Display Weakness

UNIX/Linux:
[SA16460] Nucleus CMS XML-RPC Nested XML Tags PHP Code Execution
[SA16458] Debian update for clamav
[SA16455] Fedora update for evolution
[SA16449] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA16442] Mandriva update for gaim
[SA16439] Gentoo update for awstats
[SA16437] SGI Advanced Linux Environment Multiple Updates
[SA16436] Gentoo update for gaim
[SA16434] ezUpload "path" Arbitrary File Inclusion Vulnerability
[SA16433] Discuz! Multiple File Extensions Script Upload Vulnerability
[SA16423] Ubuntu update for gaim
[SA16418] SUSE update for mozilla / MozillaFirefox
[SA16413] Debian amd64 Update for Multiple Packages
[SA16412] Ubuntu update for awstats
[SA16399] Red Hat update for ethereal
[SA16397] Ubuntu update for evolution
[SA16394] GNOME Evolution Multiple Format String Vulnerabilities
[SA16473] Debian update for mozilla
[SA16453] BlueZ Arbitrary Command Execution Vulnerability
[SA16448] Mandriva update for proftpd
[SA16447] Kismet Multiple Vulnerabilities
[SA16446] Debian update for mozilla-firefox
[SA16443] PHPTB "mid" Parameter SQL Injection Vulnerability
[SA16421] Debian update for fetchmail
[SA16419] Fedora update for vim
[SA16395] Mandriva update for netpbm
[SA16470] Sun StorEdge Enterprise Backup Vulnerabilities
[SA16426] SGI ProPack arrayd Authentication Spoofing Vulnerability
[SA16406] Linux Kernel XDR Encode/Decode Buffer Overflow Vulnerability
[SA16452] Fedora update for xpdf
[SA16450] SUSE update for apache / apache2
[SA16440] Gentoo update for xpdf/kpdf/gpdf
[SA16417] Mandriva update for cups
[SA16415] Mandriva update for xpdf
[SA16404] Red Hat update for gpdf
[SA16401] HP Tru64 UNIX IPsec Tunnel ESP Mode Encrypted Data Disclosure
[SA16400] GNOME gpdf Temporary File Writing Denial of Service
[SA16456] HP Ignite-UX TFTP Service Two Vulnerabilities
[SA16416] Mandriva update for ucd-snmp
[SA16411] Sun Solaris Multiple MySQL Vulnerabilities
[SA16451] Fedora update for kdeedu
[SA16428] KDE langen2kvtml Insecure Temporary File Creation
[SA16425] Kaspersky Anti-Virus Insecure Log Directory Security Issue

Other:
[SA16467] Xerox Document Centre MicroServer Web Server Vulnerabilities
[SA16457] Linksys WRT54GS Wireless Encryption Security Bypass
[SA16402] HP ProLiant DL585 Server Unspecified Access Vulnerability
[SA16445] BONA ADSL-FR4II Multiple Vulnerabilities
[SA16438] Grandstream BudgeTone Denial of Service Vulnerability
[SA16409] Wyse Winterm 1125SE IP Option Length Denial of Service

Cross Platform:
[SA16469] phpPgAds Multiple Vulnerabilities
[SA16468] phpAdsNew Multiple Vulnerabilities
[SA16466] Adobe Acrobat / Reader Plug-in Buffer Overflow Vulnerability
[SA16465] eGroupWare XML-RPC Nested XML Tags PHP Code Execution
[SA16462] CPAINT Ajax Toolkit Unspecified Command Execution Vulnerability
[SA16454] CPAINT Ajax Toolkit Command Execution Vulnerabilities
[SA16441] phpMyFAQ XML-RPC Nested XML Tags PHP Code Execution
[SA16432] Drupal XML-RPC PHP Code Execution Vulnerability
[SA16431] XML-RPC for PHP Nested XML Tags PHP Code Execution
[SA16429] PEAR XML_RPC Nested XML Tags PHP Code Execution
[SA16471] phpWebSite "module" Parameter SQL Injection Vulnerability
[SA16459] ECW-Shop SQL Injection and Cross-Site Scripting Vulnerabilities
[SA16435] Dada Mail Archived Messages Script Insertion Vulnerability
[SA16427] SafeHTML UTF-7 XSS and CSS Comments Handling Security Bypass
[SA16414] FUDforum "Tree View" Security Bypass Vulnerability
[SA16464] Legato NetWorker Multiple Vulnerabilities
[SA16407] Dokeos Multiple Directory Traversal Vulnerabilities
[SA16405] My Image Gallery Cross-Site Scripting Vulnerabilities

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA16444] JaguarEditControl ActiveX Control Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-16

Tacettin Karadeniz has discovered a vulnerability in JaguarEditControl, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16444/ -- [SA16408] MindAlign Multiple Unspecified Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS Released: 2005-08-15 NISCC has reported some vulnerabilities in MindAlign, which can be exploited to enumerate valid users, gain knowledge of various information, conduct cross-site scripting attacks, cause a DoS (Denial of Service), or bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/16408/ -- [SA16403] VERITAS Backup Exec / NetBackup Arbitrary File Download Vulnerability Critical: Moderately critical Where: From local network Impact: Security Bypass Released: 2005-08-12 A vulnerability has been reported in VERITAS Backup Exec and NetBackup, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/16403/ -- [SA16393] Novell eDirectory iMonitor Buffer Overflow Vulnerability Critical: Moderately critical Where: From local network Impact: System access Released: 2005-08-12 Peter Winter-Smith of NGSSoftware has reported a vulnerability in Novell eDirectory, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16393/ -- [SA16430] Hummingbird FTP User Password Encryption Weakness Critical: Less critical Where: Local system Impact: Exposure of sensitive information Released: 2005-08-15 nnposter has discovered a weakness in Hummingbird FTP, which can be exploited by malicious, local users to disclose certain sensitive information. 
Full Advisory: http://secunia.com/advisories/16430/ -- [SA16410] ePolicy Orchestrator / ProtectionPilot Insecure Directory Permissions Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-08-15 Reed Arvin has reported a security issue in ePolicy Orchestrator, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/16410/ -- [SA16396] Linksys WLAN Monitor Privilege Escalation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-08-11 Reed Arvin has discovered a vulnerability in Linksys WLAN Monitor, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/16396/ -- [SA16422] Bloodshed Dev-Pascal NULL Character File Display Weakness Critical: Not critical Where: From remote Impact: Unknown Released: 2005-08-12 rgod has discovered a weakness in Bloodshed Dev-Pascal, which can be exploited by malicious people to hide the contents of certain source files. Full Advisory: http://secunia.com/advisories/16422/ -- [SA16420] Dev-PHP NULL Character File Display Weakness Critical: Not critical Where: From remote Impact: Unknown Released: 2005-08-12 rgod has discovered a weakness in Dev-PHP, which can be exploited by malicious people to hide the contents of certain source files. Full Advisory: http://secunia.com/advisories/16420/ -- [SA16398] PHP Designer 2005 NULL Character File Display Weakness Critical: Not critical Where: From remote Impact: Unknown Released: 2005-08-12 rgod has discovered a weakness in PHP Designer 2005, which can be exploited by malicious people to hide the contents of certain source files. 
Full Advisory: http://secunia.com/advisories/16398/ UNIX/Linux:-- [SA16460] Nucleus CMS XML-RPC Nested XML Tags PHP Code Execution Critical: Highly critical Where: From remote Impact: System access Released: 2005-08-16 A vulnerability has been reported in Nucleus CMS, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16460/ -- [SA16458] Debian update for clamav Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-08-16 Debian has issued an update for clamav. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16458/ -- [SA16455] Fedora update for evolution Critical: Highly critical Where: From remote Impact: System access Released: 2005-08-16 Fedora has issued an update for evolution. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16455/ -- [SA16449] Mac OS X Security Update Fixes Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access Released: 2005-08-16 Apple has issued a security update for Mac OS X, which fixes more than 40 vulnerabilities. Full Advisory: http://secunia.com/advisories/16449/ -- [SA16442] Mandriva update for gaim Critical: Highly critical Where: From remote Impact: System access, DoS Released: 2005-08-16 Mandriva has issued an update for gaim. This fixes a vulnerability and two weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system. 
Full Advisory: http://secunia.com/advisories/16442/ -- [SA16439] Gentoo update for awstats Critical: Highly critical Where: From remote Impact: System access Released: 2005-08-16 Gentoo has issued an update for awstats. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16439/ -- [SA16437] SGI Advanced Linux Environment Multiple Updates Critical: Highly critical Where: From remote Impact: System access, DoS, Manipulation of data, Spoofing, Cross Site Scripting, Security Bypass Released: 2005-08-15 SGI has issued a patch for SGI Advanced Linux Environment, which fixes multiple vulnerabilities in various packages. Full Advisory: http://secunia.com/advisories/16437/ -- [SA16436] Gentoo update for gaim Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-08-15 Gentoo has issued an update for gaim. This fixes a vulnerability and a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system. Full Advisory: http://secunia.com/advisories/16436/ -- [SA16434] ezUpload "path" Arbitrary File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-08-16 Johnnie Walker has reported a vulnerability in ezUpload, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16434/ -- [SA16433] Discuz! Multiple File Extensions Script Upload Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-08-16 Jeremy Bae has reported a vulnerability in Discuz!, which potentially can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/16433/ -- [SA16423] Ubuntu update for gaim Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-08-12 Ubuntu has issued an update for gaim. This fixes a vulnerability and two weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system. Full Advisory: http://secunia.com/advisories/16423/ -- [SA16418] SUSE update for mozilla / MozillaFirefox Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Spoofing, System access Released: 2005-08-12 SUSE has issued an update for mozilla / MozillaFirefox. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, spoof the contents of web sites, spoof dialog boxes, and compromise a user's system. Full Advisory: http://secunia.com/advisories/16418/ -- [SA16413] Debian amd64 Update for Multiple Packages Critical: Highly critical Where: From remote Impact: Exposure of sensitive information, Privilege escalation, DoS, System access Released: 2005-08-12 Debian has issued updates for multiple packages. These fix several vulnerabilities and covers all security updates since the release of sarge for the stable amd64 distribution. Full Advisory: http://secunia.com/advisories/16413/ -- [SA16412] Ubuntu update for awstats Critical: Highly critical Where: From remote Impact: System access Released: 2005-08-12 Ubuntu has issued an update for awstats. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16412/ -- [SA16399] Red Hat update for ethereal Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-08-11 Red Hat has issued an update for ethereal. 
This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16399/

--
[SA16397] Ubuntu update for evolution
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-11
Ubuntu has issued an update for evolution. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16397/

--
[SA16394] GNOME Evolution Multiple Format String Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-11
Ulf Harnhammar has reported some vulnerabilities in Evolution, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16394/

--
[SA16473] Debian update for mozilla
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2005-08-17
Debian has issued an update for mozilla. This fixes a vulnerability, which can be exploited by malicious people to spoof the contents of web sites.
Full Advisory: http://secunia.com/advisories/16473/

--
[SA16453] BlueZ Arbitrary Command Execution Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, System access
Released: 2005-08-16
Henryk Plotz has reported a vulnerability in BlueZ, which can be exploited by malicious people to bypass certain security restrictions or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16453/

--
[SA16448] Mandriva update for proftpd
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, DoS, System access
Released: 2005-08-16
Mandriva has issued an update for proftpd.
This fixes two vulnerabilities, which can be exploited by malicious users to disclose certain sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16448/

--
[SA16447] Kismet Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, System access
Released: 2005-08-16
Some vulnerabilities have been reported in Kismet, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16447/

--
[SA16446] Debian update for mozilla-firefox
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2005-08-15
Debian has issued an update for mozilla-firefox. This fixes a vulnerability, which can be exploited by malicious people to spoof the contents of web sites.
Full Advisory: http://secunia.com/advisories/16446/

--
[SA16443] PHPTB "mid" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-08-15
aLMaSTeR HaCKeR has reported a vulnerability in PHPTB, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16443/

--
[SA16421] Debian update for fetchmail
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-08-12
Debian has issued an update for fetchmail. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16421/

--
[SA16419] Fedora update for vim
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-08-12
Fedora has issued an update for vim. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16419/

--
[SA16395] Mandriva update for netpbm
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-08-11
Mandriva has issued an update for netpbm. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16395/

--
[SA16470] Sun StorEdge Enterprise Backup Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: Security Bypass, Exposure of sensitive information, DoS
Released: 2005-08-17
Sun Microsystems has acknowledged some vulnerabilities in Sun StorEdge Enterprise Backup / Solstice Backup, which can be exploited by malicious people to cause a DoS (Denial of Service), gain knowledge of sensitive information, or bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/16470/

--
[SA16426] SGI ProPack arrayd Authentication Spoofing Vulnerability
Critical: Moderately critical
Where: From local network
Impact: Spoofing
Released: 2005-08-15
SGI has acknowledged a vulnerability in SGI ProPack, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16426/

--
[SA16406] Linux Kernel XDR Encode/Decode Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2005-08-12
Florian Weimer has reported a vulnerability in the Linux kernel, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16406/

--
[SA16452] Fedora update for xpdf
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-16
Fedora has issued an update for xpdf. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) on a vulnerable system.
Full Advisory: http://secunia.com/advisories/16452/

--
[SA16450] SUSE update for apache / apache2
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, DoS
Released: 2005-08-16
SUSE has issued updates for apache and apache2. These fix two vulnerabilities, which can be exploited by malicious people to potentially cause a DoS (Denial of Service) and conduct HTTP request smuggling attacks.
Full Advisory: http://secunia.com/advisories/16450/

--
[SA16440] Gentoo update for xpdf/kpdf/gpdf
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-16
Gentoo has issued updates for xpdf, kpdf, and gpdf. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16440/

--
[SA16417] Mandriva update for cups
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-12
Mandriva has issued an update for cups. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) on a vulnerable system.
Full Advisory: http://secunia.com/advisories/16417/

--
[SA16415] Mandriva update for xpdf
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-12
Mandriva has issued an update for xpdf. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16415/

--
[SA16404] Red Hat update for gpdf
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-11
Red Hat has issued an update for gpdf. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16404/

--
[SA16401] HP Tru64 UNIX IPsec Tunnel ESP Mode Encrypted Data Disclosure
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-08-11
HP has acknowledged a vulnerability in HP Tru64 UNIX, which can be exploited by malicious people to disclose certain sensitive information.
Full Advisory: http://secunia.com/advisories/16401/

--
[SA16400] GNOME gpdf Temporary File Writing Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-11
A vulnerability has been reported in gpdf, which can be exploited by malicious people to cause a DoS (Denial of Service) on a vulnerable system.
Full Advisory: http://secunia.com/advisories/16400/

--
[SA16456] HP Ignite-UX TFTP Service Two Vulnerabilities
Critical: Less critical
Where: From local network
Impact: Manipulation of data, Exposure of sensitive information
Released: 2005-08-16
Martin O'Neal of Corsaire has reported two vulnerabilities in HP Ignite-UX, which can be exploited by malicious people to gain access to the file system or disclose certain sensitive information.
Full Advisory: http://secunia.com/advisories/16456/

--
[SA16416] Mandriva update for ucd-snmp
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-08-12
Mandriva has issued an update for ucd-snmp. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16416/

--
[SA16411] Sun Solaris Multiple MySQL Vulnerabilities
Critical: Less critical
Where: From local network
Impact: Security Bypass, Privilege escalation, DoS
Released: 2005-08-12
Sun Microsystems has acknowledged some vulnerabilities in the MySQL package bundled with Solaris, which can be exploited by malicious users to bypass certain security restrictions, cause a DoS (Denial of Service), or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16411/

--
[SA16451] Fedora update for kdeedu
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-16
Fedora has issued an update for kdeedu. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions with escalated privileges on a vulnerable system.
Full Advisory: http://secunia.com/advisories/16451/

--
[SA16428] KDE langen2kvtml Insecure Temporary File Creation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-15
A vulnerability has been reported in KDE, which can be exploited by malicious, local users to perform certain actions with escalated privileges on a vulnerable system.
Full Advisory: http://secunia.com/advisories/16428/

--
[SA16425] Kaspersky Anti-Virus Insecure Log Directory Security Issue
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-15
Dr. Peter Bieringer has reported a security issue in Kaspersky Anti-Virus for Linux File Server, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/16425/

Other:
--
[SA16467] Xerox Document Centre MicroServer Web Server Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, DoS
Released: 2005-08-17
Multiple vulnerabilities have been reported in Xerox Document Centre, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16467/

--
[SA16457] Linksys WRT54GS Wireless Encryption Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-08-17
Steve Scherf has reported a security issue in Linksys WRT54GS, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/16457/

--
[SA16402] HP ProLiant DL585 Server Unspecified Access Vulnerability
Critical: Moderately critical
Where: From local network
Impact: Security Bypass
Released: 2005-08-11
A vulnerability has been reported in HP ProLiant DL585 Server, which can be exploited by malicious people to gain unauthorised access to the server controls.
Full Advisory: http://secunia.com/advisories/16402/

--
[SA16445] BONA ADSL-FR4II Multiple Vulnerabilities
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information, DoS
Released: 2005-08-15
Tim Brown has reported some vulnerabilities in ADSL-FR4II, which can be exploited by malicious people to cause a DoS (Denial of Service) or gain knowledge of certain sensitive information.
Full Advisory: http://secunia.com/advisories/16445/

--
[SA16438] Grandstream BudgeTone Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-08-15
Pierre Kroma has reported a vulnerability in Grandstream BudgeTone 100 Series SIP Phones, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16438/

--
[SA16409] Wyse Winterm 1125SE IP Option Length Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-08-12
Josh Zlatin-Amishav has reported a vulnerability in Wyse Winterm, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16409/

Cross Platform:
--
[SA16469] phpPgAds Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, System access
Released: 2005-08-17
Some vulnerabilities have been reported in phpPgAds, which can be exploited by malicious people to disclose certain sensitive information, conduct SQL injection attacks or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16469/

--
[SA16468] phpAdsNew Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, System access
Released: 2005-08-17
Some vulnerabilities have been reported in phpAdsNew, which can be exploited by malicious people to disclose certain sensitive information, conduct SQL injection attacks, or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16468/

--
[SA16466] Adobe Acrobat / Reader Plug-in Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-16
A vulnerability has been reported in Adobe Reader and Adobe Acrobat, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/16466/

--
[SA16465] eGroupWare XML-RPC Nested XML Tags PHP Code Execution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-16
A vulnerability has been reported in eGroupWare, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16465/

--
[SA16462] CPAINT Ajax Toolkit Unspecified Command Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-16
A vulnerability has been reported in CPAINT, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16462/

--
[SA16454] CPAINT Ajax Toolkit Command Execution Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2005-08-17
Thor Larholm has reported some vulnerabilities in CPAINT, which can be exploited by malicious people to conduct cross-site scripting attacks or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16454/

--
[SA16441] phpMyFAQ XML-RPC Nested XML Tags PHP Code Execution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-15
A vulnerability has been reported in phpMyFAQ, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16441/

--
[SA16432] Drupal XML-RPC PHP Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-15
A vulnerability has been reported in Drupal, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16432/

--
[SA16431] XML-RPC for PHP Nested XML Tags PHP Code Execution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-15
Stefan Esser has reported a vulnerability in XML-RPC, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16431/

--
[SA16429] PEAR XML_RPC Nested XML Tags PHP Code Execution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-15
Stefan Esser has reported a vulnerability in PEAR XML-RPC, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16429/

--
[SA16471] phpWebSite "module" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-08-17
matrix_killer has discovered a vulnerability in phpWebSite, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16471/

--
[SA16459] ECW-Shop SQL Injection and Cross-Site Scripting Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-08-17
John Cobb has discovered some vulnerabilities in ECW-Shop, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16459/

--
[SA16435] Dada Mail Archived Messages Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-08-16
A vulnerability has been reported in Dada Mail, which potentially can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/16435/

--
[SA16427] SafeHTML UTF-7 XSS and CSS Comments Handling Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-08-16
A vulnerability has been reported in SafeHTML, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/16427/

--
[SA16414] FUDforum "Tree View" Security Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-08-12
Alexander Heidenreich has discovered a vulnerability in FUDforum, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/16414/

--
[SA16464] Legato NetWorker Multiple Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS
Released: 2005-08-17
Three vulnerabilities have been reported in Legato NetWorker, which can be exploited by malicious people to cause a DoS (Denial of Service), gain knowledge of sensitive information, or bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/16464/

--
[SA16407] Dokeos Multiple Directory Traversal Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2005-08-15
Some vulnerabilities have been discovered in Dokeos, which can be exploited by malicious users to conduct directory traversal attacks.
Full Advisory: http://secunia.com/advisories/16407/

--
[SA16405] My Image Gallery Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-08-16
Two vulnerabilities have been reported in My Image Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/16405/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Aug 19 03:39:05 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 19 03:48:24 2005
Subject: [ISN] Zotob, PnP Worms Slam 13 DaimlerChrysler Plants
Message-ID:

http://www.eweek.com/article2/0,1895,1849914,00.asp

By Paul F. Roberts
August 18, 2005

A round of Internet worm infections knocked 13 of DaimlerChrysler's U.S. auto manufacturing plants offline for almost an hour this week, stranding some 50,000 auto workers as infected Microsoft Windows systems were patched, a company spokesperson told eWEEK.

Plants in Illinois, Indiana, Wisconsin, Ohio, Delaware and Michigan were knocked offline at around 3:00 PM on Tuesday, stopping vehicle production at those plants for up to 50 minutes, according to spokesperson Dave Elshoff.

The company has patched the affected Windows 2000 systems, but is still mopping up after the attack and doesn't know whether deliveries from parts suppliers, who were also affected, might be delayed, he said. "The effect was not insignificant," he said.

The news from DaimlerChrysler is just the latest in a string of announcements from major U.S. corporations who have been hit by worms with names such as Zotob, RBot and IRCBot. The New York Times, SBC Communications Inc., ABC Inc. and CNN (© 2005 Cable News Network LP, LLLP) have also said they were hit by the worms, and the full list of those affected is believed to be much longer.

Customer support workers at SBC were forced to work without their computers while IT staff at the company patched Windows systems that kept rebooting as a result of worm infections that spread across the whole company, said Wes Warnick, a spokesperson at the San Antonio, Texas, telecommunications company.

At DaimlerChrysler, the effects were more dramatic.
Assembly lines at 13 plants stopped while staff attempted to patch Windows systems that are integral to the manufacturing process, he said. More than 50,000 assembly line workers were forced to cease work during the outages, which ranged from 5 to 50 minutes, but no workers were sent home. The impact of the shutdown was also mitigated by a shift change that normally happens at 3:00 PM, Warnick said.

The company, which has headquarters in Stuttgart, Germany, is still counting the total number of vehicles that it lost as a result of the disruption, but plans to make up the lost production over time, he said.

Elshoff said DaimlerChrysler believes its network was hit with more than one of the worms, and the company is still feeling the effects of the attacks. "I wouldn't characterize our operations as out of the woods yet," Elshoff said. The company's financial services group was also hit by the recent worms, which caused PC outages there, he said.

The new malicious programs all rely on code that exploits a hole in the Windows PnP (Plug and Play) service, a common component that allows the operating system to detect new hardware on a Windows system. Microsoft addressed the PnP hole on Tuesday, issuing MS05-039 with its August patches, a fix rated "critical."

On Wednesday, code for exploiting the hole in Windows 2000 systems appeared on a well-known security Web site. By late Saturday, somebody had combined that exploit with code for spreading across the Internet and created Zotob.A.

To date, at least 19 different kinds of malicious software have been identified that exploit the PnP hole, including at least five variants of Zotob and new versions of malicious programs like IRCbot and SDbot, according to F-Secure Corp., an anti-virus software firm in Helsinki, Finland. The most recent worms caused the most damage to companies, which use Windows 2000 more than home users.
DaimlerChrysler is still dealing with suppliers that are also dealing with infections, but does not know whether there will be any disruption in supplies and parts from those third-party companies, Elshoff said.

Zotob isn't the first virus to hit the car maker, but Elshoff defended DaimlerChrysler's approach to security. "You're only as good as your IT security. I think we play pretty good defense," he said. However, the company is "Monday morning quarterbacking" and looking into the outbreak to see if changes need to be made in the way software patches are distributed, he said.

Some companies may have deprioritized patching because of a recent drought of high-profile worms and viruses, said John Pescatore, a vice president at analyst firm Gartner Inc. "There hasn't been a major worm since Sasser [in April 2004]. We've been seeing signs of complacency about patching," he said. A similar drop-off in worms in 2002 is also believed to have lulled IT staff into relaxing about patches, which led to a number of widespread outbreaks in 2003, such as SQL Slammer and Blaster, he said.

Flashy worms like Blaster and Sasser may have been scarce in the last year, but there has been no drought of automated attacks, said Alan Paller, director of research at The SANS Institute. Noisy attacks are easy to stop, so attackers just adopted stealthy, low-profile means of compromising networks. "When all they want is 10,000 zombie machines, what difference does it make if it takes three years instead of three days?" Paller said.

From isn at c4i.org Fri Aug 19 03:37:53 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 19 03:48:38 2005
Subject: [ISN] Purdue nurtures cyber infrastructure
Message-ID:

http://www.fcw.com/article90140-08-18-05-Web

By Michael Arnone
Aug. 18, 2005

Purdue University has started a new cyber infrastructure program to link all of its computer resources and enhance research, university officials announced today.
The program -- the Cyber Center -- will beef up Purdue's networks and research computing, said Ahmed Elmagarmid, a professor of computer science and the center's director. The center will also serve as an incubator for new technologies that will help the economy, Elmagarmid said.

The center "will take advantage of two important developments: the increasingly interdisciplinary nature of research and the use of information technology for the discovery process," said James Bottum, Purdue's vice president for IT, in a statement.

A key focus will be collaboration to improve sensor technology and wireless sensor networks, Elmagarmid said. Through the center, Purdue scientists intend to work on improved radio-frequency identification, sensor and wireless technologies that could be used for homeland security and other purposes, he said.

Purdue created the center on the recommendation of its cyber infrastructure advisory committee, formed two years ago to help the university determine how to improve its cyber infrastructure, Elmagarmid said.

One-quarter of a $10 million grant from the Lilly Endowment will pay for the center's first three years of operation, Elmagarmid said. The university aims to acquire $25 million in outside funding for the center over the next three years.

In related news, the National Science Foundation announced that it is creating an advisory committee to advise its Cyberinfrastructure Council. The Advisory Committee for Cyberinfrastructure will advise the council on what the NSF is doing to create and maintain cyber infrastructure that fosters cutting-edge developments in science and engineering, the Federal Register reported Aug. 10.

From isn at c4i.org Fri Aug 19 03:38:10 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 19 03:48:55 2005
Subject: [ISN] Comcast Files Suit Against Ex-Manager
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/08/17/AR2005081701938.html

By Cameron W. Barr
Washington Post Staff Writer
August 18, 2005

Comcast of Montgomery County has filed a federal lawsuit against a senior manager who resigned this month to join Verizon Communications, alleging that she e-mailed herself proprietary information about Comcast for use in her new job.

Comcast, the dominant cable provider in Montgomery and many parts of the Washington area, is facing increased competition from Verizon, which is expanding access to its high-speed Internet service in the region and preparing to offer television service over its fiber-optic lines.

Melody Khalatbari, who held the position of public affairs manager at Comcast until Aug. 8, began work at Verizon's Maryland offices Monday but is no longer employed by the company. "She is not on our payroll at this point," said Verizon spokesman Eric Rabe, who would not elaborate on how Khalatbari and the company parted ways.

Comcast filed suit Tuesday in U.S. District Court in Alexandria against Khalatbari, an Arlington resident. Khalatbari did not respond to phone messages or an e-mail seeking comment yesterday, and no one answered the door at what is listed in public records as her address.

Verizon is not named as a defendant in the lawsuit, and Rabe distanced the company from Comcast's allegations. "We're not engaged in any improper attempt . . . to get proprietary information," Rabe said. "As far as I know, that's a suit against her, and we have nothing to do with that," Rabe said.

Comcast officials have blamed service disruptions in Montgomery and elsewhere on Verizon workers cutting Comcast lines as they install fiber-optic cable. Craig A. Snedeker, general manager of Comcast in Montgomery, said Comcast's infrastructure is under "tremendous attack" by Verizon. Verizon officials have responded that some cuts are unavoidable in a large-scale construction project. "I think all of us who work underground try our best not to hit anybody," Rabe said.
Comcast alleges in court documents that Khalatbari prepared her resignation letter July 29, 10 days before she resigned. Snedeker, in a declaration that is part of the suit, said he gave regional communications manager Lisa Altman access to Khalatbari's company e-mail account the day after she left the company.

Snedeker wrote: "Ms. Altman reported to me that in the course of searching for materials in Melody Khalatbari's email box she had found several emails, each with numerous attachments, that Melody Khalatbari had sent from her work computer to her personal computer in the days immediately preceding her resignation."

The attachments, Snedeker wrote, "were all company property and many of the attachments consisted of highly sensitive, confidential subscriber lists, including lists of hundreds of Comcast's top customers and 'VIP' customers." Some of the e-mail attachments include titles such as "Happy Customers," "Additions to VIP list," and "Platinum subs 9.28.04," according to a declaration Altman made in support of the suit.

The suit alleges breach of fiduciary duty and violation of the Virginia Uniform Trade Secrets Act and asserts that Khalatbari "improperly converted" Comcast documents and property to her own use. Comcast seeks compensatory damages of more than $75,000 and asks the court to prohibit Khalatbari from using the information to compete with or hurt Comcast.

Although Comcast may maintain lists of its happy customers, Montgomery County keeps track of the other kind. During the first five months of this year, the office recorded an average of about 100 complaints about Comcast per month. This month, said county cable regulator Jane E. Lawton, the office is on track to receive about 500.

Staff writer Jamie Stockwell contributed to this report.

© 2005 The Washington Post Company

From isn at c4i.org Fri Aug 19 03:39:19 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 19 03:49:25 2005
Subject: [ISN] Worms meet corporations in legal minefield
Message-ID:

http://www.theinquirer.net/?article=25509

By Charlie Demerjian
18 August 2005

I SPENT MOST OF Tuesday morning at a financial services provider, and the talk of the morning was all about a large financial services giant and the Zotob worm. Any guesses why? It was claimed that said large financial giant was another notch in the Zotob author's belt, and while they were not down per se, it caused problems, slow networks, and downed services. Another day, another massive bot infection.

When will these people learn trusted computing and Microsoft promissory press releases are not worth the paper they are printed on? And yes I know they are not on paper anymore. Here is when they'll learn, when someone notices that getting infected violates a whole bunch of laws, and that brings down the legal hammers on them.

What do I mean? Well, for this said large financial organisation, there are several new regulations that are now in force, but the one that I am specifically thinking of is SarbOx. If they were an HMO or hospital, they would have HIPAA to contend with too. These laws have some pretty onerous data access and authenticity requirements backed up by civil and criminal penalties. Several states like California also have laws on notification and reporting on top of these.

So, what's the problem? The large financial organisation just got potentially owned bad, it was infected by a bot carrying worm that allows outside access to the computers, the data carried within, and potentially the servers. Keyloggers? Maybe. Things riding on the back of Zotob? Maybe. I don't know, do you? Do you think the large financial organisation does either?
So, on one side you have a company that got screwed through sloppy patch practices and an impossible task of keeping a Microsoft network patched. I do say impossible on purpose, I mean it in the literal sense, not the conversational one. On the other side, you have organisations like the SEC looking for heads to nail to the wall. They don't take excuses like 'we didn't know' or 'we didn't foresee that one' with a smile and a laugh, this is 'buy your way out with political contributions' territory. So, a large financial org got hit, and hundreds of computers were compromised. Did any of them have sensitive and/or customer data on them? Are you sure? Can you prove that? Has any of the data been tampered with? The answers most likely are a yes privately, no publicly, no, no and no clue, respectively. To be honest, this is not just a big financial organisation's problem either, there are probably a bunch of others in the same boat, I just happened to overhear a phone call between someone and this said corporation. What will happen? Nothing this time. I am sure the SEC is way too busy picking up real bad guys to enforce the letter and intent of the law, but that will change as soon as something really bad happens on a future bot attack. That kind of thing can rewrite enforcement priorities in a stunningly short amount of time. So, what then? Then they go back and give everyone they can think of the auditing equivalent of a body cavity search, and questions like the ones I am posing get asked. This is a legal time bomb, people, and even the latest and greatest MS solutions put into place are rather impotent. This one only affected Win2K, but that is more a fluke than anything else, there have been several that ran rampant over the 'invulnerable' XP SP2 already, and it is a matter of time before the next one hits. Maybe this one will be enough to make companies and Microsoft take security seriously. If not, anyone have the phone number for the SEC?
From isn at c4i.org Fri Aug 19 03:39:31 2005 From: isn at c4i.org (InfoSec News) Date: Fri Aug 19 03:49:52 2005 Subject: [ISN] IE flaw affects Office, Visual Studio users Message-ID: http://www.networkworld.com/news/2005/081805-ie-flaw.html By Robert McMillan IDG News Service 08/18/05 An unpatched bug in a file installed with Microsoft's Office and Visual Studio software could lead to some serious problems for Internet Explorer users, security researchers have reported. An attacker could seize control of a vulnerable system by exploiting the bug, which the French Security Incident Response Team (FrSIRT) reported in an alert [1] published Wednesday. This would be achieved by installing malicious code in a Web page that exploits a memory corruption error in a file that ships with Microsoft Office 2002 and Microsoft Visual Studio .Net 2002 products, the research organization said. Though the attack would be executed via the popular Internet Explorer (IE) browser, only systems that contain the file in question, called Msdds.dll, are vulnerable, FrSIRT said. The FrSIRT said it has not yet seen a patch for the vulnerability. Msdds.dll is software that is used for creating customized Office applications, according to Russ Cooper, senior information security analyst for Cybertrust. Cooper does not believe that this file has been installed on a large number of Windows systems. "I'm not concerned about it," he said via instant message. "I don't doubt it is shipped with the full Office Professional installation CD, but I highly doubt it is installed automatically." Neither Microsoft nor FrSIRT could say whether this file was installed by default with Office or Visual Studio. Microsoft has yet to see any attackers taking advantage of the flaw, a Microsoft spokeswoman said Thursday. But reports are circulating of Web sites that take advantage of another Internet Explorer bug, which Microsoft patched on Aug. 9.
About a dozen Web sites have cropped up that take advantage of a flaw in IE's JPEG rendering engine, according to Dan Hubbard, senior director of security and research with Websense. If unpatched IE users go to these Web sites, their systems could be made to crash, or they could be made to run software that allows an attacker to gain control of the system, he said. Because users must first be tricked into clicking on the malicious Web site for the attack to work, this exploit is not considered as dangerous as the recent round of Windows Plug and Play worms that were widely reported earlier this week. But attackers are increasingly using Internet Explorer rather than e-mail viruses as a way of seizing control of systems, Hubbard said. "In the last year we've seen a huge trend toward malicious Web sites being used as an attack vector," he said. "E-mail is just not as effective as it used to be." A SANS Institute alert with instructions on how to check for the Msdds.dll file can be found here [2]. [1] http://www.frsirt.com/english/advisories/2005/1450 [2] http://isc.sans.org/diary.php?date=2005-08-18 From isn at c4i.org Fri Aug 19 03:39:45 2005 From: isn at c4i.org (InfoSec News) Date: Fri Aug 19 03:50:19 2005 Subject: [ISN] Gmail, MSN, Flikr... struck by security hole Message-ID: http://www.techworld.com/security/news/index.cfm?NewsID=4245 By Matthew Broersma Techworld 18 August 2005 A security hole in a popular development tool has severe implications for a number of the Internet's most popular applications, including Gmail, Flickr and MSN Virtual Earth. Tens of thousands of companies including AOL, Google, Microsoft and Yahoo are likely to be affected by the flaw in CPAINT - a toolkit used to create applications using an approach known as AJAX - short for Asynchronous JavaScript and XML.
Rather than a technology in itself, AJAX is an approach to putting more dynamic interactivity into Web applications using a combination of HTML, CSS, Document Object Model, JavaScript, and XMLHttpRequest. The CPAINT flaw could allow an attacker to execute malicious code on a server running CPAINT, or running an application built using CPAINT, the software's developers said in an advisory. The bug affects all existing versions of CPAINT, both the ASP and PHP implementations, the CPAINT project said. The project issued a patch fixing the issue, CPAINT v1.3-SP, and is creating a more comprehensive fix for the forthcoming version 2.0.0. "We highly recommend that everyone running any version of CPAINT immediately upgrade to this patched version for security purposes," CPAINT's developers wrote in the advisory. The bug may affect more than just CPAINT. In an e-mail to the Bugtraq security mailing list, CPAINT developers warned that the same flaw is also likely to affect other AJAX toolkits, and urged other AJAX toolkit authors and users to test for security problems. "They are all very similar in the way they execute functions on the back-end," the developers wrote. The AJAX approach has been adopted by a number of Web developers, the best known of them being Google, whose Google Maps, Google Suggest, Gmail and other applications use AJAX. Other high-profile AJAX-based services include Microsoft's MSN Virtual Earth, Yahoo's Flickr and AOL's AIM Mail. Many lesser-known services have also adopted AJAX, such as Swiss mapping service map.search.ch and invoicing program Blinksale. The CPAINT security flaw doesn't automatically mean such applications are vulnerable, but should be a warning to developers using toolkits to create dynamic Web applications, CPAINT developers said. The term AJAX itself is contentious, having been coined by a consultancy firm, but has gained wide usage. 
Google itself calls its development approach simply JavaScript, while other Web developers have applauded the use of the new term. The AJAX model adds more dynamic interactivity to Web applications, making them feel more like desktop applications. On the down-side, because AJAX is made up of a number of different standards implemented in slightly different ways by browsers, it is very difficult to get AJAX applications working correctly with any browser, developers say. Scripting has become a significant source of security vulnerabilities for Web applications. In January Google patched a Gmail flaw that involved Perl script. PHP has been hit by several significant security flaws, including in April of this year and December 2004. In July of this year a serious vulnerability surfaced in a Web service protocol used by a large number of Web applications. The holes were found in XML-RPC For PHP and PEAR XML_RPC, which are implementations of XML-RPC for the PHP scripting language. XML-based RPC (Remote Procedure Call) systems such as XML-RPC are used with HTTP to power Web services, a simple and increasingly popular way of providing services online. From isn at c4i.org Mon Aug 22 04:14:10 2005 From: isn at c4i.org (InfoSec News) Date: Mon Aug 22 04:23:10 2005 Subject: [ISN] Security Firm: Oracle Opatch Leaves Firms Uncovered Message-ID: http://www.eweek.com/article2/0,1895,1850287,00.asp By Lisa Vaas August 19, 2005 Think you're patched? Think you'll get the thumbs-up from the auditor when she comes knocking on your door to make sure you're in compliance with HIPAA (Health Insurance Portability and Accountability Act), or GLBA, or Visa CISP and MasterCard PCI? According to an upcoming paper from Next Generation Security Software Ltd., a majority of users of Oracle Corp. database servers are in fact mistaken in their perception of their patch levels and are actually not compliant with such regulations.
David Litchfield, managing director of NGSS, said that out of a total of more than 100 recently surveyed database servers, a staggering 76 percent have anomalies between expected and actual patch levels. Surveyed database instances included a range of industries and company sizes. Size and industry are irrelevant with regard to the potential for database exposure, however, since Oracle software itself is causing the exposure, not what customers are doing with their databases, Litchfield said. "The fact is that Opatch is failing, or [an Oracle] patch failed to fix certain issues appropriately," he said. "Customers aren't doing anything wrong. It's the tools themselves that are faulty." The problems are manifold, according to NGSS. At times, Oracle's CPUs (Critical Patch Updates) fail to install updated, fixed copies of files. Both the April and July 2005 CPUs, for example, failed in multiple areas. In the April CPU, on all platforms, new Java classes supplied to fix SQL injection vulnerabilities in DBMS_SUBSCRIBE and DBMS_ISUBSCRIBE were not actually loaded, according to NGSS. In addition, on Windows platforms, a SQL script file with a fixed version of the CTXSYS-owned DRILOAD package was copied to the wrong directory and thus was never executed. Many other problems relate to Oracle's opatch utility. Opatch is a utility through which patches are applied to Oracle database servers. Information on patches and fixed bugs is stored in Oracle Inventory, a flat XML file. Opatch is used to query the inventory to determine whether a server is patched. After running Opatch, users are typically given the message "Opatch succeeded." However, necessary post-installation tasks include updating components such as PL/SQL packages and Java Class files in the database. If these post-installation steps aren't taken, the server remains vulnerable in spite of the Opatch utility having indicated that the server is in fact patched.
In addition, according to NGSS, Opatch often fails for various reasons. "Permissions are wrong; files that are to be patched are still in use; environment variables are wrong; whatever the reason might be, and a quick search on Google reveals many more, Opatch can often fail to update the inventory," according to a preliminary draft of the firm's paper, titled "Patch Verification of Oracle Database Servers." "If information in the inventory is wrong, then so too are any observations made about patch status and levels," the paper said. Does any of this matter? Oracle users tend to consider themselves generally safe from risk, given that their databases are typically locked down behind firewalls instead of being exposed to the Internet - as is often the case with installations of Microsoft Corp.'s SQL Server database. Carl Olofson, an analyst with IDC, said it's hard to get concerned, given that he's not hearing stories of SQL code injection or other types of security exploits. "If we were getting stories about people whose systems were brought to their knees or getting security breaches, if this were coming up in multiple places, that would be an area for concern," he said. But, according to Litchfield, there are ample numbers of unprotected Oracle database servers, particularly when it comes to universities, which often expose their servers to the Internet. In addition, back-end Oracle database servers are vulnerable to SQL injection via Web applications. "There is exposure, regardless of what Oracle would have you believe," he said. "Some people are running Web applications that are exposed to the Web, and we [have demonstrated that] we can gain control of the back end through SQL injection." Oracle, maker of what it has marketed as the "unbreakable" database, seldom addresses criticisms about its security.
The move to quarterly patch releases à la Microsoft came only after a protracted silence on 34 vulnerabilities for which it reportedly had fixes in 2004. Recently, however, Oracle Chief Security Officer Mary Ann Davidson broke the silence by writing an article in which she said that self-interested security researchers who publish flaws before patches are available endanger the industry with their thirst for fame. In that article, Davidson said that getting fixes into customers' hands takes far longer than security researchers imagine. "Remediation may require the vendor to analyze whether the bug is specific to a particular version/platform or all versions/all platforms or analyze whether related code has a similar problem [to fix the problem everywhere]," Davidson said. "Vendors may also need to provide fixes on multiple versions/platforms or bundle multiple security fixes together to minimize patching costs to customers, not to mention performing various testing on the products shipped to ensure the fix does not break anything else," she said. Litchfield dismisses this criticism by pointing to patches issued by Oracle that in fact don't fix what they were intended to fix. "You'd expect, if they take so long to write these patches, the patches would be robust," he said. "I'm absolutely appalled. Why do they take so long and still fail to patch? I'm gobsmacked. There are still SQL injection issues in the things Oracle supposedly fixed. If it took two years to fix these things, they should really have fixed these things. And they're not [fixing them]. "They built the Empire State Building in 14 months," he said. "If we can do that, surely Oracle can get out patches that work."
From isn at c4i.org Mon Aug 22 04:14:25 2005 From: isn at c4i.org (InfoSec News) Date: Mon Aug 22 04:23:28 2005 Subject: [ISN] Men Charged With Changing College Grades For Cash, Sex Message-ID: http://www.local10.com/news/4868830/detail.html August 19, 2005 MIAMI -- Two former Florida Memorial University employees and five students are charged in a grade-changing racket that involves cash payments, computer hacking and even sexual favors. According to court records, Ellis Peet and Clifton Franklin were paid $100 to $150 to change a single grade. They're accused of changing more than 600 grades for 122 students at FMU (until recently known as Florida Memorial College). One female student also allegedly had sex with Franklin in exchange for changed grades. "Apparently, she didn't have the financial means to pay for the grade change. So instead, they worked out a sexual agreement," said Mary Walters of the Miami-Dade County Police Department. Peet was a computer technician in the registrar's office and Franklin was a data entry clerk. Peet was fired and Franklin resigned during the investigation. School officials said Peet and Franklin were fraternity brothers and they acted on their own to organize the scheme. Officials said that they also believe that Peet and Franklin changed their own grades while attending the school. Peet's attorney says his client has pleaded not guilty to racketeering and violating intellectual property and computer access laws. Franklin faces identical charges but hasn't yet been located by police. Police say three of the five students who acted as middlemen have been arrested and charged with racketeering. Officials said that Peet and Franklin allegedly used generic passwords or those belonging to other registrar employees to make the switches. 
The five students are accused of conspiring to recruit other students who wanted their grades changed, and receiving cash payments for the switches and kickbacks from Peet in the process, court records showed. Pinkston, the school's director of governmental and public affairs, said the school has taken several safeguards to prevent a repeat of the scheme, including a mandatory change in passwords every 40 days, and the elimination of generic passwords. Copyright 2005 by The Associated Press. From isn at c4i.org Mon Aug 22 04:14:37 2005 From: isn at c4i.org (InfoSec News) Date: Mon Aug 22 04:23:47 2005 Subject: [ISN] Air Force investigates data breach Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,104080,00.html By Linda Rosencrance AUGUST 19, 2005 COMPUTERWORLD The U.S. Air Force is notifying more than 33,000 officers that their personal data has been breached by a malicious hacker, the Air Force said [1] today. The hacker used a legitimate user's ID and password to access personal information on the officers contained in the Assignment Management System (AMS), an online program used for assignment preferences and career management, the Air Force said. That data included career information, birth dates and Social Security numbers. Lt. Col. Michele Dewerth, a spokeswoman for the Air Force Personnel Center (AFPC) at Randolph Air Force Base in Texas, said there has been no evidence of identity theft. A systems operator at the air base discovered the breach sometime between May and June, Dewerth said. She declined to be more specific because of the ongoing investigation. "Immediately upon discovery we put more security measures in place," she said. The personnel center also notified Air Force and federal investigators that there was unusually high activity on a single user's AMS account in June, according to the statement.
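The signal that tipped off the personnel center above, unusually high activity on one legitimate account, is the kind of thing a routine review of application access logs can surface before the affected population is counted in tens of thousands. The following is an added example, not from the article or the Air Force; the log line format, user names, record ids and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Hypothetical access-log format, constructed for this example:
#   <date> <time> <user> <action> officer=<record id>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<user>\S+) (?P<action>[A-Z]+) officer=(?P<record>\d+)$"
)


def build_sample_log():
    """Constructed sample: four ordinary users over three days, plus one
    valid credential used to walk through hundreds of records in one evening."""
    lines = []
    ordinary = {"jdoe": 3, "asmith": 4, "bjones": 2, "cwu": 5}
    for day in ("2005-06-01", "2005-06-02", "2005-06-03"):
        for user, n in ordinary.items():
            for i in range(n):
                lines.append(f"{day} 09:{i:02d}:00 {user} VIEW officer={10000 + i}")
        lines.append(f"{day} 10:30:00 asmith UPDATE officer=10001")
    # The anomalous night: sequential record ids, one after another.
    for i in range(400):
        minute, second = divmod(i, 60)
        lines.append(f"2005-06-03 22:{minute:02d}:{second:02d} xlee VIEW officer={20000 + i}")
    lines.append("garbage line that does not match the format")
    return lines


def daily_activity(lines):
    """Return ({(date, user): (event_count, distinct_record_count)}, unparsed).

    Unparseable lines are counted rather than silently dropped, so a parser
    gap cannot hide activity from the reviewer."""
    events = defaultdict(int)
    records = defaultdict(set)
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        key = (m["date"], m["user"])
        events[key] += 1
        records[key].add(m["record"])
    summary = {k: (events[k], len(records[k])) for k in events}
    return summary, unparsed


def flag_busy_accounts(summary, factor=10, floor=50):
    """Flag user-days whose distinct-record count exceeds both an absolute
    floor and `factor` times the median across all user-days.

    Distinct records, not raw requests, is the metric: an account that
    touches hundreds of different people's files in a day looks like
    enumeration even if each request on its own is legitimate."""
    if not summary:
        return []
    baseline = median(distinct for _, distinct in summary.values())
    threshold = max(floor, factor * baseline)
    flagged = [
        (date, user, count, distinct)
        for (date, user), (count, distinct) in summary.items()
        if distinct > threshold
    ]
    return sorted(flagged, key=lambda f: f[3], reverse=True)


if __name__ == "__main__":
    summary, unparsed = daily_activity(build_sample_log())
    for date, user, count, distinct in flag_busy_accounts(summary):
        print(f"{date} {user}: {count} events touching {distinct} distinct records")
    print(f"{unparsed} line(s) could not be parsed")
```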
"We notified airmen as quickly as we could while still following criminal investigation procedures with the [Air Force's Office of Special Investigations]," said Maj. Gen. Tony Przybyslawski, AFPC commander. "Protecting airmen's personal information is something we take very seriously, and we are doing everything we can to catch and prosecute those responsible under the law." The breach involved data on half of the force's approximately 70,000 officers. It also affected fewer than 20 enlisted personnel, the Air Force said. [1] http://www.afpc.randolph.af.mil/pubaffairs/release/2005/08/AMS.htm From isn at c4i.org Mon Aug 22 04:14:49 2005 From: isn at c4i.org (InfoSec News) Date: Mon Aug 22 04:24:02 2005 Subject: [ISN] Cisco issues hacker patch Message-ID: http://www.vnunet.com/vnunet/news/2141302/cisco-issues-hacker-patch Iain Thomson vnunet.com 18 Aug 2005 Cisco has released a patch for its Cisco Clean Access (CCA) software, which is designed to seek out unsafe hardware on a network. The patch, rated less critical by Secunia, covers a flaw in the Application Program Interface (API) and would allow a hacker to use specially crafted code to gain control of the system. The compromised code could then be used to allow infected machines onto the network or to ban clean computers from access. "Cisco is not aware of any public announcements or malicious use of the vulnerability," said the company in a statement. "[We] would like to thank Troy Holder from the North Carolina State University for bringing this to our attention." Registered Cisco users can download the patch from here [1] and for those without a support contract, a workaround [2] has been posted on the company's website.
[1] http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patche [2] http://www.cisco.com/warp/public/707/cisco-sa-20050817-cca.shtml From isn at c4i.org Mon Aug 22 04:13:26 2005 From: isn at c4i.org (InfoSec News) Date: Mon Aug 22 04:24:24 2005 Subject: [ISN] Virus Shuts Down Customs Computer System Message-ID: http://apnews.myway.com/article/20050819/D8C2RE000.html By LISA ORKIN EMMANUEL Aug 19, 2005 MIAMI (AP) - Travelers arriving in the United States from abroad were stuck in long lines at airports nationwide when a virus shut down a U.S. Customs computer system for several hours, officials said. Homeland Security spokesman Russ Knocke said the virus impacted computer systems at a number of airports Thursday night, including those in New York, San Francisco, Miami, Los Angeles, Houston, Dallas and Laredo, Texas. Knocke said customs agents immediately switched to manual inspections. He declined to provide details on where the computer virus originated. The worst delays appeared to be at Miami International Airport, where as many as 2,000 people waited to clear immigration, airport spokesman Marc Henderson said. The passengers were not permitted to leave the area before then. Brian Hunt and his wife, who were visiting from Spain, said it took them nearly five hours to be processed. "The agent was very charming, very nice and greeted us with a smile," he told The Miami Herald. "It was just an unfortunate thing, but these things happen. Who do we blame?" The computer problem originated in database systems located in Virginia and lasted from around 6 p.m. until about 11:30 p.m., said Zachary Mann, spokesman for U.S. Customs and Border Protection in southern Florida. At New York's airports, customs officials processed passengers by hand. Officials used backup computer systems to keep passengers moving at Los Angeles International Airport, where the computers were only down for an hour and a half. 
"It was during a light time of travel for international passengers at LAX," said Mike Fleming, customs spokesman in Los Angeles. "All systems have been restored to full capacity." From isn at c4i.org Mon Aug 22 04:15:00 2005 From: isn at c4i.org (InfoSec News) Date: Mon Aug 22 04:24:43 2005 Subject: [ISN] SHA-1 compromised further Message-ID: http://www.theregister.co.uk/2005/08/19/sha-1_attack/ By John Leyden 19th August 2005 Crypto researchers have discovered a new, much faster, attack against the widely used SHA-1 hashing algorithm. Xiaoyun Wang, one of the team of Chinese cryptographers that demonstrated earlier attacks against SHA-0 and SHA-1, along with Andrew Yao and Frances Yao, has discovered a way to produce a collision in SHA-1 over just 2^63 hash operations compared to 2^69 hash operations previously. A brute force attack should take 2^80 operations. One-way hashing is used in many applications such as creating checksums used to validate files, creating digital certificates, authentication schemes and in VPN security hardware. Collisions occur when two different inputs produce the same output hash. In theory this might be used to forge digital certificates but it shouldn't be possible to find collisions except by blind chance. Wang and her team have discovered an algorithm for finding collisions much faster than brute force. The researchers released a paper (PDF) on their findings at the Crypto 2005 conference in Santa Barbara, California earlier this week. "The SHA-1 collision search is squarely in the realm of feasibility," writes noted cryptographer Bruce Schneier in a posting to his web log. "Some research group will try to implement it. Writing working software will both uncover hidden problems with the attack, and illuminate hidden improvements. And while a paper describing an attack against SHA-1 is damaging, software that produces actual collisions is even more so."
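The $2^{80}$ brute-force figure quoted above is the birthday bound for SHA-1's 160-bit output; the following derivation is an added illustration and not part of the article. Hashing $k$ distinct inputs into $N = 2^{160}$ possible outputs, the probability that at least two of them collide is approximately

$$
\Pr[\text{collision}] \approx 1 - \exp\!\left(-\frac{k^{2}}{2N}\right).
$$

Setting this to $\tfrac{1}{2}$ and solving for $k$ gives

$$
k \approx \sqrt{2N \ln 2} \approx 1.18 \cdot \sqrt{N} = 1.18 \cdot 2^{80},
$$

so a generic search is expected to need on the order of $2^{80}$ SHA-1 evaluations regardless of any weakness in the function. Measured against that baseline, the earlier $2^{69}$ attack was a $2^{11}$-fold (about 2,000 times) speed-up and the new $2^{63}$ attack is a $2^{17}$-fold (about 131,000 times) speed-up over brute force.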
The US National Institute of Standards and Technology (NIST) recently advised the US government to phase out SHA-1 in favor of SHA-256 and SHA-512. NIST is holding a workshop on the subject in late October. From isn at c4i.org Mon Aug 22 04:15:12 2005 From: isn at c4i.org (InfoSec News) Date: Mon Aug 22 04:25:06 2005 Subject: [ISN] More worms likely: expert Message-ID: http://www.smh.com.au/news/breaking/more-worms-likely-expert/2005/08/19/1123958226299.html By Sam Varghese August 19, 2005 More worms could be in the works to exploit unpatched vulnerabilities in Microsoft's products, a US security professional says. Marc Maiffret, chief hacking officer of eEye Digital Security, said two critical flaws, among eight discovered by the company [1], could be exploited by worms. The details of all eight have been posted on the company's website. Maiffret would not specify which of the eight were open to remote exploits. "Two of them are remotely exploitable and they are also both on the magnitude of the PNP vulnerability," Maiffret said, referring to the flaw in Microsoft Windows which was exploited by the Zotob worm and numerous other variants over the past week. "But you never know with worms, (it) really just depends if there is someone that cares to write one." eEye follows a policy of releasing limited information about a vulnerability publicly while sending full details to the vendor. Although the company considers 60 days sufficient time to fix any flaw, it discloses full details of a bug only after the vendor has released a fix. Full details of the eight vulnerabilities in Microsoft products have been sent to the vendor, one as long as four months ago. Two vulnerabilities in the Real Audio player and one in Macromedia's products have also been listed. eEye first shot to prominence in 2001 when it discovered a vulnerability in Microsoft's IIS web server which was later exploited by a worm named Code Red, causing major problems on the internet.
[1] http://www.eeye.com/html/research/upcoming/index.html From isn at c4i.org Tue Aug 23 14:17:05 2005 From: isn at c4i.org (InfoSec News) Date: Tue Aug 23 14:30:08 2005 Subject: [ISN] The new Trojan war Message-ID: Forwarded from: William Knowles http://www.fcw.com/article90262-08-22-05 By Frank Tiboni Aug. 22, 2005 In mythology, the Greeks found an innovative way to avoid Troy's defenses. By offering the gift of a huge horse - hollowed out and filled with soldiers - the Greeks were able to bypass Troy's defenses and attack from the inside. Today the Pentagon faces a similar situation. Adversaries have been attacking Defense Department computer networks in attempts to bypass the United States' formidable defenses and attack from the inside out. Defense and industry officials describe DOD networks as the Achilles' heel of the powerful U.S. military. Securing military networks is even more critical in an increasingly transformed military in which information is as much a weapon as tanks and assault rifles. DOD networks have been breached. Department officials acknowledged hackers attacked military networks almost 300 times in 2003 - sometimes by cyber Trojan horses, which can operate within an organization's network. DOD officials say intrusions reduced the military's operational capabilities in 2004. The pace of the attacks has accelerated as adversaries homed in on this perceived weakness. DOD tallied almost 75,000 incidents on department networks last year, the most ever. Top U.S. military cyberwarriors recently said that adversaries probe DOD computers within minutes of the systems' coming online. The cyberwarriors described DOD's computer network defense strategy as a battle of attrition in which neither side has an advantage. Retired Army officers and industry officials say Chinese hackers are the primary culprits. During the past five years, Chinese hackers have successfully probed and penetrated DOD networks.
In one intrusion, they used a Trojan horse - a program containing malicious code in an e-mail or adware - to obtain data on a future Army command and control system. DOD takes the intrusions seriously. One of the military's proposals to strengthen its networks is building fake networks, sometimes called "Honeynets," which divert attackers from critical systems. Yet some industry officials say Chinese hackers have already obtained the technology to challenge the U.S. military and its evolving network-centric warfare strategy, which connects systems to send information to warfighters faster.

Many networks

DOD operates 3.5 million PCs and 100,000 local-area networks at 1,500 sites in 65 countries, and it runs thousands of applications on 35 major voice, video and data networks, including the Non-Classified IP Router Network, which is connected to the Internet, and the Secret IP Router Network, which is not. The networks provide combat information to civilians, warfighters and analysts in support or warfare roles, but the networks represent a key vulnerability. DOD networks were hacked 294 times in 2003, said retired Air Force Lt. Gen. Harry Raduege during an industry luncheon briefing in December 2004. He is the former commander of the Joint Task Force for Global Network Operations (JTF-GNO), the organization that operates and defends DOD networks. Department networks remained under attack in 2004, spurring Paul Wolfowitz, the former deputy secretary of Defense, to issue a memo telling the services to redouble cybersecurity efforts. "Recent exploits have reduced operational capabilities on our networks," he wrote in an Aug. 15, 2004, memo. "Our adversaries are able to inflict a substantial amount of harassment and a measurable amount of damage upon DOD communications networks at practically no cost to themselves," Army Col. Carl Hunt, JTF-GNO's director of technology and analysis, co-wrote in "Net Force Maneuver: A NetOps Construct."
Hunt did not name those harassing or hacking DOD networks. However, Army officers and industry officials pointed to Chinese hackers as the primary culprits. "The Chinese were doing this on a regular basis," said Jack Keane, the former Army vice chief of staff who retired last year. He now works as a military consultant and advises URS. "That's a given. They're very aggressively getting capability." Keane said he received briefings on China's hacking of DOD networks. "It's common knowledge in the Pentagon," he said. He knew of no instances in which hackers penetrated DOD networks. However, a retired Army officer who worked in information assurance remembers a hacking three years ago at Aberdeen Proving Ground, Md., where the service tests weapon systems. The retired Army officer, who now works in systems integration in industry and requested anonymity, said a Chinese hacker used a Trojan horse to penetrate a network there and downloaded information on the capabilities of a future Army command and control system for eight months before the service detected a security breach. The system was a prototype under development testing at Aberdeen. The retired Army officer said the Aberdeen hacking is similar to intrusions during the past three years at other Army bases. The breaches caused the service to spend tens of millions of dollars to rebuild networks. In those incidents, hackers penetrated systems at Fort Campbell, Ky., home of the 101st Airborne Division; Fort Bragg, N.C., home of the 82nd Airborne Division; and Fort Hood, Texas, home of the 4th Infantry Division. DOD has also said that the Chinese have targeted military networks. "Beijing has focused on building the infrastructure to develop advanced space-based command, control, communications, computers, intelligence, surveillance and reconnaissance and targeting capabilities," the Pentagon said in a report issued last month. 
"The People's Liberation Army has likely established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics to protect friendly computer systems and networks." Army documents on weaknesses in its computer network defenses and vulnerabilities in 10 systems include one that appears to show networks under attack by China. Although DOD officials believe improved network management and vigilance would prevent 90 percent of hackings, 10 percent may still occur because they involve new intrusion methods. "The threat is becoming more aggressive and sophisticated," said Army Brig. Gen. Dennis Via, deputy commander of JTF-GNO.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Tue Aug 23 14:17:22 2005 From: isn at c4i.org (InfoSec News) Date: Tue Aug 23 14:30:42 2005 Subject: [ISN] TOORCON 7 LINEUP FINALIZED & PRE-REGISTRATION ENDING Message-ID:

TOORCON 7 LINEUP FINALIZED & PRE-REGISTRATION ENDING

ToorCon 7 has finalized its speaker lineup with over 30 talks spanned across 2 days. ToorCon will be taking place this year at the San Diego Convention Center on September 16th-18th.

ABOUT TOORCON
ToorCon is just around the corner again this year. In its 7th running year, it is still San Diego's exclusive hacker convention, bringing together Southern California's hacker community year after year to attend the high quality presentations and participate in the annual festivities. This year we are still aiming to provide the same highly technical lectures you've come to know and love, but also set the theme as "Smoke & Mirrors" which will highlight the voodoo magic behind computer security and have a focus on Anonymity, Spoofing Techniques, Phishing, and other kung foo exploitation methods. We will also be offering an intensive full-day Deep Knowledge Seminar on Friday the 16th focused towards providing solutions to IT/IS managers and professionals.

PRE-REGISTRATION
Currently, pre-registration for the conference sessions this year is $60, which will increase to $70 on September 1st, close on September 7th, and will be $100 at the door. Seminar registration this year is $500 which will increase to $800 on September 1st and then $1,000 at the door. People that pre-register will also receive a free Official ToorCon 2005 T-Shirt! Don't miss out on the great deals for pre-registration and register today! To register, please visit http://www.toorcon.org/2005/registration.html
NOTE: Payments for pre-registration must be received by September 7th!

CONFERENCE SESSIONS
This year ToorCon's theme is "Smoke & Mirrors" which is putting an emphasis on the advanced ninja techniques used in the computer security world today and the various tricks that are commonly played to deceive both the attacker and the defender. More detailed lineup information is available at http://www.toorcon.org/2005/conference.html

Saturday, September 17th, 2005
- Keynote: Paul Vixie - Internet Survivability, Threats and Efforts
- Keynote: Simple Nomad - How Hackers Get Caught
- Bruce Potter, The Shmoo Group - Suicidal Linux
- Greg Rose - Hacker vs. Mobile Phone
- Luis Miras & Ken Steele - Static Malware Detection
- Andrea Bittau - The Fragmentation Attack in Practice
- Tom St Denis, Secure Science - Pluggable LibTomCrypt: Third Party Development
- Foofus - How Big is that Foot in the Door?
- Pedram Amini, TippingPoint - Process Stalking - Run Time Visual RCE
- Dr. Spook - The Sixty Toolkit
- Joe Grand, Grand Idea Studio, Inc. - Can You Really Trust Hardware? Exploring Security Problems in Hardware Devices
- Michael Rash, Enterasys Networks - Netfilter and Encrypted, Non-replayable, Spoofable, Single Packet Remote Authorization
- Skape - Exploitation Chronomancy: Temporal Return Addresses
- Roger Dingledine - Anonymous communication for the U.S. Department of Defense...and you.
- Jason Scott - BBS Documentary: Fidonet Episode (and others) + Q&A Session
- Beetle, Bruce Potter, The Shmoo Group & Lance James - 802.11 Bait: Badass Tackle for Wireless Phishing

Sunday, September 18th, 2005
- David Maynor - You Are the Trojan
- Squidly1 - Alternative Uses For Portable Gaming Consoles
- Jason Spence - Something Old, Something New: Hiding Behind Antiquity.
- Mark Grimes - SCADA Exposed
- Major Malfunction - Old Skewl Hacking - Infrared
- Christopher Abad - Applied Data Profiling, Classification, and Analysis Methods and Lo-Fi Graphics Demos
- bunnie - Hacking Silicon: Secrets From Behind the Epoxy Curtain
- Brenda Larcom & Paul Saitta - Hands-On Threat Modeling with Trike v1
- Sysmin & QuiGon - Hacking with the WRT54GS and Custom Firmware
- Franck Veysset & Laurent Butti - Enhanced Stateful Filtering Thanks to OS Fingerprinting (and how this can apply to wifi security)
- Richard Johnson - Disassembler Internals
- Acidus - The Phuture of Phishing
- Vinnie Liu & James C. Foster - Catch Me If You Can: Windows Anti-Forensics
- Jay Beale, Bastille Linux - Introducing the Bastille Hardening Assessment Tool
- Matt Granet - Rage Against the Platform: PalmOS
- Law Enforcement Panel
- Running a Small Hacker Conference Panel

DEEP KNOWLEDGE SEMINARS
ToorCon's 3rd annual intensive seminar sessions are aimed to provide the best information for decision makers and IT/IS professionals. Pre-registered admissions to the Friday Deep Knowledge Seminars currently cost only $500 and includes free admission to the receptions and general lectures on Saturday and Sunday. More detailed information on the seminars is available at http://www.toorcon.org/2005/seminars.html

Friday, September 16th, 2005
- Jay Beale, Bastille Linux - Introducing the Bastille Hardening Assessment Tool
- Joseph McCray, Learn Security Online - Learning & Teaching Computer Security
- Lance James, Secure Science - Phishing: An Evolution
- David Maynor & Robert Graham - Evading Common Security Tools
- Mike Lynn - Reverse Engineering 101

ROOTWARS
ToorCon is once again having the OpenInfreno Project run the annual RootWars contest for the 3rd year in a row now. RootWars will only be accepting teams for a limited time, so if you're interested in starting a team please visit the rootwars information page at http://www.toorcon.org/2005/rootwars.html

FURTHER INFORMATION
Please visit http://www.toorcon.org for further conference information.

LOCATION INFORMATION
This year's event will be held at the San Diego Convention Center. The reception and conference will take place on September 16th-18th in meeting rooms 27A-B, 30A-E, and the East Terrace at the San Diego Convention Center's upper level.

September 16th-18th, 2005
San Diego Convention Center
111 W. Harbor Drive
San Diego, CA 92101
http://www.sdccc.org

IMPORTANT DATES
September 1st, 2005: Conference pre-registration increases to $70, Seminar to $800
September 7th, 2005: Pre-registration ends. Payments must be received by this date.
September 16-18th, 2005: ToorCon 2005

From isn at c4i.org Tue Aug 23 14:17:45 2005 From: isn at c4i.org (InfoSec News) Date: Tue Aug 23 14:32:42 2005 Subject: [ISN] Sarbanes-Oxley seen as biggest IT time waster Message-ID: http://www.networkworld.com/news/2005/082305-sarbanes-oxley.html By China Martens IDG News Service 08/23/05 IBM users expect compliance with the Sarbanes-Oxley rules governing U.S.
public companies to prove to be the least effective or the most wasteful use of their IT resources, according to the results of an online poll of Share members released late Monday. Share, the oldest independent IBM user group, which is celebrating its 50th birthday this month, polled individuals who were preregistering for its Boston conference between Aug. 4 and 15. The organization received 444 responses to a short online survey containing five questions. The conference is taking place in Boston through Friday Aug. 26. One of the survey's questions asked respondents to imagine themselves being transported to 2015 and then looking back at 2005 and what they thought in retrospect would prove to be either an ineffective or wasteful use of their IT time. Twenty-eight percent of those polled cited Sarbanes-Oxley compliance, followed by deployment of unproven technologies (23%), purchase of unneeded technologies (19%), and continuing support for outdated technologies (17%). The fifth-rated bugbear cited by 10% of respondents was external consultants, with software upgrades only distressing one percent of those polled. Robert Rosen, the current president of Share, wasn't surprised that Sarbanes-Oxley is proving to be a major headache. "It's occupying a lot of people's time and they can't figure out what the return on investment is there," he said. Rosen is hearing that some smaller firms are talking to their venture capitalists and looking to return their businesses to private operations specifically because they can't afford to comply with the Sarbanes-Oxley rules. "It's the law of unintended consequences," he said. Information security is the dominant emerging trend most likely to impact business computing over the next five years, according to 31% of those answering the Share survey.
Two other significant trends cited by respondents are the shortage of qualified enterprise-class IT professionals (17%) and the outsourcing or offshoring of application development and maintenance (14%). Not surprisingly, the one technological innovation respondents rate as having had the most significant impact on business computing over the past 50 years is the Internet, followed by PCs, IBM's System/360 (S/360) mainframe which debuted in 1964, and the World Wide Web. Turning to IBM specifically, respondents named Big Blue's DB2 Universal Database as the company's most significant offering over the last 25 years, followed by CICS, MVS and z/OS. The IBM PC was in fifth position followed by the company's WebSphere software. Users have really responded positively to DB2 Universal Database because they can run the software on lower cost servers as well as mainframes, according to Rosen. The final question posed to respondents asked them which three of a list of named people they believe have had the greatest impact on business computing over the past half century. Microsoft's Bill Gates was No. 1 (55%), followed by IBM founder Thomas J. Watson (40%), and then Gene Amdahl (39%), the chief architect of Big Blue's S/360 mainframe. While Amdahl is in Rosen's top three, Grace Hopper, placed sixth by respondents (19%), was his number one pick. She developed the first compiler for a computer programming language. Rosen referred to her anecdotal claim to fame, that she coined the term "bug" in relation to a computer system that wasn't functioning properly due to an actual bug, a moth, lodged in the machinery. Rosen's third pick, not on the list, is Fred Brooks, an IBMer who headed up the development of OS/360, the operating system for the S/360 mainframe, which he detailed in his 1975 book "The Mythical Man-Month."
The book expounds on a principle the author observed, dubbed Brooks' Law, that adding more people to a delayed software project doesn't solve the issue any quicker. Instead, the additional manpower actually delays the project still further as time is spent in educating those new to the project on what needs to be done. "I've seen the thing in action so many times," Rosen said. "It's as valid today as it was then." From isn at c4i.org Tue Aug 23 14:16:45 2005 From: isn at c4i.org (InfoSec News) Date: Tue Aug 23 14:33:07 2005 Subject: [ISN] Hackers Beating Efforts to Patch Software Flaws Message-ID: http://www.computerworld.com/securitytopics/security/holes/story/0,10801,104092,00.html By Jaikumar Vijayan AUGUST 22, 2005 COMPUTERWORLD The speed at which hackers are taking advantage of newly disclosed software flaws should be prompting companies to adopt stronger measures for dealing with such vulnerabilities, according to IT managers and analysts. Several security experts last week said that IT departments need to look beyond just patching defects and devise broader and more holistic strategies to defend themselves against attacks seeking to quickly exploit new flaws. The advice comes in the wake of an onslaught of worms that targeted a flaw in a plug-and-play component of Windows 2000. The worms hit several large companies, including The New York Times Co., Cable News Network LP, Caterpillar Inc., DaimlerChrysler AG and General Electric Co., when hackers made use of the hole disclosed less than a week earlier by Microsoft Corp. as part of its monthly patch release. The rapid exploitation of the Windows 2000 vulnerability left some IT managers acutely aware of the need to be vigilant about keeping their systems up to date. "We are going to have to fast-track the latest security upgrades, maybe the same day, unfortunately," said Satish Ajmani, CIO of California's Santa Clara County. "It is scary." The trend has prompted Uline Inc. 
to accelerate its patching of desktops and servers, said Robert Olson, a systems administrator at the Waukegan, Ill.-based distributor of packing and shipping materials. The Windows 2000 bugs caused infected systems to restart repeatedly and could allow remote attackers to take control of compromised systems. According to vendors of antivirus software, the malware targeted only older, Windows 2000-based systems. Although none of those 11 or so worms are considered particularly serious by most security experts, they serve as a sobering illustration that hackers can take advantage of new flaws before many companies can patch them, said John Pironti, a principal security consultant at Unisys Inc. in Blue Bell, Pa. "I think these attacks show that there is still a fair bit of latency" between patch release and deployment in a lot of companies, agreed Fred Rica, a partner at PricewaterhouseCoopers in New York. "Hackers have adopted new attack techniques," Pironti said. "Instead of going out and looking for vulnerabilities on their own, they are waiting for patches to be released to see what holes are being fixed." Then they go after those holes as quickly as they can, he said. The trend could leave many companies dangerously exposed, especially large ones that typically test and analyze patches before deploying them, Pironti said. "They have to assume that they are going to be vulnerable to attack from the moment a patch is out," he said. "They need to have countermeasures in place while the patches are tested" and deployed. Enterprises should look at implementing the equivalent of the color-coded threat system used by the U.S. Department of Homeland Security when dealing with newly disclosed flaws, said Dave Jordan, chief information security officer for the government of Arlington County, Va. Once new flaws are disclosed, Jordan said, IT security personnel "should conduct business differently than they would day to day." 
They need to implement countermeasures as soon as possible to mitigate risk, he said. Measures can include conducting thorough threat analysis, gaining an understanding of specific risks of new flaws, shutting down systems where possible, blocking access to affected ports and using intrusion-detection and -prevention systems to monitor for unusual activity and network behaviors, security experts said. A vast majority of worms and viruses, including those launched this week, use common methods and take advantage of common flaws - such as buffer overflows - to attack vulnerable systems, said Thor Larholm, a senior security researcher at PivX Solutions Inc. in Newport Beach, Calif. Instead of relying solely on patches to fix every new flaw, it's better to address some common underlying vulnerabilities, he said. "There are multiple ways to protect against entire classes" of vulnerabilities without having to apply patches for each one, he said. PivX is one of several vendors, including Immunix Inc. and eEye Digital Security, that sell tools to repair generic buffer overflows in the absence of vendor patches. "About 90% of the worms out there can be mitigated just by hardening your systems," Larholm said. For instance, disabling so-called null-session accounts, which are enabled by default on Windows 2000 systems, would have prevented this week's worms from taking advantage of the plug-and-play flaw, though it is not always practical, he said.

From isn at c4i.org Tue Aug 23 14:17:33 2005 From: isn at c4i.org (InfoSec News) Date: Tue Aug 23 14:35:22 2005 Subject: [ISN] Hotel hacking could pump smut into every room Message-ID: http://www.theregister.co.uk/2005/08/22/hotel_hacking_reloaded/ By John Leyden 22nd August 2005 Hotel hybrid broadband internet and TV-on-demand entertainment systems are open to attack, security researchers warn.
Penetration testing firm SecureTest has identified a number of vulnerabilities in the implementation of hotel broadband systems delivered using Cisco's LRE (long-reach Ethernet) technology. Using a laptop connected to a hotel network, SecureTest found it was possible to control the TV streams sent to each room or gain access to other users' laptops. The security holes uncovered call to mind the security exploits in hotel infra-red controls recently uncovered by Adam Laurie, technical director at secure hosting outfit The Bunker. Ken Munro, managing director of SecureTest, said that its research covered security weaknesses in IP (as opposed to infra-red) systems. During a stay in a hotel belonging to an unnamed worldwide chain, a SecureTest staffer paid for internet connectivity. He found TCP port 5001 open on the in-room IP enabled TV providing the service. Connecting to this port displayed a full TV maintenance menu from which it was possible to carry out test procedures, change channels or turn the TV on and off. According to SecureTest, a hacker might be able to access this menu and configure the system to display adult content on every TV channel. The port could also be used to broadcast content directly from a laptop over the TV. In theory, this could enable hackers to download and broadcast any material throughout the hotel complex. Another vulnerability revolved around insecure network configuration. There appeared to be no segregation between client devices, creating a means for a user to access other devices connected to the same hotel network. The system scrutinised used a Cisco 575 LRE box, which allows existing CAT2 (telephone) cabling to carry on-demand services, avoiding the need to roll out CAT5 (twisted pair) cabling to each room. The security risk lies not in the technology itself but in how it was implemented, problems SecureTest has seen replicated at other hotels.
During a previous investigation, SecureTest used a different fixed internet/TV hotel system implemented by another hotel chain and located a connection to an internal FTP server. This provided open access to information such as a backup database of TV usage. "A hacker or disgruntled employee could get their kicks by accessing and manipulating the TV menu, but this breach has much wider implications. An individual could broadcast their own advertising or an activist their own political message to every room," said SecureTest's Munro. "Moreover, fixed internet access is inadequately protected in many cases. People plug into a hotel network assuming it's a trusted connection but it's not. Unless they have a personal firewall running, fraudsters can snoop on desktops at leisure. Hotels and suppliers of guest entertainment systems need to act now to prevent these scenarios."

From isn at c4i.org Wed Aug 24 05:44:10 2005 From: isn at c4i.org (InfoSec News) Date: Wed Aug 24 05:53:55 2005 Subject: [ISN] REVIEW: "CISSP Practice Questions Exam Cram 2", Michael C. Gregg Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKCISPE2.RVW 20050614

"CISSP Practice Questions Exam Cram 2", Michael C. Gregg, 2005, 0-7897-3305-6, U$29.99/C$42.99/UK#21.99
%A Michael C. Gregg
%C 201 W. 103rd Street, Indianapolis, IN 46290
%D 2005
%G 0-7897-3305-6
%I Macmillan Computer Publishing (MCP)
%O U$29.99/C$42.99/UK#21.99 800-858-7674 info@mcp.com pr@mcp.com
%O http://www.amazon.com/exec/obidos/ASIN/0789733056/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0789733056/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0789733056/robsladesin03-20
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 202 p. + CD-ROM
%T "CISSP Practice Questions Exam Cram 2"

All CISSP (Certified Information Systems Security Professional) candidates want sample questions to practice on before they write the exam.
This set is not the worst I've seen (that would have been the question volume of the "CISSP Examination Textbooks" [cf. BKCISPET.RVW]), but it comes close. As usual, the book is divided into chapters by the domains of the CISSP CBK (Common Body of Knowledge). The questions are on the simplest level of the questioning taxonomy, fact based, rather than occupying the analytical and critical thinking levels that most actual CISSP exam questions represent. (Krutz and Vines' "Advanced CISSP Prep Guide: Exam Q & A" [cf. BKADCIPG.RVW] is as simplistic, but also tends to veer off-topic.) Wording on the questions is careless: a question that asks about "effectiveness" probably really means efficiency, otherwise the answer given is incorrect. Gregg seems to have decided and doctrinaire opinions, probably based on a quick reading of one of the less accurate CISSP exam guides. There is an attempt to make many of these simplistic questions more "complex" by creating scenarios: generally the scenarios have nothing to do with the point of the question and are simply excess verbiage. Major concepts are left out: in access controls, for example, Gregg seems to have no idea of the difference between access controls and overall security control types, and there is nothing to address the major topics of identification, authentication, authorization, and accountability. The telecommunications chapter has almost no questions on basic data communications concepts. (And Ethernet is *not* synchronous communication: a frame can be transmitted at any time. I suspect Gregg thinks any block communication is synchronous, and it's been a long time since that was true.) Building construction and layered defence issues are missing from physical security. Lots of stuff is missing from the cryptography section, and there is a larger number of errors than in other domains. Astoundingly, the security management quiz has almost nothing on policy.
Investigations are the primary concern in that domain, with very little relating to law (or ethics). Malware gets all of one question in application security. The majority of answers given are not wrong as such: a qualified security professional would probably get most of them right, albeit with much head-scratching. (In this, the book is similar to "The Total CISSP Exam Prep Book" [cf. BKTCIEPB.RVW].) However, this set of questions would not provide a good basis for assessing your chances of passing the CISSP exam.

copyright Robert M. Slade, 2005 BKCISPE2.RVW 20050614
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
Book review menus: http://victoria.tc.ca/techrev/mnbk.htm http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Wed Aug 24 05:44:30 2005 From: isn at c4i.org (InfoSec News) Date: Wed Aug 24 05:54:14 2005 Subject: [ISN] Schoolboy Detained for Hacking Russian State Banks Website Message-ID: http://www.mosnews.com/news/2005/08/23/bankhacker.shtml 23.08.2005 MosNews Police have detained a schoolboy in the Russian internal republic of Mordovia for hacking one of the websites of the Sberbank savings bank. The 17-year-old is suspected of infecting the website with a virus which affected dozens of Internet users in various Russian regions. One Internet user reported the virus to the Moscow police department's interior directorate, who in turn informed their colleagues in Mordovia. The boy, quoted by the Komsomolskaya Pravda newspaper, said he only wanted to have fun. The head of the police's high-tech crimes department said the suspected hacker may get a suspended sentence. In 2004, 98 similar crimes were registered; in the first half of 2005 over 150 were reported.
From isn at c4i.org Wed Aug 24 05:44:54 2005 From: isn at c4i.org (InfoSec News) Date: Wed Aug 24 05:54:36 2005 Subject: [ISN] Finnish Wi-Fi bank robber snaffled by own laptop Message-ID: http://www.techworld.com/security/news/index.cfm?NewsID=4256 By James Niccolai IDG News Service 22 August 2005 An electronic bank robber in Finland has been caught stealing 200,000 euros (£135,000) by using his corporate laptop to hack into his own bank's network. Police believe that GE Money's 26-year-old head of data security in Helsinki stole banking software from the company along with passwords for its bank account. Accomplices then accessed the account from a laptop using an unprotected Wi-Fi network at a nearby apartment building. They used the passwords to transfer money to a different corporate account they had set up six months earlier, and thought that using someone else's wireless network would cover their tracks. Suspicion initially fell on the owner of the Wi-Fi network until police searched his apartment and determined he was not involved, said an investigating officer. However, searching through the network logs, they discovered a laptop MAC address belonging to GE Money, and fingers started to point toward the bank's security officer. "After a while there were too many leads pointing against him, and after we found the laptop, that was it," said Jukkapekka Risu. Police are still completing their investigation and the security officer, along with three other suspects, have not yet been charged, Risu said. The case will be sent to prosecutors next week and charges will follow in about two months, Risu said. Despite not having been charged at the moment, the security officer was immediately dismissed, said Pekka Pattiniemi, general manager for GE Money in Finland. "I can confirm that our local security officer was involved," Pattiniemi said. "No harm was caused because our very good internal control mechanisms caught that the money was missing the next morning.
We got it all back," he said. Juha-Matti Laurio of MikroPC contributed to this report.

From isn at c4i.org Wed Aug 24 05:44:42 2005 From: isn at c4i.org (InfoSec News) Date: Wed Aug 24 05:54:59 2005 Subject: [ISN] PHP hit by another critical flaw Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,104124,00.html By Matthew Broersma AUGUST 23, 2005 TECHWORLD.COM A fresh security flaw has surfaced in two XML-RPC Web service libraries for PHP that could allow attackers to take control of vulnerable servers. The bug was found in XML-RPC for PHP and PEAR XML_RPC as the result of a security audit by the Hardened-PHP Project. The group said it decided to carry out its own audit after other flaws were disclosed in the two libraries earlier this summer. The new flaw takes advantage of a technique similar to the earlier vulnerabilities, which involved eval() statements, according to Hardened-PHP. "To get rid of this and future eval() injection vulnerabilities, the Hardened-PHP Project has developed, together with the maintainers of both libraries, a fix that completely eliminates the use of eval() from the library," Hardened-PHP said in an advisory. XML-based Remote Procedure Call (RPC) systems, such as XML-RPC, are used with HTTP to power Web services, a simple and increasingly popular way of providing services online. XML-RPC for PHP (also called PHPXMLRPC) and PEAR XML_RPC are implementations of XML-RPC for the PHP scripting language. The bug affects a large number of Web applications, particularly PHP-based blogging, Wiki and content management programs, according to security experts. The PHPXMLRPC and PEAR XML_RPC libraries are used in many popular Web applications, such as PostNuke, Drupal, b2evolution and TikiWiki. Content-management systems and blogs are increasingly used by large corporations as a way of interacting with customers and other members of the public. IBM even jumped into the enterprise blogging game recently.
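The eval() injection class the advisory describes, as an added illustration in Python rather than the PHP libraries' own code: one decoder builds source text from the content of an XML-RPC <value> and evaluates it, the other only ever treats that content as data. The tag subset and the helper names are this example's assumptions, not the libraries' API.

```python
"""Added example (Python, not the PHP libraries' code): why building source
text from an XML-RPC <value> and evaluating it is an injection bug, and
what a data-only decoder looks like."""
import re
import xml.etree.ElementTree as ET

# Scalar XML-RPC types handled here (an assumed subset for the example).
INT_TAGS = {"int", "i4"}


def _typed_child(value_xml: str) -> ET.Element:
    """Parse one <value> element and return its single typed child."""
    elem = ET.fromstring(value_xml)
    if elem.tag != "value" or len(elem) != 1:
        raise ValueError("expected <value> with exactly one typed child")
    return elem[0]


def decode_value_unsafe(value_xml: str):
    """Unsafe decoder mirroring the pattern behind the advisory: element
    text is spliced into a code string and eval()'d, so any quote or
    bracket in attacker-supplied XML is parsed as code, not data."""
    child = _typed_child(value_xml)
    text = child.text or ""
    if child.tag in INT_TAGS:
        code = f"int({text})"
    elif child.tag == "boolean":
        code = f"bool(int({text}))"
    elif child.tag == "string":
        code = f"'{text}'"  # a single quote in text ends the literal early
    else:
        raise ValueError(f"unsupported type <{child.tag}>")
    return eval(code)  # deliberately unsafe: illustration only


def decode_value_safe(value_xml: str):
    """Data-only decoder: no code string is ever built, so metacharacters
    in element text stay inside the returned value."""
    child = _typed_child(value_xml)
    text = (child.text or "").strip()
    if child.tag in INT_TAGS:
        if not re.fullmatch(r"[+-]?\d+", text):
            raise ValueError("<int> content is not an integer")
        return int(text)
    if child.tag == "boolean":
        if text not in ("0", "1"):
            raise ValueError("<boolean> content must be 0 or 1")
        return text == "1"
    if child.tag == "string":
        return child.text or ""  # untrimmed: whitespace is part of the string
    raise ValueError(f"unsupported type <{child.tag}>")


def text_survives_decoding(text: str) -> bool:
    """Check that hostile-looking string content round-trips unchanged
    through the safe decoder (quotes, semicolons, parentheses included)."""
    escaped = text.replace("&", "&amp;").replace("<", "&lt;")
    xml = "<value><string>" + escaped + "</string></value>"
    return decode_value_safe(xml) == text


if __name__ == "__main__":
    print(decode_value_safe("<value><int>42</int></value>"))   # 42
    print(text_survives_decoding("it's (x); y"))                 # True
    try:
        decode_value_unsafe("<value><string>it's</string></value>")
    except SyntaxError:
        print("unsafe decoder let element text reach the code parser")
```

The SyntaxError from the unsafe decoder on a plain apostrophe is the tell: the XML content has become part of the program text, which is exactly the condition an eval() injection exploits.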
Version 1.4.0 of PEAR XML_RPC fixes the problem in PEAR XML_RPC; it is available from the PEAR Web site. PHPXMLRPC is fixed with Version 1.2, which is available at the PHPXMLRPC project site. Software projects using the libraries have issued their own updates fixing the problem; these include the PHP packages included with the Red Hat and Ubuntu Linux distributions. The French Security Incident Response Team rated the flaw as "high-risk," while independent security firm Secunia labeled it "highly critical."

From isn at c4i.org Wed Aug 24 05:45:07 2005 From: isn at c4i.org (InfoSec News) Date: Wed Aug 24 05:55:17 2005 Subject: [ISN] Zotob worm hole also affects Windows XP Message-ID: http://news.com.com/Zotob+worm+hole+also+affects+Windows+XP/2100-1002_3-5842359.html By Joris Evers Staff Writer, CNET News.com August 23, 2005 The plug-and-play vulnerability that caused havoc for Windows 2000 users last week also holds a serious risk for some Windows XP users, Microsoft said Tuesday. Computers running Windows XP with Service Pack 1 in a specific configuration are vulnerable to worm attacks similar to the ones that hit Windows 2000 systems, Microsoft said in a security advisory published Tuesday. The Zotob worm and its offshoots, plus several other worms, downed Windows 2000 computers, including systems at ABC, CNN and The New York Times. All the worms exploited a security hole in the plug-and-play feature in Windows, for which Microsoft provided a fix earlier this month and rated as "critical" for Windows 2000. It was previously thought that only Windows 2000 machines were vulnerable to remote attack using the plug-and-play flaw. However, Microsoft in its security advisory on Tuesday specified one scenario that also exposes select Windows XP users. Also vulnerable are systems that run Windows XP with SP1 with file and printer sharing and the Windows guest user account enabled, according to Microsoft.
This would likely be home users, because PCs are not vulnerable if connected to a network domain, which is common in business environments, Microsoft said. "This is a minor and narrow attack scenario," said Debby Fry Wilson, a director at Microsoft's Security Response Center. "However, because Windows 2000 customers were attacked last week, we wanted to take the extra precaution of offering customers this clarifying information." The probability that there are many vulnerable systems out there "is very remote," Fry Wilson said. Most consumers have upgraded their Windows XP machines to Service Pack 2, she said. In businesses, where Windows XP SP1 is more common, computers are not vulnerable because they are typically connected to a domain, she said. Microsoft was made aware of the Windows XP attack possibility by security vendor Symantec, Fry Wilson said. Microsoft urges users to apply the security patches it provided earlier this month. Also, Microsoft is not aware of any attack exploiting the plug-and-play flaw that targets Windows XP.

From isn at c4i.org Thu Aug 25 06:44:48 2005 From: isn at c4i.org (InfoSec News) Date: Thu Aug 25 06:52:42 2005 Subject: [ISN] From Melissa to Zotob: 10 Years of Windows Worms Message-ID: http://www.eweek.com/article2/0,1895,1851792,00.asp By Ryan Naraine August 24, 2005 The names roll off the tongue like characters in an episode of "American Gladiators." Klez. Blaster. Slammer. Sasser. Zotob. Computer viruses and worms, all targeting users of Microsoft Corp.'s Windows operating system. The first sign of computer worm activity dates back to 1982, when a program called Elk Cloner squirmed through Apple II systems. The SCA virus and Brain, written for IBM PC compatibles and Amigas, would pop up in the late 1980s, followed by the Morris Worm, the first documented "in the wild" proof-of-concept that infected DEC VAX machines.
Those worms hardly registered on the mainstream media radar but, with the arrival of Windows 95, all that changed in a hurry. The computer world has never been the same.

March 1999: Melissa Strikes

Named after a lap dancer in Florida, the Melissa worm is considered the first destructive mass-mailer targeting Microsoft customers. The worm was programmed to spread via Microsoft Word- and Outlook-based systems, and the infection rate was startling. Melissa, created by a New Jersey hacker who would go to jail for the attack, was released on a Usenet discussion group inside a Microsoft Word file. It spread quickly via e-mail, sending anti-virus vendors scrambling to add detections and prompting immediate warnings from the CERT Coordination Center.

May 2000: ILOVEYOU

Still widely considered one of the most costly viruses to enterprises, the ILOVEYOU worm, also known as VBS/Loveletter or Love Bug, used social engineering and catchy subject lines to trick Windows users into launching the executable. The worm spread rapidly by sending out copies of itself to all entries in the Microsoft Outlook address book. Anti-virus researchers also discovered an additional, and dangerous, component called "WIN-BUGSFIX.EXE" that was a password-stealing program that e-mailed cached passwords back to the attacker. The worm also gained the attention of the mainstream press when it launched a denial-of-service attack against the White House Web site. To this day, anti-virus vendors report ILOVEYOU sightings in the wild.

2001: A Triple-Barreled Barrage

This was the year that malicious worm activity exploded, with three high-profile attacks bombarding Windows users. First up was SirCam, malicious code that spread through e-mail and unprotected network shares. The damage from SirCam was somewhat limited, but what was to follow would set the tone for a spate of network worms that caused billions of dollars in business costs. In July 2001, the appearance of Code Red again set the cat among the pigeons, spreading via a flaw in Microsoft's Internet Information Server (IIS) Web server. The worm exploited a vulnerability in the indexing software distributed with IIS and caused widespread panic by defacing Web sites with the stock phrase "Hacked By Chinese!" Code Red spread itself by looking for more vulnerable IIS servers on the Internet and, in August, launched a denial-of-service attack against several U.S. government Web sites, including the White House portal. Less than a month later, a new mutant identified as Code Red II appeared and wreaked even more havoc. Still reeling from the effects of SirCam and Code Red, Windows users would soon have to deal with Klez, an e-mail-borne virus that exploited a flaw in Microsoft's Internet Explorer browser and targeted both Outlook and Outlook Express users. Because Klez required users to click on an embedded e-mail attachment, the damage was limited, but when later variants appeared with spoofed sender addresses, it provided the first sign that virus writers would change tactics to avoid detection. The spoofing of e-mail addresses would later become a standard trick to attack non-technical e-mail (and Windows) users.

Slammer, Sobig and Blaster

After a worm-free 2002, Windows users had to contend with another three-pronged threat - Slammer in January 2003 and the Sobig and Blaster attacks in the summer. Reminiscent of the Code Red worm, Slammer exploited two buffer overflow vulnerabilities in Microsoft's SQL Server database, causing major congestion of Internet traffic throughout Asia, Europe and North America. The worm infected about 75,000 hosts in the first 10 minutes and knocked several ISPs around the world offline for extended periods of time. 
As Microsoft struggled to cope with the Slammer fallout, there were two new outbreaks in the summer with Sobig and Blaster squirming through millions of unpatched Windows machines. The fast-spreading worms crippled network infrastructure globally, and the cost of cleanup and recovery was estimated at tens of billions of dollars. Blaster was particularly nasty. The worm spread by exploiting a buffer overflow in the DCOM RPC service on Windows 2000 and Windows XP and also launched a SYN flood attack against port 80 of Microsoft's windowsupdate.com site, which is used to distribute security patches. Microsoft was able to dodge the bullet by temporarily redirecting the site, but the media latched onto the story and forced the company to make major changes to its patching schedule to help customers cope with the patch management nightmare.

2004: Sasser Strikes

After Slammer and Blaster, Microsoft customers complained bitterly that the company's unpredictable patching schedule was causing hiccups in the patch deployment process. In October 2003, chief executive Steve Ballmer announced a plan to release security bulletins on a monthly cycle, except for emergency situations. The new plan was greeted warmly, but the worm attacks showed no sign of letting up. In January 2004, the MyDoom worm was spotted. A mass-mailer with a payload targeting the Windows operating system, MyDoom quickly surpassed Sobig as the fastest-spreading e-mail worm ever. In addition to seeding Windows machines to create botnets, MyDoom was programmed to launch DDoS (distributed denial-of-service) attacks on Microsoft's Web site. In early May, Sasser hit. Exploiting a flaw in the LSASS (Local Security Authority Subsystem Service) component, the Sasser worm squirmed through unpatched Windows 2000 and Windows XP machines. Sasser was particularly dangerous and spread rapidly through vulnerable network ports. 
Microsoft is credited with reacting swiftly to contain the Sasser spread but, as the latest Zotob attacks prove, the time to exploit an unpatched flaw has narrowed significantly since the launch of Windows 95 10 years ago. From isn at c4i.org Thu Aug 25 06:41:42 2005 From: isn at c4i.org (InfoSec News) Date: Thu Aug 25 06:52:57 2005 Subject: [ISN] Cisco warns of sensor flaw Message-ID: http://www.techworld.com/security/news/index.cfm?NewsID=4274 By Matthew Broersma Techworld 24 August 2005 Networking giant Cisco Systems has warned of a security flaw affecting two of its widely used security systems. The flaw, involving SSL (Secure Sockets Layer), affects CiscoWorks Management Center for IDS Sensors, known as IDSMC, and a related product, Monitoring Center for Security, also called Security Monitor or Secmon. In an advisory, Cisco said an attacker could use the bug to pretend to be a legitimate Cisco Intrusion Detection Sensor (IDS) or Intrusion Prevention System (IPS). That could allow the attacker to collect login credentials, submit false data to IDSMC and Secmon or filter what data the two products see. Filtering could be used, for instance, to keep the security products from detecting an attack. "If exploited, the attacker may be able to gather login credentials, submit false data to IDSMC and Secmon or filter legitimate data from IDSMC and Secmon, thus impacting the integrity of the device and the reporting capabilities of it," Cisco stated. IDSMC provides configuration and signature management for IDS and IPS systems. Secmon provides event collection, viewing and reporting functions for Cisco network devices. The affected versions include IDSMC versions 2.0 and 2.1 and Secmon versions 1.1 to 2.0 and version 2.1, Cisco said. Not affected are IDSMC versions 1.0 to 1.2 and Secmon version 1.0. Cisco said it isn't aware of any exploit code currently circulating for the vulnerability. 
The bug is only exploitable locally, limiting its impact, according to security researchers. Separately, Cisco warned of a bug in its Intrusion Prevention System (IPS) that could allow a local user to gain full administrator privileges. Although the flaws aren't highly serious, the fact that Cisco's products are so widely used gives them more potential impact. Cisco offered patching instructions for the flaws in its advisories. Most major security vendors have been hit with significant security glitches this year, including Symantec, McAfee and Computer Associates.

From isn at c4i.org Thu Aug 25 06:42:38 2005 From: isn at c4i.org (InfoSec News) Date: Thu Aug 25 06:53:19 2005 Subject: [ISN] Security UPDATE -- Proactive Honeypots, Part 2 -- August 24, 2005 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. Symantec LiveState Patch Manager http://list.windowsitpro.com/t?ctl=11B86:4FB69 Get Rapid and Reliable Data and System Recovery http://list.windowsitpro.com/t?ctl=11B71:4FB69 ==================== 1. In Focus: Proactive Honeypots, Part 2 2. Security News and Features - Recent Security Vulnerabilities - Symantec to Acquire Sygate - 180solutions Sues Seven Former Distributors - Microsoft Ships Windows 2000 Worm Removal Tool 3. Security Toolkit - Security Matters Blog - FAQ 4. New and Improved - Fight Phishing Attacks ==================== ==== Sponsor: Symantec ==== Symantec LiveState Patch Manager Symantec LiveState Patch Manager allows you to reliably protect your infrastructure from vulnerabilities. Its intuitive interface allows organizations to scan, identify and install missing patches on hundreds of clients and servers in minutes. Flexible grouping capabilities allow the targeting of patches to specific groups of users. 
Provides detailed patch status reports. Persistent delivery assures patches are successfully delivered and applied, helping ensure clients are secure and protected. LiveState Patch Manager is a member of a family of modular solutions that work on their own - with tools you may already have - and can be assembled into a broader suite if desired, leveraging a common look-and-feel, management database and agent deployment infrastructure. To learn more, visit us at: http://list.windowsitpro.com/t?ctl=11B86:4FB69 ==================== ==== 1. In Focus: Proactive Honeypots, Part 2 ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Last week, I wrote about Microsoft's Strider HoneyMonkey Exploit Detection System, which is software that tries to find new exploits by surfing the Web and waiting for something to infiltrate the system. I don't know of many other such tools, but I have heard of two other client-based honeypot projects. One is being developed by Bing Yuan at the Laboratory for Dependable Distributed Systems. Yuan is pursuing the technology as his diploma project at the laboratory, and so far, no working code seems to be available to the public. His project is Windows-based, will integrate with Microsoft Internet Explorer (IE), and will work with other software such as the Honeywall CD-ROM. I'm not sure how far along Yuan is in the development process or whether the tool will eventually be released to the public. You can however read more about it at the lab's Web site. http://list.windowsitpro.com/t?ctl=11B7B:4FB69 The second tool I know about is called Honeyclient. The tool is being developed by Kathy Wang, who gave a related presentation at the recent REcon 2005 conference (see the first URL below) in Montreal. You can see the slides from the presentation at the second URL below. Honeyclient is written in Perl and is designed to run on Windows systems. It surfs the Web by using IE and tries to detect any file or registry changes. 
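The baseline-and-diff technique behind Honeyclient (snapshot the filesystem and registry, drive the browser, report what changed) is shown below as an added example in Python; it is not Honeyclient's code, which the column says is Perl, and the function names, the sample directory layout and the simulated drive-by are all constructed here. Only the file side is implemented; the same `diff_snapshots` works unchanged on a mapping of registry paths to value hashes.

```python
"""Baseline-and-diff integrity check in the spirit of Honeyclient.

Added example, not Honeyclient's own code. The idea, as described in
the column: hash everything under a set of watched directories before
browsing, walk them again afterwards (subdirectories included), and
report added, removed and modified files. Constructed demo data only.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def snapshot(root: str) -> Dict[str, str]:
    """Map each file under root (recursively) to its SHA-256 hex digest.

    Paths are stored relative to root so two snapshots of the same tree
    are comparable regardless of where the tree was mounted.
    """
    state: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        h.update(chunk)
            except OSError:
                # File vanished or became unreadable mid-walk: skip it
                # rather than abort the whole snapshot.
                continue
            state[rel] = h.hexdigest()
    return state


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify the differences between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed run: baseline a temp tree, then simulate a drive-by
    that drops a binary, alters one file and deletes another."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        _write(os.path.join(root, "sub", "a.txt"), b"clean")
        _write(os.path.join(root, "b.txt"), b"clean")
        before = snapshot(root)
        # --- simulated browsing session side effects (constructed) ---
        _write(os.path.join(root, "sub", "dropper.exe"), b"MZ")
        _write(os.path.join(root, "sub", "a.txt"), b"tampered")
        os.remove(os.path.join(root, "b.txt"))
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

As the column notes for Honeyclient, the walk recurses into every subdirectory of each watched root, so the first snapshot of a large tree is slow; the payoff is that anything a page drops or rewrites shows up in the diff without needing a signature for it.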
As it stands now, the tool is made up of two Perl scripts: one is a proxy and the other uses IE to drive a Web-surfing session. http://list.windowsitpro.com/t?ctl=11B89:4FB69 http://list.windowsitpro.com/t?ctl=11B77:4FB69 Wang's project isn't extensively documented, but the two Perl scripts that make up Honeyclient contain a few comments that help you better understand what it actually does. Of course, if you can read Perl code, then you'll get an even better understanding. Honeyclient isn't nearly as functional as HoneyMonkey, but it's similar and a good start. You can learn more about Honeyclient and download the latest version at Wang's Honeyclient Development Project Web site. http://list.windowsitpro.com/t?ctl=11B84:4FB69 If you want to test Honeyclient, the readme file contains the basic installation and usage instructions. One thing I learned when testing the software (which isn't stated in the readme file) is that the directories in the checklist.txt file (which you need to create) are completely parsed, including any subdirectories. Another thing I noticed is that Honeyclient has a lengthy startup time because it also parses the registry HKEY_CLASSES_ROOT tree into a hash so that it can later detect any modifications. A word of caution is in order too: Be sure to use an isolated test machine or an OS running in a virtual machine when testing the tool. If you know of any other tools similar to these, send me an email message with a link or details. ==================== ==== Sponsor: Symantec ==== Get Rapid and Reliable Data and System Recovery Even under the best circumstances, performing a bare metal recovery from tape is tedious and unreliable. In this free white paper, learn how you can achieve unprecedented speed and reliability in recovering systems and data. http://list.windowsitpro.com/t?ctl=11B71:4FB69 ==================== ==== 2. 
Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=11B76:4FB69 Symantec to Acquire Sygate Symantec announced a deal to acquire Sygate Technologies, maker of policy compliance solutions. The deal will close shortly after the companies receive regulatory approval. Terms of the pending acquisition weren't disclosed. http://list.windowsitpro.com/t?ctl=11B7E:4FB69 180solutions Sues Seven Former Distributors 180solutions filed suit against seven former distributors of its search software for allegedly causing the software to be installed on people's computers without proper notice and consent. 180solutions claims the distributors used botnets to facilitate the software installations. http://list.windowsitpro.com/t?ctl=11B7D:4FB69 Microsoft Ships Windows 2000 Worm Removal Tool In response to widespread Windows 2000-based worm attacks last week, Microsoft updated its Malicious Software Removal Tool (MSRT) to remove the worms and updated its statement about the attacks. http://list.windowsitpro.com/t?ctl=11B7F:4FB69 ==================== ==== Resources and Events ==== SQL Server 2005 Roadshow Is Coming to a City Near You Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now! http://list.windowsitpro.com/t?ctl=11B74:4FB69 Microsoft Exchange Connections Conference October 31 - November 3, 2005, Manchester Grand Hyatt, San Diego. 
Microsoft and Exchange experts present over 40 in-depth sessions with real-world solutions you can take back and apply today. Register by September 12 to save $100 off your conference registration and attend sessions at Windows Connections free! http://list.windowsitpro.com/t?ctl=11B88:4FB69 Avoid the 5 Major Compliance Pitfalls Based on real-world examples, this Web seminar will help C-level executives, as well as IT directors and managers, avoid common mistakes and give their organization a head start in ensuring a successful compliance implementation. Register today and find out how you can avoid the mistakes of others, improve IT security, and reduce the cost of continually maintaining and demonstrating compliance. http://list.windowsitpro.com/t?ctl=11B75:4FB69 Roll Back Data to Any Point in Time: Not Just the Last Snapshot or Backup Have you lost data because it was saved right after your last backup? Most of us have been in this situation. Continuous, or real- time, backup systems provide real-time protection, but are they right for you? In this free Web seminar, you'll learn about the design principles that underlie continuous data protection solutions, how to integrate them with your existing backup infrastructure, and how to best apply continuous protection technologies to your Windows-based servers. http://list.windowsitpro.com/t?ctl=11B72:4FB69 High Risk Internet Access: Are You in Control? Defending against Internet criminals, spyware, phishing and addressing the points of risk that Internet-enabled applications expose your organization to can seem like an epic battle with Medusa. So how do you take control of these valuable resources? In this free Web seminar, you'll get the tools you need to help you analyze the impact Internet-based threats have on your organization, and tools to aid you in the construction of Acceptable-Use Policies (AUPs). 
http://list.windowsitpro.com/t?ctl=11B73:4FB69 ==================== ==== Featured White Paper ==== Consolidate Your SQL Server Infrastructure Shared data clustering is the breakthrough consolidation solution for Microsoft Windows servers. In this free white paper, learn how shared data clustering technology can reduce capital expenditures by at least 50 percent, improve management efficiency, reduce operational expense, ensure high availability across all SQL Server instances and more! Download your free copy now. http://list.windowsitpro.com/t?ctl=11B70:4FB69 ==================== ==== 3. Security Toolkit ==== Security Matters Blog: Mac OS X Security Update Fixes Dozens of Vulnerabilities by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=11B83:4FB69 Apple released a major security update for Mac OS X. Security Update 2005-007 fixes dozens of vulnerabilities, including problems in Apache, Kerberos, MySQL, OpenSSL, and many other system components. Apple pulled the update to correct problems it caused with 64-bit applications on the Tiger OS, then reissued it as Security Update 2005-007 v1.1. If you loaded the initial release on Tiger, be sure to load v1.1. http://list.windowsitpro.com/t?ctl=11B78:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=11B82:4FB69 Q: How can I determine which groups I'm a member of for my current logon session? Find the answer at http://list.windowsitpro.com/t?ctl=11B80:4FB69 ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Try a Sample Issue of the Windows IT Security Newsletter! Security Administrator is now Windows IT Security. We've expanded our content to include even more fundamentals on building and maintaining a secure enterprise. Each issue also features product coverage of the best security tools available and expert advice on the best way to implement various security components. Plus, paid subscribers get online access to our entire online security article database! 
Sign up to try a sample issue today: http://list.windowsitpro.com/t?ctl=11B7C:4FB69 Windows IT Pro Gives IT Professionals What They Need The August issue is a must have! Subscribe now and find out the best ways to plan for Longhorn, what you need to know about VBScripts, and how to make sense of SQL Server. If you order today, you'll also gain exclusive access to the entire Windows IT Pro online article database (over 9000 articles) and save 44% off the cover price! http://list.windowsitpro.com/t?ctl=11B81:4FB69 ==================== ==== 4. New and Improved ==== by Renee Munshi, products@windowsitpro.com Fight Phishing Attacks CollectiveTrust has released ScamAlarm, a Windows application that protects users from phishing, identity theft, and fraud. ScamAlarm protects against all types of phishing attacks that try to collect personal information by pretending to be the Web site of a legitimate bank or investment firm. ScamAlarm uses a combination of contextual analysis, a robust set of rules, and a continuously updated list of dangerous sites. With ScamAlarm, users are notified immediately if the site that they're trying to visit is on the list of suspicious sites or if the Web site fails the program's security checks. ScamAlarm runs on Windows 98/2000/XP/2003, currently supports Microsoft Internet Explorer (IE) 5.5 or later, and costs $29.95 for a single-user license (volume discounts are available). You can purchase ScamAlarm securely online or download a free 30-day trial version at http://list.windowsitpro.com/t?ctl=11B87:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. 
Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Sponsored Links ==== Professional and secure remote control from all major platforms http://list.windowsitpro.com/t?ctl=11B6E:4FB69 Argent Versus MOM 2005 Experts Pick the Best Windows Monitoring Solution http://list.windowsitpro.com/t?ctl=11B6D:4FB69 Tech jobs at Dice Search 65K+ new IT jobs daily--Tech expert jobs at top companies! http://list.windowsitpro.com/t?ctl=11B6F:4FB69 ==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=11B85:4FB69 About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- salesopps@windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=11B7A:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2005, Penton Media, Inc. All rights reserved. 
From isn at c4i.org Thu Aug 25 06:43:29 2005 From: isn at c4i.org (InfoSec News) Date: Thu Aug 25 06:53:38 2005 Subject: [ISN] Hackers' Chinese Staging Ground Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2005/08/24/AR2005082402318.html By Bradley Graham Washington Post Staff Writer August 25, 2005 Web sites in China are being used heavily to target computer networks in the Defense Department and other U.S. agencies, successfully breaching hundreds of unclassified networks, according to several U.S. officials. Classified systems have not been compromised, the officials added. But U.S. authorities remain concerned because, as one official said, even seemingly innocuous information, when pulled together from various sources, can yield useful intelligence to an adversary. "The scope of this thing is surprisingly big," said one of four government officials who spoke separately about the incidents, which stretch back as far as two or three years and have been code-named Titan Rain by U.S. investigators. All officials insisted on anonymity, given the sensitivity of the matter. Whether the attacks constitute a coordinated Chinese government campaign to penetrate U.S. networks and spy on government databanks has divided U.S. analysts. Some in the Pentagon are said to be convinced of official Chinese involvement; others see the electronic probing as the work of other hackers simply using Chinese networks to disguise the origins of the attacks. "It's not just the Defense Department but a wide variety of networks that have been hit," including the departments of State, Energy and Homeland Security as well as defense contractors, the official said. "This is an ongoing, organized attempt to siphon off information from our unclassified systems." Another official, however, cautioned against exaggerating the severity of the intrusions. He said the attacks, while constituting "a large volume," were "not the biggest thing going on out there." 
Apart from acknowledging the existence of Titan Rain and providing a sketchy account of its scope, the officials who were interviewed declined to offer further details, citing legal and political considerations and a desire to avoid giving any advantage to the hackers. One official said the FBI has opened an investigation into the incidents. The FBI declined to comment. One official familiar with the investigation said it has not provided definitive evidence of who is behind the attacks. "Is this an orchestrated campaign by PRC or just a bunch of disconnected hackers? We just can't say at this point," the official said, referring to the People's Republic of China. With the threat of computer intrusions on the rise generally among Internet users, U.S. government officials have made no secret that their systems, like commercial and household ones, are subject to attack. Because the Pentagon has more computers than any other agency -- about 5 million worldwide -- it is the most exposed to foreign as well as domestic hackers, the officials said. Over the past few years, the Defense Department has taken steps to better organize what had been a rather disjointed approach to cyber security by individual branches of the armed forces. Last year, responsibility for managing the Pentagon's computer networks was assigned to the new Joint Task Force for Global Network Operations under the U.S. Strategic Command. "Like everybody connected to the Internet, we're seeing a huge spike" in outside scanning of Pentagon systems, said Lt. Col. Mike VanPutte, vice director of operations at the task force. "That's really for two reasons. One is, the tools are much simpler today. Anyone can download an attack tool and target any block on the Internet. The second is, the intrusion detection systems in place today," which are more sophisticated and can identify more attacks. 
Pentagon figures show that more attempts to scan Defense Department systems come from China, which has 119 million Internet users, than from any other country. VanPutte said this does not mean that China is where all the probes start, only that it is "the last hop" before they reach their targets. He noted that China is a convenient "steppingstone" for hackers because of the large number of computers there that can be compromised. Also, tracing hackers who use Chinese networks is complicated by the lack of cyber investigation agreements between China and the United States, another task force official said. The number of attempted intrusions from all sources identified by the Pentagon last year totaled about 79,000, defense officials said, up from about 54,000 in 2003. Of those, hackers succeeded in gaining access to a Defense Department computer in about 1,300 cases. The vast majority of these instances involved what VanPutte called "low risk" computers. Concern about computer attacks from China comes amid heightened U.S. worry generally about Chinese military activities. Defense Secretary Donald H. Rumsfeld warned in June that China's military spending threatened the security balance in Asia, and the Pentagon's latest annual report on Chinese military power, released last month, described the ongoing modernization of Beijing's armed forces. The report contained a separate section on development of computer attack systems by China's military. It said the People's Liberation Army (PLA) sees computer network operations as "critical to seize the initiative" in establishing "electromagnetic dominance" early in a conflict to increase effectiveness in battle. "The PLA has likely established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics to protect friendly computer systems and networks," the report said. 
"The PLA has increased the role of CNO [computer network operations] in its military exercises," the report added. "Although initial training efforts focused on increasing the PLA's proficiency in defensive measures, recent exercises have incorporated offensive operations, primarily as first strikes against enemy networks." The computer attacks from China have given added impetus to Pentagon moves to adopt new detection software programs and improve training of computer security specialists, several officials said. "It's a constant game of staying one step ahead," one said. Staff writer Dan Eggen contributed to this report. © 2005 The Washington Post Company

From isn at c4i.org Thu Aug 25 06:45:12 2005 From: isn at c4i.org (InfoSec News) Date: Thu Aug 25 06:54:08 2005 Subject: [ISN] IM worm speaks your language Message-ID: http://news.com.com/IM+worm+speaks+your+language/2100-7349_3-5842767.html By Joris Evers Staff Writer, CNET News.com August 24, 2005 A new MSN Messenger worm often talks to people in their own tongue as it hunts for new victims, security experts have warned. The worm, dubbed Kelvir.HI, tailors the language of its attack message to the compromised system, said David Jaros, the director of product marketing at security vendor Akonix Systems, on Wednesday. It can send messages in English, Dutch, French, German, Greek (English alphabet), Italian, Portuguese, Swedish, Spanish and Turkish, he noted. "It appears to check which language the Windows client is configured to use," he said. "This is the first time that we have seen a worm that checks the system settings and then sends a specific message." When it hits an English system, the worm sends out the following message: "haha i found your picture!" The message is sent to everybody on a user's contacts list. The message includes a Web link that when clicked on will download malicious software that installs a backdoor and furthers the spread of the worm, Jaros said. 
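Because Kelvir.HI localizes its lure, matching on the English string alone misses most infections. What does not change with language is the propagation shape the article describes: one sender pushes the same link to every contact within seconds. The detector below, an added example and not Akonix's or Symantec's logic, keys on that fan-out over IM gateway log lines. The log format, the field names, the `bad.example` URL and all of the sample lines (including the non-English lure, which is made up rather than the worm's real text) are constructed for the example.

```python
"""Fan-out detector for IM worm propagation (added example; constructed
log format and data, not a vendor's detection logic).

Flags any sender that delivers the same URL to at least min_recipients
distinct contacts inside a sliding window of window_s seconds. Lure
text is ignored entirely, so localized variants are caught the same way.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Hypothetical gateway log line:  <iso-ts> from=<user> to=<user> msg="<text>"
LINE_RE = re.compile(r'^(?P<ts>\S+) from=(?P<frm>\S+) to=(?P<to>\S+) msg="(?P<msg>.*)"$')
URL_RE = re.compile(r"https?://\S+")

# Constructed sample: carol's client blasts one link to four contacts in
# three seconds (one lure rendered in another language); the rest is benign.
SAMPLE_LOG = """\
2005-08-24T10:00:01 from=alice to=bob msg="lunch at 12?"
2005-08-24T10:00:05 from=bob to=alice msg="sure, menu is at http://intranet.example/menu"
2005-08-24T10:01:00 from=carol to=dave msg="haha i found your picture! http://bad.example/pic.php"
2005-08-24T10:01:01 from=carol to=erin msg="haha i found your picture! http://bad.example/pic.php"
2005-08-24T10:01:02 from=carol to=frank msg="hehe ich habe dein bild gefunden! http://bad.example/pic.php"
2005-08-24T10:01:03 from=carol to=gina msg="haha i found your picture! http://bad.example/pic.php"
2005-08-24T10:30:00 from=alice to=carol msg="did you mean to send me that?"
"""


def parse(line: str) -> Optional[Tuple[datetime, str, str, List[str]]]:
    """Return (timestamp, sender, recipient, urls) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    return ts, m["frm"], m["to"], URL_RE.findall(m["msg"])


def detect_fanout(log_text: str, window_s: int = 60, min_recipients: int = 3
                  ) -> List[Tuple[str, str, List[str]]]:
    """Return (sender, url, recipients) for each sender/url pair that reaches
    min_recipients distinct contacts within window_s seconds. One alert per
    pair, raised the moment the threshold is crossed."""
    recent: Dict[Tuple[str, str], Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Tuple[str, str, List[str]]] = []
    alerted = set()
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, sender, rcpt, urls = parsed
        for url in urls:
            key = (sender, url)
            dq = recent[key]
            dq.append((ts, rcpt))
            # Expire deliveries that fell out of the window (log is time-ordered).
            while (ts - dq[0][0]).total_seconds() > window_s:
                dq.popleft()
            distinct = {r for _, r in dq}
            if len(distinct) >= min_recipients and key not in alerted:
                alerted.add(key)
                alerts.append((sender, url, sorted(distinct)))
    return alerts


if __name__ == "__main__":
    for sender, url, rcpts in detect_fanout(SAMPLE_LOG):
        print(f"fan-out: {sender} -> {len(rcpts)} contacts with {url}: {', '.join(rcpts)}")
```

The threshold and window are the tuning knobs: a legitimate user pasting one link to three people in a minute is rare but possible, so in practice the alert is a trigger to quarantine the sending account's outbound IM and pull the URL for analysis, not proof of infection by itself.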
The worm is a variant of the Kelvir pest that first surfaced in February. To date, there have been 103 variants of Kelvir, according to IM security company Akonix. The worm spreads via Microsoft's MSN Messenger instant-messaging service and affects computers running Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP, according to a Symantec advisory. The multilingual Kelvir is a sign that virus developers are getting more inventive and more global in terms of their target market, Jaros said. "They go after not only English speakers, but also other languages. I think we will definitely see more worms that cast a wider net." Threats to instant messaging and peer-to-peer systems are on the rise, Akonix said. The threats are not only more frequent, but attackers are increasingly morphing their software to circumvent security measures, the company said.

From isn at c4i.org Fri Aug 26 04:20:28 2005 From: isn at c4i.org (InfoSec News) Date: Fri Aug 26 04:35:56 2005 Subject: [ISN] DOD's 'Manhattan Project' Message-ID: Forwarded from: William Knowles http://www.fcw.com/article90416-08-25-05 By Frank Tiboni Aug. 25, 2005 Taking a page from the past and one from the future, the Defense Department is devising ways to fight a new kind of threat that requires the strategic tricks of ancient warriors and the untested tools of network-centric warfare. Unless DOD changes how it operates and learns to defend its cyber networks, many military experts say it will not be able to wage an effective battle in the cyberwar that is emerging as the 21st century's biggest challenge. The Pentagon is at a crossroads, said Air Force Lt. Gen. Charles Croom, the new director of the Defense Information Systems Agency and commander of the Joint Task Force for Global Network Operations (JTF-GNO). "Networks are too important to the warfighter to not have them when the warfight begins," he said. 
Croom said DOD approaches computer network defense by emphasizing convenience to users, but the department's future information assurance strategy should tilt toward adding security. "The threat is great," Croom said. "It requires constant vigilance."

Other countries - for example, China - crime gangs and thrill-seeking hackers could steal information about U.S. military war plans and weapon systems to gain intelligence and embarrass the Pentagon. The threat has caused DOD to re-evaluate information assurance policies and acknowledge that such reviews will continue.

In the past year, DOD implemented new policies to strengthen computer network defense. In 2004, DOD created JTF-GNO to operate and defend networks that operate under Strategic Command (Stratcom). The department also approved a new command structure that identifies four military officials who will report to Croom.

The National Security Agency published a new technical architecture guiding DOD's acquisition and use of information assurance technology. DOD also issued directives on managing ports, protocols and services, and requiring periodic computer security training for all department employees.

DOD turned to procurement to support these policies and develop new kinds of defenses for cyberattacks. First, the department chose Retina from eEye Digital Security to scan computers for vulnerabilities. Then, DOD selected Hercules from Citadel to patch computers. Next, the department built a new multimillion-dollar command center to monitor global network operations and picked PestPatrol, antispyware from Computer Associates International. DOD will soon begin testing PestPatrol before introducing it later in the year.

DOD identified nine new procurements to fill information assurance gaps and improve security analyses and responses departmentwide, said a DISA official who requested anonymity.
The procurements include:

* Tier 3 Security Information Manager, a comprehensive system that tracks and analyzes data produced by scanning and sensing products.

* Insider Threat, technology that prevents spies and double agents from installing malicious hardware and software.

* Secret IP Network Security Enhancements, a system that strengthens protection of the U.S. military's classified network.

* Honeynets, fake networks that draw adversaries away from the U.S. military's real networks, keep them occupied and collect intelligence on their attack methods.

The DISA official said the Computer Network Defense Enterprise Solutions Steering Group oversees those new procurements. It is led by Stratcom and the Office of the Assistant Secretary of Defense for Networks and Information Integration and Chief Information Officer. That office develops DOD information technology policy and administers the department's $2 billion annual budget for information assurance products and services.

Bob Lentz, director of information assurance in the DOD CIO's office, said he agrees with Croom that the department is at a crossroads as it tries to operate and defend a complex of networks known as the Global Information Grid (GIG). "This is the equivalent of the Manhattan Project," Lentz said. "I will say we are at that level of seriousness of securing this massive network."

Every four hours, he said, the equivalent of the entire Library of Congress' archives travels on DOD networks. To wage network-centric warfare, he said, the department's 4 million users must trust the confidentiality of the information that crosses GIG and be assured of its availability.

Adversaries, however, recognize the U.S. military's dependence on networks and electronic information and the importance of sharing data - all of which are main principles of the evolving net-centric warfare strategy.
Enemies view that dependency as an opportunity to challenge the most powerful fighting force in the world on an even battlefield, military experts say.

Industry officials worry that all the steps the military will take might not be enough. They argue that net-centric warfare opens the services to hidden dangers. "We tend to assume we will have a technological edge over our adversaries," said Loren Thompson, chief operating officer at the Lexington Institute, a public-policy think tank. "That quite possibly may not happen because digital networking technology is readily available in global markets."

Alan Paller, director of research at the SANS Institute, a nonprofit organization that monitors computer security, warned that U.S. warfighters are becoming dependent on IT rather than using it as an enhancer. "The risk of losing the engagement because the systems were hacked grows explosively," Paller said.

President Bush has pledged to defend Taiwan if China attacks. And DOD has said the new local warfighting strategy of China's People's Liberation Army is to use computer network operations to seize the initiative and gain electromagnetic dominance early.

Jack Keane, the retired Army vice chief of staff who is now a military consultant and advises URS Corp., a federal contractor, said the new warfighting strategies of the United States and China play off each other. He said they could collide if China attacks Taiwan to unify it with the mainland.

Paul Wolfowitz, former deputy secretary of Defense, did not name China as one of the adversaries exploiting vulnerabilities in DOD networks in a memo to agency officials and military leaders last year. But "failure to secure our networks will weaken our warfighting ability and potentially put lives at risk," he said.

-=-

A network defense strategy: Honeynets

Army Col. Carl Hunt, director of technology and analysis at the Joint Task Force for Global Network Operations, has recommended that the Defense Department fundamentally change how it protects its networks by building fake networks, or honeynets.

Honeynets would draw adversaries away from real U.S. military networks and gather intelligence on enemies' attack methods. "These systems will collect information on methodologies, techniques and tools while providing a realistic playground for the intruder," Hunt said. By adopting a new set of maneuvers, DOD can lead persistent adversaries "to the terrain of our choosing."

Honeynets, however, will not solve all of DOD's computer network defense problems, Hunt said, adding that the department must also better understand its networks and the technologies available to protect them.

Hunt's comments appeared in "Net Force Maneuver: A NetOps Construct," a paper he co-wrote for the Institute of Electrical and Electronics Engineers Computer Society's Systems, Man and Cybernetics workshop. The workshop was held in June at the U.S. Military Academy at West Point, N.Y.

- Frank Tiboni

-=-

From horseback, soldiers call for bombs

John Luddy, an adjunct fellow at the Lexington Institute, a public-policy think tank, said no better illustration of network-centric warfare's potential exists than the image of an Army Special Forces soldier on horseback in Afghanistan sending location data via satellite from his notebook computer to an Air Force B-52 bomber crew. In less than 20 minutes, the crew could drop precision-guided bombs on Taliban troops.

Luddy describes network-centric warfare as "getting the right information faster to the right forces so they can take the right action faster against the right objective." Afghanistan and Iraq show that the new warfighting strategy works, he said.
In "The Challenge and Promise of Network-Centric Warfare," a report published by the institute in February, Luddy writes that "albeit it against markedly inferior military forces, American forces were able to integrate information and communications systems and procedures to accomplish more with less, and faster, than would have been possible even a decade ago."

- Frank Tiboni


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*


From isn at c4i.org  Fri Aug 26 04:19:24 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 26 04:36:29 2005
Subject: [ISN] New Cybersecurity Center To Warn Law Enforcement Of Critical Infrastructure Attacks
Message-ID:

http://informationweek.com/story/showArticle.jhtml?articleID=170000319

By Larry Greenemeier
InformationWeek
Aug. 24, 2005

With about 85% of the nation's critical infrastructure--energy utilities, manufacturing and transportation facilities, telecommunication and data networks, and financial services--in the private sector, it's no wonder there have been so many attempts to create services that keep these companies apprised of threats to their IT networks. But there's a problem: Most companies aren't eager to share their adventures in cybersecurity with each other or the government.

Keeping this in mind, several Philadelphia-area businesses and organizations are testing out a new model called the Cyber Incident Detection & Data Analysis Center, or CIDDAC, which lets private-sector entities anonymously share cyberthreat and attack data with their peers and government agencies such as the Homeland Security Department and the FBI without that data being subject to law-enforcement audits.
CIDDAC arose out of the deficiencies in the different organizations already working on cybersecurity, says Brad Rawling, a CIDDAC board member. A major sticking point that has hindered other attempts to create cyberattack-reporting infrastructures is the concern by businesses and other organizations that their proprietary information will be made public. Once information about a company's inner workings and security issues is documented by the government, that proprietary information may become fair game for Freedom Of Information Act requests by the press and public. CIDDAC circumvents this sticky situation because it's not a government entity and it doesn't provide specific information to members or law enforcement about the identity of the organization reporting a cyberattack.

Participation in CIDDAC is voluntary. Since its April debut, the effort has been funded with about $100,000 in contributions from members, as well as $200,000 from the Homeland Security Department's Science and Technology Directorate. CIDDAC is searching for an additional $400,000 in funding to move it from the pilot stage to a point where data can be collected and shared and the program can sustain itself. Membership will cost $10,000 per year and will include one sensor, a year of monitoring service, and access to CIDDAC reports.

CIDDAC's services are expected to be fully functional by the end of the year. The organization is piloting its sensor technology and reporting system at test locations in Philadelphia, southern New Jersey, and North Carolina. The next phase of testing, as CIDDAC receives production models of its network sensors over the next month and a half, will include as many as 10 large companies and institutions that have volunteered to participate and to whom CIDDAC has promised anonymity.
The University of Pennsylvania has donated lab space, E-mail listserv services, and Internet access via its Institute of Strategy Threat Analysis and Response for the CIDDAC's pilot phase, although the initiative may have to look elsewhere for a permanent home.

A company called AdminForce Remote LLC has developed the underlying real-time cyberattack-detection sensor technology that CIDDAC uses to gather information from its members' networks, and AdminForce chairman and CEO Charles Fleming serves as CIDDAC's executive director. Board members include Liberty Bell Bank chief technology officer Brian Schaeffer, Federal Reserve Bank of Philadelphia director of information security Keith Morales, Air Products and Chemicals Inc. computer crime investigator Lance Hawk, and Kema Inc. senior principal consultant Scott Mix. FBI special agent John Chesson and Homeland Security Department director of privacy technology Peter Sand have served as advisers to the CIDDAC effort.

As envisioned, a CIDDAC member connects AdminForce's sensors within its corporate network. If an intruder attempts to hack or penetrate the system, this intrusion-monitoring device sends a message to law enforcement and to other CIDDAC participants but protects the identity of the reporting entity. CIDDAC's plan is to provide members with trend-analysis information about specific intrusion activity that they can use to assess risks to their own networks.

CIDDAC's arrival is timely. This year's FBI Computer Security Institute computer crime and security survey results, based on the responses of 700 computer security practitioners in U.S. companies, government agencies, financial institutions, medical institutions, and universities, indicate that the percentage of organizations reporting computer intrusions to law enforcement continues to decline. Only 20% of organizations reported cyberattacks to law enforcement, while only 12% reported such attacks to legal counsel.
The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity. FBI Director Robert Mueller has acknowledged this reluctance that organizations have to air their dirty cyber laundry in public, thus hurting their image and giving rivals an edge. Mueller made these comments earlier this month at a conference hosted by InfraGard, an FBI program begun in 1996 in Cleveland as a local effort to gain support from the IT industry and academia for the FBI's cybersecurity investigative efforts. The program expanded nationally through the late 1990s. At the conference, Mueller likened a malicious command sent over a network to harm a power station's control computer to being as deadly as a backpack full of explosives.

The FBI is expected to receive CIDDAC-generated law-enforcement incident reports when different criminal thresholds are exceeded. Homeland Security is likewise expected to be a consumer of CIDDAC reports. The FBI will use CIDDAC incident reports to initiate preliminary investigations to determine the magnitude of the cyberthreat, Rawling says. Such reports could be used as a basis to justify opening a criminal or intelligence case, for example, but are not expected to be used as evidence to be presented in a court of law. "The FBI must use the tools they have to build a case without revealing the identity of the source," Rawling adds.

CIDDAC is by no means the only organization established to provide business-technology managers with information about cyberthreats. The new effort most closely resembles the SANS Institute's Internet Storm Center, although that service has no direct link with federal law enforcement. CIDDAC also is targeting large companies with similar IT security needs. Internet Storm Center uses the DShield distributed intrusion-detection system technology to collect data from users' intrusion-detection logs and disseminate this information to other users.
DShield is a piece of freeware maintained by the SANS Institute. The Internet Storm Center, a free service, lets users submit firewall logs anonymously, but they must register with the SANS Institute to view an archive of firewall logs they submitted to the DShield database in the past 30 days and get confirmation of log submissions.


From isn at c4i.org  Fri Aug 26 04:19:38 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 26 04:36:49 2005
Subject: [ISN] 40,000 euros offered for identities of online blackmailers
Message-ID:

http://www.heise.de/english/newsticker/news/63238

Craig Morris
25.08.2005

The online gambling site jaxx.de operated by Fluxx AG of Hamburg has been blackmailed since Sunday with a distributed denial-of-service (DDoS) attack for payment of 40,000 euros to the perpetrators, who are probably in eastern Europe. The company did not give in to the demand, but instead immediately contacted the Federal Criminal Police Office (BKA) and the German Bureau for Security in Information Technology (BSI) to put an end to the criminal actions.

In a press release [1] on the issue, the company quoted the blackmailers' letter: "... we demand payment of 40,000 euros. This money has to be wired via Western Union. This transaction is a minute transferal. In other words, if you transfer today and we are not prevented from withdrawing the money, we will stop the attack tonight. You will, no doubt, call the police, which you have the right to do. But I would like to inform you that your no. 1 competitor has already paid. ..."

Fluxx AG has apologized to its customers for any limited access to the site and offered a bonus. It also points out that the defensive measures taken by the company's administrators in cooperation with Internet providers have not succeeded in stopping the DDoS attacks. The company did, however, state that the security of the data on the online systems was at no time in danger.
It is offering 40,000 euros to anyone who can lead the police to the blackmailers. Last year, various gambling websites were blackmailed just before the World Football Cup, though the amount demanded was less: 15,000 US dollars.

[1] http://fluxx.de/fluxx_content.php?page=presse/details/20050824_523.html


From isn at c4i.org  Fri Aug 26 04:19:51 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 26 04:37:35 2005
Subject: [ISN] Book review: SPIES AMONG US
Message-ID:

http://www.apcmag.com/apc/v3.nsf/0/971D0650BF457073CA25706700822769

[ http://www.amazon.com/exec/obidos/ASIN/0764584685/c4iorg - WK]

By David Emberton
25 August 2005

Spies Among Us asserts that 99% of successful security attacks are preventable. Author Ira Winkler tests and breaks security for a living, having gotten his start in undercover work with the US National Security Agency. He claims that today's victims are often too caught up with media-hyped boogeymen to see who or what is really harming them.

The book promises to help us protect ourselves from the world's "super spies", as well as the burglar next door. Typical recommendations of installing spyware and virus detection are given, but the advice goes far beyond locking down a PC -- all information is valuable, whether it's stored on a computer or not, and yours is there for the taking.

Winkler doesn't propose to eliminate all security threats. Rather, he gives measured suggestions about assessing risk, deciding the value of what's likely to be stolen at any given time and then setting security expenditure accordingly. The ideas work on an individual and company level, although the focus of Spies Among Us is decidedly corporate.

The book comes in three parts. In the first, Winkler pimps his experience in the world of espionage to explain how spying works. The second part features Winkler on safari, stealing nuclear power plans and other fancy items from his rich clients.
The third and final section gets down to the details of creating and implementing a security program, in broad but shallow detail.

Probably the weakest aspect of Spies Among Us is the theme of post-9/11 "terror hype." The publisher had asked that this be de-emphasised for fear of dating the rest of the material, but apparently the author didn't listen. However, if you can endure the occasional rant against popular culture, Winkler's information and stories of true spying are well worth the cover price and a few quiet evenings.

Local Price: $42.95
Publisher: Wiley
ISBN: 0-7645-8468-5


From isn at c4i.org  Fri Aug 26 04:20:00 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 26 04:38:32 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-34
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2005-08-18 - 2005-08-25

                       This week : 78 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you of the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.
As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

A vulnerability has been reported in Internet Explorer, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error when the "msdds.dll" (Microsoft DDS Library Shape Control) COM object is instantiated in the Internet Explorer browser.

Information about products, which include the vulnerable COM object, can be found in the referenced Secunia advisory below.

Reference:
http://secunia.com/SA16480

--

Secunia Research has discovered a vulnerability in various HAURI anti-virus products, which can be exploited by malicious people to compromise a vulnerable system.

Additional information can be found in the referenced Secunia advisory below.

Reference:
http://secunia.com/SA16488

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA16480] Microsoft DDS Library Shape Control Code Execution Vulnerability
2.  [SA16466] Adobe Acrobat / Reader Plug-in Buffer Overflow Vulnerability
3.  [SA16548] Microsoft IIS "500-100.asp" Source Code Disclosure
4.  [SA16560] Windows Registry Editor Utility String Concealment Weakness
5.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
6.  [SA16545] Cisco Intrusion Prevention System Privilege Escalation
7.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
8.  [SA16449] Mac OS X Security Update Fixes Multiple Vulnerabilities
9.  [SA16463] OpenVPN Multiple DoS Vulnerabilities
10. [SA16513] CA Various Products Message Queuing Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA16480] Microsoft DDS Library Shape Control Code Execution Vulnerability
[SA16478] Chris Moneymaker's World Poker Championship Buffer Overflow
[SA16556] Home Ftp Server Directory Traversal Vulnerability
[SA16552] LeapFTP Site Queue File Buffer Overflow Vulnerability
[SA16489] Emefa Guestbook Script Insertion Vulnerability
[SA16548] Microsoft IIS "500-100.asp" Source Code Disclosure
[SA16530] Cisco Clean Access Host-based Check Bypass Security Issue
[SA16542] ZipTorrent Proxy Password Disclosure Security Issue
[SA16525] Process Explorer "CompanyName" Buffer Overflow
[SA16560] Windows Registry Editor Utility String Concealment Weakness

UNIX/Linux:
[SA16554] Red Hat update for elm
[SA16550] Gentoo update for PEAR-XML_RPC / phpxmlrpc
[SA16535] SUSE Updates for Multiple Packages
[SA16533] Red Hat update for php
[SA16527] Debian update for mozilla-thunderbird
[SA16524] Mandriva update for php-pear
[SA16520] Gentoo update for evolution
[SA16512] Ubuntu update for php4
[SA16511] AreaEdit SpellChecker Plugin Code Execution Vulnerability
[SA16510] SUSE update for acroread
[SA16508] ELM "Expires" Header Parsing Buffer Overflow Vulnerability
[SA16507] Debian update for mozilla-firefox
[SA16505] Gentoo update for acroread
[SA16504] Zorum prod.php Arbitrary Command Execution Vulnerability
[SA16483] Fedora update for gaim
[SA16572] Fedora update for pcre
[SA16547] Fedora update for squirrelmail
[SA16543] Ubuntu update for libpcre3/apache2
[SA16539] SqWebMail Attached File Script Insertion Vulnerability
[SA16536] Debian update for mantis
[SA16532] Debian update for bluez-utils
[SA16529] Mandriva update for vim
[SA16526] UnixWare update for zlib
[SA16519] Red Hat update for vim
[SA16517] Red Hat update for netpbm
[SA16506] Mantis Cross-Site Scripting and SQL Injection Vulnerabilities
[SA16499] Coppermine Photo Gallery EXIF Data Script Insertion
[SA16485] mutt Attachment Decoding Buffer Overflow Vulnerability
[SA16481] Fedora update for netpbm
[SA16521] Sun Solaris DHCP Client Arbitrary Code Execution Vulnerability
[SA16540] Gentoo update for tor
[SA16537] Debian update for kdegraphics
[SA16518] pam_ldap Client Authentication Security Bypass
[SA16500] Ubuntu update for kernel
[SA16498] Mandriva update for wxPythonGTK
[SA16495] UnixWare update for cpio
[SA16487] Mandriva update for kdegraphics
[SA16486] Mandriva update for libtiff
[SA16482] Fedora update for cups
[SA16546] Avaya CMS / IR Solaris printd Daemon Arbitrary File Deletion
[SA16484] Fedora update for ncpfs
[SA16549] Ubuntu update for lm-sensors
[SA16541] Adobe Version Cue VCNative Privilege Escalation
[SA16515] Debian update for mysql-dfsg
[SA16501] LM Sensors Insecure Temporary File Creation Vulnerability
[SA16557] Fedora update for cvs
[SA16553] CVS Insecure Temporary File Usage Security Issue

Other:
[SA16545] Cisco Intrusion Prevention System Privilege Escalation

Cross Platform:
[SA16528] WebCalendar "includedir" Arbitrary File Inclusion Vulnerability
[SA16523] Netquery "host" Parameter Arbitrary Command Execution
[SA16522] SaveWebPortal Multiple Vulnerabilities
[SA16492] PHPTB "absolutepath" Arbitrary File Inclusion Vulnerability
[SA16491] MailWatch for MailScanner XML-RPC PHP Code Execution
[SA16488] HAURI Anti-Virus ACE Archive Handling Buffer Overflow
[SA16551] Ventrilo Server Denial of Service Vulnerability
[SA16538] BEA WebLogic Portal User-Entitlement Security Bypass
[SA16531] PHPKit SQL Injection Vulnerabilities
[SA16514] RunCMS SQL Injection and Arbitrary Variable Overwrite Vulnerability
[SA16503] BBCaffe Email Address Script Insertion Vulnerability
[SA16502] PCRE Quantifier Values Integer Overflow Vulnerability
[SA16497] w-Agora "site" Local File Inclusion Vulnerability
[SA16493] MediaBox404 Admin Logon SQL Injection Vulnerability
[SA16490] PHPFreeNews SQL Injection and Cross-Site Scripting
[SA16513] CA Various Products Message Queuing Vulnerabilities
[SA16534] PostNuke "show" Parameter SQL Injection Vulnerability
[SA16516] vBulletin BBCode IMG Tag Cross-Site Request Forgery
[SA16496] ATutor Cross-Site Scripting Vulnerabilities
[SA16544] Cisco IDS Management Software SSL Certificate Validation Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA16480] Microsoft DDS Library Shape Control Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-08-18

A vulnerability has been reported in Internet Explorer, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16480/

--

[SA16478] Chris Moneymaker's World Poker Championship Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-08-18

Luigi Auriemma has reported a vulnerability in Chris Moneymaker's World Poker Championship, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16478/

--

[SA16556] Home Ftp Server Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2005-08-25

Donato Ferrante has discovered a vulnerability in Home FTP Server, which can be exploited by malicious users to access arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16556/

--

[SA16552] LeapFTP Site Queue File Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-08-24

Sowhat has reported a vulnerability in LeapFTP, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16552/

--

[SA16489] Emefa Guestbook Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-08-18

David Sopas Ferreira has discovered a vulnerability in Emefa Guestbook, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/16489/

--

[SA16548] Microsoft IIS "500-100.asp" Source Code Disclosure

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-08-23

Inge Henriksen has discovered a vulnerability in Microsoft Internet Information Services (IIS), which can be exploited by malicious people to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/16548/

--

[SA16530] Cisco Clean Access Host-based Check Bypass Security Issue

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2005-08-23

llhansen has reported a security issue in CCA (Cisco Clean Access), which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/16530/

--

[SA16542] ZipTorrent Proxy Password Disclosure Security Issue

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-08-24

Kozan has discovered a security issue in ZipTorrent, which can be exploited by malicious, local users to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/16542/

--

[SA16525] Process Explorer "CompanyName" Buffer Overflow

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-08-22

ATmaCA has discovered a vulnerability in Process Explorer, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/16525/

--

[SA16560] Windows Registry Editor Utility String Concealment Weakness

Critical:    Not critical
Where:       Local system
Impact:      Spoofing
Released:    2005-08-24

Igor Franchuk has discovered a weakness in Microsoft Windows, which can be exploited to hide certain information.

Full Advisory:
http://secunia.com/advisories/16560/


UNIX/Linux:
--

[SA16554] Red Hat update for elm

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-08-24

Red Hat has issued an update for elm. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16554/

--

[SA16550] Gentoo update for PEAR-XML_RPC / phpxmlrpc

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-08-24

Gentoo has issued an update for PEAR-XML_RPC / phpxmlrpc. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16550/

--

[SA16535] SUSE Updates for Multiple Packages

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2005-08-22

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16535/

--

[SA16533] Red Hat update for php

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-08-22

Red Hat has issued an update for php. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16533/

--
[SA16527] Debian update for mozilla-thunderbird
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Released: 2005-08-23
Debian has issued an update for mozilla-thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, gain knowledge of potentially sensitive information, conduct cross-site scripting attacks and compromise a user's system.
Full Advisory: http://secunia.com/advisories/16527/

--
[SA16524] Mandriva update for php-pear
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-23
Mandriva has issued an update for php-pear. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16524/

--
[SA16520] Gentoo update for evolution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-23
Gentoo has issued an update for evolution. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16520/

--
[SA16512] Ubuntu update for php4
Critical: Highly critical
Where: From remote
Impact: Privilege escalation, System access
Released: 2005-08-22
Ubuntu has issued updates for php4-dev and php4-pear. These fix some vulnerabilities, which can be exploited by malicious, local users to perform certain actions with escalated privileges or by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16512/

--
[SA16511] AreaEdit SpellChecker Plugin Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-22
A vulnerability has been reported in AreaEdit, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16511/

--
[SA16510] SUSE update for acroread
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-22
SUSE has issued an update for acroread. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/16510/

--
[SA16508] ELM "Expires" Header Parsing Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-22
Ulf Harnhammar has reported a vulnerability in ELM, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/16508/

--
[SA16507] Debian update for mozilla-firefox
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, System access
Released: 2005-08-22
Debian has issued an update for mozilla-firefox. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and spoofing attacks, and compromise a user's system.
Full Advisory: http://secunia.com/advisories/16507/

--
[SA16505] Gentoo update for acroread
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-19
Gentoo has issued an update for acroread. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/16505/

--
[SA16504] Zorum prod.php Arbitrary Command Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-19
rgod has discovered a vulnerability in Zorum, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16504/

--
[SA16483] Fedora update for gaim
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-18
Fedora has issued an update for gaim. This fixes a vulnerability and two weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.
Full Advisory: http://secunia.com/advisories/16483/

--
[SA16572] Fedora update for pcre
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-08-25
Fedora has issued an update for pcre. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16572/

--
[SA16547] Fedora update for squirrelmail
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-08-23
Fedora has issued an update for squirrelmail. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose or manipulate sensitive information.
Full Advisory: http://secunia.com/advisories/16547/

--
[SA16543] Ubuntu update for libpcre3/apache2
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-08-24
Ubuntu has issued updates for libpcre3, apache2, apache2-mpm-perchild, apache2-mpm-prefork, apache2-mpm-threadpool, and apache2-mpm-worker. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16543/

--
[SA16539] SqWebMail Attached File Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-08-24
Secunia Research has discovered a vulnerability in SqWebMail, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/16539/

--
[SA16536] Debian update for mantis
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-08-22
Debian has issued an update for mantis. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16536/

--
[SA16532] Debian update for bluez-utils
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, System access
Released: 2005-08-23
Debian has issued an update for bluez-utils. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16532/

--
[SA16529] Mandriva update for vim
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-08-23
Mandriva has issued an update for vim. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16529/

--
[SA16526] UnixWare update for zlib
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-22
SCO has acknowledged some vulnerabilities in zlib included with UnixWare. These can be exploited by malicious, local users to cause a DoS (Denial of Service), or by malicious people to cause a DoS or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16526/

--
[SA16519] Red Hat update for vim
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-08-23
Red Hat has issued an update for vim. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16519/

--
[SA16517] Red Hat update for netpbm
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-08-22
Red Hat has issued an update for netpbm. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16517/

--
[SA16506] Mantis Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-08-22
Some vulnerabilities have been reported in Mantis, which can be exploited by malicious people to conduct cross-site scripting, script insertion, and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16506/

--
[SA16499] Coppermine Photo Gallery EXIF Data Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-08-22
A vulnerability has been reported in Coppermine Photo Gallery, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/16499/

--
[SA16485] mutt Attachment Decoding Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-22
Frank Denis and Peter Valchev have reported a vulnerability in mutt, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16485/

--
[SA16481] Fedora update for netpbm
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-08-18
Fedora has issued an update for netpbm. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16481/

--
[SA16521] Sun Solaris DHCP Client Arbitrary Code Execution Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-08-24
A vulnerability has been reported in Solaris, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16521/

--
[SA16540] Gentoo update for tor
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information, Manipulation of data
Released: 2005-08-25
Gentoo has issued an update for tor. This fixes a vulnerability, which potentially can be exploited by malicious people to disclose or modify certain sensitive information.
Full Advisory: http://secunia.com/advisories/16540/

--
[SA16537] Debian update for kdegraphics
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-22
Debian has issued an update for kdegraphics. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) on a user's system.
Full Advisory: http://secunia.com/advisories/16537/

--
[SA16518] pam_ldap Client Authentication Security Bypass
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-08-24
A security issue has been reported in pam_ldap, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/16518/

--
[SA16500] Ubuntu update for kernel
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-19
Ubuntu has issued an update for the kernel.
This fixes some vulnerabilities, which can be exploited by malicious, local users or malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16500/

--
[SA16498] Mandriva update for wxPythonGTK
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-19
Mandriva has issued an update for wxPythonGTK. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) on an application linked against the library.
Full Advisory: http://secunia.com/advisories/16498/

--
[SA16495] UnixWare update for cpio
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-08-18
UnixWare has issued an update for cpio. This fixes a vulnerability, which can be exploited by malicious people to cause files to be unpacked to arbitrary locations on a user's system.
Full Advisory: http://secunia.com/advisories/16495/

--
[SA16487] Mandriva update for kdegraphics
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-18
Mandriva has issued an update for kdegraphics. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) on an application linked against the library.
Full Advisory: http://secunia.com/advisories/16487/

--
[SA16486] Mandriva update for libtiff
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-18
Mandriva has issued an update for libtiff. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) on an application linked against the library.
Full Advisory: http://secunia.com/advisories/16486/

--
[SA16482] Fedora update for cups
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-08-18
Fedora has issued an update for cups. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) on a vulnerable system.
Full Advisory: http://secunia.com/advisories/16482/

--
[SA16546] Avaya CMS / IR Solaris printd Daemon Arbitrary File Deletion
Critical: Less critical
Where: From local network
Impact: Manipulation of data
Released: 2005-08-23
Avaya has acknowledged a vulnerability in CMS and IR, which can be exploited by malicious users to delete files on a vulnerable system.
Full Advisory: http://secunia.com/advisories/16546/

--
[SA16484] Fedora update for ncpfs
Critical: Less critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-08-18
Fedora has issued an update for ncpfs. This fixes two vulnerabilities and a potential issue, which can be exploited to perform certain actions on a vulnerable system with escalated privileges or potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/16484/

--
[SA16549] Ubuntu update for lm-sensors
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-24
Ubuntu has issued an update for lm-sensors. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/16549/

--
[SA16541] Adobe Version Cue VCNative Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-23
A vulnerability has been reported in Adobe Version Cue, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/16541/

--
[SA16515] Debian update for mysql-dfsg
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-24
Debian has issued an update for mysql-dfsg. This fixes a vulnerability, which can be exploited by malicious, local users to conduct various actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/16515/

--
[SA16501] LM Sensors Insecure Temporary File Creation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-22
Javier Fernandez-Sanguino Pena has reported a vulnerability in LM Sensors, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/16501/

--
[SA16557] Fedora update for cvs
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-24
Fedora has issued an update for cvs. This fixes a security issue, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/16557/

--
[SA16553] CVS Insecure Temporary File Usage Security Issue
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-24
Josh Bressers has reported a security issue in cvs, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/16553/

Other:

--
[SA16545] Cisco Intrusion Prevention System Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-08-23
A vulnerability has been reported in Cisco Intrusion Prevention System, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/16545/

Cross Platform:

--
[SA16528] WebCalendar "includedir" Arbitrary File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-24
A vulnerability has been reported in WebCalendar, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16528/

--
[SA16523] Netquery "host" Parameter Arbitrary Command Execution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-23
rgod has discovered a vulnerability in Netquery, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16523/

--
[SA16522] SaveWebPortal Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2005-08-23
rgod has discovered some vulnerabilities in SaveWebPortal, which can be exploited by malicious people to conduct cross-site scripting attacks or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16522/

--
[SA16492] PHPTB "absolutepath" Arbitrary File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-18
Filip Groszynski has discovered a vulnerability in PHPTB, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16492/

--
[SA16491] MailWatch for MailScanner XML-RPC PHP Code Execution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-18
A vulnerability has been reported in MailWatch for MailScanner, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16491/

--
[SA16488] HAURI Anti-Virus ACE Archive Handling Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-08-24
Secunia Research has discovered a vulnerability in various HAURI anti-virus products, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16488/

--
[SA16551] Ventrilo Server Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-08-24
Luigi Auriemma has discovered a vulnerability in Ventrilo Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/16551/

--
[SA16538] BEA WebLogic Portal User-Entitlement Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-08-23
A vulnerability has been reported in WebLogic Portal, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/16538/

--
[SA16531] PHPKit SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-08-24
Phuket has discovered some vulnerabilities in PHPKit, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16531/

--
[SA16514] RunCMS SQL Injection and Arbitrary Variable Overwrite Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-08-22
James Bercegay has reported some vulnerabilities in RunCMS, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16514/

--
[SA16503] BBCaffe Email Address Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-08-19
rgod has discovered a vulnerability in BBCaffe, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/16503/

--
[SA16502] PCRE Quantifier Values Integer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-08-22
A vulnerability has been reported in PCRE, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16502/

--
[SA16497] w-Agora "site" Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-08-19
matrix_killer has discovered a vulnerability in w-Agora, which can be exploited by malicious people to disclose certain sensitive information.
Full Advisory: http://secunia.com/advisories/16497/

--
[SA16493] MediaBox404 Admin Logon SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-08-18
Cedric Tissieres has reported a vulnerability in MediaBox404, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16493/

--
[SA16490] PHPFreeNews SQL Injection and Cross-Site Scripting
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-08-18
matrix_killer has discovered some vulnerabilities in PHPFreeNews, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/16490/

--
[SA16513] CA Various Products Message Queuing Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: Spoofing, DoS, System access
Released: 2005-08-22
Some vulnerabilities have been reported in various products within the CA Message Queuing (CAM / CAFT) software, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/16513/

--
[SA16534] PostNuke "show" Parameter SQL Injection Vulnerability
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2005-08-25
Maksymilian Arciemowicz has discovered a vulnerability in PostNuke, which can be exploited by malicious administrative users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16534/

--
[SA16516] vBulletin BBCode IMG Tag Cross-Site Request Forgery
Critical: Less critical
Where: From remote
Impact: Hijacking
Released: 2005-08-24
A vulnerability has been discovered in vBulletin, which can be exploited by malicious users to conduct cross-site request forgery attacks.
Full Advisory: http://secunia.com/advisories/16516/

--
[SA16496] ATutor Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-08-19
matrix_killer has discovered some vulnerabilities in ATutor, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/16496/

--
[SA16544] Cisco IDS Management Software SSL Certificate Validation Vulnerability
Critical: Less critical
Where: From local network
Impact: Spoofing
Released: 2005-08-23
A vulnerability has been reported in CiscoWorks Monitoring Center for Security and CiscoWorks Management Center for IDS Sensors (IDSMC), which can be exploited by malicious people to spoof certain information.
Full Advisory: http://secunia.com/advisories/16544/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe: http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Aug 26 04:20:44 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 26 04:39:43 2005
Subject: [ISN] Internet sieges can cost businesses a bundle
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,104168,00.html

By Robert McMillan
AUGUST 25, 2005
IDG NEWS SERVICE

When the first extortion e-mail popped into Michael Alculumbre's in-box, he had no idea it was about to cost his business nearly $500,000.

The note arrived in early November of last year, as Alculumbre's London-based transaction processing company, Protx, was being hit by a nasty distributed denial-of-service (DDoS) attack. Zombie PCs from around the world were flooding the company's Web site, Protx.com, and the transaction processing server that was the commercial heart of the business.

In the extortion e-mail's broken English, someone identifying himself as Tony Martino proposed a classic organized-crime protection scheme. "You should pay $10,000," Martino wrote. "When we receive money, we stop attack immediately." The e-mail even promised one year's protection from other attackers for the $10,000 fee. "Many companies paid us, and use our protection right now," Martino's message said. "Think about how much money you lose, while your servers are down."

The attackers had one thing right: Online attacks can be expensive. A 2004 PricewaterhouseCoopers survey of more than 1,000 businesses in the U.K. found that companies spent an average of more than $17,000 on their worst security incident that year. For large companies, that amount was closer to $210,000, the study found.
For companies of all sizes, most of the loss was due to the disruption in their ability to do business, with expenses for troubleshooting the incident and actual cash spent responding to it accounting for considerably less.

It's Expensive

Law enforcement authorities told Protx that it was the victim of Russian organized crime, Alculumbre says, but criminal extortion is not the only motivation for such attacks.

In April, Australian antispyware vendor PC Tools Pty. became a target of spyware companies that didn't want users who were interested in PC Tools' spyware-cleansing software to reach the actual PC Tools Web site. Customers whose PCs had already been infected by spyware were greeted with fake pop-up windows and shopping carts when they tried to purchase the company's Spyware Doctor product, said Simon Clausen, PC Tools' CEO. Instead of buying his company's antispyware software, they were tricked into purchasing useless products that left their computers infected, he said.

Even links that appeared to be from legitimate Web sites like Google or Download.com were modified on fake pages displayed to users, Clausen said. "Any link that said Spyware Doctor would be redirected to the attackers' sites."

Clausen estimates that as much as 15% of his company's business was lost, representing hundreds of thousands of dollars in missed sales. But the real cost was in lost productivity for his software development team, which was forced to spend hundreds of hours changing PC Tools' products and its Web site in an effort to stay one step ahead of the attackers. "We probably had a dozen people involved pretty heavily in it for about a month or two," he said.

By the time PC Tools developed a way of handling the attack, the company had taken major hits in employee time and in lost business opportunities because of product delays, he said.
Online Cat and Mouse

For its part, Protx managed to survive the first wave of the attack against it by scrambling its IT staff and prohibiting traffic from zombie servers (at one point, the company simply blocked all traffic originating from the western U.S.). But the 13-person company's biggest cost involved preparing for the next assaults, consisting of thousands of server requests, which came in January and April.

The April attack, which lasted for more than five days, was the most severe, as Protx and the attackers engaged in a kind of online cat and mouse. Just as Alculumbre's technicians found one way to block the flood of unwanted server messages, the attackers would switch to another tack. At one point, the cybercriminals used a new exploit of Microsoft's Internet Information Services server that caused the Protx Web site to crash whenever certain types of secure messages got through. Protx responded by installing an SSL accelerator and analyzing the messages before letting them through.

On the final day of the April assault, the attackers hit Protx with everything they had. At the peak of the assault, the company's servers were processing 800Mb of traffic per second, the equivalent of more than 530 T1 lines firing at full capacity. Protx's administrators spent some long, tense hours over that weekend, scrambling with technicians from the company's Internet service provider to keep the company's Web and transaction processing server online.

"It's like being in a war," Alculumbre said. "My three guys were working with three other technicians in extremely tight hosting facilities, trying to put all this bloody machinery in and wire it up... it looked like Spaghetti Junction. How they ever knew what they were doing was beyond me."

Expanding Horizons

Just a few years ago, financially motivated attackers tended to focus on fringe businesses like online gaming sites.
But transaction processors like Protx are now choice prey for extortionists, according to Peter Rendall, CEO of Top Layer Networks Inc., a security vendor based in Westboro, Mass. "If you bring down your payment processor, you can bring down hundreds of [online] processors," he said. "Transaction processors like Protx will do everything in their power not to be off-line; therefore, they are investing heavily in security and bandwidth."

Proportionately, online security costs are greater for smaller companies than for larger ones. According to the 2005 Computer Crime and Security Survey conducted by the Computer Security Institute and the FBI, companies with sales of less than $10 million per year spent $643 per employee on computer security each year. For the largest companies -- those with more than $1 billion in annual revenue -- the amount spent on security was $247 per employee.

The survey found that companies in the utilities business spent the most on computer security -- an average of $190 per employee per year. Next on the list were transportation and telecommunication companies, with average annual costs per employee of $187 and $132, respectively.

But for companies under targeted attack, the costs are decidedly higher. Protx, for example, ended up spending a whopping $38,000 per employee on security over the past year.

Protx's Alculumbre says that he once thought that his company was too small to draw the attention of organized crime, but the events of the last year have taught him otherwise. "It's very alarming for us that an unknown assailant can do so much to a business that I've spent so many years trying to build," he said.

Though the first days of the assaults were stressful, Alculumbre said that he's grown more accustomed to the high costs involved. "If you're going to be in business, then you have to accept that DDoS attacks are a part of this," he said.
From isn at c4i.org Fri Aug 26 04:20:57 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 26 04:40:45 2005
Subject: [ISN] Islamists seek to organize hackers' jihad in cyberspace
Message-ID:

http://washingtontimes.com/national/20050825-111136-2852r.htm

By Shaun Waterman
UNITED PRESS INTERNATIONAL
August 26, 2005

A Web forum for Muslim extremists is calling on its members to organize an Islamist hackers' army to carry out Internet attacks against the U.S. government. The site has posted tips, software and links to other resources to help would-be cyber-warriors.

The Jamestown Foundation, a District-based nonprofit with a history of extensive ties to the CIA, said that it has monitored postings on a new section of an extremist bulletin board called al-Farooq. According to Jeffrey Poole, a researcher for the foundation, the forum "represents a how-to manual for the disruption and/or destruction of enemy electronic resources, including e-mail, Web sites and computer hardware."

The new section was set up two weeks ago, according to a briefing written by Mr. Poole and distributed by the foundation, which added that one member of the forum has called for the creation of an Islamist organization, which he dubbed "Jaish al-Hacker al-Islami," the Islamic Hacker's Army.

The would-be Islamist cyber-warrior, who calls himself "Achrafe," pointed out that organization of large numbers of attackers is a key force multiplier in some forms of Web warfare -- such as denial-of-service attacks in which the target's servers are bombarded with so many requests for information from other parts of the Internet that they effectively are shut down.

The foundation described in detail a "hacker library" maintained on the al-Farooq site, offering special software that can be used to steal passwords; tools and tips on anonymous Web surfing; and programs the site says can destroy or disable a target computer if installed on it.
Ron Gula, a former National Security Agency official who worked on computer security issues, said that many of the hacking efforts made by such groups are "amateurish" and "lost in the background noise" of other hackers and Internet criminals. "Between 1 and 5 percent of the Internet is infected [with viruses, spyware, worms or other malicious software] at any one time," Mr. Gula said.

So-called keystroke logs -- which record every letter typed into a computer -- were among the programs offered for download on al-Farooq. The software can be used to learn passwords and log-in information. Once the program is clandestinely installed on a computer, typically via a virus or an unwitting download, the records of the key strokes are transmitted to the hacker, giving him access to password-protected computer systems.

From isn at c4i.org Mon Aug 29 14:05:43 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 29 14:36:07 2005
Subject: [ISN] Two Suspected in Computer Worm Attacks Are Arrested
Message-ID:

http://www.nytimes.com/2005/08/27/technology/27worm.html

By ROBEN FARZAD
August 27, 2005

Two men were arrested overseas on Thursday on charges of unleashing a computer worm that infected networks across the United States nearly two weeks ago, the Federal Bureau of Investigation and Microsoft announced yesterday.

The men, Farid Essebar, 18, of Morocco, and Atilla Ekici, 21, of Turkey, were said to be responsible for the Zotob worm, which hampered computer operations at more than 100 companies, including news organizations like CNN, The New York Times and ABC News. The computers were running a version of Microsoft's Windows operating system, prompting the company's Internet crime investigations unit to collaborate with the F.B.I. to locate the source.

"The swift resolution of this matter is the direct result of effective coordination and serves as a good example of what we can achieve when we work together," Louis M. Reigel III, assistant director of the F.B.I.
Cyber Division, said in a news release.

In a conference call with reporters, Mr. Reigel said Mr. Ekici, who went by the online alias Coder, paid Mr. Essebar, operating under the name Diabl0, to create Zotob and another worm, called Mytob. But he would not comment on whether they were part of a broader operation. "They certainly knew each other via the Internet," Mr. Reigel said, but it was not clear whether they had met in person.

The state news agency in Morocco reported that the motive was financial and that Mr. Essebar acted in league with groups involved in bank card forgery. Some computer worms can be used to compromise computer security and make it easier to steal passwords, identification data and financial records in ways that are hard to trace. Mr. Reigel declined to specify yesterday whether any data was compromised in the Zotob episode.

The Zotob worm was notable for how quickly it was released after Microsoft's announcement of a flaw in its Windows 2000 operating system. Within days of Microsoft's releasing a security patch in early August, the worm was infecting computers that had not installed the update.

Bradford L. Smith, Microsoft's general counsel, said in an interview yesterday that the company was able to help authorities as the attack was going on by monitoring its path and then charting its trail and dissecting the code behind the worm. "You learn things in real time that you just cannot reconstruct later," he said.

In the earlier conference call, he was asked why Microsoft's operating systems have been so prone to attack. "The reality is that any company that has popular products has to recognize that it's a fact of life," he said. "Security remains our highest priority."

From isn at c4i.org Mon Aug 29 14:06:08 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 29 14:36:27 2005
Subject: [ISN] 5 indicted in spyware e-mail case
Message-ID:

http://www.signonsandiego.com/news/business/20050827-9999-1b27spy.html

By Onell R. Soto
UNION-TRIBUNE STAFF WRITER
August 27, 2005

The spyware program was designed for private detectives, authorities said, but it really took off when it was marketed to jealous lovers. "Catch a cheating lover," the San Diego company's Web site boasted. "Send them an e-Greeting card!" The cards, Lover Spy promised, deployed software to track everything that unsuspecting recipients did on their computers. About 1,000 people signed up before the FBI shut the company down in October 2003.

One Laguna Beach man targeted his former girlfriend. A Long Beach woman went after her ex-fiance. An Irvine man wanted to know more about his estranged sister. And a Pennsylvania woman wanted to check out whether her boyfriend was cheating on her.

Federal prosecutors announced computer hacking indictments yesterday against all four and against Carlos Enrique Perez Melara, the 25-year-old former San Diego man who prosecutors say created the software they used. Perez, a native of El Salvador, probably is in the Los Angeles area, said Stewart Roberts, the second highest-ranking agent at the San Diego FBI office. Crime Stoppers has offered a $1,000 reward. Perez is charged with 35 crimes, each of which carries a potential five-year prison sentence if he is convicted.

Spyware is one of the fastest-growing examples of malicious software, a computer security expert said. It is designed to track what computer users do. Some types - the fastest-growing segment - use such information to select which pop-up ads users see when using the Internet. However, other software can be used by identity thieves to get account numbers and passwords, said David Cole, director of Symantec Security Response, part of the company that produces the Norton anti-virus software. More than half the malicious software submitted to his company by suspicious users and computer security professionals is designed to aid identity theft, he said. "We're seeing more spyware," he said.
The FBI has not found any instances of identity theft linked to the Lover Spy software. The agency has notified all 2,000 victims via e-mail. One of the victims of the program said yesterday she was shocked by the invasion of her privacy. "I didn't know it was on my computer until the FBI contacted me," she said. The resident of a small town in central Pennsylvania said she didn't want her name used because her privacy had been breached enough by the woman who was spying on her. "She contacted me because she thought that I was dating her boyfriend, but it wasn't true," she said. "I had never met him. I didn't know who he was." She said she was sympathetic with the suspicious girlfriend and struck up a friendly e-mail relationship. "She sent me a greeting card on the Internet through my e-mail and that's how she got into my computer," she said. "She had access to everything." She said she regularly updated her anti-virus software and checked for malicious programs, but none of those measures detected the program when her computer was infected. Such programs have since been updated to catch the Lover Spy software, which tracked Internet use, e-mail and everything typed on infected computers and could be used to turn on cameras hooked up to the personal computers, said the FBI's Roberts. Employers and parents use similar surveillance software on computers they own to keep track of their workers and children, he said. Perez advertised the $89 software on a Web site and through unsolicited e-mail. The software was deployed on computers around the world, which would send information to Perez's customers and to him at his downtown San Diego apartment, prosecutor Mitch Dembin said. "People were spying on others simply to learn what they were doing," he said. The FBI began investigating after getting a tip from someone who got e-mail spam from the company. Perez was present when agents raided his apartment and took his computers Oct. 
10, 2003, but has since disappeared, Roberts said.

From isn at c4i.org Mon Aug 29 14:06:30 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 29 14:37:58 2005
Subject: [ISN] UK court approves extradition of Trojan Horse couple
Message-ID:

http://www.globes.co.il/serveen/globes/DocView.asp?did=1000005627&fid=1725

Ron Stein
28 Aug 05

The investigation into the Trojan Horse industrial espionage affair continues to widen following indictments of private investigators. On Friday, a London court approved the extradition of Michael Haephrati (44) and Ruth Brier-Haephrati (28), arrested in May in London at the request of Israel Police on charges of industrial espionage in Israel.

Michael Haephrati is suspected of designing software enabling many companies, through private investigative agencies, to hack into the computers of their competitors. A British judge ruled that there was prima facie evidence that the couple received payment from Israeli private investigative agencies.

UK Home Secretary Charles Clark must now decide whether to extradite the Haephratis to Israel. Under British law, the Home Secretary has 60 days to decide.

On August 19, the Haephratis' attorney said that they did not design the software with criminal intent. He added that Ruth Brier-Haephrati was the person in contact with the Israeli private investigative agencies.

"Bloomberg" reports that the Haephratis face eight counts in Israel, six of which carry the maximum punishment of five years in prison, and two of which carry the maximum punishment of two years.
Published by Globes [online], Israel business news - www.globes.co.il - on August 28, 2005

From isn at c4i.org Mon Aug 29 14:06:55 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 29 14:38:27 2005
Subject: [ISN] Linux Security Week - August 29th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  August 29th, 2005                            Volume 6, Number 36n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Storm brewing over SHA-1 as further breaks are found," "Linux Kernel Denial of Service and IPsec Policy Bypass," and "Information Security in Campus and Open Environments."

---

## Master of Science in Information Security ##

Earn your Master of Science in Information Security online from Norwich University. Designated a "Center of Excellence", the program offers a solid education in the management of information assurance, and the unique case study method melds theory into practice. Using today's e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

LEARN MORE: http://www.msia.norwich.edu/linux_en

---

LINUX ADVISORY WATCH

This week, advisories were released for bluez-utils, thunderbird, mysql, epiphany, system-config-netboot, kdbg, doxygen, kdeedu, ncpfs, gaim, system-config-bind, tar, vnc, metacity, cups, pygtk, slocate, myodbc, xpdf, libgal2, dhcpv, diskdumputils, kdebase, cvs, hwdata, eject, pcre, kismet, wikiwiki, apache, tor, netpbm, vim, and elm. The distributors include Debian, Fedora, Gentoo, and Red Hat.

http://www.linuxsecurity.com/content/view/120226/150/

---

Hacks From Pax: PHP Web Application Security
By: Pax Dickinson

Today on Hacks From Pax we'll be discussing PHP web application security. PHP is a great language for rapidly developing web applications, and is very friendly to beginning programmers, but some of its design can make it difficult to write web apps that are properly secure. We'll discuss some of the main security "gotchas" when developing PHP web applications, from proper user input sanitization to avoiding SQL injection vulnerabilities.

http://www.linuxsecurity.com/content/view/120043/49/

---

Network Server Monitoring With Nmap

Portscanning, for the uninitiated, involves sending connection requests to a remote host to determine what ports are open for connections and possibly what services they are exporting. Portscanning is the first step a hacker will take when attempting to penetrate your system, so you should be preemptively scanning your own servers and networks to discover vulnerabilities before someone unfriendly gets there first.

http://www.linuxsecurity.com/content/view/119864/150/

---

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Storm brewing over SHA-1 as further breaks are found
24th, August, 2005

Three Chinese researchers have further refined an attack on the encryption standard frequently used to digitally sign documents, making the attack 64 times faster and leaving cryptographers to debate whether the standard, known as the Secure Hash Algorithm, should be phased out more quickly than planned.

http://www.linuxsecurity.com/content/view/120200

* Storage and data encryption
25th, August, 2005

Data security is a major concern for all CIOs. This has been addressed from access and identity controls through encrypting data in transmission through to securing data at rest, on disk or on tape.

http://www.linuxsecurity.com/content/view/120211

* Host Integrity Monitoring Using Osiris and Samhain
22nd, August, 2005

Host integrity monitoring is the process by which system and network administrators validate and enforce the security of their systems. This can be a complex suite of approaches, tools, and methodologies, and it can be as simple as looking at logging output. In the past, tools like Tripwire were used to check the configurations on hosts. The freeware version of this tool was limited in its manageability, which was available mainly in the commercial version.

http://www.linuxsecurity.com/content/view/120181

* Why You Need To Add "Protect Domain Name" To The Security Checklist
25th, August, 2005

Domain name hijacking broadly refers to acts where a registered domain name is misused or stolen from the rightful name holder. A domain hijacking is a security risk many organizations overlook when they develop security policy and business continuity plans. While name holders can take measures to protect their domain names against theft and loss, many measures are not generally known.

http://www.linuxsecurity.com/content/view/120214

* Linux/Unix e-mail flaw leaves system open to attack
26th, August, 2005

Two serious security flaws have turned up in software widely distributed with Linux and Unix. The bugs affect Elm (Electronic Mail for Unix), a venerable e-mail client still used by many Linux and Unix sysadmins, and Mplayer, a cross-platform movie player that is one of the most popular of its kind on Linux.

http://www.linuxsecurity.com/content/view/120230

* Linux Kernel Denial of Service and IPsec Policy Bypass
25th, August, 2005

Two vulnerabilities have been reported in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or bypass certain security restrictions.

http://www.linuxsecurity.com/content/view/120212

* Flexible, safe and secure?
24th, August, 2005

This article looks beyond the hype of mobile working to consider some of the practical issues of an organisation implementing an ICT strategy that ensures data security wherever employees connect to corporate systems.

http://www.linuxsecurity.com/content/view/120085

* Information Security in Campus and Open Environments
23rd, August, 2005

This article is geared towards techies at libraries and schools and will attempt to address common security problems that may pop up at these institutions. The author gears the solutions towards Open Source, freeware, and base operating system security in a Windows XP/2k environment.

http://www.linuxsecurity.com/content/view/120186

* Legal disassembly
23rd, August, 2005

The question for security researchers going forward is modeled by the Lynn saga. Is it legal to decompile source code to find vulnerabilities? Of course, the answer is mixed. Maybe it is, maybe it's not.

http://www.linuxsecurity.com/content/view/120188

* Be prepared to pay for security
24th, August, 2005

When one million of your customers have their IP addresses added to a spam blacklist, there is clearly something wrong with your security systems. Just ask Telewest: this is exactly what it experienced in May after 17,000 of its users saw their computers turn into spam bots.

http://www.linuxsecurity.com/content/view/120198

* Banks Abandoning SSL On Home Page Log-Ins
24th, August, 2005

Some of the biggest banks have abandoned the practice of posting their online account log-in screens on SSL-protected pages in an effort to boost page response time and guide users to more memorable URLs, a U.K. Web performance firm said Tuesday.

http://www.linuxsecurity.com/content/view/120201

* The Real Problem of Linux: The Userbase?
25th, August, 2005

True, a normal Linux installation and setting up basic internet access and email settings is proven to be equally easy under Windows as under Linux - if not easier under Linux. But I've been using Linux distributions for several years now, and I must say that for advanced problems it's harder to get things worked out under Linux.

http://www.linuxsecurity.com/content/view/120210

* Industry Survey Shows SMBs Lack Minimal Security
25th, August, 2005

Sean Stenovich often sees his small and midsize business clients pick and choose their security solutions based on what they think they need and can afford.

http://www.linuxsecurity.com/content/view/120215

* Sarbanes-Oxley will be 2005's biggest time waster
23rd, August, 2005

The Sarbanes-Oxley rules will be the biggest waste of IT resources for public companies this year, according to a poll of 444 US companies by IBM user group Share.

http://www.linuxsecurity.com/content/view/120187

* Hacker underground erupts in virtual turf wars
24th, August, 2005

In the early days of computer attacks, when bright teens could bring down corporate systems, the point was often to trumpet a hacker's success.
No longer.

http://www.linuxsecurity.com/content/view/120199

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Aug 29 14:07:49 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 29 14:39:03 2005
Subject: [ISN] The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)
Message-ID:

Forwarded from: William Knowles

http://www.time.com/time/magazine/article/0,9171,1098961,00.html

By NATHAN THORNBURGH
August 29, 2005

It was another routine night for Shawn Carpenter. After a long day analyzing computer-network security for Sandia National Laboratories, where much of the U.S. nuclear arsenal is designed, Carpenter, 36, retreated to his ranch house in the hills overlooking Albuquerque, N.M., for a quick dinner and an early bedtime. He set his alarm for 2 a.m. Waking in the dark, he took a thermos of coffee and a pack of Nicorette gum to the cluster of computer terminals in his home office. As he had almost every night for the previous four months, he worked at his secret volunteer job until dawn, not as Shawn Carpenter, mid-level analyst, but as Spiderman--the apt nickname his military-intelligence handlers gave him--tirelessly pursuing a group of suspected Chinese cyberspies all over the world. Inside the machines, on a mission he believed the U.S. government supported, he clung unseen to the walls of their chat rooms and servers, secretly recording every move the snoopers made, passing the information to the Army and later to the FBI.

The hackers he was stalking, part of a cyberespionage ring that federal investigators code-named Titan Rain, first caught Carpenter's eye a year earlier when he helped investigate a network break-in at Lockheed Martin in September 2003.
A strikingly similar attack hit Sandia several months later, but it wasn't until Carpenter compared notes with a counterpart in Army cyberintelligence that he suspected the scope of the threat. Methodical and voracious, these hackers wanted all the files they could find, and they were getting them by penetrating secure computer networks at the country's most sensitive military bases, defense contractors and aerospace companies. Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes. "Most hackers, if they actually get into a government network, get excited and make mistakes," says Carpenter. "Not these guys. They never hit a wrong key." Goaded by curiosity and a sense that he could help the U.S. defend itself against a new breed of enemy, Carpenter gave chase to the attackers. He hopped just as stealthily from computer to computer across the globe, chasing the spies as they hijacked a web of far-flung computers. Eventually he followed the trail to its apparent end, in the southern Chinese province of Guangdong. He found that the attacks emanated from just three Chinese routers that acted as the first connection point from a local network to the Internet. It was a stunning breakthrough. In the world of cyberspying, locating the attackers' country of origin is rare. China, in particular, is known for having poorly defended servers that outsiders from around the world commandeer as their unwitting launchpads. Now Chinese computers appeared to be the aggressors. If so, the implications for U.S. security are disturbing. 
In recent years, the counterintelligence community has grown increasingly anxious that Chinese spies are poking into all sorts of American technology to compete with the U.S. But tracking virtual enemies presents a different kind of challenge to U.S. spy hunters. Foreign hackers invade a secure network with a flick of a wrist, but if the feds want to track them back and shut them down, they have to go through a cumbersome authorization process that can be as tough as sending covert agents into foreign lands. Adding in extreme sensitivity to anything involving possible Chinese espionage--remember the debacle over alleged Los Alamos spy Wen Ho Lee?--and the fear of igniting an international incident, it's not surprising the U.S. has found it difficult and delicate to crack these cases.

In Washington, officials are tight-lipped about Titan Rain, insisting all details of the case are classified. But high-level officials at three agencies told TIME the penetration is considered serious. A federal law-enforcement official familiar with the investigation says the FBI is "aggressively" pursuing the possibility that the Chinese government is behind the attacks. Yet they all caution that they don't yet know whether the spying is official, a private-sector job or the work of many independent, unrelated hands. The law-enforcement source says China has not been cooperating with U.S. investigations of Titan Rain. China's State Council Information Office, speaking for the government, told TIME the charges about cyberspying and Titan Rain are "totally groundless, irresponsible and unworthy of refute."

Despite the official U.S. silence, several government analysts who protect the networks at military, nuclear-lab and defense-contractor facilities tell TIME that Titan Rain is thought to rank among the most pervasive cyberespionage threats that U.S. computer networks have ever faced.
TIME has obtained documents showing that since 2003, the hackers, eager to access American know-how, have compromised secure networks ranging from the Redstone Arsenal military base to NASA to the World Bank. In one case, the hackers stole flight-planning software from the Army. So far, the files they have vacuumed up are not classified secrets, but many are sensitive and subject to strict export-control laws, which means they are strategically important enough to require U.S. government licenses for foreign use. Beyond worries about the sheer quantity of stolen data, a Department of Defense (DOD) alert obtained by TIME raises the concern that Titan Rain could be a point patrol for more serious assaults that could shut down or even take over a number of U.S. military networks. Although he would not comment on Titan Rain specifically, Pentagon spokesman Bryan Whitman says any attacks on military computers are a concern. "When we have breaches of our networks, it puts lives at stake," he says. "We take it very seriously." As cyberspying metastasizes, frustrated network protectors say that the FBI in particular doesn't have enough top-notch computer gumshoes to track down the foreign rings and that their hands are often tied by the strict rules of engagement. That's where independents--some call them vigilantes--like Carpenter come in. After he made his first discoveries about Titan Rain in March 2004, he began taking the information to unofficial contacts he had in Army intelligence. Federal rules prohibit military-intelligence officers from working with U.S. civilians, however, and by October, the Army passed Carpenter and his late-night operation to the FBI. He says he was a confidential informant for the FBI for the next five months. Reports from his cybersurveillance eventually reached the highest levels of the bureau's counterintelligence division, which says his work was folded into an existing task force on the attacks. 
But his FBI connection didn't help when his employers at Sandia found out what he was doing. They fired him and stripped him of his Q clearance, the Department of Energy equivalent of top-secret clearance. Carpenter's after-hours sleuthing, they said, was an inappropriate use of confidential information he had gathered at his day job. Under U.S. law, it is illegal for Americans to hack into foreign computers. Carpenter is speaking out about his case, he says, not just because he feels personally maligned--although he filed suit in New Mexico last week for defamation and wrongful termination. The FBI has acknowledged working with him: evidence collected by TIME shows that FBI agents repeatedly assured him he was providing important information to them. Less clear is whether he was sleuthing with the tacit consent of the government or operating as a rogue hacker. At the same time, the bureau was also investigating his actions before ultimately deciding not to prosecute him. The FBI would not tell TIME exactly what, if anything, it thought Carpenter had done wrong. Federal cyberintelligence agents use information from freelance sources like Carpenter at times but are also extremely leery about doing so, afraid that the independent trackers may jeopardize investigations by trailing foes too noisily or, even worse, may be bad guys themselves. When Carpenter deputized himself to delve into the Titan Rain group, he put his career in jeopardy. But he remains defiant, saying he's a whistle-blower whose case demonstrates the need for reforms that would enable the U.S. to respond more effectively and forcefully against the gathering storm of cyberthreats. A TIME investigation into the case reveals how the Titan Rain attacks were uncovered, why they are considered a significant threat now under investigation by the Pentagon, the FBI and the Department of Homeland Security and why the U.S. government has yet to stop them. Carpenter thought he was making progress. 
When he uncovered the Titan Rain routers in Guangdong, he carefully installed a homemade bugging code in the primary router's software. It sent him an e-mail alert at an anonymous Yahoo! account every time the gang made a move on the Net. Within two weeks, his Yahoo! account was filled with almost 23,000 messages, one for each connection the Titan Rain router made in its quest for files. He estimates there were six to 10 workstations behind each of the three routers, staffed around the clock. The gang stashed its stolen files in zombie servers in South Korea, for example, before sending them back to Guangdong. In one, Carpenter found a stockpile of aerospace documents with hundreds of detailed schematics about propulsion systems, solar paneling and fuel tanks for the Mars Reconnaissance Orbiter, the NASA probe launched in August. On the night he woke at 2, Carpenter copied a huge collection of files that had been stolen from Redstone Arsenal, home to the Army Aviation and Missile Command. The attackers had grabbed specs for the aviation-mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force. Even if official Washington is not certain, Carpenter and other network-security analysts believe that the attacks are Chinese government spying. "It's a hard thing to prove," says a network-intrusion-detection analyst at a major U.S. defense contractor who has been studying Titan Rain since 2003, "but this has been going on so long and it's so well organized that the whole thing is state sponsored, I think." When it comes to advancing their military by stealing data, "the Chinese are more aggressive" than anyone else, David Szady, head of the FBI's counterintelligence unit, told TIME earlier this year. "If they can steal it and do it in five years, why [take longer] to develop it?" Within the U.S. military, Titan Rain is raising alarms. 
A November 2003 government alert obtained by TIME details what a source close to the investigation says was an early indication of Titan Rain's ability to cause widespread havoc. Hundreds of Defense Department computer systems had been penetrated by an insidious program known as a "trojan," the alert warned. "These compromises ... allow an unknown adversary not only control over the DOD hosts, but also the capability to use the DOD hosts in malicious activity. The potential also exists for the perpetrator to potentially shut down each host."

The attacks were also stinging allies, including Britain, Canada, Australia and New Zealand, where an unprecedented string of public alerts issued in June 2005, two U.S. network-intrusion analysts tell TIME, also referred to Titan Rain-related activity. "These electronic attacks have been under way for a significant period of time, with a recent increase in sophistication," warned Britain's National Infrastructure Security Co-Ordination Center.

Titan Rain presents a severe test for the patchwork of agencies digging into the problem. Both the cybercrime and counterintelligence divisions of the FBI are investigating, the law-enforcement source tells TIME. But while the FBI has a solid track record cajoling foreign governments into cooperating in catching garden-variety hackers, the source says that China is not cooperating with the U.S. on Titan Rain. The FBI would need high-level diplomatic and Department of Justice authorization to do what Carpenter did in sneaking into foreign computers. The military would have more flexibility in hacking back against the Chinese, says a former high-ranking Administration official, under a protocol called "preparation of the battlefield." But if any U.S. agency got caught, it could spark an international incident. That's why Carpenter felt he could be useful to the FBI.
Frustrated in gathering cyberinfo, some agencies have in the past turned a blind eye to free-lancers--or even encouraged them--to do the job. After he hooked up with the FBI, Carpenter was assured by the agents assigned to him that he had done important and justified work in tracking Titan Rain attackers. Within a couple of weeks, FBI agents asked him to stop sleuthing while they got more authorization, but they still showered him with praise over the next four months as he fed them technical analyses of what he had found earlier. "This could very well impact national security at the highest levels," Albuquerque field agent Christine Paz told him during one of their many information-gathering sessions in Carpenter's home. His other main FBI contact, special agent David Raymond, chimed in: "You're very important to us," Raymond said. "I've got eight open cases throughout the United States that your information is going to. And that's a lot." And in a letter obtained by TIME, the FBI's Szady responded to a Senate investigator's inquiry about Carpenter, saying, "The [FBI] is aggressively pursuing the investigative leads provided by Mr. Carpenter." Given such assurances, Carpenter was surprised when, in March 2005, his FBI handlers stopped communicating with him altogether. Now the federal law-enforcement source tells TIME that the bureau was actually investigating Carpenter while it was working with him. Agents are supposed to check out their informants, and intruding into foreign computers is illegal, regardless of intent. But two sources familiar with Carpenter's story say there is a gray area in cybersecurity, and Carpenter apparently felt he had been unofficially encouraged by the military and, at least initially, by the FBI. Although the U.S. Attorney declined to pursue charges against him, Carpenter feels betrayed. "It's just ridiculous. I was tracking real bad guys," he says. 
"But they are so afraid of taking risks that they wasted all this time investigating me instead of going after Titan Rain." Worse, he adds, they never asked for the passwords and other tools that could enable them to pick up the investigative trail at the Guangdong router. Carpenter was even more dismayed to find that his work with the FBI had got him in trouble at Sandia. He says that when he first started tracking Titan Rain to chase down Sandia's attackers, he told his superiors that he thought he should share his findings with the Army, since it had been repeatedly hit by Titan Rain as well. A March 2004 Sandia memo that Carpenter gave TIME shows that he and his colleagues had been told to think like "World Class Hackers" and to retrieve tools that other attackers had used against Sandia. That's why Carpenter did not expect the answer he claims he got from his bosses in response to Titan Rain: Not only should he not be trailing Titan Rain but he was also expressly forbidden to share what he had learned with anyone. As a Navy veteran whose wife is a major in the Army Reserve, Carpenter felt he could not accept that injunction. After several weeks of angry meetings--including one in which Carpenter says Sandia counterintelligence chief Bruce Held fumed that Carpenter should have been "decapitated" or "at least left my office bloody" for having disobeyed his bosses--he was fired. Citing Carpenter's civil lawsuit, Sandia was reluctant to discuss specifics but responded to TIME with a statement: "Sandia does its work in the national interest lawfully. When people step beyond clear boundaries in a national security setting, there are consequences." Carpenter says he has honored the FBI's request to stop following the attackers. But he can't get Titan Rain out of his mind. Although he was recently hired as a network-security analyst for another federal contractor and his security clearance has been restored, "I'm not sleeping well," he says. 
"I know the Titan Rain group is out there working, now more than ever." --With reporting by Matthew Forney/Beijing and Brian Bennett, Timothy J. Burger and Elaine Shannon/Washington Copyright ? 2005 Time Inc. All rights reserved. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Mon Aug 29 14:04:21 2005 From: isn at c4i.org (InfoSec News) Date: Mon Aug 29 14:39:43 2005 Subject: [ISN] LANL computers weather daily cyber assaults Message-ID: http://www.lamonitor.com/articles/2005/08/25/headline_news/news03.txt ROGER SNODGRASS roger at lamonitor.com Monitor Assistant Editor August 26, 2005 On a $15 million a year budget, Los Alamos National Laboratory is waging a daily battle against a barrage of threats to its computer network. Alexander D. Kent, deputy group leader for the lab's network engineering group, said 25,000 computers processing about 850 gigabytes of data in 20 million legitimate sessions a day are facing a growing risk. A graph of Internet sessions between May and mid-August this year shows at least five million "malicious" sessions on slow days and 10-15 million during peaks. On weekends, when LANL activity slows, 90 percent or more of the computer activity appears to be malicious. Malicious activity could mean anything from a sophisticated hacker or terrorist or a foreign intelligence operative to unsophisticated pranksters and adolescent mischief. The lab protects itself with network firewalls for its public network and "air gaps" - compartmentalization - for its classified net. Passwords are cryptographically generated for one-time use. 
Cyber-defenders employ a "defense in depth" bulwark that includes educating each individual user, detecting and preventing intrusion, patching software quickly and setting unexpected traps and alarms, among many other techniques. An around-the-clock response team and close coordination with law enforcement and counter-intelligence organizations are also important parts of the job. Kent briefed members of the legislature Wednesday in a joint hearing of the Information Technology Oversight and LANL Oversight committees at Fuller Lodge. Rep. William Payne, R-Bernalillo, said he thought there was too much defense and not enough offense. "It would seem to me that some simple changes in federal laws could be made that would allow you to have an offense," he said. He suggested return messages that would place a small American flag on the offender's monitor with the message, 'You've been placed on the FBI website,' or a reverse worm that would destroy the hacker's computer. Rep. Janice E. Arnold-Jones, R-Bernalillo, compared the problem to the identity-theft epidemic and called for leveling the playing field. "They have to be right once; we have to be right all the time." she said. "If we catch a hacker, our laws have no teeth." The character of ordinary perpetrators is also changing, Kent told the state legislators. Five years ago, hackers were out to make a name for themselves. Now people are in it for the money "It's probably going to get worse before it gets better," Kent said. He compared the stunning advances in computer networking to the invention of the printing press. But, he added, the printing press not only powered a communication revolution, it also enabled forgeries. The problem is widespread and growing. The President's Information Technology Advisory Committee said in a report last year that information technology in the U.S. is "highly vulnerable" to attacks. 
"The data show that the total number of attacks - including viruses, worms, cyber fraud and insider attacks in corporations - is rising by over 20 percent annually, with many types of attacks doubling," the committee wrote. The study said more than 10 percent of PCs were infected by viruses monthly in 2003 and 92 percent of organizations reported virus disasters that year. A Government Accounting Office report released in May said government officials are increasingly concerned about computer attacks, which may rise to level of "acts of war." In a speech in Washington, D.C., on Aug. 9, FBI Director Robert Mueller put the issue in an international context: * In Australia, a two-way radio hacked into a sewage system computer system that released more than 250 million tons of raw sewage onto the grounds of a luxury resort hotel. * Hackers seized a gas pipeline in Russia for an entire day by infiltrating electronic control systems. * A Slammer worm computer virus blocked a nuclear power plant's computer network in Ohio, disrupting safety systems for more than five hours. Mueller said cybersecurity is hampered by organizations' refusal to acknowledge problems and work together. "Maintaining a code of silence will not benefit you or your company in the long run," he said. From isn at c4i.org Mon Aug 29 14:05:29 2005 From: isn at c4i.org (InfoSec News) Date: Mon Aug 29 14:40:29 2005 Subject: [ISN] States face difficulties keeping up with cyberthreats Message-ID: http://www.freep.com/news/statewire/sw120363_20050825.htm August 25, 2005 LANSING, Mich. (AP) -- Obtaining a driver's license got a lot tougher recently when a cyberworm hit government computers in Massachusetts, forcing customers to wait until technicians got infected computers running again. The Zotob virus and its variations also attacked businesses such as automaker DaimlerChrysler AG, idling up to 50,000 workers at 13 plants, and media companies such as CNN, ABC and The Associated Press. 
The scramble in Massachusetts, Michigan, Kansas and elsewhere to fend off the virus shows the vulnerability of states to potential shutdowns in service now that they offer everything from hunting licenses to physician discipline reports on the Internet and keep millions of computerized tax, voter registration and driving records. Most states, including Michigan, suffered little damage from the attack. But risks remain. Compounding the problem is the relatively little that states spend to protect those systems from hackers and other threats. James Krouse, manager of state and local analysis for the information technology research firm INPUT in Reston, Va., estimates states spend about $1.9 billion a year on such security, about 4 percent of their IT budgets. The federal government spends about 7 percent. The private sector does even better, spending nearly 9 percent of its $700 billion-plus IT budgets on security, according to Natalie Lambert, security analyst with Forrester Research in Cambridge, Mass. That ranges from a low of just over 7 percent in retail and wholesale trade to a high of more than 10 percent in business services. Chris Dixon, issues coordinator for the National Association of State Chief Information Officers, says some states spend as little as 1 percent of their IT budgets on security. State IT directors often find security needs aren't considered as critical as taking care of the poor or paying for schools when budgets are approved. He noted, though, that most states are beginning to see the need to spend more. "Cybersecurity is just now getting the attention it's due," Dixon said. Ann Garrett, North Carolina's chief information security officer, said protecting data is critical because states hold so much confidential information. 
To find their way into a state's computer database, all people have to do is register a boat or motor vehicle, receive an unemployment or welfare check, apply for an occupational license, pay state taxes, get state-paid health benefits or buy a fishing license, among many other avenues. "I take very seriously that we as the government force people to give up information," Garrett said. "We've got to take that responsibility to guard it seriously." Michigan, which controls 55,000 desktop computers and 2,300 servers, fends off nearly 22,000 attempted e-mail virus attacks each day, as well as 35,000 tries to break into state computers and 4,000 attempts to deface government Web sites. The state blocks about half the 4.8 million e-mails that arrive each month to keep out spam. As the winner of the National Association of State Chief Information Officers' top security award for the past two years, Michigan is considered a leader among states fighting to protect sensitive information and educate tens of thousands of state employees about the dangers of viruses and spyware. But Dan Lohrmann, Michigan's chief information security officer and a former National Security Agency network systems analyst, said getting the money to protect state computer systems and data isn't easy. Ask most citizens if they'd prefer states to spend money in already tight budgets on schools and roads or computer security, and the latter generally will lose out, Lohrmann said. "It's just tough at a time of budget cuts," he said. Tom Jarrett, NASCIO president and chief information officer for the state of Delaware, told a U.S. Senate subcommittee last month that not having enough protection can lead to disaster. "New threats appear almost daily and they can, in a matter of seconds, render services we've all come to depend upon, like e-mail and Web browsing, completely unusable," Jarrett told the subcommittee. 
"In the worst case scenario, without proper protection and due diligence, an attack could potentially cripple or completely shut down an entire state government." Lohrmann has been able to use federal homeland security money to beef up protection for Michigan's computer system. The money has helped buy backup generators to run computers if a blackout hits and to put protections in place the state otherwise couldn't afford. "A big part of this becomes how do you protect your data centers," he said. Larry Kettlewell, Kansas' chief information security officer, said states are growing increasingly sophisticated about handling threats to their computer systems. But he agrees most state CISOs would like to have more money to deal with the rising barrage of worms and viruses. "Until a whole network gets taken down for a week, 10 days ... it's not going to make a difference," Kettlewell said. "That's when people will wake up." -=- On the Net: National Association of State Chief Information Officers: http://www.nascio.org From isn at c4i.org Tue Aug 30 02:31:52 2005 From: isn at c4i.org (InfoSec News) Date: Tue Aug 30 02:48:46 2005 Subject: [ISN] ITL Bulletin for August 2005 Message-ID: Forwarded from: Elizabeth Lennon ITL BULLETIN FOR AUGUST 2005 IMPLEMENTATION OF FIPS 201, PERSONAL IDENTITY VERIFICATION (PIV) OF FEDERAL EMPLOYEES AND CONTRACTORS Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Technology Administration U.S. Department of Commerce The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) has several efforts underway to help federal agencies implement Federal Information Processing Standard (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors. 
The standard, which was approved by the Secretary of Commerce in February 2005, supports improved security for the forms of identification that are used to gain access to government facilities and information. Citing the need for better quality and security of the processes for identifying individuals, Homeland Security Presidential Directive (HSPD) 12, issued in August 2004, called for the development of a mandatory, government-wide standard for secure and reliable forms of identification for government employees and contractors. FIPS 201 specifies technical and operational requirements for interoperable PIV systems that issue PIV cards as identification credentials and that use the cards to authenticate an individual?s identity. Authentication of an individual?s identity is an essential component of secure access control to facilities and to information systems. NIST recently developed supplementary guidelines and recommendations that support agencies in implementing the technical and administrative requirements of FIPS 201. Some of these publications are available in final form, and some are currently available as draft documents that will be finalized in the near future. To help agencies acquire PIV systems that correctly implement FIPS 201, NIST has started a conformance testing program for the standard. Requirements for PIV Accreditation In implementing FIPS 201, agencies must assure that the PIV cards which are issued are secure and reliable means of identification, and that the cards have been issued only by providers whose reliability has been established by an official accreditation process. This requirement for an accreditation process was included in HSPD 12, Policy for a Common Identification Standard for Federal Employees and Contractors. HSPD 12 affirmed the government?s requirements for a common government-wide identification system to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy. 
The directive stated that secure and reliable forms of identification should be: * Based on sound criteria for verifying an individual's identity; * Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; * Rapidly authenticated electronically; and * Issued only by providers whose reliability has been established by an official accreditation process. NIST developed Special Publication (SP) 800-79, Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations, by Dennis Branstad, Alicia Clay, and Joan Hash, to help agencies that are preparing to issue PIV cards. The guidelines describe how to conduct processes for assuring the reliability of the PIV card issuer (PCI). The PCI may be a federal organization or a contractor that works under the direction and authorization of a federal organization. The PCI must be authorized by the head of an agency or department to perform the services specified in FIPS 201 for identity proofing, for enrolling approved applicants in the PIV system, and for issuing PIV cards. Applicants for these cards may be employees, future employees, contractors, and guests. Each agency is expected to authorize at least one PCI, but agencies may wish to cooperatively establish a joint PCI. Large, dispersed organizations may establish several PCIs to provide needed services in the various geographic areas that are served. To assure the reliability of the PCI, NIST recommends that agencies use certification and accreditation processes that have been employed to assess the security of information systems. 
These recommended processes have been detailed in NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, by Ron Ross, Marianne Swanson, Gary Stoneburner, Stu Katzke, and Arnold Johnson, and in NIST SP 800-53, Recommended Security Controls for Federal Information Systems, by Ron Ross, Stu Katzke, Arnold Johnson, Marianne Swanson, Gary Stoneburner, George Rogers, and Annabelle Lee. The certification and accreditation processes defined in NIST SP 800-37 and in NIST SP 800-53 should be used to accredit the information systems that are used by the PCI. In addition, NIST SP 800-79 outlines the processes that establish the reliability of the PCI to provide the needed PIV services. NIST SP 800-79 and the other special publications mentioned in this bulletin are available on NIST's web pages: http://csrc.nist.gov/publications/nistpubs/index.html Links to information about the PIV program, including the standard, supporting documents, answers to frequently asked questions, and contact information are also available on NIST web pages: http://csrc.nist.gov/piv-program/index.html Certification and Accreditation Processes NIST SP 800-79 describes the fundamentals of PCI certification and accreditation, including the roles and responsibilities of the key participants of the PCI and the agency that it supports, the types of accreditation decisions that can be made, and requirements for supporting documentation. The required and desired attributes of the PCI are explained, and methods are suggested for assessing the presence of the attributes. The major functions, services, and operations of PCIs are discussed. The appendices include a comprehensive list of references, a list of definitions, acronyms, summaries of tasks and subtasks to be carried out in the certification and accreditation processes, and sample accreditation transmittal and decision documents. 
Agencies need complete, accurate, and trustworthy information about their PCI in order to make informed decisions about whether to accredit the PCI. Certification is the formal process for assessing the attributes of the PCI to verify that the PCI is reliable and capable of enrolling approved applicants and issuing PIV cards. Attributes include organization structure, policies, capabilities, facilities, and availability, and methods of assessment including interviews, document reviews, laboratory test results, procedure evaluations, and component validation reports. Accreditation of a PCI is the official management decision of a Designated Accreditation Authority (DAA) to authorize operation of a PCI after that official determines that the reliability of the PCI has been satisfactorily established through appropriate assessment and certification processes. The recommended certification and accreditation processes are conducted in four phases: In the Initiation Phase, responsible agency officials prepare for certification and accreditation by reviewing the PCI's operations plan and confirming that the plan is consistent with FIPS 201, and that the provided services and operations comply with the standard. The resources needed for certification and accreditation are identified, and a schedule and milestones are established. The operations plan is analyzed and accepted. In the Certification Phase, the agency officials determine whether services and specifications required by FIPS 201 are provided and whether they are implemented correctly and as intended. The officials also determine if the requirements of the agency are being met by the PCI. Needed actions are identified to correct any deficiencies that are noted in the operations of the PCI in order to minimize risks and mitigate vulnerabilities. When this phase is successfully completed, the DAA should have the information that is needed to recommend an appropriate accreditation decision. 
In the Accreditation Phase, the DAA makes the decision whether to accredit the PCI and completes the accreditation documentation. After accreditation, the PCI is authorized to conduct the PCI services defined in its operations plan, or to conduct the PCI services on an interim basis under specific terms and conditions. Accreditation of the PCI could also be denied. In the Monitoring Phase, agency officials oversee and monitor the operations of the PCI, and notify the DAA if there are changes that affect the reliability of the PIV systems or its components. The certification and accreditation processes should be conducted at least every three years. Implementation of Technical Requirements FIPS 201 incorporates three technical publications that specify interface and other technical requirements. NIST SP 800-73, Interfaces for Personal Identity Verification, by James F. Dray, Scott B. Guthery, and Teresa Schwarzhoff, specifies interface requirements for retrieving and using identity credentials from the PIV card. It specifies the PIV data model, card interface requirements, and the Application Programming Interface. It designates requirements when the standards that are applied include options and branches. The goal is to assure that client application programs, compliant card applications, and compliant integrated circuit cards can be used interchangeably throughout federal agencies. Two specifications are included in NIST SP 800-73. One is a transitional card specification that is derived from the Government Smart Card Interoperability Specification, which agencies with existing identity card systems may continue to use as an optional and intermediate step toward the government-wide uniformity and interoperability specifications. These interoperability specifications, designated as Part 2 card specifications in FIPS 201, are to be used by agencies that do not have an existing PIV system. 
The Part 2 specifications also may be used by those agencies that wish to make the transition to uniformity and interoperability specifications now. Part 2 provides details for the many components and processes that will support a smart-card-based platform, including the PIV card, and the card and biometric readers. The specifications for PIV components support interoperability between components in systems and enable the systems of different departments and agencies to work together. Draft NIST SP 800-76, Biometric Data Specification for Personal Identity Verification, by Charles Wilson, Patrick Grother, and Ramaswamy Chandramouli, helps federal agencies and implementers of PIV systems to apply the technical specifications for biometric data that are included in FIPS 201. This publication provides requirements for capturing and formatting fingerprint and facial images information. It is based on voluntary industry standards, and provides the proper selection when there are options in the standards that would interfere with interoperability if implemented in different ways. The goal is to ease implementation, facilitate interoperability, and assure the performance of PIV systems. SP 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, by W. Timothy Polk, Donna F. Dodson, and William E. Burr, provides the technical specifications for the mandatory and optional cryptographic keys specified in FIPS 201. These specifications support the PIV card, the infrastructure components that manage the issuance and management of the PIV card, and applications that rely on credentials used by the PIV card to provide security services. The publication identifies symmetric and asymmetric encryption algorithms, digital signature algorithms, and message digest algorithms. Mechanisms are provided to identify the algorithms associated with PIV cards or digital signatures. 
Other NIST Special Publications that support the implementation of the technical requirements of FIPS 201 include: Draft NIST SP 800-85, PIV Middleware and PIV Card Application Conformance Test Guidelines, by Ramaswamy Chandramouli, Levent Eyuboglu, and Ketan Mehta, provides test plans, processes, and a test suite that can be used to verify the conformance of PIV components to the specifications contained in NIST SP 800-73. The conformance tests for the interoperability of PIV middleware and PIV card applications were developed to meet the overall interoperability goals of FIPS 201. Draft NIST SP 800-87, Codes for the Identification of Federal and Federally Assisted Organizations, by William C. Barker and Hildegard Ferraiolo, provides the organizational codes that are necessary to establish the Federal Agency Smart Credential Number (FASC-N). This number is included in the Card Holder-Unique Identifier (CHUID), one of the specified requirements in FIPS 201. The CHUID identifies the individual within the PIV system. Designation of NIST Personal Identity Verification Program (NPIVP) Test Facilities Conformance tests are important to the correct implementation of FIPS 201. Since August 8, 2005, NIST has designated five organizations as interim NIST Personal Identity Verification Program (NPIVP) test facilities. The designated organizations include COACT, Inc. CAF? Laboratory, InfoGard Laboratories, Inc., DOMUS IT Security Laboratory, BKP Security Labs, and BT Cryptographic Module Testing Laboratory. These organizations may employ NIST-provided test suites to validate PIV components, subsystems, and integrated systems as required by FIPS 201 to meet the NPIVP requirements. Additional information regarding the laboratories is available at http://csrc.nist.gov/cryptval/. NIST expects to add other facilities to the list of NPIVP test facilities in the near future. 
During the next year, the designated laboratories will be assessed by NIST?s National Voluntary Laboratory Accreditation Program (NVLAP) for accreditation for PIV testing. Once NVLAP accreditation is achieved, the "Interim" designation will be removed. Testing under the NPIVP will begin with a limited scope of tests based on FIPS 201, but the scope of tests will be increased as the testing program moves forward. Other Government Activities Supporting the Implementation of FIPS 201 In August, the Office of Management and Budget issued a Memorandum for the Heads of All Agencies and Departments (M-05-24), detailing the steps that should be taken to implement FIPS 201 and HSPD 12. The memorandum is available from the NIST web page http://csrc.nist.gov/piv-program/index.html. Some of the requirements include: * Agencies and departments must adopt and accredit a registration process consistent with identify proofing, registration, and accreditation requirements of FIPS 201 for all new employees, contractors, and other applicable individuals. This process applying to the new identity credentials issued must be established by October 27, 2005. Background investigations, conducted as the National Agency Check with Written Inquiries (NACI), should be initiated before the issuance of credentials. All new contracts involving contractor access to federal facilities and information must include requirements for the application of FIPS 201 to contractor personnel. * For all current employees, contractors, and other applicable individuals, agencies and departments must develop a plan and start the required background investigations. These activities also should be established by October 27, 2005. * By October 27, 2006, agencies and department must begin deploying products and operational systems that are compliant with Parts 1 and 2 of FIPS 201 for all new employees and contractors. 
For current employees, agencies and departments must phase in the issuance and use of identity credentials that meet the standard by October 27, 2007. Agencies and departments also must implement the technical requirements of the standard in the areas of personal authentication, access controls, and card management. Card authentication mechanisms described in the standard should be used, and at least one digital certificate should be used on the identity credential for access control. * The General Services Administration will develop acquisition services to enable agencies and departments to acquire products and services that are interoperable to help agencies that are preparing to issue PIV cards, and compliant with FIPS 201. Future Needs The efforts of agencies and department to implement FIPS 201 will help to improve the security of federal facilities and information systems, and will strengthen the trust in the credentials issued by all federal organizations to their employees and contractors. To enable continued effective implementation of the standard, NIST has identified other needed guidelines, reference implementations, and conformance tests: * Additional guidance on implementing and using the PIV system; * Methods for protecting the personal privacy of all subscribers of the PIV system; * Methods for authenticating identity source documents to obtain the correct legal name of the person applying for a PIV card; * Techniques for electronically obtaining and storing required biometric data such as fingerprints and facial images from the PIV system subscriber; * Techniques for creating a PIV card that is personalized with data needed by the PIV system to later grant access to the subscriber to federal facilities and information systems; * Ways to assure appropriate levels of security for all applicable federal applications; and * Methods to provide for interoperability among federal organizations using the standard. 
Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

From isn at c4i.org Tue Aug 30 02:33:48 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 30 02:49:05 2005
Subject: [ISN] Revised CICA 5900 standards and CICA 5310 (services organizations) set for approval on January 1st, 2006
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

The tentative date for approval of amendments to the Canadian Institute of Chartered Accountants (CICA) audit standards CICA 5900 is now January 1st, 2006. Amendments to standards CICA 5900 and CICA 5310 will bring Canadian auditing standards up to par with the Sarbanes Oxley Act (SOX) and the revised Canadian Securities Act - bill 198.

Summary of proposed changes include:

a. Section 5970, Audit Reports on Controls at a Service Organization, which replaces Section 5900; and
b. Section 5310, Audit Evidence Considerations when an Entity uses a Service Organization, which revises the requirements of Section 5310.

Will organizations be ready? Many Canadian businesses have already made changes to comply with SAS No. 70 and SOX due to our interwoven economies. However, some businesses always wait until the last minute, so it is likely that there will be many projects initiated from new budgets in January 2006.

======beginning of excerpt =========

http://www.cica.ca/index.cfm/ci_id/19365/la_id/1.htm

Status: Final Handbook Sections approved. Assurance and Related Services Guideline approved subject to written ballot. Effective date for the standards and guideline is January 1, 2006.
Objectives of this Project

This project will update and expand auditing and assurance standards and guidance for engagements to provide assurance on controls at a service organization, and for the use of assurance reports as evidence, in a financial statement audit as well as in assurance engagements to report on internal control over financial reporting. This project will respond to the need for updated standards in light of the increased use of outsourcing and the increased scrutiny of internal control by securities regulators and other stakeholders. At the same time, it will ensure that Canadian standards for auditor-to-auditor communications for service organizations engagements are harmonized with equivalent US standards.

Scope

It is not currently possible to satisfy the needs of all stakeholders with either a SAS 70 or a Section 5900 report alone. Nor is it desirable to simply combine elements of SAS 70 with Section 5900. The project will therefore result in the issuance of a new standard harmonized with US Statement on Auditing Standards No. 70, Service Organizations (SAS 70), and with updated Handbook Sections 5900, Opinions on Control Procedures at a Service Organization, and 5310, Audit Evidence Considerations when an Enterprise uses a Service Organization. Specifically, the project will do the following:

a. Harmonize with SAS 70 for the immediate specific regulatory issues related to the Sarbanes-Oxley Act of 2002 (Sarbanes) and the proposed Ontario Securities Commission (OSC) Investor Confidence Rules, and for auditor-to-auditor communications in financial statement audits. This standard will also consider the need for additional guidance to reflect environmental changes (e.g., privacy legislation, and the issuance of the US Public Company Accounting Oversight Board's (PCAOB) Exposure Draft, Reporting on Internal Control Over Financial Reporting in Conjunction with an Audit of Financial Statements) since the issuance of SAS 70. The project will also undertake revisions to Section 5310, Audit Evidence Considerations When an Entity Uses a Service Organization, to harmonize with SAS 70 material.
b. Consider the need for additional guidance to reflect environmental changes (e.g., privacy legislation, and the issuance of the PCAOB's Exposure Draft, Reporting on Internal Control over Financial Reporting in Conjunction with an Audit of Financial Statements) since the issuance of SAS 70.
c. Undertake revisions to Section 5310 to harmonize with SAS 70 material for financial statement audits.
d. Update Section 5900 for other uses of service auditor reports to reflect Section 5025, Standards for Assurance Engagements, and conform terminology with Section 5025, SAS 70 and the proposed audit risk framework.

====== end of excerpt ============

Best regards,
Mark.

Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,
e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444

Leadership Quotes by Warren Bennis:
"The manager asks how and when; the leader asks what and why?"

From isn at c4i.org Tue Aug 30 02:34:00 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 30 02:49:25 2005
Subject: [ISN] Reports: Long Registry Names Could Hide Malware
Message-ID:

http://www.eweek.com/article2/0,1895,1853561,00.asp

By Larry Seltzer
August 29, 2005

Reports on the Full-Disclosure research list and by the SANS Internet Storm Center indicate a common bug in software that interacts with the Windows registry. The bug could allow malicious programs to hide values there, obscuring evidence of their presence on the system.

The problem involves registry values with names between 256 and 260 characters long, although there may be additional problems with names at the outer limits of length restrictions for Microsoft's and other registry editors.
As the Full-Disclosure report [1] indicates, the existence of such a key can hide not only its own presence, but also other values in the same key. The Full-Disclosure report demonstrated the effect in the Microsoft Registry editing program that comes with Windows. Further research by the Internet Storm Center [2] indicated several other programs, including security-related programs, are similarly incapable of seeing or modifying these values.

The main security concern relates to the "Run" keys, which are specific keys that contain the names and locations of programs that Windows should load at boot- and login-time. By using a value name greater than 256 characters, a malicious program could possibly hide its presence from security software, which usually checks these keys for malicious use.

The use of such a key could not stop the security software from scanning the file system and finding the programs being loaded through these registry keys, and it could not stop intrusion prevention and other behavior-monitoring software from taking note of the fact that a value was being written to the Run keys, an action that usually raises red flags.

The Internet Storm Center notes many programs that cannot read the keys, including Lavasoft's Ad-Aware (no version specified), the Microsoft AntiSpyware Beta and WinDoctor v. 7.00.22. Other tools, including other versions of Microsoft registry tools, behave appropriately.

The Internet Storm Center page also includes links to a free tool that searches a computer's registry for value names that could cause the problem noted in the reports.
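A defender-side check for the condition the article describes, added here as an example rather than code from the article or from the ISC tool it links: a PowerShell script that enumerates the autorun ("Run" and "RunOnce") keys through the .NET registry classes, which size their name buffer from the key's own maximum value-name length instead of assuming a 260-character limit, and reports any value whose name is 256 characters or longer. The key list, the 256-character threshold and the 32/64-bit view loop are assumptions of this example.

```powershell
# Added example (not from the eWeek article or the ISC tool it links).
# Reports autorun registry values whose names are long enough to be hidden
# from tools that enumerate with a fixed 260-character name buffer.
# RegistryKey.GetValueNames() in .NET sizes its buffer from the registry's
# maximum value-name length (16383 chars), so it does return such names.
param([int]$MinLength = 256)   # threshold assumed from the article's "256 to 260"

# Autorun keys the article calls the main concern. Constructed list; extend as needed.
$autorunPaths = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$hives = @([Microsoft.Win32.RegistryHive]::LocalMachine,
           [Microsoft.Win32.RegistryHive]::CurrentUser)
# Inspect both views so 32-bit (Wow6432Node) entries on 64-bit Windows are covered;
# on 32-bit Windows the Registry64 view is simply ignored.
$views = @([Microsoft.Win32.RegistryView]::Registry64,
           [Microsoft.Win32.RegistryView]::Registry32)

function Find-LongValueNames {
    param([int]$Threshold)
    foreach ($hive in $hives) {
        foreach ($view in $views) {
            $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
            try {
                foreach ($path in $autorunPaths) {
                    $key = $base.OpenSubKey($path, $false)   # read-only; $null if absent
                    if ($null -eq $key) { continue }
                    try {
                        foreach ($name in $key.GetValueNames()) {
                            if ($name.Length -ge $Threshold) {
                                # Emit one record per suspicious value for manual review.
                                [pscustomobject]@{
                                    Hive       = $hive
                                    View       = $view
                                    Key        = $path
                                    NameLength = $name.Length
                                    NamePrefix = $name.Substring(0, 32) + '...'
                                    Data       = $key.GetValue($name)
                                }
                            }
                        }
                    } finally { $key.Dispose() }
                }
            } finally { $base.Dispose() }
        }
    }
}

$hits = @(Find-LongValueNames -Threshold $MinLength)
if ($hits.Count -eq 0) {
    "No autorun value names of $MinLength or more characters found."
} else {
    # A legitimate autorun entry rarely needs a name this long; each hit merits a look.
    $hits | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM keys are readable in both views; the Data column shows what would be launched, which is what a reviewer wants to correlate with the file-system scan the article says still works.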
[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036448.html
[2] http://isc.sans.org/diary.php?date=2005-08-25

From isn at c4i.org Tue Aug 30 02:34:14 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 30 02:49:44 2005
Subject: [ISN] IT draft law deletes "hacking" in India
Message-ID:

http://www.indianexpress.com/full_story.php?content_id=77204

ENS ECONOMIC BUREAU
August 30, 2005

NEW DELHI: The Expert Committee on Cyber Law set up to amend the Information Technology (IT) Act has deleted "hacking" from its list of offences. In what IT and legal experts say seems to be a knee-jerk reaction to the recent spate of MMS porn and BPO-hacking cases, the committee has installed video-porn and child porn as two separate entities, both with higher punishments.

In fact, the committee has suggested that apart from digital signatures, electronic signatures should be accepted, which will help identify the correct person sending an e-mail or other electronic documents. The committee has also proposed making encryption standards technology-neutral, meaning that no single standard needs to be used by all Indians.

"But where is the data protection law? The Committee has diluted punishments, deleted the very word "hacking" from the IT Act and given the government sweeping powers to intercept cyber networks," says IT lawyer Pavan Duggal. This, when the PM had expressly stated after the Karan Bahree expose, that a new IT law must be framed to give BPOs an international-standard data protection law.

For instance, take Section 66. In its new form, it deletes the words "hacker" and "hacking," making it impossible for an ordinary citizen to file a hacking complaint. It also installs a one to two-year sentence and Rs 5 lakh fine for breaking into a computer network, instead of the present Rs 3 lakh year sentence and Rs 2 lakh fine.
"By reducing the punishment, though the fine has increased, the government is sending the signal: "Please go ahead and hack"," says Duggal. Similarly, under Section 67, which deals with punishment for obscenity in electronic form, the new proposal has halved fines while keeping prison terms constant.

But from here on, the flavour of the proposed amendments turns distinctly Orwellian. Under Section 43, the Committee has inserted a fresh requirement to prove that someone accused under the IT Act is guilty: His action must be proved as "dishonest and fraudulent" as well.

Besides, Section 66, which relates to computer-related offences, has now been revised to fall in line with Section 43, which deals with penalty for damage to a computer resource. Here, new terms such as "negligence," "dishonest" and "fraudulent" have been introduced, which has the lawyers in a tizzy.

"These words will make the task of punishing people like Karan Bahree even more difficult. If it is proved that I introduced a harmful virus into a network, I should be punishable by law. Why should anyone have to prove that I was "dishonest" and "fraudulent" as well... The offence speaks for itself," explains Duggal. "If your e-mail account is hacked, only your e-mail service provider will be able to file a case for redressal. An ordinary citizen will be rendered remediless," he adds.

The recommendations defend the changes: "Sometimes because of lack of knowledge or for curiosity, new learners... unintentionally or without knowing... do certain undesirable act on the Net. ..it need(s) to be ensured that new users do not get scared away because of publicity of computer related offences. Section 43 acts as a reassuring Section to a common Netizen (sic)."

However, the Committee does come down hard on pornography. Taking pictures of an individual without his knowledge and transmitting them without consent is to be considered a violation of privacy. Changes are also proposed in electronic-obscenity provisions to bring them in line with the Indian Penal Code, and two new sections will address child pornography and video voyeurism, and recommendations have been made for higher punishment.

CTRL+ALT+DELETE: PROPOSED CHANGES

* Section 66: Earlier dealt with hacking, now with computer-related offences.
* Section 67: Obscenity in electronic form. Revised to bring in line with IPC. Fines increased.
* New section added to address child pornography with higher punishment, video voyeurism specifically addressed.
* Section 69: Amended, power to issue directions for interception or monitoring or decryption of any information through any computer resource.
* Section 78A: New, to help the Judiciary in handling technical issues.
* Section 79: Revised, to bring out the extent of liability of intermediary in certain cases.
* Normal provisions of CrPC will apply, only DSPs and above will be authorised to investigate.
* Electronic signatures to be allowed apart from digital signatures.
* New section for "Formulation and Validity of Electronic Contracts".
* More stringent norms for data protection and privacy.

From isn at c4i.org Tue Aug 30 02:34:25 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 30 02:50:05 2005
Subject: [ISN] Safeguarding IT against the next Katrina
Message-ID:

http://news.com.com/Safeguarding+IT+against+the+next+Katrina/2100-7350_3-5844041.html

By Dawn Kawamoto
Staff Writer, CNET News.com
August 29, 2005

IT managers nationwide should take a cue from Hurricane Katrina's destructive power and develop disaster-recovery plans to safeguard their computer systems against catastrophe, security experts advise.

"For people in New Orleans and Mississippi, it's too late to begin disaster recovery plans. But this hurricane will probably rattle others up and get them thinking about their own disaster recovery," said Johannes Ullrich, chief research officer for security training and research company Sans Institute.
To make the best use of disaster-recovery plans, businesses not only need to take time to develop the plans but also test them before a catastrophe, said Ullrich, whose company re-released a list of preparation tips to consider when faced with a hurricane.

Companies should conduct a full system backup four days before the expected arrival of a storm and have the data shipped off-site and out of harm's way. Subsequent, incremental backups should also be sent off-site, Sans advised. And, if possible, a final full system backup should be conducted just before the storm's arrival, with the data retained locally.

Main phone numbers for the affected offices can be redirected to an off-site voice mailbox once electric power to the facilities is turned off. This step is designed to keep customers and employees informed of the company's status with voice mail messages.

Sans advised devising an alternate arrangement for handling companywide help-desk issues and removing necessary equipment from datacenters. For critical systems in the path of an approaching storm, companies should consider encasing the equipment in plastic, Sans said.

And for satellite offices in the storm's path, Sans suggested dispensing loaner laptops to key personnel and maintaining loaner laptops that house complete content images, or ghost images, of the desktops and laptops in that particular office.

While Hurricane Katrina is expected to cause extensive damage to the Louisiana coastal region, it is not expected to affect the infrastructure that keeps the Internet up and running, Ullrich said.

"There is nothing real big in that area, so we don't expect to see any effects outside of there," Ullrich said.

Copyright ©1995-2005 CNET Networks, Inc.
From isn at c4i.org Tue Aug 30 02:34:37 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 30 02:50:36 2005
Subject: [ISN] Cal State combats thieves in cyberspace
Message-ID:

http://www.insidebayarea.com/trivalleyherald/localnews/ci_2982853

By Katy Murphy
STAFF WRITER
08/29/2005

HAYWARD - Every morning, Thomas Dixon goes into his office at California State University, East Bay, knowing that a million attempts will be made - each hour - to break into the computer system he is charged with protecting.

Dixon is a quiet, seemingly unflappable man who didn't blink at the break-ins reported this month at Sonoma State University and California State University, Stanislaus, that potentially compromised the personal information of tens of thousands of students.

But the information security specialist's biggest fear, which he shares with others in the know on campus, is that someone will manage to break into the main system containing student data and financial records.

"Do I get nervous? Of course," he said.

To prevent such a catastrophe, Dixon's team installs firewalls to keep unwanted users out of the main system. They keep their ears open about the latest threats and how to keep them at bay. And they give critical self-defense instructions and controls to the 10 to 20 faculty and staff whose laptops contain sensitive data about the university.

Sometimes their efforts are not enough. Last September, a hacker gained access to a server in a Warren Hall office, later boasting about the conquest on the office's home page. As mandated by state law, the university sent letters to about 2,300 people, warning them that their personal information could have been stolen.

Shortly after that attack, someone struck again, leaving a similar mark on the home page. Since Dixon already had scrubbed the hard drive of data, no information could have been taken.
Dick Metz, vice president of administration and business affairs for the university, said he didn't know whether the phisher was simply gaming the system or trying to steal information. As far as he knows, no reports of fraud or misuse of data have been made in connection with the break-in, he said.

Metz considers the September hack a minor incident. A major one, by his standards, would affect at least 10,000 people.

At the time, many students went about their lives, oblivious to the invasion. Kelly Lunsford, a freshman last year, said Thursday that she wasn't aware of it - or of the recent problems at other universities, including the University of California, Berkeley. Lunsford said she assumed her information was safe at Cal State East Bay.

"I guess I'll trust them until something happens," she said.

Likewise, incoming freshman Larry Ornellas said he wasn't too worried.

"I feel the school is a secure enough place, and they have thousands - and maybe tens of thousands - of records on file. It would have to be a secure enough domain for them to stay there," he said, although he added that the threat of identity theft is always in the back of his mind.

When students return to dormitories next month for the fall quarter, their laptops will be checked for infection. Software and other protections will be given to on-campus students connected to the network, Dixon said, because "someone could get to us through them."

Despite the countless barriers they have erected, Dixon and Metz are keenly aware that all a hacker needs is a tiny opening.

"We've come to the conclusion that it isn't a matter of whether we get breached again," Metz said. "It's when."

From isn at c4i.org Tue Aug 30 02:31:28 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 30 02:53:33 2005
Subject: [ISN] Arrested Zotob Hacker Also Wrote Mytob Worms
Message-ID:

http://informationweek.com/story/showArticle.jhtml?articleID=170101362

By Gregg Keizer
TechWeb News
Aug. 29, 2005

One of the two men arrested last week on charges of creating and mailing the Zotob bot worm also authored some, but not all, of the many Mytob worms in circulation, a security firm said Monday.

Finnish anti-virus vendor F-Secure identified Farid Essebar, 18, who was arrested by Moroccan authorities, as the author of some Mytobs.

"We know that [Essebar] had also authored several of the Mytob variants since February this year," F-Secure's Mikko Hypponen wrote on the company's blog. "However, he's not behind all of them."

Early analysis by others, including Ken Dunham, senior engineer with VeriSign iDefense, pegged Zotob and Mytob as close relations. "Hackers took the Mytob worm code and replaced the e-mail function in Mytob with the exploit of the MS05-039 vulnerability," said Dunham two weeks ago when the Zotob attack first began.

While there have been too many variants of Mytob for one individual to create -- Symantec's count is above 200 -- Hypponen made note of other clues that tie Essebar, who went by the hacker nickname of 'Diabl0,' to Mytob.

"We know Diablo aka Farid Essebar, was associated with '0x90-Team.' For example, some earlier Mytob variants downloaded additional components," said Hypponen. The 0x90-Team had been operating as an underground gathering place for bot authors, Hypponen added. As of Monday, however, the site was inaccessible.

That Essebar/Diabl0 wasn't the only Mytob hacker was evident Monday as several security firms, including Symantec, identified a brand-new Mytob variant. Dubbed "Mytob.jh," the worm opens a backdoor to the infected PC, blocks access to numerous security sites, and tries to disable more than 560 different security programs.

The arrest of Essebar and his cohort, Atilla Ekici, won't put a stop to either Mytob or similar bots, such as the pervasive IRCbot. "Several people have access to Mytob source code and have been making their own variants," said Hypponen.
"And there are the competing groups, such as "m00p," who seem to be behind several of the IRCbot variants that were using PnP [Plug and Play] vulnerability to spread."

From isn at c4i.org Wed Aug 31 04:02:05 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 31 04:07:38 2005
Subject: [ISN] Accused Zotob Hacker May Be Behind 21 Other Worms
Message-ID:

http://informationweek.com/story/showArticle.jhtml?articleID=170101991

By Gregg Keizer
TechWeb News
Aug. 30, 2005

More details are emerging about the hacker history of one of the two men arrested last week on suspicion of creating and distributing the Zotob bot worm earlier in August.

According to the analysis conducted by U.K.-based security vendor Sophos, Farid Essebar, 18, also known as "Diabl0," may have written 20 variations of the Mytob mass-mailed worm and one version of the MyDoom worm.

"It is not unusual for malware authors to leave their handles inside their malicious code, sometimes alongside other messages," said Sophos in a statement. The company said its researchers had found 21 other worms with the Diabl0 handle included in their code.

Of the 21, 20 are Mytob variants, ranging from Mytob.a to Mytob.gz; two of Sophos' most recent Top 10 list of viruses and worms appear to have been authored by Essebar, said Sophos.

"The Mytob worms have made a significant impact on the virus outbreak charts this year, so anything which may prevent future variants from being developed and released must be welcomed," said Graham Cluley, senior technology consultant for Sophos, in a statement.

However, Cluley cautioned -- as have other analysts -- that it's probable other hackers have access to the Mytob source code, a fact that many think is the root cause of the more than 200 variants seen so far this year.

"It appears whoever wrote Zotob had access to the Mytob source code, ripped out the email-spreading section and plugged in the Microsoft exploit," added Cluley.
From isn at c4i.org Wed Aug 31 04:02:17 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 31 04:08:13 2005
Subject: [ISN] Microsoft Investigates New IE Hole
Message-ID:

http://www.eweek.com/article2/0,1895,1854038,00.asp

By Paul F. Roberts
August 30, 2005

Microsoft is investigating another critical hole in its Internet Explorer Web browser. The hole, if left unpatched, could allow remote attackers to take control of Windows XP machines running Service Pack 2 and Internet Explorer 6 using silent attacks that are launched from malicious Web pages.

The remotely exploitable hole can be used to compromise fully patched Windows XP SP2 computers and there is no way to block attacks, according to Tom Ferris, the independent researcher who found the vulnerability.

News of the critical, unpatched hole comes just weeks after a report on another critical Windows hole [1] from Ferris, who uses the online name "badpack3t."

"It's a pretty nasty flaw," Ferris said on Tuesday. "If a user visits a malicious Web site, the [attack] code can be executed without them even knowing about it; there's no pop-up or crash screen," he said.

Microsoft Corp. acknowledged in an e-mail that it received Ferris's report and is "aggressively investigating" the flaw. The Redmond, Wash., company is not aware of attacks that try to use the reported vulnerabilities or of any customer impact, according to a company spokesperson.

Ferris declined to give details about where in IE he found the hole, but said it is not a variant of other known flaws in the widely used Web browser. "It's not like any other flaw in IE; it's definitely different," Ferris said.

Ferris, an independent security researcher who lives in Mission Viejo, Calif., and operates the SecurityProtocols.com Web site, said he told Microsoft about it on Aug. 14 using the secure@microsoft.com e-mail address and has exchanged e-mail with a company researcher since then, but hasn't heard anything from the company in a week.

He said staff at Microsoft appeared to be struggling to understand the flaw. "I've given them more than enough information to understand it but they keep asking for more details," he said.

Ferris did not provide proof-of-concept code that shows how the hole can be used to gain remote access to affected machines, but did provide proof-of-concept code that crashes IE. "It's a blatant access violation crash," he said.

Microsoft said it would take action to address Ferris's report when it completes its investigation. If Ferris's reported vulnerability holds up, possible remedies could include an unscheduled security patch or a patch released on the company's regular monthly schedule, according to the Microsoft spokeswoman.

Ferris hasn't tested the hole on other versions of Windows XP or Internet Explorer and doesn't know if it will work on other versions of those products. He said he doesn't believe that other people have discovered the hole, though he acknowledged that he might not be the only researcher who had discovered it.

Windows XP SP2 users who also use Internet Explorer Version 6 have few options for protecting themselves from attacks that use the vulnerability. Changing the Internet Explorer security settings will not stop attack code from executing on affected systems, and firewall and host intrusion detection products that Ferris tested did not detect the exploit, he said.

Ferris suggested IE users concerned about being attacked using the flaw should switch to other Web browsers until Microsoft has patched the hole.

Microsoft encourages security researchers like Ferris to follow "responsible disclosure" practices and not to publicize holes before a patch is available. Ferris said he is aware of the company's position and considers himself in a "grey area," because he has not released any details about the vulnerability he found.
Ferris said that he publicized the existence of a hole to warn IE users, who might consider refraining from using the browser until the hole is fixed. [1] http://security-protocols.com/modules.php?name=News&file=article&sid=2783 From isn at c4i.org Wed Aug 31 04:03:25 2005 From: isn at c4i.org (InfoSec News) Date: Wed Aug 31 04:10:54 2005 Subject: [ISN] Cal State combats thieves in cyberspace Message-ID: Forwarded from: security curmudgeon : http://www.insidebayarea.com/trivalleyherald/localnews/ci_2982853 : : By Katy Murphy : STAFF WRITER : 08/29/2005 : HAYWARD Every morning, Thomas Dixon goes into his office at California : State University, East Bay, knowing that a million attempts will be made : - each hour - to break into the computer system he is charged with : protecting. So he gets 277 "attempts to break into the computer system" PER SECOND. That's over 150 megs of logs per hour at the absolute minimum, over 3.6 gigs of logs a day. Again, how often do we have to read these bogus stats in news articles? Why can't they simply explain what an "attempt" means exactly? I know the net is a bad place, and a significant percentage of traffic is malicious, but this stat seems completely out of line. : Dick Metz, vice president of administration and business affairs for the : university, said he didnt know whether the phisher was simply gaming the : system or trying to steal information. As far as he knows, no reports of : fraud or misuse of data have been made in connection with the break-in, : he said. Someone breaks into the machine, potentially steals 2,300 personal records, and he is called a 'phisher'?! Even buying into all the stupid buzz words for every type of computer crime, this isn't phishing. From isn at c4i.org Wed Aug 31 04:04:04 2005 From: isn at c4i.org (InfoSec News) Date: Wed Aug 31 04:11:37 2005 Subject: [ISN] Microsoft Investigates New IE Hole Message-ID: http://www.eweek.com/article2/0,1895,1854038,00.asp By Paul F. 
Roberts August 30, 2005 Microsoft is investigating another critical hole in its Internet Explorer Web browser. The hole, if left unpatched, could allow remote attackers to take control of Windows XP machines running Service Pack 2 and Internet Explorer 6 using silent attacks that are launched from malicious Web pages. The remotely exploitable hole can be used to compromise fully patched Windows XP SP2 computers and there is no way to block attacks, according to Tom Ferris, the independent researcher who found the vulnerability. News of the critical, unpatched hole comes just weeks after a report on another critical Windows hole [1] from Ferris, who uses the online name "badpack3t." "It's a pretty nasty flaw," Ferris said on Tuesday. "If a user visits a malicious Web site, the [attack] code can be executed without them even knowing about it?there's no pop-up or crash screen," he said. Microsoft Corp. acknowledged in an e-mail that it received Ferris's report and is "aggressively investigating" the flaw. The Redmond, Wash., company is not aware of attacks that try to use the reported vulnerabilities or of any customer impact, according to a company spokesperson. Ferris declined to give details about where in IE he found the hole, but said it is not a variant of other known flaws in the widely used Web browser. "It's not like any other flaw in IE?it's definitely different," Ferris said. Ferris, an independent security researcher who lives in Mission Viejo, Calif., and operates the SecurityProtocols.com Web site, said he told Microsoft about it on Aug. 14 using the secure@microsoft.com e-mail address and has exchanged e-mail with a company researcher since then, but hasn't heard anything from the company in a week. He said staff at Microsoft appeared to be struggling to understand the flaw. "I've given them more than enough information to understand it but they keep asking for more details," he said. 
Ferris did not provide proof-of-concept code that shows how the hole can be used to gain remote access to affected machines, but did provide proof-of-concept code that crashes IE. "It's a blatant access violation crash," he said. Microsoft said it would take action to address Ferris's report when it completes its investigation. If Ferris's reported vulnerability holds up, possible remedies could include an unscheduled security patch or a patch released on the company's regular monthly schedule, according to the Microsoft spokeswoman. Ferris hasn't tested the hole on other versions of Windows XP or Internet Explorer and doesn't know if it will work on other versions of those products. He said he doesn't believe that other people have discovered the hole, though he acknowledged that he might not be the only researcher who had discovered it. Windows XP SP2 users who also use Internet Explorer Version 6 have few options for protecting themselves from attacks that use the vulnerability. Changing the Internet Explorer security settings will not stop attack code from executing on affected systems, and firewall and host intrusion detection products that Ferris tested did not detect the exploit, he said. Ferris suggested IE users concerned about being attacked using the flaw should switch to other Web browsers until Microsoft has patched the hole. Microsoft encourages security researchers like Ferris to follow "responsible disclosure" practices and not to publicize holes before a patch is available. Ferris said he is aware of the company's position and considers himself in a "grey area," because he has not released any details about the vulnerability he found. Ferris said that he publicized the existence of a hole to warn IE users, who might consider refraining from using the browser until the hole is fixed. 
[1] http://security-protocols.com/modules.php?name=News&file=article&sid=2783

From isn at c4i.org Wed Aug 31 04:01:26 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 31 04:12:27 2005
Subject: [ISN] I was a teenage cybercriminal
Message-ID:

http://www.techworld.com/security/features/index.cfm?FeatureID=1711

By Tom Spring
PC World.com
August 29, 05

In 2004, after months of putting a virtual tail on a hacker who called himself Pherk, FBI agent Timothy Nestor had the guy right where he wanted him. Though unsure of Pherk's identity, Special Agent Nestor was tracking every digital footstep the hacker took as he wreaked havoc on dozens of businesses by shutting down their online storefronts.

Pherk's modus operandi was to commandeer an army of 2000 zombie computers and use those PCs simultaneously and repeatedly to request Web pages from the sites; the surge in queries would overwhelm the sites' servers, knocking the businesses offline. What the hacker didn't know was that Nestor, supervisor of the FBI's Cyber Crime Squad in New Jersey, had isolated one of the zombies and was now following the perpetrator's every online move.

Eventually the accumulating evidence of these illegal Web activities enabled the FBI to trace the attacks to 17-year-old Jasmine Singh Cheema. Nestor then obtained a search warrant; and in early December 2004, six FBI agents and two New Jersey state police officers barged into the Edison, New Jersey, home of Cheema's parents. According to Nestor, the 17-year-old Cheema sat at the family's dining room table and confessed everything to the FBI as his mother hovered nearby.

On the increase

Pherk's technique of crippling a Web site by flooding it with information is called a distributed denial of service (DDoS) attack. Despite being illegal, such attacks are on the rise.
And not surprisingly, the number of PCs infected with malicious code that turns PCs into zombies has risen as well - from 3,000 during the first quarter of 2005 to 13,000 during the second quarter, according to a report from anti-virus firm McAfee.

Big-time criminals aren't always responsible for these crimes. Authorities said Cheema's attacks were aimed at a handful of Web sites that competed with CustomLeader.com, a small online sports memorabilia business. Business owner Jason Arabo, himself only 18 at the time, is alleged to have given Cheema some of his company's imitation classic sportswear as payment for Cheema's work. Arabo was arrested in March and charged with conspiracy to commit the attacks. If convicted, he faces up to five years in prison and fines totaling as much as US$250,000. The agency said that it obtained the image from an online dating site.

Cheema pleaded guilty in New Jersey Superior Court to two counts of computer theft by hacking online businesses; on August 12, he was ordered to serve five years in youth detention and to pay $32,000 in restitution. According to the New Jersey state attorney general's office, Cheema generated the attacks by compromising PCs throughout the world with a virus. The infected PCs then sent the victims' systems trillions of packets of data per hour, overwhelming them.

What disturbed law enforcement officials most about the Cheema case was the extent of the damage his attacks caused in spite of their simplicity. Investigators report that Cheema infected 2000 computers just by making available on a file-swapping network a file advertised to be a picture of Jennifer Lopez naked. Instead of opening an image, though, people who clicked the file installed a Trojan horse that exploited PCs with poor virus and firewall protection. The PCs then became clandestine members of Cheema's zombie army.

Catching a cybercrook

The FBI's number three national priority today (after terrorism and counterintelligence) is cybercrime.
In one of the FBI's sixteen U.S. cybercrime squads, located in a nondescript office building in Somerset, New Jersey, members spend their workdays tracking down crimes ranging from Web site defacement to network break-ins to DDoS attacks to child pornography to the online sale of pirated software, music, or videos.

Other types of cybercrime are more common than zombie PC attacks, sometimes called botnet attacks. But because armies of zombie PCs are often massive and have the potential to inflict severe damage on victims, some law enforcement officials say that thwarting botnet infections and attacks has become their number one priority. "The number of cases we see, like the Singh [Cheema] case, are becoming far more frequent," Nestor says.

According to the FBI, most of the PCs Cheema hijacked were located on college campuses in Massachusetts and Pennsylvania. He directed those PCs to go after a handful of sites, probably without realizing that his attacks would have such widespread consequences. The ripple effect from the attacks launched by Cheema's so-called botnet army of PCs ultimately reached 120 online companies, including major retailers, banks, and pharmaceutical businesses as far away as Europe, according to the FBI. "If one teenager can jeopardize over a hundred Web sites from his parent's house, imagine what groups of seasoned cybergangs can do," Nestor says.

Global problem

Some botnets consist of phalanxes of from 15,000 to 50,000 zombie PCs that are controlled by groups of people dispersed around the world, says Christopher Painter, deputy chief of the Computer Crime section of the U.S. Department of Justice. Most perpetrators are adults who execute extremely sophisticated assaults. "They don't brag, and they cover their tracks very well," Painter says. One notorious cybergang, called Shadowcrew, reportedly had 4,000 members scattered across the United States, Brazil, Spain, and Russia.
Money is these cybergangs' primary motivation, says Larry Johnson, special agent in charge of the Criminal Investigative Division of the U.S. Secret Service. The asking price for temporary use of an army of 20,000 zombie PCs today is $2000 to $3000, according to a June posting on SpecialHam.com, an electronic forum for hackers.

Marshalling their armies of zombie PCs, online extortionists may threaten to crash a company's Web site unless they are paid off. "Hackers are not shy about asking for $20,000 to $30,000 from companies. The [companies] know it's far cheaper to pay the hackers than to get knocked offline and lose hundreds of thousands of dollars in lost business," Johnson says.

Many of these extortion attempts may go unreported because businesses are unwilling to volunteer evidence of their coercion to law enforcement officials, Johnson says. Commonly, corporations don't want to admit to their customers, stockholders, and business partners that their networks were ever vulnerable to an attack. According to a 2004 survey conducted by the Computer Security Institute, a membership association and education provider that serves the information security community, only about 20 percent of computer intrusions are ever reported to law enforcement agencies. The Secret Service, Johnson says, receives between 10 and 15 inquiries per week from business owners who believe they may be the target of a cyberattack.

Cooperation is key

Despite the low percentage of attacks that are reported to law enforcement officials, the evidence needed to arrest the perpetrators is often available, says James Burrell, supervisory special agent of the Boston FBI's cybersquad. In labs like his, agents conduct high-level computer forensics on PCs, analyze malicious code, break encrypted files, and pore over server logs looking for clues. "For us, it's all about traceability," Burrell says.
The evidence the FBI needs may be available for only a short time, and it may be located on a server halfway across the globe. For these reasons, he says, it's vital that local, state, federal, and foreign agencies share information. The FBI has 48 legal attache offices across the globe, and agents in those offices can assist with cybercrime investigations when leads take the case outside of the United States.

The Justice Department says that cracking cross-border cases involves using international organizations like the G8 24/7 High Tech Point of Contact Group, whose member countries designate an always-available contact for providing investigative assistance in computer crime cases. Started in 1998 by eight highly industrialized nations, the group now consists of more than 40 countries that share data and coordinate field work. When cases are cracked, international organizations like the International Criminal Police Organization (Interpol) help with extraditing criminal defendants across borders.

According to the U.S. Secret Service, its investigations take it outside the United States in about half of the botnet cases it pursues. Though the agency relies on existing relationships with foreign law enforcement agencies, it also works with the CERT Coordination Center, a federally funded computer security incident response team, and with the International Botnet Task Force, whose members include private and governmental agencies.

Can they be stopped?

Despite some success, law enforcement officials say that cybercrime is extremely hard to get a handle on. That's because it thrives in countries like Russia and China that have weak computer crime laws or lax enforcement. In such cases, catching cybercriminals outside U.S. jurisdiction becomes nearly impossible. When U.S. prosecutors do bring cybercrooks to justice, they increasingly file charges under updates to the federal criminal code.
The Computer Fraud and Abuse Act, for example, provides for a maximum sentence of 20 years in prison. Still, some critics argue that too few computer crime laws exist and that the government underfunds cyber-security programs.

Congressman Dan Lungren, R-California, chairman of the Homeland Security Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity, says that U.S. business interests aren't the only thing at stake. Lungren worries that hackers who control botnets might attempt to carry out terrorist acts online to take down the nation's electric utilities or tamper with air traffic control systems. "We have seen a progression from hackers to hackers with criminal intent," Lungren says. "We are naturally concerned with any hacker with terrorist intent."

Cyber criminals have been technologically two steps ahead of law enforcement for a long time. But that may be changing, according to Robert Villanueva, criminal investigator within the U.S. Secret Service. "Hackers used to think they couldn't be touched on IRC channels and using VPN networks," Villanueva says. "We know they are out there, and we are infiltrating their groups and taking notes," he says.

In the future, FBI special agent Nestor says, attacks will get more sophisticated. "It's a cat-and-mouse game. It always has been. As soon as we figure out who the bad guy is and how he operates, the cybercrooks come up with something new."

From isn at c4i.org Wed Aug 31 04:01:50 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 31 04:13:26 2005
Subject: [ISN] Compliance taking over IT security chiefs' schedules
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=32119

By Daniel Pulliam
dpulliam at govexec.com
August 30, 2005

Agency chief information security officers are spending more time complying with laws governing the safekeeping of computer and network systems, according to a survey.
With the burden of complying with the 2002 Federal Information Security Management Act growing, CISOs are spending an average of 3.75 hours per day on FISMA, a law written to bolster agencies' computer and network security. Last year, the survey found that CISOs spent an average of 3.06 hours on FISMA compliance.

Intelligent Decisions Inc., a technology firm based in Ashburn, Va., commissioned the 21-question [1] survey, which was conducted through online and telephone interviews with 29 top government security officials from both large and small civilian and Defense Department agencies. This was the second CISO survey that Intelligent Decisions conducted.

The first survey [2] found that agencies with smaller information technology budgets were spending far more time on FISMA compliance than agencies with large budgets. Smaller agencies were those with less than $1 million in annual IT expenditures. The 2005 survey found that gap shrinking, with CISOs with smaller budgets spending between 51 percent and 59 percent of their time complying with FISMA and CISOs at larger agencies spending between 38 percent and 40 percent of their time on compliance.

"You will still see that a majority of their time is managing that compliance reporting," said Roy Stephan, Intelligent Decisions' cybersecurity director. "We've seen them come back into alignment, where larger agencies and smaller agencies are spending about the same amount of time on compliance."

According to the survey, about three-quarters of a CISO's typical day is spent on administrative tasks, which is down by about 33 percent from 2004. Strategic management tasks take up the other quarter. Intelligent Decisions speculates that IT security is becoming less like a technology program and more of a policy and process challenge for managers.
The top trends identified by the survey were the increase of wireless and mobile devices, the rise of single sign-on and multifactor authentication, and the convergence of database and network security. Other trends included the convergence of physical security and cybersecurity, the growing interest in biometric systems, outsourcing of security functions to the private sector, and an increase in public-private partnerships.

CISOs' top three concerns, according to the survey, were network security, system and application maintenance, and fulfilling FISMA requirements. Basing its information on a Government Accountability Office report on wireless security [3] released earlier this year, the survey found that chief among CISOs' concerns were unauthorized wireless access points and wireless devices. Of those surveyed, 46 percent said their agency used a wireless network, but there was inconsistent implementation among agencies of basic wireless security controls.

[1] http://www.intelligent.net/publicweb/about/cisoSurvey.htm
[2] http://www.govexec.com/dailyfed/1204/120604p1.htm
[3] http://www.govexec.com/dailyfed/0505/052005p1.htm

From isn at c4i.org Wed Aug 31 04:02:28 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 31 04:15:18 2005
Subject: [ISN] CSU: Computer holding student financial data breached
Message-ID:

http://www.siliconvalley.com/mld/siliconvalley/12516737.htm

Aug. 30, 2005

LONG BEACH, Calif. (AP) - Computer virus attacks against a California State University computer storing financial data may have exposed the names and Social Security numbers of 154 people to hackers.

The computer was left momentarily vulnerable following a series of virus attacks earlier this month, but investigators had not determined whether any of the data was accessed, Clara Potes-Fellow, CSU's media relations manager, said Tuesday. "There is a potential computer security breach," Potes-Fellow said.
"We don't know exactly whether they were successful."

The computer was used by a financial administrator at CSU's Office of the Chancellor in Long Beach and housed records related to student financial aid programs. Two of the data files pertained to financial aid administrators, the rest to students -- most of them enrolled at campuses in Chico, San Bernardino and San Marcos, the university said.

As required by California law, the university notified the individuals whose records were on the hacked computer. The university was also advising them to contact credit-reporting agencies and consider placing a fraud alert on their credit reports.

Potes-Fellow said the viruses had only affected the one computer in the chancellor's office. She said investigators had not determined whether the incident was linked to a similar computer break-in at CSU Stanislaus in Turlock. A hacker broke into a computer file server there containing the names and Social Security numbers of nearly 900 student workers. Campus officials did not know when the hacker broke into the computer or whether any unencrypted personal information was stolen.

From isn at c4i.org Wed Aug 31 04:02:44 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 31 04:16:32 2005
Subject: [ISN] Pitt offers courses in cyber security
Message-ID:

http://www.pittnews.com/vnews/display.v/ART/2005/08/30/4313eda8d64d4

By MALLORY WOMER
Staff Writer
August 30, 2005

Being one of only 65 institutions in the country that has been declared a National Center of Academic Excellence in Information Education by the National Security Agency simply wasn't enough for Pitt. After achieving this status in 2004, Pitt kept working to join the elite league of institutions that meet five Committee on National Security Systems standards. This allows the University to grant five certifications to its students.
When Pitt recently achieved this status, it became one of 12 universities in the country - and the only one in Pennsylvania - that offers all five certifications.

Now students seeking a master's degree in either information science or telecommunications through Pitt's School of Information Sciences have the opportunity to take classes in an area known as Security Assured Information System education. Courses in this field satisfy the requirements needed to receive anywhere from one to all five of the certifications, depending on the combination in which they are taken.

James Joshi, cofounder of this field and assistant professor in the School of Information Sciences, joined the department when it tried to design a curriculum that would satisfy the committee's standards. After being hired by Pitt two years ago, he immediately began to work on designing this curriculum because Pitt had not yet received any formal recognition for its information education track. "As soon as I got here, that was my main job, my main mission here," Joshi said.

Joshi helped to develop a proposal for a track in security courses that he sent both to the National Science Foundation and later to the NSA for certifications. In 2003, the program was first approved for three standards. Later, upon a recent reapplication, the final two were granted. "Once you go into developing a curriculum, you want it to be the best," Joshi said. "How do you do that? By following the CNSS standards."

By participating in the NSA-sponsored educational standards, students have access to Information Assurance Scholarship opportunities, which include special scholarships through the Department of Defense as well as equipment grants.
According to Joshi, these nationwide standards serve as a basis for educating students in security and help applicants get higher entry-level positions during interviews, when employers look for these certifications.

David Tipper, an SAIS instructor and associate professor in telecommunications, agreed with Joshi on the benefits of having a certification granted by NSA. He believes that the certifications make students more marketable. Tipper teaches courses in infrastructure protection, which, if completed, can lead to certification in one of the five standards. "We need a bigger talent pool to protect from catastrophic events," Tipper said. "A lot of infrastructure isn't protected very well."

For some students, the benefits of the program do not outweigh the cost. Rick Anderson, a telecommunications graduate, does not have any certifications. "I just really wanted my degree," Anderson said. "It's a lot of work." Anderson had about two more core courses in security and at least two more electives in the field that needed to be completed in order to receive a certification.

Nevertheless, Anderson agrees that there are some benefits to receiving the certifications. "I do see where they can definitely be useful, especially when you are in the security field," Anderson said. "I do see their importance. But to me, I was trying for a broader [education in] telecommunications, like cellular or wireless."

From isn at c4i.org Wed Aug 31 04:02:58 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 31 04:19:22 2005
Subject: [ISN] Cyber police gather at Hyatt
Message-ID:

http://www.montereyherald.com/mld/montereyherald/news/local/12512687.htm

By ANDRE BRISCOE
Herald Staff Writer
Aug. 30, 2005

"Cybersleuths" from around the world are gathered in Monterey this week to share the latest techniques for rooting out high-tech crime, including such things as cyber-terrorism, eBay fraud, software piracy and computerized kiddie porn.
The 650 representatives of police and private agencies include delegates from Great Britain, the Netherlands, Korea and Japan, said Mark McLaughlin, chairman of the event at the sold-out Hyatt Regency.

McLaughlin and others, including keynote speaker Louis Reigel, said computerized crime is such a growth industry that law enforcement officials are compelled to exchange information regularly. "It's absolutely critical for keeping ahead of criminal activity and technology," said Reigel, who heads the FBI's high-tech crime operations. "It's absolutely essential to develop these relationships with each other so they can pick up the phone and contact somebody when they need to."

Also involved is Christopher Painter, deputy chief of the U.S. Department of Justice's Computer Crime and Intellectual Property Division. The event is sponsored by the High Technology Crime Investigation Association. During the three-day event, a series of lectures and more than 120 labs will be available to investigators. Topics include such things as cracking passwords, electronic surveillance countermeasures, Internet issues for parents, electronic lock picking and identity theft.

"A lot of this changes so fast that every three to six months we have to find new ways to stay on top of it," said Houston police officer Nick Drehel. "We're always behind the curve. As law enforcement officers, we're always reacting to new things they (the criminals) are coming up with. We try to stay as close as we can with new technology."

"That's what these conferences are about," said Drehel. "They give us insight. We learn what works and what doesn't."