From isn at c4i.org Fri Dec 2 01:13:28 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 2 01:35:22 2005
Subject: [ISN] Security glitch aids IRS phishers
Message-ID:

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,106645,00.html

By Robert McMillan
NOVEMBER 30, 2005

The U.S. Department of Labor said Wednesday it is working to fix a programming glitch in a U.S. government Web portal that makes it easier for phishers to trick people into disclosing sensitive information.

The flaw was first exploited by phishers who, earlier this week, began sending out bogus e-mail messages asking for personal information, including Social Security and credit card numbers. The bug lets these phishers redirect URLs (Uniform Resource Locators) that use the GovBenefits.gov domain to fraudulent Web sites that are unconnected with the U.S. government.

This redirecting flaw was first exploited just days ago by phishers masquerading as the U.S. Internal Revenue Service (IRS), said Graham Cluley, a senior technology consultant with Sophos PLC, a U.K. security firm that has been researching the matter.

"The people behind GovBenefits.gov have implemented their software in such a way that leaves the Web site vulnerable to a phishing attack," he said. The technique is particularly effective because the link that users click on is, in fact, a genuine GovBenefits.gov link, he added.

The fraudulent e-mail claims to require the sensitive information in order to process a tax refund, and claims to come from tax refunds@irs.gov, the IRS said.

The GovBenefits.gov Web site is used by 16 federal agencies, including the IRS, and is designed to help users determine their eligibility for government-funded benefit and assistance programs. It is maintained by the Department of Labor.

Though the site's redirect glitch is not common, Sophos has seen it before, usually introduced by programmers looking for a flexible way to move users around their Web sites, Cluley said.
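The flaw Cluley describes is an open redirect: a portal endpoint that sends the browser wherever a query parameter says, so a link that genuinely begins with the GovBenefits.gov host ends on a phisher's page. The Python below is an added example, not code from the Computerworld article, GovBenefits.gov or Sophos; the "/redirect" path, the "url" parameter and the attacker host "irs-refund.example" are assumptions constructed for illustration. It puts the pass-through handler beside a hardened one that resolves the target against the portal origin and refuses anything that would leave it, including the scheme-relative, userinfo, backslash and look-alike-host variants that simple prefix checks miss.

```python
"""Open redirect: the flaw described above, with a hardened counterpart.

Added example; the "/redirect" path and "url" parameter are assumptions
for illustration, not details the article reports about GovBenefits.gov.
"""
from urllib.parse import parse_qs, quote, urljoin, urlsplit

PORTAL_ORIGIN = "https://www.govbenefits.gov"              # domain named in the article
ALLOWED_HOSTS = {"www.govbenefits.gov", "govbenefits.gov"}  # assumed allowlist
REDIRECT_PATH = "/redirect"                                 # hypothetical endpoint
DEFAULT_LANDING = "/"


def vulnerable_redirect(target: str) -> str:
    """The flawed pattern: 302 to whatever the parameter says.

    A genuine govbenefits.gov link therefore delivers the victim to any
    site the phisher names, which is exactly the abuse Sophos describes.
    """
    return target


def safe_redirect(target: str) -> str:
    """Resolve the requested target against the portal and refuse to leave it.

    Rejected: foreign hosts, scheme-relative //host targets, userinfo
    tricks (https://www.govbenefits.gov@evil/), backslash or whitespace
    variants that browsers normalise into "//", non-HTTP schemes such as
    javascript:, and look-alike hosts (exact match, never endswith()).
    Anything rejected lands on DEFAULT_LANDING instead.
    """
    fallback = urljoin(PORTAL_ORIGIN, DEFAULT_LANDING)
    if not target or any(ch in target for ch in "\\\r\n\t\x00 "):
        return fallback
    try:
        resolved = urljoin(PORTAL_ORIGIN, target)   # relative paths stay on the portal
        parts = urlsplit(resolved)
    except ValueError:                               # e.g. malformed IPv6 literal
        return fallback
    if parts.scheme not in ("http", "https"):
        return fallback
    if (parts.hostname or "") not in ALLOWED_HOSTS:
        return fallback
    return resolved


def build_phish_link(attacker_url: str) -> str:
    """What the phisher mails: a real portal URL whose parameter points off-site."""
    return f"{PORTAL_ORIGIN}{REDIRECT_PATH}?url={quote(attacker_url, safe='')}"


def follow(link: str, handler) -> str:
    """Simulate the portal handling the click: read ?url= and hand it to `handler`."""
    query = parse_qs(urlsplit(link).query)
    return handler(query.get("url", [""])[0])


if __name__ == "__main__":
    phish = build_phish_link("http://irs-refund.example/claim")  # constructed attacker site
    print("link in the e-mail :", phish)
    print("vulnerable handler :", follow(phish, vulnerable_redirect))
    print("hardened handler   :", follow(phish, safe_redirect))
```

The allowlist compares the parsed hostname exactly rather than checking that the string starts with or ends with the portal's name, since both of those checks are defeated by hosts such as www.govbenefits.gov.irs-refund.example. Where the set of legitimate destinations is known, an opaque identifier looked up in a server-side table removes the user-supplied URL altogether and is the stronger design.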
"It's a simple mistake to make, until you realize the consequences," he said. "They probably didn't see how it could be used." The Department of Labor is working to fix the glitch and hopes to resolve the problem as early as late Wednesday, a Labor spokeswoman said. Meanwhile, the IRS published a statement Wednesday, warning users of the scam http://www.irs.gov/newsroom/article/0,,id=151065,00.html . "What we want people to know is if you get an unsolicited e-mail that purports to be from the IRS and it's asking for personal information, that's bogus," said Eric Smith, an IRS spokesman. "We're not going to request that you provide this kind of information by e-mail." From isn at c4i.org Fri Dec 2 01:15:21 2005 From: isn at c4i.org (InfoSec News) Date: Fri Dec 2 01:41:41 2005 Subject: [ISN] Secunia Weekly Summary - Issue: 2005-48 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2005-11-24 - 2005-12-01 This week : 83 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. 
by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Some vulnerabilities have been reported in Sun Java JRE (Java Runtime Environment), which can be exploited by malicious people to compromise a user's system.

Please refer to the referenced Secunia advisory below for additional information.

Reference:
http://secunia.com/SA17748

--

Apple has released a security update for Mac OS X, which fixes 13 vulnerabilities.

A complete list and details about the vulnerabilities can be found in the Secunia advisory below.

Reference:
http://secunia.com/SA17813

--

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
2.  [SA17748] Sun Java JRE Sandbox Security Bypass Vulnerabilities
3.  [SA16907] Opera Command Line URL Shell Command Injection
4.  [SA17437] Opera Macromedia Flash Player SWF Arbitrary Code Execution
5.  [SA17430] Macromedia Flash Player SWF File Handling Arbitrary Code Execution
6.  [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
7.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
8.  [SA17786] Linux Kernel Multiple Denial of Service Vulnerabilities
9.  [SA17813] Mac OS X Security Update Fixes Multiple Vulnerabilities
10. [SA17780] Cisco IOS HTTP Server Script Insertion Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA17765] Panda Antivirus ZOO Archive Decompression Buffer Overflow
[SA17792] ASP-rider "referer" Header SQL Injection Vulnerability
[SA17740] MailEnable "RENAME" Command Denial of Service Vulnerability
[SA17737] Freeftpd PORT Command Denial of Service Vulnerability
[SA17815] Cisco Security Agent Local Privilege Escalation Vulnerability

UNIX/Linux:
[SA17813] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA17757] SGI Advanced Linux Environment Multiple Updates
[SA17738] Gentoo update for netscape-flash
[SA17778] Gentoo update for inkscape
[SA17775] KchmViewer chmlib Buffer Overflow Vulnerabilities
[SA17774] unalz Filename Handling Buffer Overflow Vulnerability
[SA17770] Debian update for gtk+2.0
[SA17768] ktools VGETSTRING Buffer Overflow Vulnerability
[SA17735] ShockBoard "offset" SQL Injection Vulnerability
[SA17817] Usermin "miniserv.pl" Format String Denial of Service Vulnerability
[SA17749] Webmin "miniserv.pl" Format String Denial of Service Vulnerability
[SA17754] NuFW Packet Parsing Denial of Service Vulnerability
[SA17781] QNX RTOS "phgrafx" Buffer Overflow Vulnerability
[SA17818] Debian update for centericq
[SA17798] Centericq Empty Packet Denial of Service Weakness
[SA17764] Kadu Message Denial of Service Weakness
[SA17739] Gaim-Encryption Malformed Encrypted Message Denial of Service
[SA17787] Fedora update for kernel
[SA17786] Linux Kernel Multiple Denial of Service Vulnerabilities
[SA17761] Linux Kernel ptrace Denial of Service Vulnerability

Other:
[SA17780] Cisco IOS HTTP Server Script Insertion Vulnerability

Cross Platform:
[SA17790] GuppY PHP Code Injection and Local File Inclusion Vulnerabilities
[SA17779] Ampache Snoopy "_httpsrequest()" Command Injection Vulnerability
[SA17777] eFiction Multiple Vulnerabilities
[SA17771] Q-News "id" File Inclusion Vulnerability
[SA17748] Sun Java JRE Sandbox Security Bypass Vulnerabilities
[SA17730] DeskLance "main" File Inclusion Vulnerability
[SA17812] Atlantis Knowledge Base Software "searchStr" SQL Injection
[SA17811] FAQRing "id" SQL Injection Vulnerability
[SA17810] WSN Knowledge Base SQL Injection Vulnerabilities
[SA17809] Softbiz FAQ Script SQL Injection Vulnerabilities
[SA17808] Softbiz B2B Trading Marketplace Script "cid" SQL Injection
[SA17807] SocketKB SQL Injection and Local File Inclusion Vulnerabilities
[SA17806] KBase Express SQL Injection Vulnerabilities
[SA17805] Orca Knowledgebase "qid" SQL Injection Vulnerability
[SA17804] Orca Blog "msg" SQL Injection Vulnerability
[SA17803] Orca Ringmaker "start" SQL Injection Vulnerability
[SA17801] FAQ System SQL Injection Vulnerabilities
[SA17800] Survey System "SURVEY_ID" SQL Injection Vulnerability
[SA17799] ltwCalendar "id" SQL Injection Vulnerability
[SA17796] 88Scripts Event Calendar "m" SQL Injection Vulnerability
[SA17795] O-Kiraku Nikki "day_id" SQL Injection Vulnerability
[SA17789] PHP Web Statistik Multiple Vulnerabilities and Security Issue
[SA17788] Xaraya "module" Local File Inclusion Vulnerability
[SA17785] N-13 News "id" SQL Injection Vulnerability
[SA17783] FreeWebStat Script Insertion Vulnerabilities
[SA17782] randshop SQL Injection Vulnerabilities
[SA17776] Gentoo update for chmlib / kchmviewer
[SA17773] OmniStar KBase SQL Injection Vulnerabilities
[SA17772] Nephp Publisher SQL Injection Vulnerabilities
[SA17769] DotClear Unspecified trackbacks Security Issue
[SA17767] Babe Logger "gal" and "id" SQL Injection Vulnerabilities
[SA17766] Zainu SQL Injection Vulnerabilities
[SA17763] PHP "mb_send_mail()" "To:" Header Injection Vulnerability
[SA17760] BedengPSP Multiple SQL Injection Vulnerabilities
[SA17759] DMANews Multiple SQL Injection Vulnerabilities
[SA17758] Fantastic News "category" SQL Injection Vulnerability
[SA17753] Entergal MX SQL Injection Vulnerabilities
[SA17752] BosDates SQL Injection Vulnerabilities
[SA17747] Gallery Unspecified Vulnerability
[SA17745] PHP Doc System Local File Inclusion Vulnerability
[SA17744] ADC2000 NG Pro "cat" SQL Injection Vulnerability
[SA17742] Netzbrett "p_entry" SQL Injection Vulnerability
[SA17734] UGroup Multiple SQL Injection Vulnerabilities
[SA17733] phpWordPress SQL Injection Vulnerabilities
[SA17732] ActiveCampaign KnowledgeBuilder SQL Injection and Denial of Service
[SA17731] ActiveCampaign SupportTrio "page" Local File Inclusion Vulnerability
[SA17729] Nicecoder iDesk "cat_id" SQL Injection Vulnerability
[SA17784] WebCalendar SQL Injection and Local File Overwrite Vulnerabilities
[SA17756] ClientExec Multiple SQL Injection Vulnerabilities
[SA17755] drzes HMS Cross-Site Scripting and SQL Injection Vulnerabilities
[SA17751] Post Affiliate Pro "sortorder" SQL Injection Vulnerability
[SA17750] GhostScripter Amazon Shop "query" Cross-Site Scripting Vulnerability
[SA17746] Simple Document Management System SQL Injection Vulnerability
[SA17743] Enterprise Connector "messageid" SQL Injection Vulnerabilities
[SA17741] blogBuddies Cross-Site Scripting Vulnerabilities
[SA17736] SmartPPC Pro "username" Cross-Site Scripting Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA17765] Panda Antivirus ZOO Archive Decompression Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-30

Alex Wheeler has reported a vulnerability in Panda Antivirus, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17765/

--
[SA17792] ASP-rider "referer" Header SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

info has reported a vulnerability in ASP-rider, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/17792/

--
[SA17740] MailEnable "RENAME" Command Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-11-25

Josh Zlatin-Amishav has discovered a vulnerability in MailEnable Professional and MailEnable Enterprise, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17740/

--
[SA17737] Freeftpd PORT Command Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-11-25

Stefan Lochbihler has discovered a vulnerability in freeftpd, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17737/

--
[SA17815] Cisco Security Agent Local Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-30

A vulnerability has been reported in Cisco Security Agent (CSA), which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17815/

UNIX/Linux:
--
[SA17813] Mac OS X Security Update Fixes Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2005-11-30

Apple has issued a security update for Mac OS X, which fixes 13 vulnerabilities.

Full Advisory:
http://secunia.com/advisories/17813/

--
[SA17757] SGI Advanced Linux Environment Multiple Updates
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, DoS, System access
Released: 2005-11-29

SGI has issued a patch for SGI Advanced Linux Environment.
This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, cause a DoS (Denial of Service), and to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17757/

--
[SA17738] Gentoo update for netscape-flash
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-25

Gentoo has issued an update for netscape-flash. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17738/

--
[SA17778] Gentoo update for inkscape
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-28

Gentoo has issued an update for inkscape. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17778/

--
[SA17775] KchmViewer chmlib Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-28

Some vulnerabilities have been reported in KchmViewer, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17775/

--
[SA17774] unalz Filename Handling Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-28

Ulf Harnhammar has reported a vulnerability in unalz, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17774/

--
[SA17770] Debian update for gtk+2.0
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-30

Debian has issued an update for gtk+2.0. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/17770/

--
[SA17768] ktools VGETSTRING Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-11-28

Mehdi Oudad and Kevin Fernandez have reported a vulnerability in ktools, which has an unknown impact.

Full Advisory:
http://secunia.com/advisories/17768/

--
[SA17735] ShockBoard "offset" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-28

r0t has reported a vulnerability in ShockBoard, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17735/

--
[SA17817] Usermin "miniserv.pl" Format String Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-11-30

A vulnerability has been reported in Usermin, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17817/

--
[SA17749] Webmin "miniserv.pl" Format String Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-11-29

Jack Louis has discovered a vulnerability in Webmin, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17749/

--
[SA17754] NuFW Packet Parsing Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-11-29

A vulnerability has been reported in NuFW, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17754/

--
[SA17781] QNX RTOS "phgrafx" Buffer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-30

Pasquale Minervini has reported a vulnerability in QNX RTOS, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/17781/

--
[SA17818] Debian update for centericq
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-11-30

Debian has issued an update for centericq. This fixes a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17818/

--
[SA17798] Centericq Empty Packet Denial of Service Weakness
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-11-30

Wernfried Haas has reported a vulnerability in Centericq, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17798/

--
[SA17764] Kadu Message Denial of Service Weakness
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-11-29

Michal Gizowski has reported a weakness in Kadu, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17764/

--
[SA17739] Gaim-Encryption Malformed Encrypted Message Denial of Service
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-11-25

Joerg Kurlbaum has discovered a weakness in Gaim-Encryption, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17739/

--
[SA17787] Fedora update for kernel
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-11-29

Fedora has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17787/

--
[SA17786] Linux Kernel Multiple Denial of Service Vulnerabilities
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-11-29

Some vulnerabilities have been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/17786/

--
[SA17761] Linux Kernel ptrace Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-11-29

A vulnerability has been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17761/

Other:
--
[SA17780] Cisco IOS HTTP Server Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-29

Hugo Vazquez Carames has reported a vulnerability in Cisco IOS, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/17780/

Cross Platform:
--
[SA17790] GuppY PHP Code Injection and Local File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2005-11-29

rgod has reported some vulnerabilities in GuppY, which can be exploited by malicious people to disclose sensitive information and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17790/

--
[SA17779] Ampache Snoopy "_httpsrequest()" Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-28

A vulnerability has been reported in Ampache, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17779/

--
[SA17777] eFiction Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of system information, System access
Released: 2005-11-28

rgod has reported some vulnerabilities in eFiction, which can be exploited by malicious people to disclose system information, conduct cross-site scripting and SQL injection attacks, and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/17777/

--
[SA17771] Q-News "id" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-28

][GB][ has discovered a vulnerability in Q-News, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17771/

--
[SA17748] Sun Java JRE Sandbox Security Bypass Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-29

Some vulnerabilities have been reported in Sun Java JRE (Java Runtime Environment), which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17748/

--
[SA17730] DeskLance "main" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-25

r0t has reported a vulnerability in DeskLance, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17730/

--
[SA17812] Atlantis Knowledge Base Software "searchStr" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

r0t has reported a vulnerability in Atlantis Knowledge Base Software, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17812/

--
[SA17811] FAQRing "id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

r0t has reported a vulnerability in FAQRing, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/17811/

--
[SA17810] WSN Knowledge Base SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

r0t has reported some vulnerabilities in WSN Knowledge Base, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17810/

--
[SA17809] Softbiz FAQ Script SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

r0t has reported some vulnerabilities in Softbiz FAQ Script, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17809/

--
[SA17808] Softbiz B2B Trading Marketplace Script "cid" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

r0t has reported a vulnerability in Softbiz B2B Trading Marketplace Script, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17808/

--
[SA17807] SocketKB SQL Injection and Local File Inclusion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2005-11-30

r0t has reported some vulnerabilities in SocketKB, which can be exploited by malicious people to conduct SQL injection attacks and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/17807/

--
[SA17806] KBase Express SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported two vulnerabilities in KBase Express, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/17806/

--
[SA17805] Orca Knowledgebase "qid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has discovered a vulnerability in Orca Knowledgebase, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17805/

--
[SA17804] Orca Blog "msg" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has discovered a vulnerability in Orca Blog, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17804/

--
[SA17803] Orca Ringmaker "start" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has discovered a vulnerability in Orca Ringmaker, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17803/

--
[SA17801] FAQ System SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported two vulnerabilities in FAQ System, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17801/

--
[SA17800] Survey System "SURVEY_ID" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported a vulnerability in Survey System, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/17800/

--
[SA17799] ltwCalendar "id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported a vulnerability in ltwCalendar, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17799/

--
[SA17796] 88Scripts Event Calendar "m" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

r0t has reported a vulnerability in 88Scripts Event Calendar, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17796/

--
[SA17795] O-Kiraku Nikki "day_id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

r0t has discovered a vulnerability in O-Kiraku Nikki, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17795/

--
[SA17789] PHP Web Statistik Multiple Vulnerabilities and Security Issue
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, DoS
Released: 2005-11-29

Francesco "aScii" Ongaro has discovered some vulnerabilities and a security issue in PHP Web Statistik, which can be exploited by malicious people to disclose system information, cause a DoS (Denial of Service), and conduct cross-site scripting and script insertion attacks.

Full Advisory:
http://secunia.com/advisories/17789/

--
[SA17788] Xaraya "module" Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS
Released: 2005-11-30

rgod has discovered a vulnerability in Xaraya, which can be exploited by malicious people to disclose and manipulate sensitive information.
Full Advisory:
http://secunia.com/advisories/17788/

--
[SA17785] N-13 News "id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

KingOfSka has discovered a vulnerability in N-13 News, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17785/

--
[SA17783] FreeWebStat Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-29

Francesco "aScii" Ongaro has reported some vulnerabilities in FreeWebStat, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/17783/

--
[SA17782] randshop SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

Liz0ziM and wannacut have discovered two vulnerabilities in randshop, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17782/

--
[SA17776] Gentoo update for chmlib / kchmviewer
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-28

Gentoo has issued updates for chmlib / kchmviewer. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17776/

--
[SA17773] OmniStar KBase SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported some vulnerabilities in OmniStar KBase, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/17773/

--
[SA17772] Nephp Publisher SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported some vulnerabilities in Nephp Publisher, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17772/

--
[SA17769] DotClear Unspecified trackbacks Security Issue
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-11-29

A security issue with an unknown impact has been reported in DotClear.

Full Advisory:
http://secunia.com/advisories/17769/

--
[SA17767] Babe Logger "gal" and "id" SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported two vulnerabilities in Babe Logger, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17767/

--
[SA17766] Zainu SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported two vulnerabilities in Zainu, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17766/

--
[SA17763] PHP "mb_send_mail()" "To:" Header Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2005-11-28

s.masugata has reported a vulnerability in PHP, which potentially can be exploited by malicious people to use it as an open mail relay.
Full Advisory: http://secunia.com/advisories/17763/ -- [SA17760] BedengPSP Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-11-29 r0t has discovered some vulnerabilities in BedengPSP, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17760/ -- [SA17759] DMANews Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-11-29 r0t has discovered some vulnerabilities in DMANews, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17759/ -- [SA17758] Fantastic News "category" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-11-29 r0t has discovered a vulnerability in Fantastic News, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17758/ -- [SA17753] Entergal MX SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-11-29 r0t has reported two vulnerabilities in Entergal MX, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17753/ -- [SA17752] BosDates SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-11-29 r0t has reported two vulnerabilities in BosDates, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17752/ -- [SA17747] Gallery Unspecified Vulnerability Critical: Moderately critical Where: From remote Impact: Unknown Released: 2005-11-29 A vulnerability with an unknown impact has been reported in Gallery. 
Full Advisory: http://secunia.com/advisories/17747/ -- [SA17745] PHP Doc System Local File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-11-28 r0t has discovered a vulnerability in PHP Doc System, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/17745/ -- [SA17744] ADC2000 NG Pro "cat" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-11-28 r0t has reported a vulnerability in ADC2000 NG Pro which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17744/ -- [SA17742] Netzbrett "p_entry" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-11-28 r0t has discovered a vulnerability in Netzbrett, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17742/ -- [SA17734] UGroup Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-11-28 r0t has reported some vulnerabilities in Ugroup, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17734/ -- [SA17733] phpWordPress SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-11-25 r0t has reported some vulnerabilities in phpWordPress, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/17733/ -- [SA17732] ActiveCampaign KnowledgeBuilder SQL Injection and Denial of Service Critical: Moderately critical Where: From remote Impact: Manipulation of data, DoS Released: 2005-11-25 r0t has discovered two vulnerabilities in ActiveCampaign KnowledgeBuilder, which can be exploited by malicious people to cause a DoS (Denial of Service) and conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17732/ -- [SA17731] ActiveCampaign SupportTrio "page" Local File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-11-25 r0t has discovered a vulnerability in ActiveCampaign SupportTrio, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/17731/ -- [SA17729] Nicecoder iDesk "cat_id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-11-25 r0t has discovered a vulnerability in iDesk, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17729/ -- [SA17784] WebCalendar SQL Injection and Local File Overwrite Vulnerabilities Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2005-11-29 Francesco "aScii" Ongaro has reported some vulnerabilities in WebCalendar, which can be exploited by malicious users to manipulate certain information and conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17784/ -- [SA17756] ClientExec Multiple SQL Injection Vulnerabilities Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2005-11-29 r0t has reported some vulnerabilities in ClientExec, which can be exploited by malicious users to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/17756/ -- [SA17755] drzes HMS Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-11-29 r0t has reported some vulnerabilities in drzes HMS, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/17755/ -- [SA17751] Post Affiliate Pro "sortorder" SQL Injection Vulnerability Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2005-11-29 r0t has reported a vulnerability in Post Affiliate Pro, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17751/ -- [SA17750] GhostScripter Amazon Shop "query" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-11-29 r0t has reported a vulnerability in GhostScripter Amazon Shop, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/17750/ -- [SA17746] Simple Document Management System SQL Injection Vulnerability Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2005-11-28 r0t has discovered a vulnerability in Simple Document Management System (SDMS), which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17746/ -- [SA17743] Enterprise Connector "messageid" SQL Injection Vulnerabilities Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2005-11-28 r0t has reported some vulnerabilities in Enterprise Connector, which can be exploited by malicious users to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/17743/ -- [SA17741] blogBuddies Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-11-25 ][GB][ has discovered some vulnerabilities in blogBuddies, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/17741/ -- [SA17736] SmartPPC Pro "username" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-11-25 BiPi_HaCk has reported a vulnerability in SmartPPC Pro, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/17736/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 From isn at c4i.org Fri Dec 2 01:15:35 2005 From: isn at c4i.org (InfoSec News) Date: Fri Dec 2 01:42:24 2005 Subject: [ISN] Mac OS X security under scrutiny Message-ID: http://www.theregister.co.uk/2005/12/01/secfoc_macos/ By Robert Lemos Securityfocus 1st December 2005 When the SANS Institute, a computer-security training organization, released its Top-20 vulnerabilities last week, the rankings continued an annual ritual aimed at highlighting the worst flaws for network administrators. This year, the list had something different, however: the group flagged the collective vulnerabilities in Apple's Mac OS X operating system as a major threat. 
It's the first time that the SANS Institute called out an entire operating system for its vulnerabilities. While the move has raised questions about the value of such a general warning, highlighting recent vulnerabilities in Mac OS X was intended as a wake-up call, said Rohit Dhamankar, security architect for TippingPoint, a subsidiary of networking firm 3Com, and the editor for the SANS Top-20 vulnerability list.

"We are not pointing at the entire Mac OS X and saying you have to worry about the entire operating system," he said. "It is just that the Mac OS X is not entirely free of troubles."

The naming of Apple's Mac OS X to the list is the latest warning from security experts to users that Apple's operating system is not immune to threats. In its last two bi-annual reports, security firm Symantec has warned Apple users that the perceived security strengths of Mac OS X will not withstand determined attackers, especially with mounting vulnerabilities and at least one known rootkit tailored to the system. Symantec is the owner of SecurityFocus.

Such warnings, however, have to contend with the Mac OS X's impressive lack of major security incidents. While users of Microsoft Windows have to worry about the latest viruses, Trojan horse programs, spyware and phishing attacks, users of Apple's systems have significantly fewer threats about which to be concerned.

Still, if would-be attackers begin to focus on the operating system, then it's likely that major security incidents will not be far behind, said Nicholas Raba, CEO of Mac OS X security information and software site SecureMac.com.

"Mac OS X is currently more secure than Linux or Windows only for the fact that the shares of users is smaller thus the (number of) researchers discovering the flaws is smaller," Raba said.

Others point out that the vulnerability landscape is already shifting.
The number of vulnerabilities patched by Apple in the Mac OS X rivals the number fixed by Microsoft in its operating systems, according to data from the Open Source Vulnerability Database. So far in 2005, Microsoft has released patches for 89 vulnerabilities, while Apple has released patches for 81 vulnerabilities, according to Brian Martin, content editor for the OSVDB.

Counting flaws offers little more than a rough approximation of the threat to a particular operating system, Martin said, but it does show that Apple has gained the attention of the security community.

"A lot of the people who do vulnerability research started with Unix, and a lot of hackers have moved to Apple Mac OS X because it is cool and they can do anything they could do on Unix," he said.

Apple adopted its variant of the Unix operating system, the Berkeley Software Distribution or BSD, as the basis for its revamped Mac OS, which it first released in March 2001. Since then the number of flaws discovered that affect the operating system has steadily increased, to 46 in 2004 from 5 in 2001, according to the OSVDB.

However, Mac OS X does not have the same security problems that Windows does, Martin said. In many ways, Apple's operating system gains the advantages of Unix, but because Unix has not historically been a desktop operating system, many of the mistakes made by Microsoft - such as Active X controls' poor security model and unsecured services - are not present, he said. Instead, Apple users primarily need to worry about malicious Web sites that attack through the Safari browser and media files that exploit vulnerabilities in the operating system's applications.

The SANS Top-20, for example, called out five different parts of the Windows operating system, including Internet Explorer, the broad Windows services category, and Windows configuration weaknesses.

Poor configuration of Mac OS X computers is also a worry, according to some network administrators.

"The problem is that there are enough OS X boxes on networks that are not patched, firewalled, and configured that they pose a clear and present danger to the networks they reside on," said one university information-technology specialist posting to the Full Disclosure security mailing list.

Security researchers also worry about Apple's hesitation to speak publicly about its operating system's security. Apple has infrequently commented on the topic of its operating system security or the company's security policies. Apple also declined to comment for this article.

Yet, including the entire operating system as a to-do item on a list of top-20 vulnerabilities is not entirely fair, OSVDB's Martin said.

"In 2005, they have about the same number of vulnerabilities in the operating system as Windows, but Microsoft has a much greater market share," Martin said. "The Mac OS doesn't deserve a spot any more than any other operating system."

SANS's Dhamankar stressed that the intent was not to call the Mac OS X operating system a threat, but to give Mac users a wake-up call. If they have not been paying attention to security, then they should start today, he said.

"There are some people that feel that, if they are running Mac OS X, then all is well," Dhamankar said. "That is no longer true."

Copyright © 2005, SecurityFocus


From isn at c4i.org Fri Dec 2 01:13:43 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 2 01:43:09 2005
Subject: [ISN] ID theft, malware worry U.S. online shoppers
Message-ID:

Forwarded from: Melissa Shapiro

http://www.infoworld.com/article/05/11/30/HNshoppingworries_1.html

By Juan Carlos Perez
IDG News Service
November 30, 2005

More than one fifth of U.S. Internet users will take a pass on online shopping this holiday season due to security concerns, according to a new study released Wednesday.

The concerns most cited by respondents were identity theft, spam, credit-card theft and spyware, according to a survey of 1,005 U.S. Internet users conducted by London-based market researcher Taylor Nelson Sofres PLC.

Among the 78 percent of U.S. Internet users who will shop online during the holidays, 69 percent will curb their purchasing activities due to fears over possible misuse of their personal information, according to the survey. The poll was commissioned by nonprofit organization TRUSTe, which certifies Web sites that comply with the group's privacy protection principles.

Specifically, security concerns will keep some shoppers away from smaller, lesser-known online retailers, out of fear that these vendors are more likely to misuse personal information than their larger, better known counterparts.

The survey, conducted online between Oct. 27 and Nov. 1, has a margin of error of 3 percentage points.

A study released last week reached similar conclusions. Commissioned by the Business Software Alliance and conducted by Forrester Research Inc.'s Custom Consumer Research, that study found that 25 percent of U.S. consumers won't shop online during the upcoming holiday season because of concerns over buying goods online.

Still, online shopping is growing this holiday season, compared with last year's. Between Nov. 1 and Nov. 28, nontravel spending by consumers reached US$7.93 billion, a 24 percent increase compared with the same period last year, according to market researcher comScore Networks Inc.

Specifically during the Thanksgiving weekend (between Thursday, Nov. 24 and Sunday, Nov. 27) and on the following so-called "Black Monday" (Nov. 28), spending grew 26 percent over the same period last year, comScore said Tuesday.


From isn at c4i.org Fri Dec 2 01:13:56 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 2 01:47:22 2005
Subject: [ISN] Federal judge adds 7 years to prison term of 'Dr. Chaos'
Message-ID:

http://www.jsonline.com/news/metro/nov05/374384.asp

By GINA BARTON
gbarton @ journalsentinel.com
Nov. 30, 2005

A computer expert who caused hundreds of thousands of dollars worth of damage in 13 Wisconsin counties won't get out of prison until 2022.

Joseph D. Konopka, 29, who adopted the moniker "Dr. Chaos" during his crime spree, was sentenced on 11 felony charges Wednesday in federal court in Milwaukee.

Konopka, formerly of De Pere, earlier was sentenced to 13 years in prison as a result of federal charges in Chicago, where he was convicted of two felonies for hiding cyanide in an underground tunnel near the subway system. During Wednesday's hearing, U.S. District Judge Lynn Adelman added seven years to that term.

It was the second Milwaukee sentencing hearing for Konopka, who won a new sentence on appeal.

Charges against Konopka included conspiracy, arson, creating counterfeit software and interfering with computers. Using the Internet, he recruited a group of teenage boys and young men known as "The Realm of Chaos" to help him in the crimes.

The group's actions caused about 28 power failures and 20 other service interruptions at power plants throughout Wisconsin, court records show. The group also set buildings on fire, disrupted radio and television broadcasts, disabled an air traffic control system, sold counterfeit software and damaged the computer system of an Internet service provider, according to court records.

In 2003, after reaching a plea agreement with prosecutors, Konopka pleaded guilty to six felonies in connection with the Wisconsin crimes. After his first sentencing hearing, during which Adelman handed down a 23-year prison term, Konopka asked to withdraw those pleas.

Konopka argued that when he made the deal with prosecutors, he did not realize that one of the accusations - an explosives charge - carried a mandatory 10-year sentence that wouldn't begin until after he had served his 13 years on the Chicago counts.

The appeals court ruled in Konopka's favor, after which he pleaded guilty to 11 counts. Prosecutors promised him nothing in exchange.
At the sentencing hearing Tuesday, Konopka's attorney, Bridget Boyle-Saxton, asked for a 17-year prison term, with 13 of those years to be served at the same time as the Chicago sentence. In essence, Boyle-Saxton asked that Konopka do only four more years for the Wisconsin crimes.

Assistant U.S. Attorney Stephen Ingraham asked for a completely consecutive sentence, pointing out that Konopka's actions had caused "damage, destruction, inconvenience and anguish" for thousands of people. Ingraham also told the judge that state prosecutors in the counties where Konopka committed crimes would only agree not to prosecute him there if he got at least a 20-year prison term.

Adelman fashioned a sentence that will net Konopka 20 years in prison between the federal cases in Illinois and Wisconsin.

Before imposing sentence, Adelman said it was hard to understand why Konopka had embarked on a crime spree.

"It's extremely fortunate that no one was hurt or killed," he said.

Konopka also must pay about $436,000 in restitution and spend three years on supervised release after prison.


From isn at c4i.org Fri Dec 2 01:14:10 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 2 01:49:20 2005
Subject: [ISN] Redmond Mulls Emergency Patch for IE Attacks
Message-ID:

http://www.eweek.com/article2/0,1895,1894820,00.asp

By Ryan Naraine
November 30, 2005

Microsoft Corp. is working on a plan to release an out-of-cycle patch to cover a gaping hole in its dominant Internet Explorer browser.

Sources say the MSRC (Microsoft Security Response Center) is aggressively aiming to release the emergency IE fix ahead of the December 13 Patch Tuesday schedule.

Officially, the company isn't commenting on a timeline for the IE patch. A Microsoft spokeswoman said the creation of security updates is "an extensive process involving a series of sequential steps."

"There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges."

However, a source familiar with the company's thinking said the out-of-cycle update is dependent on the patch holding up through a "very rigorous" quality assurance testing process.

"If the patch isn't ready from a quality standpoint, it won't be released. But with an attack already underway, I think you'll see an emergency patch," the source said.

Microsoft late Tuesday updated its security advisory to confirm it was aware of a zero-day exploit and a drive-by malware attack targeting the unpatched vulnerability.

Alex Eckelberry, president of anti-spyware vendor Sunbelt Software, said his company first detected the drive-by downloads earlier this week and reported its findings to Microsoft.

"This is a pretty nasty exploit. You just have to visit the [malicious] site and your computer gets hosed. It's dropping a Trojan downloader that takes control of the victim's machine," Eckelberry said in an interview.

Sunbelt Software researchers have confirmed the exploit is being launched from a handful of malicious Web sites. He said the drive-by exploit was successfully loading pornography-themed spyware programs on fully patched Windows XP SP2 machines.

"If there's one time Microsoft needs to go out-of-cycle with a patch, this is it," Eckelberry declared.

Stephen Toulouse, an MSRC program manager, said Microsoft's anti-virus engine has been updated to detect the latest attack, which drops a piece of malware called TrojanDownloader:Win32/Delf.DH.

Anti-virus vendor McAfee Inc. identified it as JS/Exploit-BO.gen and confirmed it was using the zero-day "Window()" remote code execution exploit released last week by a UK-based group called "Computer Terrorism."

Eckelberry said that he was aware that Kaspersky Lab and Symantec Corp. had updated their virus definitions to detect the latest attack.

In Microsoft's advisory, the company recommends that customers visit its new Windows Live Safety Center and use the "Complete Scan" option to check for and remove the malicious software and future variants.

The Safety Center, which is part of the company's new 'Windows Live' initiative, lets customers run free Web-based computer scans to detect and remove viruses and other known malware. It currently works only on IE and uses an ActiveX Control to scan for and remove viruses. It is also capable of detecting vulnerabilities on Internet connections.

Johannes Ullrich, chief research officer at the SANS ISC (Internet Storm Center), said in a recent interview that the severity of the vulnerability and the public release of exploit code should force Microsoft into releasing an out-of-cycle update.

"This one certainly qualifies for an emergency patch. How much worse can it get? At this stage, you really can't wait for next month to get a fix out there," Ullrich said.

Since moving to a monthly release cycle in late 2003, Microsoft has released three out-of-cycle patches, all for "critical" IE flaws.


From isn at c4i.org Fri Dec 2 01:15:04 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 2 01:51:26 2005
Subject: [ISN] Information Battleground
Message-ID:

Forwarded from: William Knowles

http://www.afa.org/magazine/Dec2005/1205info.asp

By Adam J. Hebert
Senior Editor
December 2005

Across a range of unusual battle-spaces - global computer networks, human psychology, and electronic systems - the Air Force has become fully engaged in information warfare (IW), now deemed a critical element in the worldwide conflict with terrorists.

USAF is concentrating on three IW thrusts: network - that is, computer - operations, "influence" operations, and electronic warfare operations. In these new combat arenas, adversaries, and consequences of their actions, are constantly shifting. Encounters rarely are unambiguous.
Take, for example, an unidentified intruder's success in hacking into the Air Force Personnel Center's Assignment Management System database, used by airmen for assignment planning. The hacker, acting last June, used a legitimate user's log-in and access codes and downloaded the names, birth dates, and Social Security numbers of 33,000 airmen, mostly officers. In so doing, the miscreant, whoever he was, acquired vast amounts of data tailor-made for identity theft - or worse.

Maj. Gen. Anthony F. Przybyslawski, commander of AFPC at Lackland AFB, Tex., said officials became aware of a problem as the information was being downloaded. Security officers shut down the system, but the damage was done. Przybyslawski said the center's security standards simply weren't high enough.

This security breach did not pose a traditional military threat - apparently. However, it immediately focused attention on the difficulty the Air Force has in the ever-changing global information war. What if hackers, terrorists, or hostile nations could acquire something more sensitive? What if the stolen information was not personnel data but schedules for the movement of nuclear warheads or classified stealth aircraft designs?

Building true information security is "indeed a monumental task," said Gen. William T. Hobbins, who led the Air Force's warfighting integration efforts before being confirmed to become the new commander of US Air Forces in Europe. "We have threats from multiple sources, ... everything from hostile attacks to inadvertent compromise."

In the past, spies also have used legitimate access illegitimately to obtain sensitive military information. In one notorious case, retired Air Force MSgt. Brian P. Regan, working for the National Reconnaissance Office, penetrated a classified database and downloaded images and coordinates of Iraqi and Chinese missile sites. He then tried, unsuccessfully, to sell the information to Baghdad and Beijing.
Growing Threat

It is no secret that the US military has become highly dependent on its information systems. USAF defines these systems as including not only computer networks but also command, control, and communications equipment. Potential enemies believe that attacks on these systems constitute an effective way to strike at US military strength.

More than 20 nations, including China and North Korea, possess dedicated computer attack programs. In a 2005 Pentagon report to Congress on Chinese military power, officials wrote that the People's Liberation Army (PLA) sees computer warfare as "critical to seize the initiative," early in a conflict. The goal: achieve "electromagnetic dominance."

The PLA, warned the new Pentagon report, "likely" has established information warfare units able to "develop viruses to attack enemy computer systems and networks" as well as "tactics to protect friendly computer systems and networks."

A Chinese information warfare concept of operations "outlines the integrated use of electronic warfare, [computer attacks], and limited kinetic strikes against key C4 nodes to disrupt the enemy's battlefield network information systems," the Pentagon report observed.

US Strategic Command, DOD's lead organization for network warfare, contends that Pentagon-focused "intrusion attempts" have been growing quickly. In the first half of 2004, DOD suffered through more than 150 hostile intrusion attempts per day. In the first half of 2005, by contrast, there were more than 500 intrusion attempts per day.

The Air Force has seen similar growth in network attacks, but it has generally fended off the threats so far. Both foreign and domestic hackers are responsible.

The more the military comes to rely on network-based operations, the more it must defend those networks, said USAF Lt. Gen. C. Robert Kehler, STRATCOM deputy commander. Hobbins agreed.

"The number and sophistication of attacks have increased," he said, but while "the number of suspected attempts to penetrate our systems has increased, ... the number of actual intrusions has decreased."

Vulnerability Seen

The Pentagon has been at this for a while. In the late 1990s, DOD exercises, plus a number of strange attacks on DOD computer systems, raised the military's awareness of its vulnerability.

In 1997, Pentagon officials launched an internal exercise, code-named "Eligible Receiver." A Red Team of hackers organized by the National Security Agency was instructed to try to infiltrate Pentagon computer networks, using only publicly available computer equipment and hacking software.

Although many details about Eligible Receiver are still classified, it is known that the Red Team was able to infiltrate and take control of some of US Pacific Command's computers as well as emergency systems in major US cities. Eligible Receiver revealed the surprising vulnerability of supposedly secure military networks.

Not long after Eligible Receiver, the US accidentally uncovered Moonlight Maze, a two-year-long pattern of probing of computer systems in the Pentagon, NASA, Energy Department, and university and research labs. Although the attacks, which were believed to have begun in March 1998, were traced to a mainframe computer in Russia, the perpetrators never have been publicly identified and may be unknown to the US. Russia denied any involvement.

Military information could be better protected by moving everything from the public Internet to the SIPR Net, a secret military network, but "the benefits wouldn't outweigh the costs," said Hobbins.

The Defense Department also must be careful not to go too far and make security so intense that it slows down military action. "We go too far when [infosec] restricts our ability to act and attack," said one official. "Our security system should resemble something more like a Kevlar body vest than full body armor."
The trend today is definitely toward protection. "I can tell you that information assurance has clearly increased in budgeting priority," Hobbins said. "We live in a resource-constrained environment, but we do have the means to counter the threats we face."

While the Air Force is continuously studying technologies and vulnerabilities, its IW effort is not completely devoted to fending off attacks. Defensive and offensive information warfare operations are "intrinsically linked and complementary," said Hobbins. He added, "Our efforts focus upon capabilities that will enable us to defend DOD assets and exploit, deny, degrade, disrupt, or destroy adversaries' information [resources]."

STRATCOM would, if so ordered, conduct DOD's information warfare operations. "You can see the potential" for offensive information warfare, said Kehler, by looking at what already has happened to the United States.

Unique Challenge

Strategic Command today is embracing a "unique challenge," said Rear Adm. Thomas E. Zelibor, STRATCOM director of global operations. The command is using information warfare as a way to "get the desired effects without blowing something up."

While officials offer few specifics about what they are trying to accomplish in offensive information warfare, Zelibor said the goal is to "delay or disrupt the decision-making process of your adversaries." This could mean subtly channeling an enemy toward doing "what we want them to do," said Zelibor.

If the goal is to collect intelligence, DOD might want to observe an enemy network that it has compromised and not automatically shut the network down. Similarly, there is a critical need to be able to track lone individuals in the war on terror and not necessarily kill or capture them right away.

Army Gen. Bryan D. Brown, head of US Special Operations Command, testified before Congress this year that his "No. 1 technological shortfall" is the inability to "persistently and remotely locate, track, and target a human."
Seeing who terrorists interact with, listening in on their phone calls, and later swooping in to seize paperwork and laptops can yield a treasure trove of coveted "actionable" information. Kehler said the most dramatic near-term improvements in intelligence probably will come through fusion, not new sensors. The "big leverage today" will come by "bringing it all together," he said. Data mining, a relatively new intelligence tool, is a big part of the fusion effort. SOCOM has a standing intelligence collaboration center that "has been used extensively in supporting unique special operations requirements" in Iraq and Afghanistan, said Brown. The collaboration center uses "the equivalent of a Google search engine," explained Air Force Maj. Gen. Donald C. Wurster, deputy director of SOCOM's Center for Special Operations. "Whenever we have people go out around the world, they're bringing information back and plowing it into an infrastructure that enables us to mine it later," he said. Wurster told Congress this summer that as troops "were rolling guys up in Iraq," SOCOM would run the information on fugitives through SOJICC, the Special Operations Joint Interagency Collaboration Center. The center "printed out a notebook that would fit in a soldier's thigh pocket," Wurster continued. The information would tell the troops everything known about a captured terrorist or insurgent: "Here's who his family is, here's where he's from, here's who he's hooked up with." Wurster described SOJICC as "the most significant piece of horizontal integration we have ... as a consumer of other people's expertise." The Air Force plays a major role in gathering the tactical information needed for immediate use on the battlefield. Immediate Impact USAF's fleet of RC-135 Rivet Joint aircraft, for example, gathers signals intelligence and flies missions of up to 24 hours - seemingly making it ideal for the war on terror. 
Rivet Joint crews can listen in on enemy radio and cell phone conversations, providing immediate impact on the ground in Afghanistan and Iraq. Information gathered from the air is "key to how soldiers and marines do their jobs," said Col. Dennis R. Wier, commander of the 55th Operations Group at Offutt AFB, Neb. The RC-135 is so valuable, Wier said in an interview, that US Central Command and US Pacific Command have the Nebraska-based aircraft assigned to them around the clock, and Rivet Joints fly over Afghanistan every day. Lt. Col. Ron Machoian said the crews know they are making a difference. "We hear it," said Machoian, commander of the 38th Reconnaissance Squadron at Offutt. "I can listen to us informing an engagement on the ground, while I'm airborne." Intelligence personnel are in short supply, however. Maj. Jeff Lauth, acting director of operations for the 97th Intelligence Squadron at Offutt, said staffing for many positions is "critically low." The airmen have skills that are in high demand outside the Air Force. Enlisted airborne crypto-linguists are a particular concern. Wier said this summer that the 55th Wing was only 35 percent manned in linguists, partially because it takes up to three years to train new ones. To help fill the need, the Air Intelligence Agency recently created the Offutt Language Learning Center to help train linguists. Language needs are much broader than during the Cold War. In addition to the "traditional" Russian speakers, DOD needs fluency in Arabic, Pashtu, Farsi, Dari, Urdu, Korean, and Mandarin Chinese. RC-135s don't have weapons, noted the language center's 1st Lt. Brandon Middleton, so "language is the weapon it takes to the fight." Linguists cannot work without equipment, and obtaining the intelligence needed is an ongoing challenge. Wier noted that the RC-135s have their onboard equipment completely upgraded every year or two to ensure the US can continue to "get" enemy information. It "blows you away, ... 
the type of things you can do" with the latest airborne intelligence equipment, said Maj. Gen. John C. Koziol, who was then commander of the 55th Wing and now heads the Air Intelligence Agency. Constant upgrades and deployments make training difficult, he added. It is hard for Rivet Joint aircrews to keep current with the technology, Koziol said, because each RC-135 variant has its "own little quirks." This is a necessary evil. Lt. Col. John Rauch, commander of the 338th Combat Training Squadron, noted that upgrades come directly from operational lessons. Combat aircrews continually develop new tactics and ideas for better equipment. Protecting Data The Air Force Information Warfare Center's IW Battlelab is tasked with quickly developing solutions to many of these operational needs. One recently fielded example is "Lockjaw," a device to quickly destroy computer hard drives so that US information does not fall into enemy hands. Col. David D. Watt, AFIWC commander, said the unit is working to build within USAF an awareness of the importance of defending and exploiting information. The center has an aggressor squadron conducting vulnerability assessments, Watt said, trying to get in base gates, access computers, and see what it can "piece together" from various sources. Officials are often surprised to learn what is found even in open sources. A study on information operations in Iraq by the Air Force Command and Control and Intelligence, Surveillance, and Reconnaissance Center at Langley AFB, Va., described one security risk that came from an unlikely place - the Pentagon. A B-1B bomber mission targeting Saddam Hussein received much publicity in the early days of Operation Iraqi Freedom. Details of the mission and crew members' full names, commanding officer, and home base were widely reported. This was "an egregious OPSEC [operations security] violation [that] potentially put the family members ... at risk," stated the study. 
AFIWC commander Watt said influence ops in particular are still on "the ground floor" doctrinally, and the center is trying to get the rest of the Air Force to understand what information warfare brings to the fight. Even something as simple as "the truth" can be applied in different ways, noted Maj. Tadd Sholtis in the fall 2005 Air & Space Power Journal. If it is a military objective to deter an enemy from taking action, both an information operation and a public affairs tactic can be engaged. The "IO influence tactic" would be to broadcast radio and television messages describing the futility of challenging the superior US military. The "PA tactic," meanwhile, would "demonstrate military resolve by promoting media coverage of the deployment of combat-capable forces to the region," Sholtis wrote. STRATCOM's Zelibor said it is difficult to create metrics - battle damage assessment, if you will - judging the effectiveness of DOD's information efforts. Even so, he noted, strategists can tune in to foreign news sources to "look for the effects."

Copyright Air Force Association

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Dec 2 01:14:22 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 2 01:57:48 2005
Subject: [ISN] Cisco IOS security hole surfaces in Web server code
Message-ID:

http://www.networkworld.com/news/2005/113005-cisco-ios.html

By Phil Hochmuth
NetworkWorld.com
11/30/05

Security researchers this week said they discovered a hole in the Web server code in Cisco's IOS software.
The flaw could allow attackers - armed only with knowledge of the Cisco device's IP address - to gain administrative control of a Cisco device or run arbitrary code on the machine, according to claims. The vulnerability - as reported by the security organizations Secunia and SecurityFocus - could allow a potential attacker to view a memory dump (a record of the data in a router's memory) of an IOS router via the HTTP server and inject script code into the router through the HTTP server. Attackers could use this method to get administrator-level access to a Cisco router or switch or run code on the device.

The vulnerability only affects Cisco routers running IOS HTTP servers, which are used as an alternative management interface to the text-based command line for configuring routers. Cisco IOS versions 11.0 and higher are vulnerable, due to the fact that they ship with the HTTP server software. The HTTP server is not enabled by default in most IOS versions installed on routers shipped from Cisco, according to the company's Web site. However, resellers, carriers and other partners could enable the HTTP server for management purposes when deploying the device in customer networks.

Cisco is aware of the claims of the IOS HTTP vulnerability, a company spokesperson says, and is investigating the issue. An advisory will be sent to customers if deemed necessary by the company.

From isn at c4i.org Fri Dec 2 01:30:50 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 2 02:04:44 2005
Subject: [ISN] Ex-Gov't Worker Sentenced In Prostitution Case
Message-ID:

http://www.thekansascitychannel.com/news/5439171/detail.html

December 1, 2005

KANSAS CITY, Mo. -- A federal judge on Wednesday sentenced a former employee of the U.S. Department of Health and Human Services to four years probation for using her computer access at work to promote prostitution. Candice Smith, 44, of Blue Springs, pleaded guilty in July to unauthorized computer intrusion.
Her sentence includes four months of home detention. As part of her plea, Smith admitted making illegal inquiries into the LexisNexis database, which was available to her in her job as a payment recovery specialist for the Center for Medicaid Services, an agency of the Department of Health and Human Services. According to prosecutors, Smith had been working as a prostitute and used information from LexisNexis to help her avoid arrest and prosecution. Candice Smith told KMBC by phone that she wants to go on with her life and raise her children, but she can't get a job. She said the media coverage of her case has destroyed her life and hurt her family. Her ex-husband, Tom Smith, wants custody of the boys, ages 8 and 11. "There are two boys involved. Why now, when you get caught, do you think of the children?" Tom Smith told KMBC's Maria Antonia. Tom Smith said he had hoped his ex-wife would end up in prison. "She just got away with it," Tom Smith said. He was in the courtroom Wednesday to raise his concerns about Candice raising their boys. "We took our case to social services, and they said unless she was making the children watch her perform sexual acts, there was nothing they could do to help us out," Tom Smith said. He said he will fight for custody of the children in court. Meanwhile, the federal judge said Smith's case is not about prostitution -- it's about a federal employee using a computer illegally. 
From isn at c4i.org Mon Dec 5 04:08:56 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 5 04:23:02 2005
Subject: [ISN] Gartner: 2005 hurricanes prompt more companies to store data off-site
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,106641,00.html

By Lucas Mearian
DECEMBER 01, 2005
COMPUTERWORLD

The number of companies making copies of data to protect it has dramatically risen in the wake of hurricanes Katrina and Wilma this year, but most of those companies are keeping that duplicate data locally where it's still vulnerable to disasters, according to a survey released yesterday by Gartner Inc. The September survey of 104 North American IT managers showed that 45% of respondents back up or replicate data to another disk, up from just 6% who did so in 2004. But 70% of the respondents who make backups do so to a local device. Adam Couture, an analyst at Stamford, Conn.-based Gartner, said that if companies hope to truly protect their data, they have to electronically copy it to an off-site facility either owned by the company or a service provider.

Dale Caldwell, a systems programmer at Grange Insurance Group in Seattle, said that until a year ago, his company performed nightly tape backups that took four hours to complete and stored the tapes at an office in another part of the city. But after 9/11 and a recent spate of natural disasters, regulators pushed the company to establish disaster recovery plans that include off-site data replication. As a result, Caldwell chose to replicate data between a virtual tape library (VTL) in his main data center and one in an off-site location in Spokane, Wash. -- 230 miles away. He is using a VTL controller from Bus-Tech Inc. in Burlington, Mass., to store and retrieve mainframe tape data sets, eliminating most of his tape infrastructure. "The [off-site replication] has been really wonderful. There's a lot of time savings to it," Caldwell said.
Caldwell said the disk-to-disk replication knocked two hours off his nightly backups and allowed him to trim the time needed for data restorations from two hours with tape to 45 minutes with disk. Christopher Varner, chief technology officer at DDJ Capital Management LLC in Wellesley, Mass., said he is considering a move away from tape backup to an electronic backup scheme using an online data backup and recovery service from EVault Inc. in Emeryville, Calif., and protection services from SunGard Data Systems Inc. in Wayne, Pa. DDJ Capital plans to install a backup storage server on its LAN running EVault software for regular backups to restore deleted files locally. The firm also plans to have a duplicate backup server making copies over the Internet to a SunGard data center also running EVault. "This enhances our disaster recovery capabilities and also makes backups easier for my staff," Varner said. "No more taking tapes home every night or dealing with the hassle of rotating our tape library in the bank safe deposit box." The local vault will be used as necessary to restore deleted files, and the off-site backup will be used for disaster recovery. The Gartner survey also showed that IT managers are more comfortable considering managed storage services to copy data off-site. Over the past two years, Couture said, surveys have shown that between 30% and 40% of IT managers would never use a third-party service provider. But in the most recent survey, that number had plummeted to just 6%. "The survey showed me the barriers to managed service providers are really coming down," he said. The survey also showed that security is becoming a priority for IT managers because of a number of highly publicized data-loss incidents this year. Fifty-five percent of those surveyed said they encrypt all backup files, and 50% said they will review internal policies surrounding access to backup data. 
"One of the advantages of using a service provider for remote backup service is they encrypt everything before it's set, and of course, nobody is touching a physical tape or putting it on the truck," Couture said. The prospect of service-provider culpability is also a top concern for many respondents, with 40% saying they plan to review the security policies and procedures of their physical tape archiving service providers. Another one-third said they may switch to another service provider. The physical loss of tapes can often be blamed on the fact that the physical transportation of tapes involves many "hands" moving them from their silo slots to bins to transport trucks to a physical archive location, to their storage slots and back again, Gartner said in its report. Eliminating all touch points also eliminates the possibility of human error or theft, Couture said. In light of that, 35% of survey respondents said they plan to switch to network-based backups, while another 20% cited plans to move to disk-to-disk-based storage. From isn at c4i.org Mon Dec 5 04:07:19 2005 From: isn at c4i.org (InfoSec News) Date: Mon Dec 5 04:23:28 2005 Subject: [ISN] 7,800 linked to USD told of network security breach Message-ID: http://www.signonsandiego.com/news/business/20051203-9999-1b3breach.html By Bruce V. Bigelow UNION-TRIBUNE STAFF WRITER December 3, 2005 The University of San Diego has notified almost 7,800 individuals, including some faculty members, students and vendors, that hackers gained illicit access to computers containing their personal income tax data. The compromised data included names, Social Security numbers and addresses, according to a letter signed by Douglas Burke, the private Catholic university's director of network and systems operations. 
The undated letter aggravated many recipients, though, because it provided no details about the breach and offered no specific recommendations on steps they could take to protect their personal banking and credit accounts. "It's one of the worst security breach notice letters I've ever seen," said Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego nonprofit consumer group once affiliated with USD. "I'm outraged," said Michael Shames, who teaches part-time at USD's law school and shares an office with Givens as executive director of the Utility Consumers' Action Network, a nonprofit consumer advocacy group. "I was just astounded that a university would go to such lengths to keep their own people in the dark about something like this." A USD spokeswoman voiced regret about the shortcomings of the letter, which was mailed Wednesday, and the breach in USD's computer network, which was discovered Nov. 14. "It's a very unfortunate situation, and we're very empathetic to the folks who have been impacted by this," said the spokeswoman, Pamela Gray Payton. She said it was USD's first computer security breach. A hacker or hackers gained access for an unknown period to a computer server on campus that is used to print W-2, 1099 and 1098T tax forms, Payton said. The compromised data included information from 2003 and 2004 for certain vendors, consultants, student aid recipients and employees. Payton could not say if any administrators or trustees were affected, saying the computers containing the data were used to generate the letters automatically. "If a trustee received a check or W-2 form, then they were affected," said Payton, who noted she received a copy of the letter yesterday afternoon. Under California law, companies and organizations that operate computerized databases with sensitive personal information are required to alert people whose data has been compromised by computer break-ins. 
The law was intended to help people prevent identity theft, a crime in which thieves use stolen personal data to get credit cards and loans and make purchases using someone else's name. Once alerted, consumers can monitor their bank and credit accounts more closely and request that a fraud alert be posted on their credit reports. But the law does not specify what information should be included in the notice, or when it must be sent. "If you're somewhat Web-savvy and you read the news, you'll know that there is nothing new about these security breaches," Givens said. In April 2004, for example, hackers pierced network security at the University of California San Diego and accessed personal data on an estimated 380,000 students, alumni, faculty, employees and applicants. But Givens said the required notice letter really is an opportunity to tell people what they need to do. "A good letter will say, this is how you contact the three credit reporting bureaus, and this is how you put a fraud alert on your accounts," Givens said. Such information is available online at her group's Web site, www.privacyrights.org, and from the Federal Trade Commission, www.consumer.gov/idtheft. "Not having had this experience before, what we're willing to do now in retrospect is make that information available to people who call the university," Payton said. University officials also were investigating the feasibility of putting the information on USD's Web site.

From isn at c4i.org Mon Dec 5 04:07:49 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 5 04:24:14 2005
Subject: [ISN] Mac OS X security under scrutiny
Message-ID:

Forwarded from: "Thor (Hammer of God)"

> SANS's Dhamankar stressed that the intent was not to call the Mac OS
> X operating system a threat, but to give Mac users a wake up call.
> If they have not been paying attention to security, then they should
> start today, he said.
If the intent was simply a "wake up call," then why is it listed as one of "The Twenty Most Critical Internet Security Vulnerabilities???" Classifying it as "Most Critical" doesn't really fit when one claims to be merely increasing awareness for "some people that feel that, if they are running Mac OS X, then all is well." It brings the validity of the entire list into question. But then again, so does claiming that AV software itself is one of the most critical vulnerabilities when any real-world experience still shows that outdated AV, not the AV itself, is a far greater concern.

t

From isn at c4i.org Mon Dec 5 04:08:13 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 5 04:25:18 2005
Subject: [ISN] Linux Advisory Watch - December 2nd
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  December 2nd, 2005                        Volume 6, Number 49a     |
+---------------------------------------------------------------------+

Editors: Dave Wreski                     Benjamin D. Thomas
         dave@linuxsecurity.com          ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for zope, gtk, centericq, gdk-pixbuf, horde2, inkscape, chmlib, fuse, netpbm, and the kernel. The distributors include Debian, Gentoo, and Mandriva.

----

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/linsec

----

Hacks From Pax: SELinux Policy Development

Hi, and welcome to the final entry in my series of articles on SELinux. My last three articles have provided an overview and history of SELinux, discussed how SELinux makes access decisions, and explained how to administer an SELinux system. Today we'll build on the SELinux knowledge we've gained and learn how to perform basic customization of our system's security policy. Customizing your system's SELinux policy can be necessary when running an application your policy is unaware of. Particularly, web based applications might need customization of Apache policy in order to run properly.

Setting Up a Policy Development Environment

For the purposes of this article, I'll assume you have a server running EnGarde Secure Community 3.0 (a free downloadable ISO image is available). EnGarde Secure Linux is a good base for learning SELinux policy since it is a server system only, which allows for a policy that is easier to understand than distributions such as Fedora which include many policy modules for X11 and other desktop applications.

First, log in as root and transition to the sysadm_r role. Generally policy development is best done with SELinux in permissive mode, so use the setenforce command to set the proper mode. Be sure your system is upgraded to the latest release by issuing the apt-get update command, and then install the necessary policy development packages by entering apt-get install make m4 gcc python engarde-policy-sources. Other packages may be installed due to dependencies.

Compiling Policy

Once this is done, you should change to the policy sources directory, which is /etc/selinux/engarde/src/policy/. The main part of the policy sources is the policy/modules directory, which contains directories that contain your actual policy source modules for all services and applications constrained by SELinux.
The first time you compile a policy, you must make the configuration files by typing make conf in the main policy directory. This creates the modules.conf and policy.conf files. Now you can compile the policy by entering make policy. This gathers all the modules and compiles them into a binary policy that is directly used by SELinux. The next step is to install the newly compiled policy by issuing the make install command. Next, you must reload the policy by typing make reload. If you have changed file specifications, you also need to relabel the file system based on the new policy; this is done by typing make relabel. Finally, return to enforcing mode using the setenforce command.

One way to speed up this process is to issue all of the compilation commands in a single command line, as shown below.

# setenforce 0 && make policy install reload relabel reload && setenforce 1

Read Entire Article: http://www.linuxsecurity.com/content/view/120837/49/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
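The policy rebuild procedure above chains every step with &&, which has one operational weakness: if any make target fails (a syntax error in a .te file, say), the chain stops before the final setenforce 1 and the host stays in permissive mode until someone notices. The script below is an added example, not code from the article or from EnGarde; it wraps the same make targets and restores the original mode whichever way the build goes. It assumes the policy source path given in the article, the standard getenforce/setenforce/make commands, and a hypothetical POLICY_SRC variable that can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the article): rebuild and reload an SELinux policy
# from source while guaranteeing that enforcing mode is restored even when a
# build step fails. The article's one-liner
#   setenforce 0 && make policy install reload relabel reload && setenforce 1
# never reaches "setenforce 1" if any make target fails, so a broken module
# silently leaves the host permissive.
#
# Assumptions: the EnGarde policy source path from the article, the standard
# getenforce/setenforce/make commands, and a hypothetical POLICY_SRC variable.

POLICY_SRC="${POLICY_SRC:-/etc/selinux/engarde/src/policy}"

# The build steps from the article, run as separate targets so the first
# failure stops the chain and its exit status is preserved.
run_policy_steps() {
    make policy && make install && make reload && make relabel && make reload
}

# Switch to permissive, build, then always put the original mode back.
# Returns the build's exit status, or 1 if the mode switch itself fails.
rebuild_policy() {
    command -v getenforce >/dev/null 2>&1 || {
        echo "getenforce not found: is SELinux installed?" >&2
        return 1
    }
    saved_mode=$(getenforce)          # Enforcing, Permissive or Disabled
    if [ "$saved_mode" = "Disabled" ]; then
        echo "SELinux is disabled; nothing to reload" >&2
        return 1
    fi
    setenforce 0 || return 1          # permissive: denials are logged, not blocked
    build_rc=0
    ( cd "$POLICY_SRC" && run_policy_steps ) || build_rc=$?
    # Restore enforcing mode no matter how the build went. A failure here is
    # reported loudly because a permissive host is the worse outcome.
    if [ "$saved_mode" = "Enforcing" ]; then
        setenforce 1 || {
            echo "WARNING: host is still permissive; run setenforce 1" >&2
            return 1
        }
    fi
    if [ "$build_rc" -ne 0 ]; then
        echo "policy build failed (exit $build_rc); enforcing mode restored" >&2
    fi
    return "$build_rc"
}

# Usage: sh rebuild-policy.sh run    (file name is hypothetical)
if [ "${1:-}" = "run" ]; then
    rebuild_policy
fi
```

The script deliberately does not relabel unless the full chain succeeds, matching the article's ordering, and it refuses to run when SELinux reports Disabled, since setenforce cannot change that state at runtime.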
http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New zope2.7 packages fix arbitrary file inclusion
  24th, November, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120884

* Debian: New gtk+2.0 packages fix several vulnerabilities
  29th, November, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120908

* Debian: New centericq packages fix denial of service
  30th, November, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120909

* Debian: New gdk-pixbuf packages fix several vulnerabilities
  1st, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120917

* Debian: New horde2 packages fix cross-site scripting
  1st, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120918

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Macromedia Flash Player Remote arbitrary code
  25th, November, 2005
  A vulnerability has been identified that allows arbitrary code execution on a user's system via the handling of malicious SWF files.
  http://www.linuxsecurity.com/content/view/120893

* Gentoo: Inkscape Buffer overflow
  28th, November, 2005
  A vulnerability has been identified that allows a specially crafted SVG file to exploit a buffer overflow and potentially execute arbitrary code when opened.
  http://www.linuxsecurity.com/content/view/120900

* Gentoo: chmlib, KchmViewer Stack-based buffer overflow
  28th, November, 2005
  chmlib and KchmViewer contain a buffer overflow vulnerability which may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120901

* Gentoo: chmlib, KchmViewer Stack-based buffer overflow
  28th, November, 2005
  chmlib and KchmViewer contain a buffer overflow vulnerability which may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120903

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated fuse packages fix vulnerability
  24th, November, 2005
  Thomas Beige found that fusermount failed to securely handle special characters specified in mount points, which could allow a local attacker to corrupt the contents of /etc/mtab by mounting over a maliciously-named directory using fusermount.
  http://www.linuxsecurity.com/content/view/120891

* Mandriva: Updated netpbm packages fix pnmtopng vulnerabilities
  30th, November, 2005
  Greg Roelofs discovered and fixed several buffer overflows in pnmtopng which is also included in netpbm, a collection of graphic conversion utilities, that can lead to the execution of arbitrary code via a specially crafted PNM file.
  http://www.linuxsecurity.com/content/view/120913

* Mandriva: Updated kernel packages fix numerous vulnerabilities
  30th, November, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120914

* Mandriva: Updated kernel packages fix numerous vulnerabilities
  30th, November, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120915

* Mandriva: Updated kernel packages fix numerous vulnerabilities
  30th, November, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120916

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Dec 5 04:08:31 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 5 04:26:39 2005
Subject: [ISN] FBI Delays Awarding Contract For Computer-System Overhaul
Message-ID:

http://online.wsj.com/public/article/SB113357762116313178-d8t1EtVGKdN0tsFNRNNcqn9AbtE_20061203.html

By ANNE MARIE SQUEO
Staff Reporter of THE WALL STREET JOURNAL
December 3, 2005

FBI officials, nervous about making another costly mistake overhauling the agency's antiquated computer system, have postponed awarding the contract for the high-profile job until next year. Two of the nation's biggest defense contractors -- Lockheed Martin Corp. and Northrop Grumman Corp. -- are competing for the information-technology system, dubbed Sentinel. Federal Bureau of Investigation officials were scheduled to announce the winner last month. But they have postponed the selection until at least early next year, according to two government officials. The delay is in part because of a desire to avoid the mistakes that plagued Sentinel's disastrous predecessor, the Virtual Case File system.
FBI Director Robert Mueller pulled the plug on that project in April after four years and about $170 million. "At this time, we are currently in the middle of source selection, so it would be inappropriate to provide a specific release date," said FBI spokesman Richard Kolko. FBI officials have been seeking additional information for weeks from the two companies and haven't yet made a recommendation to senior FBI officials. Much is riding on the project's success. Congress and other overseers pilloried the FBI for its reliance on paper records, forms and file cabinets. The FBI only last year completed the rollout of the Internet to its agents and analysts. And even though the bureau installed a computerized case-management system in the mid-1990s, it relied largely on aging, less-agile technology to do so. And it did little to eliminate the department's notorious number of paper forms -- currently numbering more than 1,000. Having been hauled before Congress numerous times to explain the bureau's technology problems, Mr. Mueller has staked his legacy on installing a system that will streamline internal processes, speed investigations and improve information-sharing with other agencies. The Sept. 11 commission criticized the FBI's lack of information sharing that could have helped prevent the terrorist attacks. "There is no agency that needs the best information-sharing mechanisms more than the FBI," Attorney General Alberto Gonzales said in a press briefing on Friday. "Bob [Mueller's] focused on it. I'm focused on it. The president is focused on it and so are members of Congress." Lockheed, of Bethesda, Md., and Los Angeles-based Northrop are the only two bidders for the project, which likely would total in the hundreds of millions of dollars. No target price has been released. Industry and government officials have expressed surprise that no other bidders emerged but said the intense scrutiny of the project may have been a disincentive. 
Science Applications International Corp., which handled the earlier project, was criticized publicly when Mr. Mueller canceled it. Also, the window of opportunity to bid was fairly narrow -- the request for proposals went out in August with responses due in October. Further, bidders had to put together a working prototype. FBI Chief Information Officer Zalmai Azmi said some potential vendors decided to team up rather than compete on their own. The Lockheed team, for example, includes Accenture Ltd., Computer Sciences Corp., CACI International Inc. and others. Northrop hasn't disclosed its teammates. Industry officials acknowledge the job is enormous. "This is a big complicated system" because of the variety of issues the FBI investigates -- such as terrorism, white-collar crime, kidnappings and insurance fraud, said one industry executive who asked not to be identified because of the ongoing competition. In white-collar investigations, for example, often "bank records all have to be pulled into the case-file system, and some of these cases have 13 million financial transactions," this person said. With a wide variety of investigations, the FBI must be able to collect and store information in several different systems -- top secret, secret, classified, and sensitive but unclassified -- and any given document might contain information that falls into all four categories. Thus, the new system needs strict security controls to prevent information from falling into the wrong hands, such as in the case of rogue FBI agent Robert Hanssen, sentenced to life in prison for stealing and selling secrets to the Russians over two decades. Lockheed and Northrop are banking on their expertise integrating sophisticated weapons systems for the military to give them an edge on the FBI's problems. And both companies also have experience working with the Justice Department and the FBI on other projects. 
Write to Anne Marie Squeo at annemarie.squeo @ wsj.com From isn at c4i.org Mon Dec 5 04:08:41 2005 From: isn at c4i.org (InfoSec News) Date: Mon Dec 5 04:27:58 2005 Subject: [ISN] DSW to beef up computer security in US settlement Message-ID: http://www.localnewsleader.com/brocktown/stories/news-00107611.html Staff and agencies 03 December, 2005 WASHINGTON - Shoe retailer DSW Inc. (NYSE:DSW - news) agreed to beef up its computer security to settle U.S. charges that it did not adequately protect customers' credit cards and checking accounts, the Federal Trade Commission said on Thursday. DSW said this spring that identity thieves had gained access to debit card, credit card and checking account information of more than 1.4 million customers, one of a string of such security breaches announced by U.S. companies this year. Identity thieves have generated fraudulent activity on some of those accounts, resulting in out-of-pocket charges for some customers, the FTC said. The FTC said the company engaged in an unfair business practice because it created unnecessary risks by storing customer information in an unencrypted manner without adequate protection. As part of the settlement, DSW set up a comprehensive data-security program and will undergo audits every two years for the next 20 years. DSW operates approximately 190 stores in 32 states. It had been a subsidiary of Retail Ventures Inc. (NYSE:RVI - news) until June, when it was spun off in an initial public offering. DSW issued a statement on Thursday saying it did not agree with all the allegations made by the FTC. But it said the settlement "validates the importance we place on security and brings closure to this matter." The company has said information was stolen from 108 stores. The transaction information stolen involved 1.4 million credit cards and 96,000 checks. Other companies to report such problems include Bank of America Corp. (NYSE:BAC - news) and ChoicePoint Inc. 
(NYSE:CPS - news), where the thefts involved thousands of individuals' data. From isn at c4i.org Mon Dec 5 04:09:08 2005 From: isn at c4i.org (InfoSec News) Date: Mon Dec 5 04:29:17 2005 Subject: [ISN] Fremont Man Busted for Fake Prescriptions Message-ID: http://www.nbc24.com/Global/story.asp?S=4195206 Kevin Milliken kmilliken @ nbc24.com December 2, 2005 (Fremont, OH) --- You could say 27-year old Chad Mockensturm had a bad week. Now he's spending his birthday behind bars. Fremont police say Mockensturm recently got fired from a car audio dealer and ended up living in a Fremont motel. But detectives call Mockensturm a "gadget guy" who cooked up an elaborate computer scheme to make fake prescriptions and feed an addiction to painkillers. "I wouldn't say he's a computer genius, but I would say fairly intelligent," said Tony Emrich, a Fremont police detective. "This is not your average prescription fraudulent activity." Police say the scheme started with a keychain gadget known as a wi-fi finder, which scans for wireless Internet service. Once Mockensturm found a signal, detectives say he would park his van in front of someone's house, steal their wireless Internet access, and download the prescription painkiller information he needed --- without them ever knowing it. Once he returned to his motel room, detectives say Mockensturm would plug the painkiller information into his computer, then scan an actual prescription, rewrite it, and print out a bogus batch. Police say the real prescription was for a name-brand drug. But without medical insurance, Mockensturm could only afford a cheap high-- so he went for generic painkillers. Mockensturm got busted waiting in line at Kroger, when workers at the pharmacy smelled fraud. "We're glad we picked this up fairly early on, because I think in time he would have realized what he was capable of doing with his intelligence and it could have been a real big headache for us," Emrich admitted.
Police call the case a warning shot for all wireless Internet users, especially those that don't protect their access with security measures. Detectives admit Mockensturm could have stolen all sorts of personal information from people, but only wanted drugs. From isn at c4i.org Mon Dec 5 04:09:37 2005 From: isn at c4i.org (InfoSec News) Date: Mon Dec 5 04:38:05 2005 Subject: [ISN] Federal flaw database commits to grading system Message-ID: http://www.theregister.co.uk/2005/12/04/common_vulnerability_database/ By Robert Lemos SecurityFocus 4th December 2005 A federal database of software vulnerabilities funded by the US Department of Homeland Security has decided on a common method of ranking flaw severity and has assigned scores to the more than 13,000 vulnerabilities currently contained in its database, the group announced last week. The National Vulnerability Database, unveiled in August, completed its conversion to the Common Vulnerability Scoring System, an industry initiative aimed at standardizing the severity rankings of flaws. The CVSS gives vulnerabilities a base score that measures the intrinsic severity of the flaw, a temporal score that measures the current danger - which could be lessened by a widely available patch, for example - and an environmental score that measures an organization's reliance on the vulnerable systems. "There does not exist or ever will exist a perfect technique for scoring vulnerability impact," said Peter Mell of NIST, which manages the database. "CVSS appears to work very effectively and it was better than my current scoring system and so it made sense to adopt it." The move to the Common Vulnerability Scoring System gives the flaw-ranking initiative a major boost. Created by security researchers at networking giant Cisco, vulnerability management software provider Qualys and security company Symantec, the CVSS has not been used widely, though many companies are considering scoring flaws with the system. (SecurityFocus is owned by Symantec.)
The grading of the previous vulnerabilities on the CVE list solves a problem that hampered adoption of the Common Vulnerability Scoring System, said Gerhard Eschelbeck, chief technology officer for Qualys and one of the founding members of the CVSS team. "With the introduction of CVSS as a standardized vulnerability scoring system, the question appeared, how do we go back and score all the historical vulnerabilities released?" he said. "It is very encouraging to see NVD has taken on this big task, providing comprehensive CVSS scoring for even historical vulnerabilities." To date, no software vendor has yet graded vulnerabilities in its product using the Common Vulnerability Scoring System. Microsoft, for example, has its own severity-grading system and has considered but not committed to supporting the CVSS. Microsoft's current scoring system - rating flaws as one of four levels of severity - works well for its customers, said a spokesperson for the software giant. The company did not rule out a future move to the ranking system, however. Some software makers worry that rating vulnerabilities could have some legal implications. For example, if a company gave a flaw a low rating and then that issue was used as an avenue for a costly attack, the firm could be held liable for its severity ranking. Such worries have caused companies to take their time debating the merits of adopting the Common Vulnerability Scoring System, said Gavin Reid, team lead for the CVSS program at the Forum of Incident Response and Security Teams (FIRST), which was chosen to host the CVSS project. "I think there are significant hurdles for people adopting the scoring system," said Reid, who also works for Cisco, one of the companies that supported the creation of the CVSS. "But once one or two of them start using it, I think we will see a lot more adopting CVSS."
For that reason, the National Vulnerability Database's decision to use the scoring system and the group's ranking of more than 13,000 previous vulnerabilities has given CVSS a major boost, Reid said. The NVD is managed by the National Institute of Standards and Technology (NIST) but funded through the Department of Homeland Security. The group's staff adds 16 new vulnerabilities to the database each day, up from 8 per day in August, and keeps a variety of current statistics, including a measure of the workload that the release of such flaws has on network administrators. The National Vulnerability Database (NVD) is an initiative funded by the US Department of Homeland Security to boost the preparedness of the nation's Internet and computer infrastructure, as called for by the Bush Administration's National Strategy to Secure Cyberspace. Other DHS initiatives, such as the US Computer Emergency Readiness Team (US-CERT), release some information on serious vulnerabilities, but do not try to create a complete collection of critical and non-critical flaws. The NVD piggybacks on the Common Vulnerabilities and Exposures (CVE) list to do just that. CVE, a listing of publicly known vulnerabilities maintained by the Mitre Corporation, supplies the identifiers; the NVD itself expands on the Internet Catalog (ICAT), a previous NIST project that archived the vulnerabilities defined by the CVE list. The NVD team scored the vulnerabilities using an automated process. The CVE database only had about 80 percent of the information needed to give an exact score, Mell said, so the group has generated the scores based on the information at hand and labeled each one "approximate." The CVE definitions are one of the standards that the National Vulnerability Database depends on. The database also uses the Open Vulnerability and Assessment Language (OVAL) to describe the security issues in a standard language, NIST's Mell said.
"The reason we chose CVSS as opposed to another scoring system was that we believe in standards," Mell said. "If everyone uses a different scoring system, then the effectiveness of each scoring system is limited." Currently, the database gets nearly 1.5 million hits a month from the private sector as well as government and academic users, Mell said. The group also provides a calculator for companies to generate an environmental score based on the vulnerable systems and the company's use of those systems. Copyright (c) 2005, SecurityFocus From isn at c4i.org Mon Dec 5 04:09:22 2005 From: isn at c4i.org (InfoSec News) Date: Mon Dec 5 04:38:37 2005 Subject: [ISN] Cybersecurity czar concept meets resistance in Britain Message-ID: http://www.washingtontechnology.com/news/1_1/daily_news/27522-1.html By Alice Lipowicz Staff Writer 12/02/05 Calls from a Member of Parliament to appoint a British cybersecurity czar are being greeted with skepticism from the U.K. information technology industry. Mark Pritchard, a Conservative MP for The Wrekin parliamentary constituency, is urging the government to name a cybersecurity czar to address the growing threat against online commerce and national security in the United Kingdom. "The rise of the professional hacker has serious implications for the UK, particularly in relation to national defense," Pritchard said in a speech [1] posted on his Web site. "I just wondered whether the Government would consider...appointing a cybersecurity czar and having a cybersecurity day or week, which would include the private and public sectors." Pritchard also noted the danger of cyberattacks against key critical infrastructures such as energy, transport, finance, telecommunications and aviation. "A penetration of any of those networks would be a serious threat to national security - not least when it comes to the potential to access Britain's 14 nuclear power stations," Pritchard said.
Initial IT industry reaction to Pritchard's request appeared to be negative, with the argument that the United Kingdom already has sufficient safeguards in place to protect the cyberenvironment. "As security experts said on Tuesday, there are already plenty of organizations charged with protecting us online," stated a Dec. 1 editorial [2] in ZDNetUK, an online IT publication. Instead of a cybersecurity czar, the editorial calls for stronger anti-cybercrime legislation, less red tape for reporting cybercrimes, and more resources for cyber law enforcement as more effective measures to strengthen cybersecurity. [1] http://www.markpritchard.com/search/article.php?id=144 [2] http://comment.zdnet.co.uk/other/0,39020682,39239299,00.htm From isn at c4i.org Tue Dec 6 05:33:11 2005 From: isn at c4i.org (InfoSec News) Date: Tue Dec 6 05:54:41 2005 Subject: [ISN] Computer security incidents cost NZ businesses millions Message-ID: http://www.nbr.co.nz/home/column_article.asp?id=13723 December 5, 2005 Internet security breaches are costing New Zealand businesses between $140 million and $240 million a year, a new study shows. According to an Internet Security Survey conducted by the Employers and Manufacturers Association Northern in November, the range was "conservatively estimated" from the lowest to the median costs of the disruptions reported by 356 businesses, extrapolated across the country's 123,000 businesses employing more than one person. About half the sample's respondents said the cost in the last 12 months was between $500 and $10,000, including rework, lost work, repairs and lost business. Despite the cost of vulnerability, many businesses are failing to protect themselves in even the most rudimentary of ways, the study shows. "For instance, 91 per cent of companies employing 20 people or less have antivirus software installed compared to 84 per cent of companies employing more than 20 people.
55 per cent of smaller companies have deployed anti-spyware compared to 49 per cent of larger firms," said EMA communications manager Gilbert Peterson. Investment in IT remained static from 2004 to 2005, the survey said, with 51.2 per cent of respondents spending less than $19,000 this year, compared to 51.8 per cent in the last survey in March 2004. Of that relatively modest investment, 55.8 per cent invested five per cent or less on security in 2005 -- level pegging with the 55.7 per cent that spent five per cent or less in 2004. Nor are businesses taking advantage of the automatic security updates that are widely seen as essential to combating fast-evolving internet threats. "It's disturbing that the number automatically updating their internet security systems has dropped," Mr Peterson said, from 90.3 per cent in 2004 to 75.2 per cent in 2005. "If these systems products are not regularly updated there is little point in having them. "Though more businesses are allowing staff access to the internet at work - now up to 65 per cent - staff internet policies have not kept pace, while training on safe internet practices has dropped from 67.2 per cent in 2004 to 55.9 per cent in 2005. "Nonetheless the survey shows the great majority of businesses are using security software at some level. Overall 88 per cent of respondents have installed antivirus software; 77 per cent have in place firewall software or an appliance; and overall 63 per cent have spam filtering. However, only 26 per cent use intrusion prevention software and 24 per cent URL blocking," he said. "This year's survey attracted a far higher response rate than last time, over double, with 530 respondents in all compared to 230 previously, keeping pace with the growth of internet threats. "The range of internet security breaches has become broader and more complex. Twenty one months ago, the top security concerns were limited to viruses, hackers and spam.
Now the list includes Trojans, worms, spyware and email scams such as phishing, and others," said Mr Peterson. Fifty-one per cent of total respondents have been the target of a phishing expedition, the study showed, and businesses are receiving an average of 98 spam emails per day. That's down from 21 months ago, the survey said, as spam filtering appears to be working. This year, five per cent of the survey sample report getting 51-100 spam emails a day compared with 12 per cent reporting the same volume in the last survey. Only 9.1 per cent of businesses are still on a dial-up internet connection, with 34 per cent on high speed broadband connections, though many are dissatisfied with its reliability, speed and cost. Nearly 11 per cent of respondents cited broadband reliability, speed and cost as one of their top two IT issues. Handheld devices are now a pervasive part of the mix, the study showed. In 2004 just 12 per cent had a handheld device in their business; now 49 per cent have them, with 51.8 per cent using one or more converged devices. From isn at c4i.org Tue Dec 6 05:33:24 2005 From: isn at c4i.org (InfoSec News) Date: Tue Dec 6 05:55:25 2005 Subject: [ISN] ID thieves try to steal millions from U.K. taxman Message-ID: http://news.com.com/ID+thieves+try+to+steal+millions+from+U.K.+taxman/2100-7348_3-5983318.html By Andy McCue Special to CNET News.com December 5, 2005 The British government has come under fire after it emerged ministers have known for months that criminals were using stolen identities to make fraudulent online tax credit claims worth millions of pounds. HM Revenue and Customs, the U.K.'s tax authority, was warned about the flaw more than six months ago. However, it only closed the tax credit Web portal down last week after it discovered criminals had used the identities of 1,500 government employees at the Department of Work and Pensions to make fraudulent claims. The tax credit Web site handles around half-a-million transactions a year.
The fraudsters were able to change claim details and redirect the money into their own bank accounts by getting hold of a genuine claimant's name, date of birth and National Insurance number, which is the U.K. version of a Social Security number; those three details were all the portal required to authenticate a change. The fraud involving innocent staff at the Department of Work and Pensions only came to light during compliance checks by HM Revenue and Customs. British lawmakers were told that the tax credit Web site has been hit by more than 30 million pounds, or about $52 million, in fraudulent claims. The police have now been called in, and a representative for the tax agency declined to comment further while the criminal investigation is going on. However, the representative said the tax credit Web site will remain down until the review of its security is completed. David Laws, the Work and Pensions spokesman for the Liberal Democrats, slammed the Labour government and said ministers must make a statement as to why they took so long to take action to stop the fraud. "This complicated and chaotic system is wide open to fraud," he said. "Ministers have known for some time that organized criminals were using the Internet to defraud the system." The debacle is yet another embarrassment for the U.K. government's flagship tax credits program, which has suffered from problems since it was launched in 2003. Much of that has been down to an IT system described as a "nightmare" by British lawmakers. EDS was last month forced to shell out 71 million pounds, or about $123.5 million, to HM Revenue and Customs to settle a dispute over problems with the tax credits IT system.
Copyright (c) 1995-2005 CNET Networks From isn at c4i.org Tue Dec 6 05:33:48 2005 From: isn at c4i.org (InfoSec News) Date: Tue Dec 6 05:56:15 2005 Subject: [ISN] Security 'head honcho' role divides firms Message-ID: http://software.silicon.com/security/0,39024655,39154826,00.htm By Will Sturgeon 5 December 2005 The noise being made about the importance of having a dedicated security professional within organisations and the actual number of such appointments appear greatly at odds. Recent figures show only a quarter of companies currently have a chief security officer (CSO), leading some to say the resistance is a result of businesses recognising a fad when they see one. Jay Heiser, research VP at Gartner, told silicon.com he believes companies still need to better understand the security challenge and said many companies will begin to realise the value of a dedicated "figurehead" in helping them grasp concepts such as risk. "There are more and more companies putting them in place," said Heiser of the slow but steady growth in popularity of CSOs and chief information security officers (CISO). But he admits many may be put off by what sounds like yet another vanity job title. "Today lots of organisations see the way to jumpstart and manage a process is to put a 'C' in front of somebody's job title," said Heiser. "But I wouldn't say it's a fad." But nor is a CSO or CISO right for every firm. Heiser said the size, complexity and connectivity of the organisation are all going to be factors in determining whether such an appointment is a necessary addition to the workforce. As such Heiser said banks and other financial services firms are ahead of the curve in terms of adopting a high-level dedicated information security professional. He said ecommerce and other highly web-dependent businesses are also leading the way.
The CSO is charged with gaining a greater understanding of how business and security are complementary, rather than the latter being a restriction on the former, with MBAs a favoured qualification over more technical letters after their name, said Heiser. Heiser added he was surprised by a recent MORI poll which found that only 24 per cent of organisations have appointed a CSO. This was despite the fact that 30 per cent believe they face a high risk of being targeted or hit by a security breach. Companies with 500-plus employees are beginning to acknowledge the need for a CSO - or at least more so than their smaller peers, with 41 per cent saying they do employ a dedicated security chief. At smaller companies the figure fluctuated around the mid-teens in percentage terms. Within these results there is also a further breakdown in terms of what companies expect from their security chief. Gartner's Heiser said the distinction between CISO and CSO is important, as the former tends to deal solely with the safeguarding of data and information while the latter may also have a role which encompasses physical security of premises and employees. Of those respondents to the MORI survey who do have a CSO, 58 per cent employ that person to manage all security policy and processes within the enterprise - both physical and digital. Simon Perry, VP security strategy at CA, which commissioned the MORI survey, told silicon.com: "The presence of a CSO is usually indicative of a sense of maturity in the approach to security." "Good security implementation comes first and foremost from the fostering of a secure culture in an organisation. It's not about the technology it's the people and processes too." The CSO is responsible for creating and steering that culture, said Perry.
From isn at c4i.org Tue Dec 6 05:34:15 2005 From: isn at c4i.org (InfoSec News) Date: Tue Dec 6 05:57:15 2005 Subject: [ISN] Security's Shaky State Message-ID: http://www.informationweek.com/story/showArticle.jhtml?articleID=174900279 By Ted Kemp, Secure Enterprise InformationWeek Dec. 5, 2005 Resourceful I.T. security professionals are getting the job done, but their efforts have been hampered by undersized staffs and underfunded budgets that limit choices ranging from what products they buy to the vendors they work with. The third annual Strategic Deployment Survey conducted by Secure Enterprise, an InformationWeek sister publication, polled more than 1,500 IT-security pros about their companies' security and their tactics for dealing with challenges. Follow-up interviews provided even more details on the state of IT security. Shortfalls in security staffing and budgets aren't new, of course. But what makes the situation more nerve-racking are the regulatory risks and compliance requirements that fall to the IT security department, adding cost and work at a time when budgets are growing only moderately, if at all. Case in point: One multibank holding company with 500 employees and assets of almost $2 billion recently implemented monitoring, encryption, and intrusion-prevention technologies to assist its adherence to the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Bank Secrecy Act, and the Health Insurance Portability and Accountability Act. But the company's chief information security officer, who asked to remain unidentified, still has a bleak security outlook. "Our staffing levels are inadequate and have an impact on our ability to maintain systems in accordance with our policies and standards," he says. "This problem won't improve. Hopefully, we can do more automation and less hands-on administration and monitoring." He's not alone in his pessimism. The survey shows IT security staffing almost unchanged from last year--and, in a word, deficient. 
Forty-four percent of this year's respondents describe their security groups as moderately understaffed, with 21% saying they're severely understaffed. Last year, those numbers were 45% and 20%, respectively. "I've yet to meet anyone who has all the staff and money they need," says Peter Clissold, information security manager at the Edmonton Police Service, one of Canada's largest law-enforcement agencies. The agency lacks well-segregated IT security roles and doesn't have the staff to carry out demonstrable audit or review exercises, Clissold says. However, he adds, the organization has identified its security gaps and has managed to get support from executives to address those shortfalls. Managing expectations is important for handling staffing inadequacies, Clissold says. It's vital to define what should be expected from IT security groups--and what they expect from management--to deliver an expected level of service. Security managers must know their business and be innovative and resourceful. "We must be skilled communicators and negotiators with those in senior positions," he says. Being resourceful often means having users take more responsibility for security measures, says Justin Bell, a security specialist at a Wisconsin engineering consulting firm. Bell's IT staff sends out a monthly security newsletter and E-mail messages that get users to perform tasks that IT might normally handle. For example, during a recent switch from static IP addresses to the Dynamic Host Configuration Protocol, Bell's group took advantage of users' efforts and cut its workload to 30 machines from 360. Linked to frustration about understaffing is concern that not enough IT dollars are earmarked for security. And sometimes, IT-security managers say, that translates directly to greater organizational vulnerability. Shrinking Dollars The survey shows shrinking numbers at both the high and low ends of IT security budgets. 
Significantly, only 16% of this year's respondents say less than 1% of their IT budget is spent on security, down from 19% who made the same claim last year. However, the portion of readers who put their security budgets at 16% or more of their IT spending shrank as well, down to 7% this year from 9% last year. "Budgets are increasing, but they're still a sliver of the overall budget," says Kelly Hansen, CEO of information-security consulting firm Neohapsis and a columnist for Secure Enterprise. Around 38% of respondents say 1% to 5% of their IT dollars go to security. But the majority of security professionals aren't satisfied with their budgets--to the point of sometimes feeling helpless. For Jody Simmonds, IT security architect at the Washington state Department of Health, part of the problem is that her security office doesn't have its own budget. Instead, security must draw money from the agency's network-services budget. "Security should have its own budget," she says. "We're at the mercy of another section, and they may have different priorities." Although Neohapsis' Hansen sees security budgets increasing somewhat, she acknowledges the compliance onus that has fallen on security managers. Moreover, she says, vulnerabilities unrelated to compliance are increasing. External attackers, for instance, "used to be 15-year-old kids but are now sometimes linked to organized crime." Several factors influence how security managers spend the money they have. The top five drivers in this year's survey were improved business practices, auditing regulations, industry standards, security breaches from external sources, and legislative regulations. Despite staffing and budgetary shortfalls, IT security managers continue to implement new security procedures and dedicate staff specifically to security. Twenty-nine percent of respondents, up one percentage point from last year, describe their IT security structure as a formal dedicated team.
The portion of organizations that use individuals within IT to carry out security as only a secondary part of their jobs fell to 35%, down from 40% last year. Other organizations are building an overall "culture of security." Even when a dedicated security staff exists, the job often involves educating IT and non-IT staff about security risks and needs. "Everyone plays a role in security, and security is everyone's responsibility," says Kim Milford, information security officer at the University of Rochester. Training and awareness are critical aspects of the school's security program. Part of the university's IT security staff's work is helping employees understand their roles and responsibilities, providing guidance on risk assessment, and implementing controls. Complex But Secure Sometimes security managers find themselves working within complex security structures, answering to various supervisors and drawing on myriad sources of assistance. That's the situation for Tim Donahue, security manager for the U.S. Army's Distributed Learning System, which conducts online training for soldiers. "Our structure is complex, but it's complex in that the Army places extraordinary emphasis on information security," says Donahue, who is the sole person dedicated to security within the learning system. A contracting firm runs the enterprise-management center, however, and lends its own security engineer. Various entities in the Department of the Army handle information security, and Donahue can reach out to them as necessary on issues from troubleshooting to compliance monitoring. Survey results also show a growing commitment to put higher-level people in charge of security. Last year, only 12% of survey respondents reported that their organizations had a chief security officer. This year, that number rose to 18%. Similarly, only 12% of last year's respondents said they had a chief information security officer; this year, that figure climbed to 22%. 
One pronounced shift from last year: the importance of compliance issues for assessing risk before information-security purchases. Regulatory compliance and noncompliance issues ranked fifth among methods for assessing risk in 2004, with just under half of respondents saying they look at compliance before making security purchases. This year, compliance ranked first at more than 60%, leapfrogging input from peers, internal audits, informal risk analyses, and penetration testing as a method for gauging risk. Neohapsis' Hansen isn't surprised that compliance hit the top spot as a risk-assessment driver. Rather, she's perplexed it took this long. "There's a general lack of awareness among IT security professionals about what role they're going to play in compliance," she says. Part of the problem is that IT security pros still haven't learned how to "talk the talk" of compliance, Hansen says. Once they do, they'll find they have a bigger voice when it comes to getting budget outlays and the support they need to do their jobs. IT gets more clout when it's the company arm delivering adherence to regulations for which executives are sometimes held personally responsible. "The emergence of HIPAA and other laws that regulate security and privacy also has helped to move information security from a technical control to a business control," says the University of Rochester's Milford. "Prior to HIPAA, info security was considered a binary switch: 'Just make it secure.' But now it has become part of the risk assessment an organization must go through to determine how best to conduct business." The Sarbanes-Oxley Act leads the way when it comes to regulations with which organizations must comply. About 42% of readers say they have to adhere to Sarbanes-Oxley, followed by HIPAA at 38%; the Federal Privacy Act of 1974 at 35%; and the USA Patriot Act at 26%.
Winner: Integration
It's not surprising that, strapped as they are for resources and time, security professionals want products and suppliers that let them do their jobs with minimal hassle. Integration with existing networks is the capability survey respondents say they most look for in a product. Tools that don't work well within an existing architecture can be worse than ineffective--they can create new risks. The next-most-sought-after features were performance, in second place, and high availability, in third. When it comes to choosing a vendor, reliability is again key. The most highly desired quality in a vendor is responsiveness to product security problems, followed by reputation. Readers rank E-mail-borne viruses and worms as carrying the highest risk among the threats listed in this year's survey, followed by unknown vulnerabilities in commercial products and in Web and custom applications. Hansen is surprised that E-mail viruses and worms rank so high. Most antivirus software does a good job, she says, though browser-based attacks present a major and growing problem.
Perceived Threats
Respondents rank internal attacks as a relatively low threat, despite the plethora of research showing that internal attacks, those committed by employees, are a major threat. Last year's poll showed similar results, with external attacks ranked riskier than internal ones by a wide margin. Donahue says that while internal threats may in fact be a greater risk than external threats at his organization, that's only because it has managed to eliminate or mitigate serious external threats. "We've spent so much time and effort on containing external risk that we have brought it down to the point that it's become more likely that we'll be exposed to an internal risk," he says. There's a level of trust that's part of the IT-employee relationship, he says, and if background checks come back clean, Donahue has done his due diligence and it's reasonable for him to assume the best from his staff.
There's more than that at work in security managers' thinking, Hansen says. Quite often, it's the external breaches, not the internal ones, that get IT security professionals fired. Other times, IT security staff might not even be made aware of how serious internal threats can be. Also, security managers sometimes tend to see internal threats as more of a human-resources problem than an IT one. Among the technologies deployed by readers, antivirus ranks highest on the perimeter, on internal networks, on desktops, and for messaging security. Antivirus software and similarly older, more-robust applications are common within organizations because they're "low-hanging fruit," Hansen says. Moreover, they present good metrics that can be shown to higher management. "Those are the kinds of things that allow you to say, 'Hey, I'm providing value to the organization,' " she says. And to a large extent, being able to show value is the name of the game for IT security managers who are struggling to meet intensifying threats and surging compliance requirements with inadequate staff and budgets. Still, most IT security experts continue to find workarounds and fixes to handle their security needs, despite the lack of support they sometimes receive from executive management.
-=- How The Survey Was Conducted
Secure Enterprise posted its third annual deployment survey on the Web from Aug. 3 to Aug. 17. It also provided links to the poll on networkcomputing.com, secureenterprisemag.com, and in newsletters and the print magazine. E-mail messages also were sent with an embedded link to the poll to subscribers of Secure Enterprise, Network Computing, and IT Architect (formerly Network Magazine), and members of the Computer Security Institute. The survey received 1,522 valid responses from IT security administrators, managers, midlevel executives, and corporate execs. Approximately 20% were chief security officers, chief information security officers, or senior security managers.
Roughly 22% were executive managers; the rest were administrators.
-=- Download: More Reader Survey Results
Third Annual Strategic Deployment Survey Results http://i.cmpnet.com/nc/1619/graphics/Poll_Results.zip
From isn at c4i.org Tue Dec 6 05:41:51 2005 From: isn at c4i.org (InfoSec News) Date: Tue Dec 6 05:59:24 2005 Subject: [ISN] Thieves in the site Message-ID:
http://www.smh.com.au/news/banking/thieves-in-the-site/2005/12/05/1133631195585.html By Peter Weekes December 6, 2005 Regulators and financial institutions are finally starting to realise what security specialists have warned for a long time: the internet is not a particularly secure place to do your banking. Over the past few years financial institutions have encouraged consumers to move online, as it is cheaper for them to operate a website than a local branch network. The strategy has worked. Last year the number of people with online banking accounts doubled to seven million, according to the Market Intelligence Strategy Centre. But financial institutions have been slow to provide customers with secure transactions. Instead, organisations such as the Australian Bankers Association have put the onus on consumers to buy firewalls and anti-virus software to protect their computers. This attitude is slowly changing, with overseas regulators calling on banks to adopt more stringent security than a simple - and highly susceptible - password. Internet fraud cost Australian banks about $25 million last year, and that doesn't include the country's 60-odd credit unions that may have been affected. In a paper presented at the recent Information Warfare and Security Conference, Matt Warren, head of the school of information systems at Deakin University, said only 23 of the 181 institutions that offer internet banking provide customers with security stronger than a password. "The concern that I have is the duty of care that the banks have to protect their customers," he told Money.
"Banks are focusing on maximising profit, they aren't focusing on maximising security." He concedes that any method of protection is a temporary solution, as the internet was not created to transmit sensitive personal information, but adds that banks still have an ethical responsibility to ensure it is safe to do business with them online. However, banks are reluctant to adopt high-protection measures such as biometrics (retina scans and fingerprints) because of the cost to the bottom line, he says. Warren doubts that regulation forcing banks to provide certain types of protection will be successful in stopping fraud. By the time the regulation is implemented in the fast-moving world of internet technology, he argues, hackers will have developed new techniques to beat the system, and the consumer will be left with antiquated protection. Nonetheless, US federal regulators say passwords are no longer sufficient. They have told the banks they must provide additional identity verification by the end of next year. Similar moves are under way in Britain and Europe. The Australian Bankers Association is encouraging its members to voluntarily introduce two-factor authentication systems. This means customers must identify themselves twice, first with something they know and then with something they have. For example, to use the website they might enter a password and then a randomly generated one-time-only string of numbers. This can be sent to the user by SMS, an approach adopted by the National Australia Bank, or by a security token, used by HSBC and others. "The idea of that is that if someone has captured your password, they won't have obtained the other information, so they can't masquerade as you," Warren says. The security tokens are small digital devices that customers can carry around on their key rings. On a home computer, passwords could be captured by trojan programs, which record the key strokes you have entered and send them back to the hacker. 
Because the tokens generate a real-time, one-time-only sequence of numbers, the captured keystrokes are worthless to any fraudster. Neal Wise is a professional hacker. He co-founded Assurance.com.au and worked with a number of banks to test the tokens before they were introduced. "They certainly do make a contribution," he says. "When you use a password that you have agreed upon with your financial institution, it is a static value and, if you don't frequently change it, it could be compromised. "Even if you do change it, it is done in the internet banking site. "The tokens provide more randomisation that would prevent an attacker from being able to guess the string of values that you enter in from the token as well as your password and user name." A number of banks offer customers such tokens, but HSBC is the only one willing to foot the bill. "We take the view that ensuring adequate levels of protection for customers is the bank's responsibility," says HSBC's Australian head of direct banking, Liz Kimber. "We thought it appropriate that we fund it. Other banks see it in a different light, but that's what we decided." The Australian Consumers Association agrees. Its senior finance policy officer, Nick Coates, says extra security is needed and the cost should be picked up by the banks. "You don't expect customers to pay for the security guards outside a bricks-and-mortar bank, so you wouldn't expect consumers to pay for the upgraded IT," he says. Wise doesn't think new technology is the only answer. He is most concerned about an online facility known as "pay-anyone". Until recently most banks didn't put a limit on the amount that could be transferred out of a fund. This meant that a hacker could clear out an entire account without alerting anyone until it was too late. "The pay-anyone facility is dangerous," Wise says. "That is why banks are now putting reasonable limits on the daily amounts that can be transferred." 
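The one-time code the article describes is, in current practice, usually a time-based one-time password (TOTP, RFC 6238, built on the HOTP construction of RFC 4226). The block below is an added example, not code from the article or from any of the banks it names, showing how such a code is generated and how a server should verify it. The shared secret is the published RFC 4226/6238 test-vector secret; the 30-second step, six-digit length and one-step drift window are assumptions chosen for illustration. It also makes explicit the caveat the article's claim needs: a code captured by a keylogger is worthless only once its time window has passed or once it has already been accepted, so the verifier must refuse any counter at or below the last one it honoured.

```python
"""TOTP (RFC 6238) generation and server-side verification with replay
rejection. Added example, not code from the article or from any bank it
names. SECRET is the RFC 4226/6238 test-vector secret; TIME_STEP, DIGITS
and the drift window are assumptions for illustration."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector secret (not a real key)
TIME_STEP = 30                     # seconds per counter value (assumed)
DIGITS = 6                         # code length (assumed)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 64-bit counter,
    dynamically truncated to a 31-bit integer, reduced mod 10^digits and
    zero-padded to the code length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238) is HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step)


class TokenVerifier:
    """Server-side check of a submitted token code. Accepts codes for the
    current step and `window` steps either side (clock drift), but never a
    counter at or below the last one accepted, so a replayed code fails."""

    def __init__(self, secret: bytes, step: int = TIME_STEP, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1  # highest counter value already honoured

    def verify(self, code: str, unix_time: int) -> bool:
        # Reject anything that is not exactly DIGITS ASCII digits before comparing.
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        counter = unix_time // self.step
        for c in range(max(0, counter - self.window), counter + self.window + 1):
            if c <= self.last_counter:
                continue  # already used, or older than a used code: replay
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def demo_replay() -> tuple:
    """The keylogger scenario from the article: the attacker captures the
    code the customer typed at t=59 and replays it one second later, while
    the code is still inside the drift window. Returns (genuine, replay)."""
    verifier = TokenVerifier(SECRET)
    code_typed_by_customer = totp(SECRET, 59)
    genuine = verifier.verify(code_typed_by_customer, 59)   # customer's own login
    replay = verifier.verify(code_typed_by_customer, 60)    # attacker's replay
    return genuine, replay


if __name__ == "__main__":
    print("code at t=59:", totp(SECRET, 59))
    print("(genuine, replay) =", demo_replay())
```

Without the `last_counter` check the replay at t=60 would succeed, because 60 still maps to a counter inside the one-step window; the time-based code alone only defeats a captured keystroke that is used later, not one relayed within seconds. That residual exposure is why the daily transfer limits discussed next still matter even with tokens deployed.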
Wise says there are also problems with two-factor authentication: the SMS approach is dependent on the reception of the mobile phone, while tokens can be expensive and cumbersome if people have multiple accounts, each of which will require its own different device. For more information on secure online banking, visit the following websites: http://www.bankers.asn.au; http://www.choice.com.au
SECURITY CHEAT SHEET
* Regularly change passwords. Don't use one that's easily guessed, such as a birthdate.
* Use a different password for each site.
* Never respond to any email requesting your details and passwords and don't follow links in an email.
* Always enter the web address in your browser to go to your bank's site. To make sure you're at a legitimate site, click/double click on the padlock symbol and check the security certificate.
* Ensure your operating system (for example, Windows), email program and browser have the latest security updates and patches.
* Install antivirus, anti-spyware and firewall software and keep them up to date. New threats are created every day.
* Avoid using public computers, such as those in internet cafes, for online banking.
* Don't give your account details, PINs or access codes to anyone, including family or friends, or anyone who calls asking for them, even if they say they're from your bank.
* Don't select "save password" on computer programs or websites.
* Log off as soon as you finish internet banking and close your browser.
* Regularly check account statements and notify your bank immediately if you believe your password has been compromised or you notice unauthorised transactions.
Source: Australian Consumers Association
From isn at c4i.org Wed Dec 7 01:17:33 2005 From: isn at c4i.org (InfoSec News) Date: Wed Dec 7 01:38:36 2005 Subject: [ISN] Hackers Steal Sensitive Data using Digital Cameras Message-ID:
http://www.it-observer.com/articles.php?id=966 By IT Observer Staff 6 December 2005 Following a spate of reports about Bluetooth and iPod devices being used to steal sensitive data from organizations, businesses are now being urged to be vigilant as attackers use digital cameras to sidestep security measures. "Camsnuffling", the latest headache for IT managers, is the use of a digital camera by an attacker to extract and store data. A digital camera, just like an iPod or a Bluetooth device, is a simple digital storage device: plugging it into a computer's USB port lets an attacker copy sensitive data onto it. Ian Callens, Icomm Technologies, explains: "This is a very difficult issue to manage and a real threat to business continuity and data security. If someone is seen in the workplace using an iPod it's more than likely that it's for the wrong reasons - either podslurping or downloading music without permission. This is relatively easier to police." Many companies use digital cameras as part of their working day, which makes it difficult at first glance to determine whether a camera is being used for work or for theft. In these businesses it is very hard to enforce USB usage policies and not feasible simply to block USB ports. "There are, however, steps that can be taken to reduce rogue behaviour," said Callens. "Firstly, regularly change system passwords that employ both letters and numerals. Secondly, issue internal memos to ask all to be vigilant, stating that observations are being undertaken. Thirdly, consider adopting specific software to monitor activity to actively manage the access rights to removable storage devices.
This should ensure that business productivity is not affected, while actively guarding against the removal of data or the introduction of inappropriate or malicious content to the network."
From isn at c4i.org Wed Dec 7 01:17:44 2005 From: isn at c4i.org (InfoSec News) Date: Wed Dec 7 01:39:18 2005 Subject: [ISN] Hacker posts image on Foreign Office website Message-ID:
http://www.computerweekly.com/Articles/2005/12/06/213289/HackerpostsimageonForeignOfficewebsite.htm By Bill Goodwin 6 December 2005 A Foreign and Commonwealth Office website was defaced by a hacker last week, raising questions about the department's security procedures. The hacker, using the alias Shadow Moon, bypassed the department's firewalls to post a picture of a space alien on the website http://forms.fco.gov.uk in the early hours of Monday morning. The hacker is believed to have exploited vulnerabilities either in the Windows 2000 operating system or in applications running on the site. Web defacement was common three years ago, but today it is unusual for high-profile websites to leave themselves open, said Phil Robinson, technical director at security firm IRM. "The government has got very capable security policies in place, led by its Computer Electronic Security Group. There is not really an excuse for falling prey to these attacks," he said. A Foreign Office spokesman said an auxiliary server had been defaced by the hacker, but the image was swiftly removed. "It did not affect service to the public or in any way endanger government information," he said.
From isn at c4i.org Wed Dec 7 01:17:54 2005 From: isn at c4i.org (InfoSec News) Date: Wed Dec 7 01:39:59 2005 Subject: [ISN] Symantec bites the hand that feeds.. Message-ID:
http://www.osvdb.org/blog/?p=70 December 6th, 2005 Just over ten years ago (95-09-15) *Hobbit* wrote a little tool called netcat (aka nc), swiftly dubbed the "TCP/IP Swiss Army knife".
*Hobbit* was affiliated with the l0pht, which was later purchased by @stake, which was later purchased by Symantec. At some point (circa 1998), Weld Pond ported the netcat utility to Windows. Weld was an original member of the l0pht and later the Director of Research and Development with @stake. Weld's version was distributed at @stake for some time. Suffice it to say, the l0pht, @stake and its members/employees supported netcat's use and distribution. Jump forward to today, and Symantec now classifies netcat on a system as a High Risk Impact. As aj reznor asked, "is that to say that SYM bought a company known then for offering naughty things?" Let us also remember that Symantec owns SecurityFocus which conveniently offers the tool in their tool repository. Also amusing are Symantec's "technical details" for this "hacker tool":
Hacktool.NetCat arrives as a tool commonly carried by malicious components and dropped on the compromised computer for remote exploitation. When Hacktool.NetCat is executed, it performs the following actions:
1. Transmits data across network connections.
Yes, there is no number two on the list. Hopefully Symantec will have the foresight to classify TCP/IP stacks as "Hacktool.TCPIP" and label it a "High Risk Impact" if found on a system.
From isn at c4i.org Wed Dec 7 01:17:01 2005 From: isn at c4i.org (InfoSec News) Date: Wed Dec 7 01:44:02 2005 Subject: [ISN] New Sony CD security risk found Message-ID:
http://news.zdnet.com/2100-1009_22-5984764.html By John Borland ZDNet News December 6, 2005 Sony BMG Music Entertainment and the Electronic Frontier Foundation digital rights group jointly announced Tuesday that they had found, and fixed, a new computer security risk associated with some of the record label's CDs. The danger is associated with copy-protection software included on some Sony discs created by a company called SunnComm Technologies.
The vulnerability could allow malicious programmers to gain control of computers that have run the software, which is typically installed automatically when a disc is put in a computer's CD drive. The issue affects a different set of CDs than the ones involved in the copy-protection gaffe that led Sony to recall 4.7 million CDs last month, and which has triggered several lawsuits against the record label. "We're pleased that Sony BMG responded quickly and responsibly when we drew their attention to this security problem," EFF staff attorney Kurt Opsahl said in a statement. "Consumers should take immediate steps to protect their computers." The announcement is the latest result of the detailed scrutiny applied by the technical community to Sony's copy-protected discs, after a string of serious security issues were found to be associated with the label's antipiracy efforts. The record label's copy-protected discs have been on the market for more than eight months. But in late October, blogger Mark Russinovich discovered that they surreptitiously installed a "rootkit" programming tool. Rootkit tools are typically used by hackers to hide viruses on hard drives, so Sony's move opened up a potentially serious security hole. The controversy escalated as other researchers discovered new security flaws associated with the copy-protected CDs, which used technology from British company First 4 Internet. Virus writers began distributing malicious code that took advantage of the holes. The label recalled all the discs with the First 4 Internet technology installed, offering an exchange program for consumers who had purchased any of the 52 CDs affected. Following those revelations, the EFF asked computer security company iSec Partners to study the SunnComm copy protection technology, which Sony said has been distributed with 27 of its CDs in the United States. 
iSec found the hole announced Tuesday and notified Sony, but news of the risk was not released until SunnComm had created a patch. Sony said another security company, NGS Software, has tested the patch and certified that it addresses the vulnerability. The patch can be downloaded from Sony's site. A list of the CDs affected in the United States, and a slightly different list in Canada, is also posted on the site. Sony said it will notify customers though a banner advertisement directly in the SunnComm software, as well as through an Internet advertising campaign.
From isn at c4i.org Wed Dec 7 01:17:12 2005 From: isn at c4i.org (InfoSec News) Date: Wed Dec 7 01:44:42 2005 Subject: [ISN] 9/11 panel faults government on cybersecurity Message-ID:
http://news.com.com/911+panel+faults+government+on+cybersecurity/2100-7348_3-5984743.html By Joris Evers Staff Writer, CNET News.com December 6, 2005 The federal government is not making enough progress in protecting critical infrastructures such as communications networks and the Internet, said former members of the commission that investigated the attacks of Sept. 11, 2001. Progress also is lacking in airline security and providing radio spectrum to first responders, according to the 9/11 Public Discourse Project [1], which is made up of the 10 individuals--five Republicans and five Democrats--who served on the Sept. 11 commission. The 9/11 Public Discourse Project on Monday issued a report card with an A- for battling terrorist financing, but all 40 of the other grades (see PDF [2]) were lower. "There are far too many C's, D's and F's in the report card we will issue today. Many obvious steps that the American people assume have been completed have not been. Our leadership is distracted," the project leaders said in a statement.
Critical infrastructure protection initiatives [3] received a D: No risk and vulnerability assessments have been made; no national priorities have been established; and no recommendations have been made on allocation of scarce resources, according to the report. "All key decisions are at least a year away. It is time that we stop talking about setting priorities, and actually set some," the former commissioners wrote. The shortcomings are "shocking" and "scandalous," according to the 9/11 Public Discourse Project. The government also was faulted for a lack of agency information-sharing that's needed to strengthen intelligence, members said. The former commissioners also critiqued the work on new, more secure ID cards according to the Real ID Act [4]. New standards for issuing birth certificates continue to be delayed until at least early 2006. "Without movement on the birth certificate issue, state-issued IDs are still not secure," according to the report. In addition, Congress has failed to take a leading role in passport security, the report said. The system to check foreign visitors is not working as it should, according to the 9/11 Public Discourse Project. The US-Visit (U.S. Visitor and Immigrant Status Indicator Technology [5]) screening system is running, but not yet at all borders and the exit component has not been widely deployed, the commissioners wrote. The 9/11 Public Discourse Project has now been disbanded. The commissioners have called on the public and government to act on the recommendations. 
[1] http://www.9-11pdp.org/
[2] http://www.9-11pdp.org/press/2005-12-05_report.pdf
[3] http://news.com.com/Homeland+Securitys+vague+cyber+plan/2100-7348_3-5937715.html
[4] http://news.com.com/FAQ+How+Real+ID+will+affect+you/2100-1028_3-5697111.html
[5] http://news.com.com/Biometric+pilot+program+to+tighten+U.S.+borders/2100-7348_3-5456989.html
From isn at c4i.org Wed Dec 7 01:16:04 2005 From: isn at c4i.org (InfoSec News) Date: Wed Dec 7 01:46:39 2005 Subject: [ISN] Firm Allegedly Hiding Cisco Bugs Message-ID:
http://www.wired.com/news/technology/0,1282,69762,00.html By Kim Zetter Dec. 06, 2005 The computer security researcher who revealed a serious vulnerability in the operating system for Cisco Systems routers this year says he discovered 15 additional flaws in the software that have gone unreported until now, one of which is more serious than the bug he made public last summer. Mike Lynn, a former security researcher with Internet Security Systems, or ISS, said three of the flaws can give an attacker remote control of Cisco's routing and gateway hardware, essentially allowing an intruder to run malicious code on the hardware. The most serious of the three would affect nearly every configuration of a Cisco router, he said. "That's the one that really scares me," Lynn said, noting that the bug he revealed in July only affected routers configured in certain ways or with certain features. The new one, he said, "is in a piece of code that is so critical to the system that just about every configuration will have it. It's more part of the core code and less of a feature set," Lynn said. Like the earlier bug, the more serious of the new bugs is in Cisco's Internet Operating System, or IOS, said Lynn. Another dozen unpublished vulnerabilities can allow someone to conduct a denial-of-service attack against the router, crashing it over the internet, he said.
Lynn, who now works for Cisco competitor Juniper Networks, told Wired News that ISS has known about additional flaws in the Cisco software for months but hasn't told Cisco about them. This is serious, Lynn said, because attackers may already be developing exploits for the vulnerabilities. Cisco's source code was reportedly stolen in 2004 and, while doing research on the IOS software, Lynn found information on a Chinese-language website that indicated to him that Chinese attackers were aware of the security flaws in IOS and could be exploiting them. ISS offers intrusion-detection products and security services to help businesses and the government protect their computer systems from attack. The company's X-Force research and development team, where Lynn worked, examines ways in which attackers can infiltrate a computer network and provides customers with information about the latest security threats. Lynn said he discussed the security vulnerabilities with his former bosses at ISS after the company asked him to reverse-engineer the Cisco operating system. Lynn said that details about the vulnerabilities were also in notes and documents that ISS lawyers seized from him in July after he presented information about the first Cisco flaw at the Black Hat security conference in Las Vegas. Although Lynn said Cisco and ISS initially approved his Black Hat presentation, the companies reversed their support hours before his talk, and sued him when he gave the presentation anyway. Many security professionals, including some who protect government and military networks, praised Lynn for disclosing the information. ISS accused Lynn of stealing trade secrets, but an FBI investigation ended with the government taking no action against the researcher. Mike Caudill, who manages Cisco's Product Security Incident Response Team, told Wired News that ISS has not told Cisco about any additional flaws that Lynn had found in Cisco's software. 
As head of the security team, Caudill would be the primary person with whom ISS would discuss vulnerabilities. Caudill wouldn't discuss the matter further but directed Wired News to Cisco spokesman John Noh. Noh was surprised by the news of the vulnerabilities and said his company encouraged security researchers to come to them with important information in a timely manner. "If there is legitimate information that will impact our customers, then we'd like to know about that. We'd want to be aware of anything that could impact our products and our customers," Noh said. But he also said that Cisco has a process for reporting vulnerabilities that involved working with its PSIRT team. "By working with us, it benefits everyone involved." Lynn said he sent an e-mail to Cisco's Mike Caudill last week but that he didn't go into detail about the vulnerabilities. He said it was important that ISS not sit on the information. A permanent injunction arising from Lynn's settlement of the lawsuit brought by ISS and Cisco now prevents Lynn from publicly discussing details about the original vulnerability or the new vulnerabilities other than to acknowledge their existence. "Essentially there are more bugs, and they've gagged me from telling anyone the details of what they are," Lynn said. Pete Allor, director of intelligence at ISS and a special assistant to the CEO, said he knows nothing about additional vulnerabilities in IOS and that there was no information in notes seized from Lynn discussing additional remote-control or denial-of-service flaws in Cisco's IOS. "Since I'm responsible for vulnerability disclosure, that would be something that would come to my attention, and I don't have anything that shows that we know anything about remote execution," Allor said. Allor added that ISS had theories in general about where it might investigate possible additional flaws in the Cisco system and other software, but he said many perceived flaws don't stand up under close examination. 
"It takes a substantive amount of research to prove that point unequivocally," Allor said. "(Until) there's no doubt in your mind that you can reproduce and show that to others, then it's nothing more than a theoretical thought." He added that once ISS determined that flaws existed, it would be the company's responsibility to work with the vendor to determine how to address the problem "so that no infrastructure network or customer would ever be at risk. It's not for the researcher to speculate and then publish speculation." Lynn disputed Allor's statements about what ISS knows about the flaws. He said he told the company's CTO as well as other members of the X-Force research team about the vulnerabilities he found. So plentiful were the bugs, he said, that it became a running joke at ISS each time he found another denial-of-service flaw. Additionally, Lynn gave ISS two notebooks filled with information about the flaws as well as pages of digital notes that he wrote while he reverse-engineered the software. "It's pretty meticulous. There's lots of notes because it's very complicated stuff," Lynn said. "I gave the most details for the ones that are the most critical -- those are all spelled out." With regard to Allor's statement suggesting that any flaws ISS found are theoretical, Lynn said, "We're not dealing with an iffy thing when I actually have the code that I'm disassembling." "At the very least," he said, "even if ISS only suspected there were flaws, you'd think they'd want to talk to Cisco about it even if they think maybe it's not true. If I'm totally wrong, great, but I have a pretty good track record on this, and you'd think they'd want to be talking to Cisco to be sure." Chris Wysopal, an independent security consultant who previously directed research and development for Atstake and Symantec, said it was a mystery why ISS would sit on such critical information. 
"There are no more critical vulnerabilities than the ones in routers and firewalls, since that's the fundamental basic infrastructure of the internet," said Wysopal. "A denial-of-service attack is enough (to make it critical). If you can just knock people off the net or keep the whole net down, that can be very valuable to people who want to wage some sort of cyberwar.

"If I were a customer, I wouldn't be happy if the vendors I dealt with had information that could help me ... and they didn't (tell me)," Wysopal said.

From isn at c4i.org Wed Dec 7 01:16:28 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 7 01:47:39 2005
Subject: [ISN] FBI Delays Awarding Contract For Computer-System Overhaul
Message-ID:

Forwarded from: matthew patton

> investigations, for example, often "bank records all have to be
> pulled into the case-file system, and some of these cases have 13
> million financial transactions," this person said.

So? It's called a hyper-link and a file of a few MB in size. I could have 1000 pieces of evidence, each one tens of GB in size. Aside from buying disks, the case management software only needs 1000 records to keep track of it. Data-mining the actual financial records is a whole different ball of wax. If the FBI can't distinguish between case management and evidence sleuthing, we've got another train wreck brewing.

> With a wide variety of investigations, the FBI must be able to
> collect and store information in several different systems -- top
> secret, secret, classified, and sensitive but unclassified -- and
> any given document might contain information that falls into all
> four categories.

Unless I was dozing off in the classification HOWTO class, this one is easy. Tag the document at the highest level of classification - called system high. Oh sure, it would be really nice to have key words and other data-mining fields available at lower classification levels.
Based on user credentials and profiles (CAC/PKI cards come in handy for this) the "search" queries could join against the appropriate classification table. Except last I remember there was a very hard and fast rule about everybody possessing a TS clearance to work cases so there was no notion of a multi-level system. There are all kinds of messy regs that anybody in their right mind would want to steer clear of. So the only real issue is one of 'visibility' of data elements. Maybe the FBI et al. would like to have a SECRET or FOUO meta-data repository for local law enforcement to look at, but that should be a totally separate thing. Since before any data can flow downward, it's gotta get thru a whole process of declassification and that takes some serious manpower and time.

> Thus, the new system needs strict security controls to prevent
> information from falling into the wrong hands, such as in the case
> of rogue FBI agent Robert Hanssen

I guess the reporter doesn't realize "rogue agents" have TS clearances. The WHOLE POINT of VCF, er Sentinel is for agents to look at the material across a wide number of cases and connect dots if they can. This REQUIRES a fairly open system - sure, some really sensitive details that need to be closely held can still be closely held. But if one adopts the "gotta prevent Hanssen v2.0" attitude you end up with the current system's 'solution' of restricting case visibility to narrow geographic region or activity team. That wouldn't really change anything. No matter how good the case management system, the FBI is NOT in the business of intelligence but rather police work. Software isn't going to change that one bit. For data-mining to work well, the FBI/Justice needs to somehow get out from under a pile of regs that Congress put into place to prevent the flow of information. I'm very much a patriot but err considerably on the side of citizen privacy. The continuing saga of FBI missteps does nothing to engender trust.
And proposed legislation has civil libertarians up in arms, and rightfully so. Yes, we need a degree of national security and yes that requires information. But beyond a case management system, the US administration needs to focus on real problems - like the wide-open borders which we ignore in order to pander to the Hispanic vote, poor aircrew protection, and the Muslim clerics who reside in this country preaching hate, sedition, and murder. The Australians have got it straight - if you don't want to live by our customs, under our laws, speak our language, and live in peace with your neighbors, then clear off! We will happily deport you and ban you from entering our country again. This is not a matter of 1st Amendment rights. Peaceful disagreement and protest is one thing. Deliberate inciting of terrorist acts is illegal and has no protection under the law. So, I wonder if I can have my job back...

From isn at c4i.org Wed Dec 7 01:16:41 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 7 01:48:38 2005
Subject: [ISN] A gift list from 'Security Claus'
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,106807,00.html

Opinion by Ira Winkler
DECEMBER 06, 2005
COMPUTERWORLD

It's the time of year when you need to pick out gifts for your friends, family and co-workers. I thought I would add a little security to your season, and maybe help you choose gifts that are unusual but also useful. So to that end, enjoy!

Software and Gadgets

Security software suites: For about $50, you can buy a firewall/antivirus/antispam suite. Antispyware is also a good option. Sadly, many people don't have this type of software, and frequently, if they do, they don't maintain the licenses so that the software can update attack signature files. Without an updated license, the software is as bad as having nothing.
Personal shredders: With identity theft being a crime that will only continue to grow, a gift that helps to prevent identity theft should be very welcome. Personal shredders can be found for under $30 and are useful for everyone. You should look for cross-cut shredders that can accommodate at least five sheets of paper with staples, if you really like the person receiving the gift.

USB drives: Most people don't perform backups regularly, primarily because they don't have a logistically feasible way to do it. This puts them at risk from everything from viruses to just stupid accidents. Without backups, you are basically screwed if something goes wrong. The newer Universal Serial Bus drives can hold up to 2GB and should be able to back up most people's "My Documents" directory structure. People with a lot of pictures and music will need several of them, but you can be one of the first to help them out.

3M Privacy Filters: For the frequent travelers on your list, 3M Privacy Filters are great gifts. I've gathered some of my best intelligence looking over people's shoulders on airplanes and in other public areas. While people shouldn't do sensitive work where "outsiders" can spy on them, they will. Just to make sure your friends don't lose that big contract and get fired, these filters are great gifts.

Laptop cable locks: Also for the road warriors on your list, a cable lock can be a great gift. If you take a good look at a laptop computer, you will see an oval hole or two that's about a half inch in length. There are special cables that have a head that fits right into that hole. You wrap the cable around something that isn't going to move too easily, and then lock the head into your computer. While this doesn't guarantee your computer can't be physically stolen, it makes stealing your computer exponentially more difficult.
Books

Hackers Challenge and Hackers Challenge 2 (McGraw-Hill Cos., 2001 and 2002, respectively): If you're looking for a great reference for technical computer security professionals, this is it. These books test your computer security skills by putting you through more than 20 realistic scenarios, and see how well you would respond to them. You'll have a lot of problems finding a person better qualified to put a book like this together than Mike Schiffman.

Hackers Beware (Sams, 2001): If you're not a computer security professional but you're technically inclined and want an idea about the intricacies of hacking, this is a good book. While the hacking techniques presented might be somewhat dated, the fundamental concepts are universal. You will also pick up a few security tips along the way. Eric Cole, the author, is one of the most knowledgeable people in the field and one of the SANS Institute's most popular instructors.

Spies Among Us (Wiley, 2005): OK, I'm biased as far as this one goes, but it is a good book. If you don't know why the gift recommendations above are so important, then you definitely need the book. I wrote this book, not for security professionals, but for the manager and the average person. It's intended to take away the hype surrounding computers and general security and provide practical and cost-effective solutions to everyday security problems. The case studies have been described as reading like spy novels. Don't take my word for it; read the reviews at Amazon.com.

Paranoia: A Novel (St. Martin's Press, 2004): If you're looking for an entertaining, fictional take on security, Paranoia would be it. The plot involves industrial espionage, and Joe Finder did a great job researching the subject and makes the book a page turner.

Movies

Sneakers: This movie is a security classic. While the basic plot isn't overly realistic, it's still a great movie, and there are a lot of security lessons to take away.
War Games: If you or your friends have never heard of this movie, you have to see it. It is the first and best of its genre. While it is a little idealistic about the hacker culture, the hacking techniques shown are still in use today. It's also good for highlighting the fact that even if computer hacking is not intended to cause damage, it can still have disastrous effects.

Ferris Bueller's Day Off: This movie is probably one of the best examples of social engineering, the term for conning people, you will ever find. It's also really funny.

From isn at c4i.org Wed Dec 7 01:17:23 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 7 01:51:49 2005
Subject: [ISN] White House accidentally exposes data in PDF file
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/37688-1.html

By Patience Wait
GCN Staff
12/05/05

Government agencies continue to stumble over security procedures designed to conceal certain information embedded in documents posted to the Internet. In the latest error, the White House posted a copy of President Bush's "Plan for Victory in Iraq," the heart of his speech last week at the Naval Academy. But the Adobe portable document format file on the Web site also contained the hidden name of the original author of the document: Peter Feaver, a Duke University political science professor who joined the National Security Council staff last June as a special adviser.

The discovery that Feaver was the originator of the plan has stirred controversy in Washington. The New York Times has reported that Feaver co-authored an analysis of surveys regarding the popularity of the Iraq war with the American public and concluded that citizens will support the war, despite fairly heavy casualties, as long as they believe it will ultimately succeed.
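As an added pre-publication check that is not from the GCN story or from Workshare: a PowerShell scan for the two leak paths the story describes, author and tool names hidden in a PDF's Info dictionary or XMP packet, and earlier revisions retained in the file. The PDF it runs on is constructed inline for the demo with an invented author; the Author/Creator/Producer/Title/Subject keys are the standard PDF Info dictionary keys.

```powershell
# Added example (not from the article): scan a PDF for hidden metadata and
# retained revisions before it is posted publicly.

function ConvertFrom-PdfHexString {
    param([string]$Hex)
    $clean = $Hex -replace '\s', ''
    if ($clean.Length % 2) { $clean += '0' }   # PDF pads a trailing odd digit with 0
    $bytes = for ($i = 0; $i -lt $clean.Length; $i += 2) { [Convert]::ToByte($clean.Substring($i, 2), 16) }
    [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString([byte[]]$bytes)
}

function Get-PdfDisclosureRisks {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # Latin-1 maps every byte to one char, so binary sections do not break the regexes.
    $text = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($Bytes)
    $findings = @()
    foreach ($key in 'Author', 'Creator', 'Producer', 'Title', 'Subject') {
        # Info-dictionary values are literal strings /Key (...) or hex strings /Key <...>
        $pattern = "/$key\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]+)>)"
        foreach ($m in [regex]::Matches($text, $pattern)) {
            $value = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { ConvertFrom-PdfHexString $m.Groups[2].Value }
            $findings += [pscustomobject]@{ Kind = 'Metadata'; Key = $key; Value = $value }
        }
    }
    # The same facts often sit in an XMP packet that document-properties dialogs overlook.
    foreach ($m in [regex]::Matches($text, '<dc:creator>.*?<rdf:li>(.*?)</rdf:li>', 'Singleline')) {
        $findings += [pscustomobject]@{ Kind = 'XMP'; Key = 'dc:creator'; Value = $m.Groups[1].Value }
    }
    # Each incremental save appends a new trailer and %%EOF; the superseded objects stay readable.
    $revisions = [regex]::Matches($text, '%%EOF').Count
    if ($revisions -gt 1) {
        $findings += [pscustomobject]@{ Kind = 'History'; Key = 'IncrementalUpdates'; Value = $revisions - 1 }
    }
    return $findings
}

# Constructed sample: a two-revision PDF whose second revision blanked the author
# but left the original Info dictionary (with a hex-encoded Producer) in the file.
$samplePdf = @"
%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Plan for Victory) /Author (J. Example) /Producer <41636D652050444620312E30> >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
3 0 obj << /Title (Plan for Victory) /Author () >> endobj
trailer << /Root 1 0 R /Info 3 0 R /Prev 0 >>
%%EOF
"@

$bytes = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetBytes($samplePdf)
Get-PdfDisclosureRisks -Bytes $bytes | Format-Table -AutoSize
```

On the sample this reports the original "J. Example" author and "Acme PDF 1.0" producer that the blanked second revision did not remove, plus one retained revision; for a real file, pass the output of Get-Content -AsByteStream (or -Encoding Byte on Windows PowerShell).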
"The recent disclosure of the original authorship of the [plan] document underscores once more why all organizations must put policy and technology in place to prevent the leakage of damaging information," said Joe Fantuzzi, CEO of Workshare Inc., a document integrity solutions company based in San Francisco. It "is unfortunate that the White House allowed this distraction to unnecessarily politicize the debate over policy." The White House did not return a phone call asking for comment. Earlier this year, the Multi-National Force-Iraq issued a report on the killing of an Italian security agent after he rescued a countrywoman who had been held hostage by insurgents. The report, posted to the Web as a PDF file, was supposed to be redacted but a simple text cut and paste into other document formats revealed [1] the redacted information. A military investigation later determined that the disclosure was the result of user error. In October, a U.N. report on the assassination of a popular Lebanese politician opened an ongoing controversy [2] when a "technical error" allowed online readers to look at changes made to the document, revealing that names of specific Syrian officials had been removed from the final report. "The complexity of technology continues to befuddle even sophisticated users," Fantuzzi said. Organizations "must recognize that PDF is not inherently secure, and policy, education and automation of document security must be implemented to prevent these costly mistakes." [1] http://www.gcn.com/24_11/news/35808-1.html [2] http://www.gcn.com/vol1_no1/daily-updates/37416-1.html From isn at c4i.org Thu Dec 8 10:04:43 2005 From: isn at c4i.org (InfoSec News) Date: Thu Dec 8 10:15:06 2005 Subject: [ISN] Changing Passwords En Masse -- December 7, 2005 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. 
Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Quest Software
http://list.windowsitpro.com/t?ctl=1B510:4FB69

Postini
http://list.windowsitpro.com/t?ctl=1B502:4FB69

====================

1. In Focus: Changing Passwords En Masse

2. Security News and Features
- Recent Security Vulnerabilities
- Microsoft Restructures Security Solutions Competency
- HP Boosts OpenView with Federated Identities
- Sunbelt Shines New Light into Kerio Personal Firewall

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread

4. New and Improved
- Intrusion Detection for 100Mbps Networks

====================

==== Sponsor: Quest Software ====

"Get to One" system with help from Quest Software

Streamline processes and increase security with tips from our new white paper. For most organizations, heterogeneous enterprises are a fact of life, but they present significant management and security challenges. Fortunately, Quest Software's Vintela products can help. Through natively implementing standards on non-Windows systems, those systems can participate as "full citizens" in the world of Microsoft infrastructure and management technologies. Learn how with info from "Get to One: Integrating Heterogeneous Systems for Security and Management." This paper explains how an integrated architecture can streamline processes, save money, reduce complexity, increase security and enable compliance for Windows, Unix, Linux, Java and Mac systems. "Get to One" solution for identity management, systems management and systems monitoring. Download the white paper today:
http://list.windowsitpro.com/t?ctl=1B510:4FB69

====================

==== 1. In Focus: Changing Passwords En Masse ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

A few weeks ago, I wrote about tools you can use to test password strength and to recover unknown passwords. If you missed "Password Cracking Made Easy," you can read it on our Web site.
http://list.windowsitpro.com/t?ctl=1B50C:4FB69

I want to follow up with a discussion of how to change passwords across all systems on your network. The most common instance of a password that you might want to change on any number of systems is the local Administrator account password. Changing this password regularly is probably a wise idea because doing so helps prevent unwanted access to systems.

Some administrators don't care what the local Administrator account password is as long as nonadministrative employees don't know it. These admins prefer to generate a random password for each system. Other admins do want to know what the passwords are in case they need them for whatever reason. In either case, there are plenty of ways to change passwords across the board.

If you have Microsoft Systems Management Server (SMS) you could use a simple, one-line installer program code such as

Execute %SYS32%\net.exe user administrator <password>

in which <password> is the actual password. Another solution is to use a script, probably written in Visual Basic (VB). Several sample scripts are available on the Internet. If you have relatively few systems and can readily create a list of those systems, you could try using the script posted at Spoogenet, at the first URL below. Or try the script posted at Sadikhov.com, at the second URL below. Or use Chwinpw (at the third URL below), a command-line tool from ITeF!x that can be integrated into a batch file or script.

http://list.windowsitpro.com/t?ctl=1B50B:4FB69
http://list.windowsitpro.com/t?ctl=1B4FB:4FB69
http://list.windowsitpro.com/t?ctl=1B519:4FB69

If you have Active Directory (AD), you can use AD objects and a script to gain access to a list of all computers. Such a script can also be used to change the local Administrator password for all your computers. Check out the sample script posted at ScriptingAnswers.com, at the URL below. It's short, simple, and relatively easy to understand if you're familiar with VB or other programming languages.
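As an added example that is not from the column or from Windows IT Pro, here is the AD-based approach in PowerShell: enumerate the domain's computer objects and set a unique random local Administrator password on each host through the WinNT ADSI provider the VB samples use. It assumes a domain admin runs it with network reach to each host, that the account is still named Administrator, and a log path ($LogPath) of your choosing; the -RecordPasswords switch serves the admins who, as the column notes, want to know the passwords.

```powershell
# Added example (not the column's or any linked script): rotate the local
# Administrator password on every enabled AD computer, one random password per host.
param(
    [string]$LogPath = "$env:TEMP\admin-password-rotation.csv",   # assumed log location
    [switch]$RecordPasswords   # opt in only if the CSV will live in a vault, not a share
)

function New-RandomPassword {
    param([int]$Length = 20)
    # Unambiguous letters and digits plus a few symbols that net.exe and ADSI handle cleanly.
    $charset = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+='
    $limit   = 256 - (256 % $charset.Length)   # rejection bound: bytes >= $limit would bias the modulo
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf     = New-Object byte[] 1
    $sb      = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($charset[$buf[0] % $charset.Length]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

function Get-DomainComputerNames {
    # Same idea as the AD-enumeration scripts the column links to: query AD for
    # computer objects, skipping disabled ones (userAccountControl bit 2).
    $searcher = [adsisearcher]'(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    foreach ($result in $searcher.FindAll()) {
        $name = $result.Properties['dnshostname']
        if ($name.Count -gt 0) { [string]$name[0] }
    }
}

function Set-LocalAdminPassword {
    param([string]$Computer, [string]$Password)
    try {
        # The WinNT provider talks to the host's local SAM, as the VB samples do.
        $user = [ADSI]"WinNT://$Computer/Administrator,user"
        $user.SetPassword($Password)
        $user.SetInfo()
        [pscustomobject]@{ Computer = $Computer; Status = 'Changed'; Error = '' }
    } catch {
        # Offline or unreachable hosts land here and keep their old password.
        [pscustomobject]@{ Computer = $Computer; Status = 'Failed'; Error = $_.Exception.Message }
    }
}

$results = foreach ($computer in Get-DomainComputerNames) {
    $password = New-RandomPassword
    $row = Set-LocalAdminPassword -Computer $computer -Password $password
    if ($RecordPasswords -and $row.Status -eq 'Changed') {
        $row | Add-Member -NotePropertyName Password -NotePropertyValue $password
    }
    $row
}
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Hosts listed as Failed in the CSV still have the old password, so re-run against that list once they are back on the network; Microsoft's Local Administrator Password Solution (LAPS) now does this per-host rotation natively.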
http://list.windowsitpro.com/t?ctl=1B4FD:4FB69

If you don't want to use a script and prefer a regular desktop application to do the work for you, there are probably a large number of choices, especially for enterprise networks. But if you manage a relatively small network and want a solution that doesn't carry an enterprise-class price, you could try Hyena from AMTSoftware International at the first URL below, which starts at $199. Or you might try DC PasswordChanger (DCPC), at the second URL below, which is free from Danish Company.

http://list.windowsitpro.com/t?ctl=1B518:4FB69
http://list.windowsitpro.com/t?ctl=1B501:4FB69

If none of these solutions fit your needs, you can scour the Internet for something different. Try using your favorite search engine to look for phrases such as "change admin passwords," "change local admin passwords," "admin passwords" + "Active directory," and you'll find numerous discussions in which people have shared their insights. But before you do that, you might want to check the Windows IT Pro Magazine Web site to see what we've published about this topic. Use our search engine with the above phrases. The link below will take you directly to the search results for the phrase "change local administrator passwords."

http://list.windowsitpro.com/t?ctl=1B51B:4FB69

====================

==== Sponsor: Postini ====

Protect and Manage Instant Messaging

85% of businesses use IM for business or personal use to improve communication and reduce email usage. In this free white paper learn how to protect your company and implement a managed IM security solution!
http://list.windowsitpro.com/t?ctl=1B502:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities.
You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=1B506:4FB69

Microsoft Restructures Security Solutions Competency

Microsoft made changes to its Microsoft Partner Program to include third-party validation of security credentials for Security Solutions Competency compliance. The company also added two new specializations to the program.
http://list.windowsitpro.com/t?ctl=1B511:4FB69

HP Boosts OpenView with Federated Identities

HP announced that it will buy Trustgenix, maker of identity federation solutions. Terms of the acquisition weren't announced; however, HP said it will integrate Trustgenix federated identity solutions into its OpenView management software.
http://list.windowsitpro.com/t?ctl=1B50E:4FB69

Sunbelt Shines New Light into Kerio Personal Firewall

Kerio Personal Firewall was scheduled for mothballs on December 31. Then Sunbelt Software stepped in to buy the solution from Kerio Technologies. The deal is expected to close by the end of the year.
http://list.windowsitpro.com/t?ctl=1B50D:4FB69

====================

==== Resources and Events ====

Web Seminar--Plan and Implement Highly Available Exchange Systems
Register today:
http://list.windowsitpro.com/t?ctl=1B504:4FB69

Web Seminar--Manage and Reduce Planned Downtime
Register today:
http://list.windowsitpro.com/t?ctl=1B505:4FB69

SOXCon 2005--December 7, 2005--12:00 to 5:00 p.m. EST
THE FIRST AND ONLY Internet conference and vendor exhibition focused exclusively on the systems, processes, management methodologies, and best practices that comprise the Sarbanes-Oxley Compliance Management market. Register here and view the full day's agenda. Sign up today at
http://list.windowsitpro.com/t?ctl=1B500:4FB69

Microsoft Exchange & Windows Connections 2006
April 9-12, 2006, Orlando, Florida. Microsoft and Windows IT Pro magazine team up to produce the essential conference for systems administrators and IT managers in Windows and Exchange technology.
Register by January 9 and receive one FREE hotel night at the Walt Disney World Swan Resort. Call 800-438-6720 for details. http://list.windowsitpro.com/t?ctl=1B517:4FB69 Web Seminar--Get the Tools, Tips, and Training That You Need to Avoid a Messaging Meltdown When an Outage Strikes Register today at http://list.windowsitpro.com/t?ctl=1B503:4FB69 ==================== ==== Featured White Paper ==== Download a White Paper--You Could Win an iPod Nano Get your free copy today at http://list.windowsitpro.com/t?ctl=1B515:4FB69 ==================== ==== Hot Release ==== Filtering the Spectrum of Internet Threats: Defending Against Inappropriate Content, Spyware, IM, and P2P at the Perimeter Because of the proliferation of Web-based threats, you can no longer rely on basic firewalls as your sole network protection. Attackers continue to evolve clever methods for reaching victims, such as sending crafty Web links through Instant Messaging (IM) clients or email, or by simply linking to other Web sites that your employees might surf. This free white paper examines the threats of allowing unwanted or offensive content into your network and describes the technologies and methodologies to combat these types of threats. Get your free copy now! http://list.windowsitpro.com/t?ctl=1B4FF:4FB69 ==================== ==== 3. Security Toolkit ==== Security Matters Blog: Chain Reactions of Bad Advice by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=1B514:4FB69 One person creates a script to help secure Windows. Another person thinks it's a replacement for personal firewalls. Then another person agrees with him and a chain reaction of very bad advice ensues. Read all about it in this blog article. http://list.windowsitpro.com/t?ctl=1B512:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=1B513:4FB69 Q: How can I check the health of my Group Policy Objects (GPOs) in Windows Server 2003? 
Find the answer at http://list.windowsitpro.com/t?ctl=1B50F:4FB69 Security Forum: Antivirus Solutions A forum participant runs a network that consists of the main site plus eight remote sites. All the remote locations connect to the main site via T1 circuits and route through the main site's network out to the Internet for Web and email. The company doesn't have an in-house email server. The forum participant wonders whether anyone can recommend an antivirus solution to protect the entire enterprise, which includes about 107 employees. Join the discussion at: http://list.windowsitpro.com/t?ctl=1B4FE:4FB69 ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Want to Become a VIP Subscriber? Become a VIP subscriber and get continuous, inside access to ALL of the online resources published in Windows IT Pro, SQL Server Magazine, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. You'll also get a valuable one-year print subscription to Windows IT Pro and two VIP CDs (CDs include the entire article database on CD, delivered twice per year). Don't miss out ... sign up now: http://list.windowsitpro.com/t?ctl=1B509:4FB69 Windows Scripting Solutions--Holiday Special The Windows Scripting Solutions newsletter is a "must have." Subscribe today and SAVE up to $30 off the regular price. You'll get 12 helpful issues loaded with expert-reviewed downloadable code and scripting techniques, as well as hundreds of tips on automating repetitive tasks. In addition, you'll get access to the entire online newsletter archive (more than 500 scripting articles), including the popular "Shell Scripting 101" series. This resource will help to save you time and money. Order now: http://list.windowsitpro.com/t?ctl=1B507:4FB69 ==================== ==== 4. 
New and Improved ==== by Renee Munshi, products@windowsitpro.com Intrusion Detection for 100Mbps Networks Arxceo announced a new addition to its line of network security appliances, Ally ip100, which provides antireconnaissance and anomaly- and behavior-based attack detection and prevention for 100Mbps networks. It's designed for perimeter protection and enterprise 100BaseT segments, such as 802.11a/b/g wireless networks or T1/DS1 remote offices. Ally ip100 runs on embedded Linux 2.6.11 and provides a Web-based interface for administrative tasks. Pop-up alerts are provided via SNMP and a Windows-based client application. Ally ip100's retail price is $895. For more information, go to http://list.windowsitpro.com/t?ctl=1B51A:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. 
====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=1B516:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=1B50A:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Dec 8 10:05:26 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 8 10:17:38 2005
Subject: [ISN] Sober is scheduled to Attack on January 2006
Message-ID:

http://www.it-observer.com/articles.php?id=972

By IT Observer Staff
7 December 2005

The next planned outbreak of 2005's most prolific e-mail worm, Sober, is scheduled to start on January 5, 2006, based on commands hard-coded within the worm. The attack date coincides with the 87th anniversary of the Nazi party.

"This discovery emphasizes the ever-present and often underestimated threat of 'hacktivism' -- combining malicious code with political causes," said Joe Payne, vice president, VeriSign iDefense Security Intelligence Services.

The company says the attack could have a significant damaging effect on internet traffic, as the worm is designed to send politically motivated spam from tens of millions of e-mail addresses. iDefense discovered the next phase of the multi-phased Sober worm by reverse-engineering the most recent version of the worm.
Sober first began spreading about November 15. Computers infected by the worm began sending another version a week later, on November 22. The last known version uses social engineering techniques, posing as emails from the FBI, CIA and other intelligence units.

From isn at c4i.org Thu Dec 8 10:03:18 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 8 10:18:34 2005
Subject: [ISN] FBI rules out cyber-attacks
Message-ID:

http://www.theage.com.au/news/breaking/fbi-rules-out-cyberattacks/2005/12/08/1133829693386.html

Washington
December 8, 2005

Al Qaida and other terrorist groups are more sophisticated in their use of computers but still are unable to mount crippling internet-based attacks against US power grids, airports and other targets, the FBI's top cyber crime official said on Wednesday.

Investigators keep a close watch on terrorist groups' use of computers but have not detected any plans to launch cyber attacks against major public institutions in the US, FBI assistant director Louis Reigel said.

"I don't think that capability exists today," Reigel told reporters at FBI headquarters.

The government has conducted simulated terrorist attacks on computer, banking and utility systems, and Reigel said his division of around 1100 agents took the prospect of such a strike seriously.

FBI experts had noticed progress in the technical mastery suspected terrorists had shown online, he said. One new wrinkle first appeared four months ago, he said, without being specific.

Terrorists also had made only infrequent use of steganography, the practice of hiding a text message in another kind of file, typically a picture, Reigel said.

"It looks like a picture, but if you have the right program, you can extract a text message embedded in a picture," said Reigel, a 31-year FBI veteran who formerly led the New Orleans field office.
On another matter, the FBI still had no suspect in the spread of the latest version of a Windows worm that began appearing last month as emails purporting to come from the FBI, CIA and German security services, Reigel said. The third version of the Sober worm spread so quickly and widely that at one point the FBI was bombarded with 200,000 emails a minute over four days, he said. "It almost killed our system," Reigel said, before technicians developed a means to divert the messages. Unlike with earlier versions, "this time we believe we have enough information to where we can pursue a logical investigation," he said. From isn at c4i.org Thu Dec 8 10:04:59 2005 From: isn at c4i.org (InfoSec News) Date: Thu Dec 8 10:20:53 2005 Subject: [ISN] Reuters Summit - U.S. Air Force expanding cyberwar mission Message-ID: http://in.today.reuters.com/news/newsArticle.aspx?type=technologyNews&storyID=2005-12-07T071237Z_01_NOOTR_RTRJONC_0_India-226749-1.xml By Jim Wolf Dec 7, 2005 WASHINGTON (Reuters) - The United States must expand its capabilities to shut down enemy electronic networks, U.S. Air Force Secretary Michael Wynne said on Tuesday. In an interview in his Pentagon office, Wynne said one way of knocking out a cell phone tower, short of bombing it, was through "a big electromagnetic burst ... as you've heard before and which has been done before." "I think one of the things we're trying to figure out is, is there a softer way to do that," he said, referring to electro-magnetic pulse attacks. "Those investigations continue to go on." The Air Force was expanding its focus on cyber warfare as an add-on to its existing missions to fight in air and space, Wynne said in the interview that was part of the Reuters Aerospace and Defense Summit. The Air Force would provide personnel and other resources to the Nebraska-based Strategic Command that has responsibility for cyber war, both defense and offense. 
Strategic Command has been given the job of integrating and coordinating large-scale cyber response and defense, using units provided, trained and equipped by the armed services, said a spokesman, Master Sgt. Philip Carder. The United States maintains capabilities to use cyberspace as a medium "through which we will deter, deny, or defeat any adversary that seeks to harm U.S. national and economic security," Carder said in an emailed reply to a query. The United States electronically jabbed Serbian computer networks during the 78-day NATO bombing campaign over Kosovo in 1999, Army Gen. Henry Shelton, then the top U.S. military officer, said. "We only used our capability to a very limited degree," Shelton, then chairman of the Joint Chiefs of Staff, said on Oct. 7, 1999. Wynne said the capability to mount operations in cyberspace was a natural expansion of the Air Force's mission because of its ability to download data from platforms in space. "So the Air Force has sort of been a natural leader in the cyber world," he said. "And we thought it would be better to realize that talent as a mission of the Air Force. "We would like to make sure that the president has available to him all the options -- non-kinetic, kinetic -- for all-out, if you will, warfare brought to him by the Air Force on behalf of the joint fight," he said. "We just can't just be playing defense in this world," Wynne added. "At some point in time we have to develop some offensive skills." An attorney who specializes in the implications of military activities in cyberspace said the legality of offensive operations was fraught with complications. "Some of the best lawyers in the military are hard at work on this problem," said Thomas Wingfield of the Potomac Institute for Policy Studies in Arlington, Virginia.
"How does the international law governing the use of military force apply to cyberspace, where hackers are anonymous, sponsoring governments hide their affiliation, and many of the targets, tactics, and weapons are largely without precedent?" Wingfield said in an e-mail to Reuters.

© Reuters 2005. All Rights Reserved.

From isn at c4i.org Thu Dec 8 10:05:14 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 8 10:23:43 2005
Subject: [ISN] Reef the Mains, Storm Jibs Ready
Message-ID:

http://cio-asia.com/ShowPage.aspx?pagetype=2&articleid=3147&pubid=5&issueid=76

By Victoria Ho
CIO Asia
December 2005

"Security trends have constantly been on the top three lists in magazines and surveys," said George Wang, Chief Information Security Officer, Asia, Reuters Asia Pte. Ltd., in his keynote speech at the IDG World Expo SecurityWorld Conference & Showcase in Singapore last month. This indicates just how much priority IT professionals place on security, which was also reflected in the full house at the day-long event. Addressing the issue of security failure, Wang attributed it to three factors: people concentrating too much on security itself, security measures not aligned with business strategy, and the existence of a communication gap between senior management and IT professionals.

All Out of Magic Bullets

Seeing the "big picture", he said, begins with positioning - that is, establishing a security position that suits both company resources and business direction. "It has to be a long-term commitment and sustainable," he said. Along the lines of business strategy, the plethora of factors requiring consideration stretches from corporate positioning to the culture of the organisation. "Does your risk strategy suit your company's security culture?" asked Wang. Battling with legalities and regulations sometimes places a damper on an organisation's capacity to pursue the right security measure.
Proper risk assessment is also crucial in establishing a company's "risk appetite" - how much risk it can comfortably afford to handle within its security plan. Corporate culture is important too, he said. He addressed the problem of the communication gap that exists between senior management and the executives proposing the security measures, saying that the problem lay with ineffective explanation of security objectives. Senior management is often not aware of or concerned with the measures. "Transform management into stakeholders," he recommended, so as to place personal interest in the hands of management. This transparency he advocates is seen in his other measures for clear and elaborate communication: not just upwards with management, but across the departments as well, "so that security gets embedded in the value chain." Engaging the entire organisation involves the technical people as well as Legal, Human Resources and even Public Relations (PR). Wang pointed out the importance of preparing a PR strategy to handle situations, be it an emergency or simply to better communicate with clients, in conveying the organisation's security strategy, or collecting their opinions and additional requests. Customising the company's security policy in this way also creates a uniqueness Wang feels is necessary for an organisation to work. "Conventional best security practices do not make strategy. These are tactics, applicable to all," said Wang. "Strategy is unique to your organisation." This brought him back to his earlier point on sustainability, because only through customisation would a company be in a better position to tailor solutions to resources. It may be elementary, but it is still worth highlighting how pointless it is to shoulder a security policy that has a short life span and drains the resources of a company, no matter how watertight or textbook-perfect it might appear to be. [...]
From isn at c4i.org Thu Dec 8 10:03:58 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 8 10:26:03 2005
Subject: [ISN] Gartner to IT: Place BlackBerry deployments on hold
Message-ID:

http://www.networkworld.com/news/2005/120705-gartner-blackberry.html

By Juan Carlos Perez
IDG News Service
12/07/05

Enterprises should halt business-critical deployments of BlackBerry devices and investments until its maker, Research In Motion, clarifies its legal position with regards to its patent tussle with NTP, Gartner is advising. The market research and consulting firm issued its recommendation after a federal judge's decision last week opened the door to a possible injunction that would stop sales of BlackBerry mobile e-mail devices, and shut down BlackBerry service, in the U.S. Judge James Spencer of the U.S. District Court for the Eastern District of Virginia last week denied RIM's motion to enforce an agreement with NTP to settle the case. He also refused a RIM motion to stop the court proceedings in NTP's patent lawsuit against it while the U.S. Patent and Trademark Office re-examines NTP's patents. The judge ruled that the settlement agreement reached in March between the companies is unenforceable and that his court can't suspend the case during a patent re-examination that could take years. As a result, four Gartner analysts published a research brief on Monday alerting current and prospective enterprise RIM customers to "stop or delay all mission-critical BlackBerry deployments and investments in the platform until RIM's legal position is clarified." Gartner is also advising customers to pressure RIM into making public its work-around plans for preventing disruption to its service while bypassing the patents in question. Another option Gartner says enterprises can consider is to migrate critical BlackBerry-based applications to another platform, such as laptops with wireless cards.
Deborah Maguire, executive director of the Pennsylvania Senate Democratic caucus, is concerned about a possible disruption in the BlackBerry service. She and her team support Democratic Party senators and other staffers. Those users have had BlackBerry devices for the past year, and a service blackout would be unacceptable. "I don't think I could do my job as efficiently as I do it now if I didn't have my BlackBerry, and I know that goes for a lot of the senators as well," she said. "The senators receive e-mail from their constituents on a regular basis and it makes life easier if they can handle them at any time." Maguire is keeping an eye on the situation, and already has a backup plan set up. In the event of a service interruption, she would go back to the platform from Notify Technology she moved away from when she adopted the BlackBerry system. Having a backup plan is always a good idea, even at times when there is no specific problem with a platform, said Allen Nogee, an analyst from consulting and market research firm In-Stat. IT directors with BlackBerry deployments should be in close touch with RIM, and inquiring about the vendor's latest contingency plans, he said. However, Nogee believes it is unlikely that the dispute between RIM and NTP will end up in a BlackBerry outage. "If that happens, no one gains. It would be a lose-lose situation, and that doesn't make sense," he said. Even if RIM and NTP couldn't work things out and the situation reached a breaking point, the BlackBerry service would probably not be turned off from one day to the next, Nogee said. In that case, it's very possible that the service would be allowed to continue for a few months before pulling its plug, he said. RIM didn't return repeated requests for comment placed via phone and e-mail through its public-relations agency Brodeur. 
From isn at c4i.org Thu Dec 8 10:03:44 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 8 10:31:52 2005
Subject: [ISN] Survey: Most home PC users lack security
Message-ID:

http://news.com.com/Survey+Most+home+PC+users+lack+security/2100-1029_3-5986344.html

By Dawn Kawamoto
Staff Writer, CNET News.com
December 7, 2005

A survey of home PC users found 81 percent lacked at least one of three critical types of security, but the number of consumers using firewalls and updated antivirus software is improving, according to a report released Wednesday. The vast majority of consumers surveyed were found to lack at least one of three types of critical security--a firewall, updated antivirus software or anti-spyware protection, according to a report by America Online and the National Cyber Security Alliance. Of this group, 56 percent had no antivirus software, or had not updated it within a week, while 44 percent did not have a firewall properly configured, according to the report. Meanwhile, 38 percent of survey respondents lacked spyware protection. "Even though most consumers think they are protected, this study shows the opposite," Ron Teixeira, National Cyber Security Alliance executive director, said in a statement. "Far too many people still lack the three fundamental protections they need to stay safe online." Nonetheless, some improvements have been made. The number of homes with properly configured firewall protections rose to 56 percent from 28 percent a year ago. The improvements were attributed to the default firewall that is installed with Windows XP Service Pack 2, according to the survey. The percentage of home PC users with recently updated antivirus software on their computers rose to 44 percent this year, compared with 33 percent a year ago. And, the number of PCs with spyware and adware loaded onto their systems fell to 61 percent this year from 80 percent last year.

Copyright ©1995-2005 CNET Networks, Inc.
From isn at c4i.org Thu Dec 8 10:05:56 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 8 10:33:05 2005
Subject: [ISN] Secure DNS faces resistance
Message-ID:

http://www.cbronline.com/article_news.asp?guid=5CB02292-1149-4657-BA91-3F67AA4C91B5

By CBR Staff Writer
1st December 2005

The deployment of DNSsec, an enhancement to the domain name system that could protect against certain types of phishing and pharming attacks, is still facing skepticism and resistance from those who would be involved in implementing it. While the vulnerabilities in the DNS are well known, the absence of widespread attacks, regulations, and proven business models are holding back DNSsec adoption, speakers here at the ICANN annual meeting in Vancouver said yesterday. Speaking during a workshop on the technology, Keith Schwalm of Good Harbor Consulting, a former US Secret Service agent, said that even the financial sector, traditionally security early-adopters, are not rushing DNSsec. "What's important to them is they make this transition logically, and they are going to be very slow and methodical about it," he said. "They have expressed an understanding that it's important to their business, but it's not at the top of their list." Regulations such as the latest FFIEC rules that mandate two-factor authentication in US online banking services by the end of 2006 will form the focus of the financial services sector's security efforts over the next 12 months, he said. DNSsec is designed to add a layer of cryptographic signing to DNS records, so that when there is an attempt to resolve a domain name to an IP address, the user can have a higher degree of confidence that they are receiving the correct answer. It was yesterday demonstrated to be possible to use cache poisoning to conduct a man-in-the-middle attack that sends the user to the wrong IP address, where data can be phished.
It's possible that a web surfer could think they are visiting their bank or an auction site and hand over their sensitive data, and it would be impossible to tell they were at a malicious site. But there are few, if any, well-documented widespread attacks such as this, and even those in the domain industry are unsure that DNSsec deployment should be an urgent priority. "We're still somewhat skeptical about DNSsec, but we want to be open-minded, we want to learn more," said Paul Diaz of Network Solutions Inc, one of the largest domain name registrars. The domain name industry is discussing what the drivers for DNSsec adoption will be, and so far there is little agreement. Will it be regulation-driven? Consumer-driven? Or driven by online businesses eager to give customers an extra layer of security? Several speakers here at the Internet Corp for Assigned Names and Numbers meeting suggested that adoption could be driven by e-commerce sites or developers of popular software. "If Google or MSN or Yahoo said 'We're going to give number one ranking to anyone who's got DNSsec', the registrars would be in there like a shot," said Bruce Tonkin, of Melbourne IT Pty Ltd, an Australian registrar. "I can envisage browsers that are enabled with capabilities that would only display domain links that are secured," said Rick Wesson of Alice's Registry, which has already rolled out a DNSsec test. "It enables classes of content and classes of service that are delineated by security zones." In the absence of those kinds of drivers, registrars are still pondering whether to start offering DNSsec signing as a value-added service when people register domain names, but they're not sure there is either understanding or demand. "I don't think the market will understand the precise benefits here, and I don't think the market needs to. We see plenty of examples where the perception of additional security is enough," said Stuart Schechter of MIT.
Ram Mohan, chief technology officer of Afilias Ltd, said: "Give it a name, call it the 'anti-pharming system' then you have the attention of the business folks". Schechter pointed to the web server SSL certificate market as an example, where prices are often wildly different for essentially the same technology: "A large part of the market is willing to pay an additional $900 just for the VeriSign branding." The registrar market also deals with razor-thin margins most of the time, so registrars are keen to figure out whether they will actually be able to see return-on-investment when they roll out DNSsec. Adding cryptographic keys to DNS obviously adds costs to the infrastructure -- cryptographic functions can be CPU-intensive, and there are additional storage, bandwidth and memory requirements for handling the keys. Some registrars talk of adding a "significant" add-on fee for DNSsec "expert services", while others talk of making domain registration a case of picking from two services -- a domain name and a "secure domain name", the latter costing more. Others in the space talk not about the financial return from implementing the technology, but about the potential loss that could arise from not implementing it. "The answer is not return on investment, but return on risk," Afilias's Mohan said. "How much risk are you willing to take, how much risk do you want to mitigate, that is the metric that ought to apply." Afilias is operator of .org, one of the first top-level internet domains to implement DNSsec. The company's test-bed has been running for a month and has a handful of domains actively experimenting with the technology.
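As an added illustration of the mechanism the article describes, and not code from the article or from any DNSSEC implementation, the following Go program models a zone signing a record set and a validating resolver accepting the genuine answer while rejecting a poisoned one. The record layout, the canonical form and the direct hand-off of the zone key are simplifications of real DNSSEC; the zone name and addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified DNS resource record, constructed for this example
// (real records use a binary wire format and carry more fields).
type RR struct {
	Name  string
	Type  string
	TTL   uint32
	RData string
}

// RRSIG is a simplified signature record covering one RRset. A real RRSIG
// also carries algorithm, key tag, signer name and a validity window.
type RRSIG struct {
	Name    string
	TypeCov string
	Sig     []byte
}

// Response models what a resolver receives: an answer RRset and, for a
// signed zone, the RRSIG that covers it.
type Response struct {
	Answer []RR
	Sig    *RRSIG
}

// canonicalRRset serialises an RRset identically on the signer and the
// validator side (owner names lowercased, records sorted), so both operate
// on the same bytes. Real DNSSEC defines a stricter canonical form.
func canonicalRRset(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s\t%d\t%s\t%s",
			strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.RData))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// SignRRset is the zone operator's step: sign the canonical RRset with the
// zone's private key. Ed25519 is a real DNSSEC algorithm (number 15).
func SignRRset(zoneKey ed25519.PrivateKey, rrs []RR) RRSIG {
	return RRSIG{
		Name:    rrs[0].Name,
		TypeCov: rrs[0].Type,
		Sig:     ed25519.Sign(zoneKey, canonicalRRset(rrs)),
	}
}

// Validate is the validating resolver's step. An answer is accepted only if
// an RRSIG is present, covers this name and type, and verifies under the
// trusted zone public key. A real resolver derives that key through the
// DNSKEY/DS chain from the root trust anchor; here it is handed in directly.
func Validate(zonePub ed25519.PublicKey, resp Response) bool {
	if resp.Sig == nil || len(resp.Answer) == 0 {
		return false // unsigned data from a signed zone is treated as bogus
	}
	for _, rr := range resp.Answer {
		if !strings.EqualFold(rr.Name, resp.Sig.Name) || rr.Type != resp.Sig.TypeCov {
			return false
		}
	}
	return ed25519.Verify(zonePub, canonicalRRset(resp.Answer), resp.Sig.Sig)
}

// Scenario runs the cases the article contrasts and reports which answers a
// validating resolver accepts: the genuine signed answer, a poisoned answer
// whose A record was swapped but still carries the original RRSIG, and a
// poisoned answer delivered with no RRSIG at all.
func Scenario() (genuineOK, swappedOK, unsignedOK bool) {
	zonePub, zonePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed zone data; addresses are from the RFC 5737 documentation ranges.
	genuine := []RR{{Name: "www.bank.example.", Type: "A", TTL: 300, RData: "192.0.2.10"}}
	sig := SignRRset(zonePriv, genuine)
	genuineOK = Validate(zonePub, Response{Answer: genuine, Sig: &sig})

	swapped := []RR{{Name: "www.bank.example.", Type: "A", TTL: 300, RData: "198.51.100.7"}}
	swappedOK = Validate(zonePub, Response{Answer: swapped, Sig: &sig})
	unsignedOK = Validate(zonePub, Response{Answer: swapped, Sig: nil})
	return
}

func main() {
	g, s, u := Scenario()
	fmt.Printf("genuine signed answer accepted:     %v\n", g)
	fmt.Printf("swapped answer with original RRSIG: %v\n", s)
	fmt.Printf("swapped answer with no RRSIG:       %v\n", u)
}
```

The third case is why a validating resolver must know from the parent zone that a name is signed at all: otherwise an attacker can simply strip the signatures, which is the role of the DS record chain omitted here.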
From isn at c4i.org Fri Dec 9 01:38:08 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 9 01:49:35 2005
Subject: [ISN] Sony fixes security hole in CDs, again
Message-ID:

http://news.com.com/Sony+fixes+security+hole+in+CDs%2C+again/2100-1002_3-5987776.html

By John Borland
Staff Writer, CNET News.com
December 8, 2005

Sony BMG is replacing a patch for its CD copy protection software after Princeton University researchers found a security flaw in the update. Sony announced on Tuesday that a new risk had been found with a batch of 27 of its compact discs, which automatically install antipiracy software on hard drives when put into a computer's disc drive. Along with the Electronic Frontier Foundation, a digital rights group, the record label released a patch aimed at fixing that flaw. However, Princeton computer science professor Ed Felten wrote in his blog on Wednesday that the patch itself could open computers to attack by hackers. Sony executives said Thursday that they are working as closely as possible with security professionals to address the issues identified by Felten, and would have a new patch available by midday that day. "The security space is a dynamic one, as we have learned," said Thomas Hesse, president of Sony's global digital businesses. "Our goal is to be diligent and swift, and we have gone to experts to handle this issue." Sony's ongoing troubles with copy protection software highlight the delicate line that record labels and other content companies are walking in trying to protect their products from widespread duplication. On the one hand, labels have watched their revenues decrease over the past several years, as more people swap songs online and burn CDs for friends and acquaintances. However, the labels' technological attempts to create a copy-protected CD that retains compatibility with millions of old CD players have opened them up to the unfamiliar hazards of software development.
Several of Sony's attempts to patch security holes in its antipiracy software over the past weeks have turned out to raise their own new problems, instead of quelling concerns. The current security flaw in Sony's discs is related to software produced by SunnComm Technologies and affects 27 titles that remain on the market. It's separate from an earlier vulnerability that affected 52 other titles and that related to antipiracy software written by another company, First 4 Internet. Those titles have been recalled from store shelves. The flaw found by Felten could allow Sony's original patch to trigger malicious software on a computer, if that software was already in place when the patch was installed.

From isn at c4i.org Fri Dec 9 01:37:30 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 9 01:51:44 2005
Subject: [ISN] Germany's Armed Forces do without Blackberry due to security concerns
Message-ID:

http://www.heise.de/english/newsticker/news/67156

08.12.2005

According to a report in Wirtschaftswoche, the Bundeswehr will not, for the time being, be using Blackberry devices made by Canada's Research in Motion (RIM) for its top-ranking political and military officers. The magazine is reporting that Germany's Defense Ministry has canceled a major order with T-Mobile for security concerns. At the beginning of October, Wirtschaftswoche had already made public some security concerns that the German Bureau for Security in Information Technology (BSI) had about the e-mail PDA. According to the report, the BSI complained that all of the e-mail traffic went through a data center in Great Britain, so that British security authorities and the Secret Service would have access to all connection data and content, which they could then use for economic espionage. RIM responded that it was not possible to send e-mail data from RIM servers to third parties because this data was not saved on the company's computers, but was only passed on.
In addition, the provider explained that the data were sufficiently encrypted with AES or triple DES algorithms. RIM claims that it does not even have a way itself to tap its customers' e-mail traffic. In the meantime, the company has contracted the Fraunhofer Institute for Secure Information Technology to test the security of Blackberry technology; in addition, BSI has also claimed that its own investigation has been partly misinterpreted.

From isn at c4i.org Fri Dec 9 01:37:50 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 9 01:52:35 2005
Subject: [ISN] Law Firms Not Liable in Alleged Web Hacking Case
Message-ID:

http://www.law.com/jsp/article.jsp?id=1134036310706

Pamela A. MacLean
The National Law Journal
12-09-2005

Two law firms that allegedly surreptitiously accessed the password-protected Web site of an expert witness in order to show a judge that the witness violated a gag order cannot be held liable under the Digital Millennium Copyright Act. A District of Columbia federal judge has dismissed the suit by Boston occupational illness expert Dr. David Egilman, who accused the law firms Jones Day and Keller & Heckman of Washington, and Keller attorney Douglas Behr, of misappropriating his protected work. Egilman accused the Keller firm and Behr of hacking into his Web site by acquiring a password and sharing it with Jones Day lawyers in the midst of a 2001 landmark Colorado state toxics trial. Egilman had testified on behalf of the first four of 50 workers at Rocky Flats nuclear weapons plant who unsuccessfully claimed that the federal government colluded with the world's largest beryllium maker, Brush Wellman Inc., to hide the health dangers of the metallic element. Despite a broad gag order by a Colorado state court judge, Frank Plaut, in Ballinger v. Brush Wellman Inc., No. 96-CV-2532, Egilman had posted critical material about Jones Day and Brush Wellman on his password-protected Web site in what Plaut ruled was a violation of the gag order.
Plaut ordered jurors to disregard Egilman's testimony as a sanction after learning from Jones Day that the posting included accusations of potential illegal conduct by Jones Day, and allegations that a Brush Wellman medical doctor was educated in Nazi Germany, according to press accounts at the time. Plaut called the information "scurrilous and inflammatory" at the time. Egilman, who has testified in dozens of toxics trials and was the expert in the recent Texas Vioxx trial that resulted in a $253 million verdict, limited Web site access to his staff and his Brown University students. He posted uncensored information on occupational illness and related litigation, including previously confidential corporate internal documents related to many toxic torts. Jurors ultimately sided with Brush Wellman and, without Egilman's testimony, rejected the workers' claims that lung damage from exposure to radioactive beryllium could have been avoided. EFFECTIVENESS COMPROMISED? But Egilman pursued his fight against the law firms. Egilman sued Jones Day and Keller & Heckman, first in Texas and later in the District of Columbia, saying that his reputation was besmirched and his effectiveness compromised. He argued that the law firms and Behr circumvented measures installed to deny access to his copyright-protected work on the Web site, in violation of the 1978 Digital Millennium Copyright Act. U.S. District Judge Henry Kennedy Jr. in D.C. ruled that obtaining a username and password from a third party that has authorized access does not violate the DMCA. Kennedy cited the only other court to rule on improper use of a legitimate password, holding that gaining access to a third party's legitimate password is not the same as hacking. "It is irrelevant who provided the username/password combination to the defendant, or, given that the combination itself was legitimate, how it was obtained," Kennedy wrote in Egilman v. Keller & Heckman, No. 04-876HHK. 
Use of a legitimate password does not "circumvent" a technology used to control access, Kennedy concluded. "This is not really about the DMCA," Egilman said. "It is about how the legal system is designed to benefit people in power. That is why courts said it was legal for blacks to be slaves or ruled it legal to deny women the vote," he said. Accessing his computer "was illegal conduct. It was breaking and entering. It is simple theft," he said. As for Egilman's alternate claim that unauthorized use of the password violated the Computer Fraud and Abuse Act, the court found that he had filed that claim too late. Egilman said he is not sure whether he will appeal. "I spent $150,000 of my money doing this case. At some point I can't afford to represent the interests of regular people against criminal law firms," he said. Behr said only, "I don't want to talk about it," when asked about the case. Attorneys for Jones Day and Keller & Heckman declined to comment.

Copyright 2005 ALM Properties, Inc. All rights reserved.

From isn at c4i.org Fri Dec 9 01:38:31 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 9 01:53:11 2005
Subject: [ISN] Residents' data at risk on state's computers
Message-ID:

http://www.duluthsuperior.com/mld/duluthsuperior/news/local/13356945.htm

BY PATRICK SWEENEY AND LESLIE BROOKS SUZUKAMO
ST. PAUL PIONEER PRESS
Dec. 08, 2005

ST. PAUL - Minnesotans' personal information stored on the state's large mainframe computers - including tax return information and bank account numbers - is at risk of being stolen, the Legislative Auditor said Wednesday. An audit conducted in October exposed a variety of vulnerabilities in the mainframe computers, including a lack of basic security features such as eliminating passwords for former employees.
The investigation was the latest of three security audits since 2000 that found that, despite some recent improvements, personal information held by the state is "still vulnerable to loss, tampering and unauthorized disclosure." The audit found no evidence that computer hackers or state employees have stolen any of that data. But the auditors did not look for that kind of evidence, and one of the chief investigators for the auditing team said a disgruntled employee could download information from the system into a portable storage device without detection. As part of the audit, the investigators performed such a download to prove that it could be done, said Chris Buse, information technology audit manager. No personal information was compromised in the test, he said. Legislative Auditor Jim Nobles told a House-Senate commission that his staff found many shortcomings in the state's security practices for mainframe computers in the state's main data center that store driver's license information, process tax returns and maintain eligibility data on Minnesotans who receive welfare payments or state-subsidized health care. Most of the audit focused on the potential for a few thousand state employees or subcontractors with access to the computer systems to misuse their passwords and, from their offices or homes, penetrate databases beyond their job responsibilities. The audit also found a few ways outside hackers could enter the systems. "There are avenues of access that people can find, and they don't have to be inside the system," Nobles said. The problems within the state system are not uncommon for companies with large computer systems, but their wide scope troubled one corporate security expert.
"If I was a person sitting in my chair at home, I'd be pretty alarmed," said Rick Greenwood, the chief technology officer at Roseville-based Shavlik Technologies, a company that sells software that helps large companies patch and protect their networks from computer viruses and worms. The state of the art for computer security is constantly changing, but some of the problems uncovered -- such as leaving passwords unchanged after an employee stops working for the state -- were particularly troubling, Greenwood said. The problems with managing passwords were fixed as soon as they were pointed out, said Steve Stedman, the state's chief technology officer. However, the state still has no automated way of turning off passwords after a worker leaves, so there's a lag, he said. Gopal Khanna, who was hired as Minnesota's chief information officer last summer, said he assumes hackers routinely try to break into the state's computers. But he said he knew of no instances in which computer surveillance systems detected successful intrusions. Minnesota's Web-based vehicle license tab renewal system was shut down in April after another legislative audit found security shortcomings. "While we may disagree with the magnitude of actual risk involved with some of the audit findings and recommendations at a detail level, we accept that the major thrust of the Office of Legislative Auditor report is, on the whole, an accurate assessment," Khanna said. Khanna said that he is moving toward hiring a high-level chief information security officer to oversee access to all the state's computer systems, and that he is preparing an action plan on information security that he will present to state officials by the end of January. Khanna emphasized that his office takes the security questions seriously and is studying ways to safeguard not just the mainframe computers but the state's sprawling network of servers. 
Both Nobles and Buse warned legislators Wednesday that they will have to be prepared to pay more, particularly in salaries for information security experts, to safeguard computerized data. Problems cited in the most recent audit report include:

* Too many state employees have security clearances that give them wide access across multiple state computer systems.
* Too many employees have key cards that allow them physical access to mainframe computers.
* Some computer accounts allow users access to data without passwords, and software programs that require passwords to be changed regularly are sometimes bypassed.
* State employees working from home receive unencrypted data, making it easier for hackers to steal.

Computer users, in at least one case, did not change the default password supplied with a software product, making the software easily accessible to hackers. Buse said it is not possible for state officials to shut down most of the computer systems at risk, as they had with the online license tab renewal system. "The guts of government run on these machines," he said.

-=-

© 2005 Duluth News Tribune and wire service sources. All Rights Reserved.

From isn at c4i.org Fri Dec 9 01:37:13 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 9 01:55:52 2005
Subject: [ISN] Good news on ID theft
Message-ID:

http://www.signonsandiego.com/news/business/20051208-9999-1b8identity.html

By Bruce V. Bigelow
UNION-TRIBUNE STAFF WRITER
December 8, 2005

A computerized analysis of four data breaches that compromised personal information on some 500,000 people suggests the alarm that often accompanies electronic break-ins may be largely unwarranted. On the other hand, the study also suggests that publicity can help deter fraudsters from using the stolen data. The analysis, conducted over the past six months by San Diego's ID Analytics, is believed to be the first to calculate just how much fraud occurred after each security breach.
Such incidents frequently generate worries about identity theft, a crime in which fraudsters use stolen personal data to get credit cards and loans to make purchases under someone else's name.

Previous studies have suggested that up to one in 70 Americans has fallen victim to identity theft, said Fred H. Cate, director of Indiana University's Center for Applied Cybersecurity Research.

In the analysis done by ID Analytics, however, the highest rate of misuse of the four data breaches was calculated at 0.098 percent - or less than one in 1,000 identities. The company provided no specifics on the security breaches it studied.

The low rate was surprising even at ID Analytics, which uses sophisticated computer technology to analyze consumer payments and applications for credit cards, loans and cellular telephone accounts for telltale signs of fraud.

A survey in January by a market research firm, Javelin Strategy and Research, found the total cost of identity theft and credit card fraud to be $52.6 billion a year. Javelin also counted 9.3 million new victims of identity theft. With the U.S. population at 281.4 million, that works out to about 3.3 percent - or more than 30 times the rate calculated by ID Analytics.

One reason ID Analytics' findings may be at odds with other studies on identity theft is that it focused narrowly on breaches that involved four electronic databases, said James Van Dyke, Javelin's founder and president.

"No one should project the results of their good work on the overall problem," Van Dyke said. "Most of the new account identity theft fraud is not due to data breaches."

Van Dyke explained: "You are more likely to become a victim of identity fraud from somebody who knows you personally. The list could include estranged relatives, neighbors, friends or somebody hired to work around the house."
As part of its business, ID Analytics uses its network to analyze some 40 million consumer applications a month, scoring the risk of fraud as part of a service provided to its customers, which include major financial institutions and wireless service providers.

"No breach is good," said Mike Cook, a co-founder and vice president of product at ID Analytics. "But there are different risks associated with different types of breaches."

The company, which plans to release its findings today, conducted its analysis over the past six months - comparing the compromised data from each breach with its proprietary neural network technology. Such technology searches for patterns that could include customer accounts with multiple names and different addresses and telephone numbers.

Cook reviewed the results of ID Analytics' analysis just days after the University of San Diego notified almost 7,800 individuals that hackers gained access to computers containing their personal income-tax data.

In the past year or so, similar breaches have hit more than a dozen organizations, including ChoicePoint, LexisNexis, GMAC Financial Services, Science Applications International Corp. and the University of California Berkeley.

"Breaches are everybody's problem," Cook said. "But the incidence of occurrence is much higher with educational institutions and government agencies."

Among other things, the company found that:

* Deliberate data breaches that target detailed customer information, including names, Social Security numbers, addresses and birth dates pose the highest potential for fraud.

* A big data breach poses a lower risk that any single person will be defrauded. If it takes five minutes to fill out an illicit credit application, it could take even a diligent fraudster more than 50 years to make use of a database holding 1 million consumer identities.

* By the same token, the smaller the data breach, the higher the chance of fraud for each consumer whose personal data were compromised.

* Notifying consumers about a data breach may provide a deterrent effect on fraudsters. But such notifications can be costly, and they often needlessly alarm consumers when the risk of fraud is low.

Avivah Litan, a Gartner research director for payments and fraud, said ID Analytics' findings were important for three reasons.

"What it told me, number one, was that disclosure is a good thing. Publicity stopped the thieves immediately. Number two, it showed that the theft of a credit card is not necessarily going to lead to identity theft. And number three, that you can't really conclude that anything will happen from the theft of a laptop computer."

Cate, of Indiana University, said ID Analytics' study suggests that laws requiring institutions to notify consumers of data breaches may be unnecessary - at least in cases where the costs of notification are high and the risks of fraud are low.

"It turns out that almost all the data are telling us that these breaches aren't that big of a deal," Cate said. "Statistically, you are no more likely to be a victim of identity theft the day after a breach than you were the day before."
From isn at c4i.org Fri Dec 9 01:36:51 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 9 01:57:12 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-49
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2005-12-01 - 2005-12-08
                        This week : 89 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Several vulnerabilities have been reported in xpdf, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Please refer to the Secunia advisory below for additional details.
Reference:
http://secunia.com/SA17897

--

Apple has acknowledged some vulnerabilities in Java for Mac OS X, which can be exploited by malicious people to compromise a user's system.

References:
http://secunia.com/SA17847
http://secunia.com/SA17748

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
2.  [SA17748] Sun Java JRE Sandbox Security Bypass Vulnerabilities
3.  [SA7127] Windows XP/2000/NT will let user execute any 16bit application
4.  [SA17847] Apple Mac OS X update for Java
5.  [SA16907] Opera Command Line URL Shell Command Injection
6.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
7.  [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
8.  [SA17430] Macromedia Flash Player SWF File Handling Arbitrary Code Execution
9.  [SA17813] Mac OS X Security Update Fixes Multiple Vulnerabilities
10. [SA16560] Windows Registry Editor Utility String Concealment Weakness

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA17863] Ipswitch IMail Server IMAP and SMTP Service Two Vulnerabilities
[SA17939] CF_Nuke Directory Traversal and Cross-Site Scripting Vulnerabilities
[SA17900] A-FAQ SQL Injection Vulnerabilities
[SA17906] Ideal BB.NET Custom Error Page Cross-Site Scripting Vulnerability
[SA17905] rwAuction Pro "searchtxt" Cross-Site Scripting Vulnerability
[SA17904] XcPhotoAlbum "SearchFor" Cross-Site Scripting Vulnerability
[SA17903] XcClassified "SearchFor" Cross-Site Scripting Vulnerability
[SA17902] NetAuctionHelp Auction Software Cross-Site Scripting Vulnerabilities
[SA17901] IISWorks ASPKnowledgeBase "a" Cross-Site Scripting Vulnerability
[SA17898] DUware DUportal Pro "result" Cross-Site Scripting Vulnerability
[SA17857] SiteBeater News System "Archive.asp" Cross-Site Scripting Vulnerability
[SA17856] SiteBeater MP3 Catalog "Search.asp" Cross-Site Scripting Vulnerability
[SA17854] Solupress News "search.asp" Cross-Site Scripting Vulnerability
[SA17851] MyTemplateSite "search.asp" Cross-Site Scripting Vulnerability
[SA17933] Sony SunnComm MediaMax DRM Software Insecure Directory Permissions

UNIX/Linux:
[SA17899] Ubuntu update for kerberos
[SA17847] Apple Mac OS X update for Java
[SA17930] Red Hat update for imap
[SA17929] Red Hat update for xpdf
[SA17928] Red Hat update for libc-client
[SA17926] Fedora update for xpdf
[SA17923] Ubuntu update for apache2
[SA17921] pdftohtml Xpdf Buffer Overflow Vulnerabilities
[SA17920] KDE kpdf Xpdf Buffer Overflow Vulnerabilities
[SA17916] teTeX Xpdf Buffer Overflow Vulnerabilities
[SA17912] Poppler Xpdf Buffer Overflow Vulnerabilities
[SA17910] Horde IMP Attachments Script Insertion Vulnerability
[SA17908] KOffice KWord PDF Filter Xpdf Buffer Overflow Vulnerabilities
[SA17897] Xpdf Multiple Buffer Overflow Vulnerabilities
[SA17892] FFmpeg libavcodec Buffer Overflow Vulnerability
[SA17882] Debian update for inkscape
[SA17874] Mandriva update for mailman
[SA17860] Debian update for helix-player
[SA17913] coWiki "q" Cross-Site Scripting Vulnerability
[SA17878] Mandriva update for webmin
[SA17877] Mandriva update for spamassassin
[SA17839] FastJar File Extraction Directory Traversal Vulnerability
[SA17917] SUSE update for kernel
[SA17845] Fedora update for openldap
[SA17924] AIX "umountall" Command Absolute Path Vulnerability
[SA17907] cURL/libcURL URL Parsing Off-By-One Vulnerability
[SA17886] Ubuntu update for inkscape
[SA17844] Fedora update for perl

Other:
[SA17888] Cisco Products OpenSSL Potential SSL 2.0 Rollback Vulnerability
[SA17852] MultiTech MultiVoIP Gateway Denial of Service Vulnerability

Cross Platform:
[SA17925] phpMyAdmin register_globals Emulation "import_blacklist" Manipulation
[SA17896] DoceboLMS Information Disclosure and File Upload Vulnerabilities
[SA17887] Jinzora Snoopy "_httpsrequest()" Command Injection Vulnerability
[SA17866] MediaWiki Language Option PHP Code Execution Vulnerability
[SA17858] PHPX "username" SQL Injection Vulnerability
[SA17935] Magic Forum Personal Cross-Site Scripting and SQL Injection
[SA17915] phpForumPro SQL Injection Vulnerabilities
[SA17914] Cars Portal SQL Injection Vulnerabilities
[SA17911] PluggedOut Blog "index.php" SQL Injection Vulnerabilities
[SA17909] PluggedOut Nexus SQL Injection and Cross-Site Scripting Vulnerabilities
[SA17894] Trac Search Module SQL Injection Vulnerability
[SA17893] Blog System SQL Injection Vulnerabilities
[SA17884] HobSR "view.php" SQL Injection Vulnerability
[SA17883] Web4Future Affiliate Manager Pro "pid" SQL Injection Vulnerability
[SA17881] Web4Future eCommerce Products SQL Injection Vulnerabilities
[SA17880] Web4Future Portal Solutions Information Disclosure and SQL Injection
[SA17879] Web4Future eDating Professional SQL Injection Vulnerabilities
[SA17871] PHP-Fusion "srch_text" SQL Injection Vulnerability
[SA17869] Zen Cart "admin_email" SQL Injection Vulnerability
[SA17867] Nodezilla Potential Information Disclosure Vulnerability
[SA17861] Quicksilver Forums HTTP_USER_AGENT SQL Injection Vulnerability
[SA17859] SAPID CMS Security Bypass Vulnerability
[SA17855] Coppermine Photo Gallery "relocate_server.php" Exposure of Configuration
[SA17853] NetClassifieds Multiple SQL Injection Vulnerabilities
[SA17849] phpYellow SQL Injection Vulnerabilities
[SA17846] Relative Real Estate Systems "mls" SQL Injection Vulnerability
[SA17843] LandShop SQL Injection Vulnerabilities
[SA17842] Lore "id" SQL Injection Vulnerability
[SA17841] Instant Photo Gallery SQL Injection Vulnerabilities
[SA17840] Widget Imprint "product_id" SQL Injection Vulnerability
[SA17937] Magic List Pro "ListID" SQL Injection Vulnerability
[SA17895] phpMyAdmin Cross-Site Scripting Vulnerabilities
[SA17885] PHP-addressbook "view.php" SQL Injection Vulnerability
[SA17876] KeyWord Frequency Counter "url" Cross-Site Scripting Vulnerability
[SA17875] Amazon Search Directory "search.cgi" Cross-Site Scripting Vulnerability
[SA17873] Sun Java System Application Server Reverse SSL Proxy Plug-in Vulnerability
[SA17872] Hot Links Pro "search.cgi" Cross-Site Scripting Vulnerability
[SA17868] Hot Links SQL "search.cgi" Cross-Site Scripting Vulnerability
[SA17864] Warm Links "search.cgi" Cross-Site Scripting Vulnerability
[SA17862] 1-Search "1search.cgi" Cross-Site Scripting Vulnerability
[SA17850] QualityEBiz Quality PPC "REQ" Cross-Site Scripting Vulnerability
[SA17848] WebCalendar Two Vulnerabilities and a Weakness
[SA17890] e107 "rate.php" Redirection and Multiple Rating Weakness
[SA17889] Sun Java System Communications Services Delegated Administrator Password Disclosure

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA17863] Ipswitch IMail Server IMAP and SMTP Service Two Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-07

Two vulnerabilities have been reported in IMail Server, which can be exploited by malicious users to cause a DoS (Denial of Service) and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17863/

--

[SA17939] CF_Nuke Directory Traversal and Cross-Site Scripting Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2005-12-07

r0t has discovered two vulnerabilities in CF_Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks and to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/17939/

--

[SA17900] A-FAQ SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-06

r0t has reported two vulnerabilities in A-FAQ, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17900/

--

[SA17906] Ideal BB.NET Custom Error Page Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-07

r0t has discovered a vulnerability in Ideal BB.NET, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17906/

--

[SA17905] rwAuction Pro "searchtxt" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-06

r0t has reported a vulnerability in rwAuction Pro, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17905/

--

[SA17904] XcPhotoAlbum "SearchFor" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-06

r0t has reported a vulnerability in XcPhotoAlbum, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17904/

--

[SA17903] XcClassified "SearchFor" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-06

r0t has reported a vulnerability in XcClassified, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17903/

--

[SA17902] NetAuctionHelp Auction Software Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-06

r0t has reported some vulnerabilities in NetAuctionHelp Auction Software, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17902/

--

[SA17901] IISWorks ASPKnowledgeBase "a" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-06

r0t has reported a vulnerability in IISWorks ASPKnowledgeBase, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17901/

--

[SA17898] DUware DUportal Pro "result" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-06

Dj_Eyes has reported a vulnerability in DUware DUportal Pro, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/17898/

--

[SA17857] SiteBeater News System "Archive.asp" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-05

r0t has reported a vulnerability in SiteBeater News System, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17857/

--

[SA17856] SiteBeater MP3 Catalog "Search.asp" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-05

r0t has reported a vulnerability in SiteBeater MP3 Catalog, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17856/

--

[SA17854] Solupress News "search.asp" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-05

r0t has reported a vulnerability in Solupress News, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17854/

--

[SA17851] MyTemplateSite "search.asp" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-05

r0t has reported a vulnerability in MyTemplateSite, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17851/

--

[SA17933] Sony SunnComm MediaMax DRM Software Insecure Directory Permissions

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data, Privilege escalation
Released:    2005-12-07

Jesse Burns and Alex Stamos have reported a security issue in SunnComm MediaMax, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/17933/

UNIX/Linux:--

[SA17899] Ubuntu update for kerberos

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-06

Ubuntu has issued an update for kerberos. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17899/

--

[SA17847] Apple Mac OS X update for Java

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-12-02

Apple has acknowledged some vulnerabilities in Java for Mac OS X, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17847/

--

[SA17930] Red Hat update for imap

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-07

Red Hat has issued an update for imap. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17930/

--

[SA17929] Red Hat update for xpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-07

Red Hat has issued an update for xpdf. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17929/

--

[SA17928] Red Hat update for libc-client

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-07

Red Hat has issued an update for libc-client. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17928/

--

[SA17926] Fedora update for xpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-07

Fedora has issued an update for xpdf. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17926/

--

[SA17923] Ubuntu update for apache2

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-12-07

Ubuntu has issued an update for apache2. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17923/

--

[SA17921] pdftohtml Xpdf Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access, DoS
Released:    2005-12-07

Some vulnerabilities have been reported in pdftohtml, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17921/

--

[SA17920] KDE kpdf Xpdf Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access, DoS
Released:    2005-12-07

Some vulnerabilities have been reported in KDE kpdf, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17920/

--

[SA17916] teTeX Xpdf Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-07

Some vulnerabilities have been reported in teTeX, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17916/

--

[SA17912] Poppler Xpdf Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-07

Some vulnerabilities have been reported in Poppler, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17912/

--

[SA17910] Horde IMP Attachments Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-06

Igor has reported a vulnerability in Horde IMP, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/17910/

--

[SA17908] KOffice KWord PDF Filter Xpdf Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-07

Some vulnerabilities have been reported in KOffice, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17908/

--

[SA17897] Xpdf Multiple Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-06

infamous41md has reported some vulnerabilities in xpdf, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17897/

--

[SA17892] FFmpeg libavcodec Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-06

Simon Kilvington has reported a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/17892/

--

[SA17882] Debian update for inkscape

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, DoS, System access
Released:    2005-12-07

Debian has issued an update for inkscape. This fixes two vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17882/

--

[SA17874] Mandriva update for mailman

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, DoS
Released:    2005-12-05

Mandriva has issued an update for mailman. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17874/

--

[SA17860] Debian update for helix-player

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-12-02

Debian has issued an update for helix-player. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17860/

--

[SA17913] coWiki "q" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-06

r0t has reported a vulnerability in coWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17913/

--

[SA17878] Mandriva update for webmin

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-12-05

Mandriva has issued an update for webmin. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17878/

--

[SA17877] Mandriva update for spamassassin

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-12-05

Mandriva has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17877/

--

[SA17839] FastJar File Extraction Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-12-01

tv has discovered a vulnerability in FastJar, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17839/

--

[SA17917] SUSE update for kernel

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information, DoS
Released:    2005-12-06

SUSE has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service), or by malicious people to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/17917/

--

[SA17845] Fedora update for openldap

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2005-12-02

Fedora has issued an update for openldap. This fixes a security issue, which can be exploited by malicious people to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/17845/

--

[SA17924] AIX "umountall" Command Absolute Path Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Unknown
Released:    2005-12-07

A vulnerability has been reported in AIX, which can be exploited by malicious, local users with unknown impact.

Full Advisory:
http://secunia.com/advisories/17924/

--

[SA17907] cURL/libcURL URL Parsing Off-By-One Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Unknown
Released:    2005-12-07

Stefan Esser has reported a vulnerability in cURL/libcURL, which has an unknown impact.

Full Advisory:
http://secunia.com/advisories/17907/

--

[SA17886] Ubuntu update for inkscape

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-12-05

Ubuntu has issued an update for inkscape. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17886/

--

[SA17844] Fedora update for perl

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-12-02

Fedora has issued an update for perl. This fixes a vulnerability, which can be exploited by malicious people to cause a Denial of Service.

Full Advisory:
http://secunia.com/advisories/17844/

Other:--

[SA17888] Cisco Products OpenSSL Potential SSL 2.0 Rollback Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-12-05

Cisco has acknowledged a vulnerability in some products, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17888/

--

[SA17852] MultiTech MultiVoIP Gateway Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-12-07

Ejovi Nuwere has reported a vulnerability in MultiTech MultiVoIP Gateway, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/17852/

Cross Platform:--

[SA17925] phpMyAdmin register_globals Emulation "import_blacklist" Manipulation

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information, System access
Released:    2005-12-07

Stefan Esser has reported a vulnerability in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17925/

--

[SA17896] DoceboLMS Information Disclosure and File Upload Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, System access
Released:    2005-12-06

rgod has reported two vulnerabilities in DoceboLMS, which can be exploited by malicious people to disclose system information and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17896/

--

[SA17887] Jinzora Snoopy "_httpsrequest()" Command Injection Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-12-05

A vulnerability has been reported in Jinzora, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17887/

--

[SA17866] MediaWiki Language Option PHP Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-12-05

A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17866/

--

[SA17858] PHPX "username" SQL Injection Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, System access
Released:    2005-12-02

rgod has reported a vulnerability in PHPX, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17858/

--

[SA17935] Magic Forum Personal Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-12-07

r0t has reported some vulnerabilities in Magic Forum Personal, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17935/

--

[SA17915] phpForumPro SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-06

$um$id has reported two vulnerabilities in phpForumPro, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17915/

--

[SA17914] Cars Portal SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-06

r0t has reported two vulnerabilities in Cars Portal, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17914/

--

[SA17911] PluggedOut Blog "index.php" SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-06

r0t has discovered some vulnerabilities in PluggedOut Blog, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17911/

--

[SA17909] PluggedOut Nexus SQL Injection and Cross-Site Scripting Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-12-06

r0t has discovered some vulnerabilities in PluggedOut Nexus, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17909/

--

[SA17894] Trac Search Module SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-06

A vulnerability has been reported in Trac, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17894/

--

[SA17893] Blog System SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-06

vipsta has reported two vulnerabilities in Blog System, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17893/

--

[SA17884] HobSR "view.php" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-05

r0t has reported a vulnerability in HobSR, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17884/

--

[SA17883] Web4Future Affiliate Manager Pro "pid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-06

r0t has reported a vulnerability in Web4Future Affiliate Manager Pro, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17883/

--

[SA17881] Web4Future eCommerce Products SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-06

r0t has reported some vulnerabilities in various Web4Future eCommerce products, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17881/ -- [SA17880] Web4Future Portal Solutions Information Disclosure and SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of system information Released: 2005-12-05 r0t has reported two vulnerabilities in Web4Future Portal Solutions, which can be exploited by malicious people to disclose system information and conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17880/ -- [SA17879] Web4Future eDating Professional SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-12-05 r0t has reported some vulnerabilities in Web4Future eDating Professional, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17879/ -- [SA17871] PHP-Fusion "srch_text" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-12-05 Nolan West has reported a vulnerability in PHP-Fusion, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17871/ -- [SA17869] Zen Cart "admin_email" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of system information, Manipulation of data Released: 2005-12-05 rgod has reported a vulnerability in Zen Cart, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17869/ -- [SA17867] Nodezilla Potential Information Disclosure Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-12-05 A vulnerability has been reported in Nodezilla, which potentially can be exploited by malicious people to disclose certain sensitive information. 
Full Advisory: http://secunia.com/advisories/17867/ -- [SA17861] Quicksilver Forums HTTP_USER_AGENT SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-12-05 A vulnerability has been reported in Quicksilver Forums, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17861/ -- [SA17859] SAPID CMS Security Bypass Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2005-12-02 A vulnerability has been reported in SAPID, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17859/ -- [SA17855] Coppermine Photo Gallery "relocate_server.php" Exposure of Configuration Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-12-02 A security issue has been reported in Coppermine Photo Gallery, which can be exploited by malicious people to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/17855/ -- [SA17853] NetClassifieds Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-12-02 r0t has reported some vulnerabilities in NetClassifieds, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17853/ -- [SA17849] phpYellow SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-12-05 r0t has reported two vulnerabilities in phpYellow, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/17849/ -- [SA17846] Relative Real Estate Systems "mls" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-12-05 r0t has reported a vulnerability in Relative Real Estate Systems, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17846/ -- [SA17843] LandShop SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of system information Released: 2005-12-05 r0t has reported some vulnerabilities in LandShop, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17843/ -- [SA17842] Lore "id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-12-01 r0t has reported a vulnerability in Lore, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17842/ -- [SA17841] Instant Photo Gallery SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-12-01 r0t has reported two vulnerabilities in Instant Photo Gallery, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17841/ -- [SA17840] Widget Imprint "product_id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-12-05 r0t has reported a vulnerability in Widget Imprint, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/17840/ -- [SA17937] Magic List Pro "ListID" SQL Injection Vulnerability Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2005-12-07 r0t has reported a vulnerability in Magic List Pro, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17937/ -- [SA17895] phpMyAdmin Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-06 Some vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/17895/ -- [SA17885] PHP-addressbook "view.php" SQL Injection Vulnerability Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2005-12-06 $um$id has discovered a vulnerability in PHP-addressbook, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17885/ -- [SA17876] KeyWord Frequency Counter "url" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-06 r0t has discovered a vulnerability in KeyWord Frequency Counter, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/17876/ -- [SA17875] Amazon Search Directory "search.cgi" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-05 r0t has reported a vulnerability in Amazon Search Directory, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/17875/ -- [SA17873] Sun Java System Application Server Reverse SSL Proxy Plug-in Vulnerability Critical: Less critical Where: From remote Impact: Hijacking Released: 2005-12-06 A vulnerability has been reported in Sun ONE and Java System Application Server, which potentially can be exploited by malicious people to conduct MitM (Man-in-the-Middle) attacks. Full Advisory: http://secunia.com/advisories/17873/ -- [SA17872] Hot Links Pro "search.cgi" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-05 r0t has reported a vulnerability in Hot Links Pro, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/17872/ -- [SA17868] Hot Links SQL "search.cgi" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-05 r0t has reported a vulnerability in Hot Links SQL, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/17868/ -- [SA17864] Warm Links "search.cgi" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-05 r0t has reported a vulnerability in Warm Links, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/17864/ -- [SA17862] 1-Search "1search.cgi" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-05 r0t has reported a vulnerability in 1-Search, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/17862/ -- [SA17850] QualityEBiz Quality PPC "REQ" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-02 r0t has reported a vulnerability in QualityEBiz Quality PPC (QualityPPC), which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/17850/ -- [SA17848] WebCalendar Two Vulnerabilities and a Weakness Critical: Less critical Where: From remote Impact: Manipulation of data, Exposure of system information, Cross Site Scripting Released: 2005-12-02 Two vulnerabilities and a weakness have been reported in WebCalendar, which can be exploited by malicious users to conduct SQL injection attacks, and by malicious people to gain knowledge of certain information and conduct HTTP response splitting attacks. Full Advisory: http://secunia.com/advisories/17848/ -- [SA17890] e107 "rate.php" Redirection and Multiple Rating Weakness Critical: Not critical Where: From remote Impact: Security Bypass Released: 2005-12-05 Marc Ruef has reported two weakness in e107, which potentially can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct phishing attacks. Full Advisory: http://secunia.com/advisories/17890/ -- [SA17889] Sun Java System Communications Services Delegated Administrator Password Disclosure Critical: Not critical Where: From local network Impact: Exposure of sensitive information Released: 2005-12-06 A weakness has been reported in Sun Java System Messaging Server, which can be exploited by malicious people to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/17889/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. 
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Dec 9 01:35:34 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 9 01:57:38 2005
Subject: [ISN] Microsoft's Ballmer: "Bad guys are still out there"
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/37717-1.html

By Brad Grimes
GCN Staff
12/07/05

The question came from Eugene Huang, Virginia's secretary of technology. Huang wanted to know how Microsoft Corp. had gone from being a laughingstock on IT security matters to a company increasingly respected for its efforts to develop secure software.

Microsoft CEO Steve Ballmer acknowledged the company had made significant strides in the four years since chief software architect Bill Gates issued a memo making security a top priority. But Ballmer was quick to point out that Microsoft, its customers and other technology companies still had a way to go in securing IT infrastructures.

"We all get lulled to sleep when there's a big gap" between software attacks, Ballmer said. "We need to stay diligent."

Ballmer today addressed a gathering of government contractors and other industry representatives in Washington at an event presented by the Northern Virginia Technology Council, the Tech Council of Maryland, the Washington D.C. Technology Council and TechNet, a Silicon Valley-based industry association focused on policy issues.

Earlier in his remarks, Ballmer said Microsoft's record on security issues was "not perfect, but we've made great progress. ...Virus outbreaks are fewer and less damaging." Still, he cautioned, "bad guys are still out there."
Ballmer also talked about Microsoft's Windows Live and Office Live initiatives, which the company announced last month. Live represents Microsoft's move toward offering software as a service, the way Salesforce.com, for example, offers customer relationship management software online. Ballmer called it "the most important trend in the software business," but insisted Internet-based software would not replace traditional client-server programs.

The "basic nature of software will change," Ballmer said, but not all software will run on the Net. "People still want intelligence in clients and servers."

According to Ballmer, Microsoft's move toward software as a service coincides with requests the company has been getting from Defense Department customers who want help in deploying portals and other centrally managed applications across the entire military.

In addition, Ballmer emphasized Microsoft's efforts to better integrate its various software platforms. He called Microsoft Office "the definitive front end to all data people want to use." As an example, Ballmer pointed to the new Microsoft Dynamics CRM 3.0, which the company introduced this week. The latest version of the CRM package integrates directly with Microsoft Outlook to provide a familiar look and feel for agencies that need to manage people and information, such as the growing number of state and local 311 information centers set up to handle nonemergency citizen calls.

Referring to CRM as "a tool of oppression," Ballmer asserted that most people don't like CRM programs but feel comfortable in their e-mail clients.

Microsoft is in joint development with SAP on a project called Mendocino, which will make Office a front end for certain functions in SAP's enterprise resource planning line of products.
From isn at c4i.org Mon Dec 12 03:15:11 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 12 03:26:36 2005
Subject: [ISN] Server bug cripples Dublin law firms
Message-ID:

http://www.theregister.co.uk/2005/12/10/server_bug_cripples_dublin_law_firms/

By ElectricNews.Net
10th December 2005

Solicitors across Dublin fell victim to an accidental mass mailing that crippled their systems this week, clogging inboxes and causing widespread disruption.

The problem was attributed to an improper server configuration, which caused five servers to send out more than half a million emails to Dublin solicitors. The deluge of mail originated with a publishing company's email marketing message, which was sent to solicitors. When some solicitors attempted to reply to the mail, a fault in the solicitors' configuration of Microsoft Small Business Server sent the original email to their entire email database tens of thousands of times.

The incident crashed mail servers and caused embarrassment to those involved. The problem even hit smaller solicitors. One firm told ElectricNews.net that although the email had caused no serious harm, it had arrived in one of their inboxes hundreds of times.

Technology firm Enclave Technologies picked up on unusual email activity on Tuesday, although it pointed out that none of its clients had been affected by the problem.

"We were quickly able to trace servers that were causing the problem and alert the firms involved. Our priority then was to furnish the IT support companies who looked after these servers with the knowledge to halt this spread of email," explained Jane Reid, network manager, Enclave Technologies.

"Preventing the accidental propagation required the implementation of the Microsoft Knowledge Base (KB) patches KB886208 and KB835734. We would advise any company running Microsoft Small Business Server to ensure these patches are installed to prevent this problem," she continued.
The incident is being used as an opportunity to highlight the importance of keeping up to date with patches. Apparently, none of the solicitors involved had installed the server configuration recommended by Microsoft. Reid pointed out that situations like this are easily avoided.

"Solicitors and other professional services firms' absolute focus is their clients and it should not have to be their IT infrastructure," she said. "We believe that companies who do not have their own internal IT capability can prevent this sort of accident in the future by ensuring their IT maintenance and support provider keeps on top of best practice and the latest updates."

Still, installing patches is not always the panacea it appears to be: some users who have installed patches in the past have reported further problems, while Microsoft recently withdrew a planned security patch, citing concerns over quality.

Windows users have been hit by a number of bugs in recent months, including a flaw previously thought to be relatively harmless. That Internet Explorer flaw, a problem in the browser's JavaScript handling, could be used to take control of a Windows system.

Copyright © 2005, ElectricNews.Net

From isn at c4i.org Mon Dec 12 03:16:56 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 12 03:28:50 2005
Subject: [ISN] World war on world wide web
Message-ID:

http://www.hindustantimes.com/news/181_1570499,0035.htm

Mayank Tewari
New Delhi
December 10, 2005

The battle is virtual but is as good as a real one. It's a fight to prove how powerful a hacker can be when it comes to breaking into secure Indian websites and servers. In one corner of the ring stands a group of international hackers with names like CyberLord, fatal error and Suicide Scene. In the opposite corner stands the Indian security establishment, with a bunch of unnamed patriotic hackers who scout the web for any new activity and alert the government.
In the last week of November, international hackers defaced some 230 Indian sites, those with domain names ending in .in. A week later, more than 1,000 Linux-based web servers were hacked in a single attack by international hackers. Over 250 of these servers were located in India.

In August, the websites of four IITs (Mumbai, Guwahati, Kharagpur and Chennai) were hacked and defaced by a group of Pakistani hackers who call themselves the Jubni team. The hackers claimed that some of the members of the group are Majeed, Jubni, Zohaib, Pak Brain, Mian Walian and Ch33ta. The ire of the group was directed towards India, the USA and Israel.

The beginning of September sounded alarm bells for the security agencies. A friendly hacker emailed senior government officials about a Pakistani hackers' plan to deface all defence websites on September 5, the day the 1965 war broke out. The warning was received on September 2 and all defence websites were made more secure. Three days later there were repeated attempts to break into the servers, but the timely tip-off saved the day.

Government sources said it is common for hackers to supply intelligence to the Indian government.

"There is a network of hackers where information about a lot of events and Internet incidents is exchanged. We could be forewarned about a worm being propagated in some part of the world that may hit Indian servers soon. Based on the input we devise patches and post them on our sites for everyone else to download and use. The impact of any cyber attack is thus neutralised to a great extent," said a government source. The website in question is www.cert-in.org.in.

However, not everyone pays heed to such security advisories. CERT-In had issued an advisory in August 2005 about the Linux attacks that happened last week, but little attention was paid to it.
Sources say that awareness levels in India are so low that, instead of email alerts about expected hacker attacks, typed letters are sent out to the various states telling them to heighten web security in the wake of such intelligence.

"It is to our credit that despite all of these drawbacks we are able to fight international hackers very well," said a government source.

The Computer Emergency Response Team (CERT) also shares intelligence with similar bodies in other countries and is able to generate timely inputs.

From isn at c4i.org Mon Dec 12 03:15:38 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 12 03:51:50 2005
Subject: [ISN] Code breakers needed
Message-ID:

http://www.chron.com/disp/story.mpl/business/3513114.html

By GRANT SCHULTE
Copyright 2005 Houston Chronicle Washington Bureau
Dec. 8, 2005

WASHINGTON - Those pesky u-codes, the electronic keys needed to fix everything from air bags to headlights, were confounding Richard Mendoza yet again.

Sure, the Houston mechanic had just invested $6,800 in software that could read a car's computer, pinpointing virtually any problem. And yes, he could have figured out why the Chevy Impala's air bag light was on, had he gotten the right digital feedback. But the information Mendoza needed was hidden by an "underlining code," a PIN automakers create to protect trade secrets and stop car thieves.

Mendoza, the manager of independently owned repair garage Auto Check, sent his customer to the manufacturer. "They normally don't come back," he said. "It leaves the impression that you can't handle the job."

Such cases are rare (maybe once every three months, Mendoza said) but highlight a growing concern among small, independent garages and some lawmakers. With vehicles relying ever more on computers, Congress is reviewing a bill to pry open the technology that runs cars, trucks and vans.
Automakers, who oppose the measure, said it would reveal codes for the security systems of newer models, putting them at greater risk of theft, and force the companies into court battles on several fronts. A mechanic with access to an air bag's "underlining codes," for instance, could reprogram the system in a way that renders the warning light unreliable, manufacturers said. Representatives for General Motors Corp., which owns Chevrolet, declined to speak about the bill.

The Motor Vehicle Owners' Right to Repair Act, sponsored by Rep. Joe Barton, would require auto manufacturers to provide owners, or their mechanics, the software or tools needed to diagnose a car's problem. Barton, who heads the committee reviewing the bill, is "very optimistic" the measure will pass unless both sides reach an agreement on how to deal with such disputes on their own, spokeswoman Karen Modlin said. The Texas Republican also has contacted the Federal Trade Commission in hopes of creating an independent middleman that would help settle such disputes, Modlin said.

Talks have failed

An effort to resolve the argument through a similar group, the National Automotive Service Task Force, failed in September. The talks between automakers and mechanics show no sign of resuming in the near future. Both sides said they would rather avoid government involvement. But with expanding technology, the high cost of diagnostic tools and a growing source of income at stake, independent mechanics said inaction now will cost them customers later.

"We're afraid that if the legislation goes away, so will any hope of cooperation," said Robert Everett, a New Jersey mechanic who testified last month before the House Commerce, Trade and Consumer Protection Subcommittee.

Problems could worsen

Mechanics and some automakers agree that the difficulties facing independent mechanics could worsen without a compromise.
Everett said computer codes have already complicated efforts to fix dashboards, interior lights and brake systems on some newer vehicles.

Representatives for the automakers said the most critical repair information is already available. With 240 million vehicles on the nation's roads, manufacturers said they rely on aftermarket businesses to keep customers driving and repair costs down. But releasing certain information, like the codes that control a car's antitheft system, would create a host of problems, they said.

"If you allow everyone access to the computer key information, then what good would the protection be?" said John Cabaniss, director of environment and energy at the Association of International Automobile Manufacturers.

Many automakers also worry that the bill, which accuses them of restricting information "in a manner that has hindered open competition," will leave them vulnerable to lawsuits. Disclosing proprietary information could likewise force them into expensive legal battles against intellectual property thieves, they said, despite language in the bill that protects trade secrets.

Getting data, tools costly

Michael Stanton, vice president of government affairs for the Alliance of Automobile Manufacturers, said independent mechanics can find most of the information they need through company-run subscription Web sites. "It's frustrating for them. I understand that," Stanton said. "But I think it's fair to say that the vast, vast majority of information is already available."

Perhaps, but gathering the necessary data and tools is often too expensive and time-consuming for small businesses, said Christopher Garcia, a self-employed mechanic in Houston. In the past month, Garcia said, he accepted two customers whose cars weren't starting. Each should have taken five hours to fix. Instead, Garcia spent 15 hours hunting for the problem's cause in an unusual place: car repair manuals at the public library.
From isn at c4i.org Mon Dec 12 03:15:51 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 12 03:52:45 2005
Subject: [ISN] NSA posts notice about faster, lighter crypto
Message-ID:

http://www.fcw.com/article91669-12-09-05-Web

By Florence Olsen
Dec. 9, 2005

The National Security Agency wants federal agencies to consider using a group of algorithms it refers to as Suite B to satisfy future cryptographic requirements. Suite B contains NSA-approved cryptographic algorithms of various key sizes to protect classified and unclassified but sensitive information. NSA has posted a notice about Suite B on its Web site.

With little fanfare, the federal government has been conducting a cryptographic modernization program for the past several years. Suite B is part of that modernization effort.

Agencies preparing to issue mandatory federal identity cards containing cryptographic software should be aware of Suite B, even though the Federal Information Processing Standard (FIPS) 201 for identity cards makes no specific reference to it, said Brendan Ziolo, marketing director at Certicom. The company's elliptic curve cryptography (ECC) algorithms are included in Suite B.

FIPS 201 allows agencies to choose ECC or Rivest-Shamir-Adleman (RSA) algorithms for digital signatures and cryptographic key exchanges. The standard is not yet completely aligned with NSA's guidance on Suite B, Ziolo said. But if agencies want to simplify their transition to Suite B, he added, they should ask identity card suppliers about including ECC algorithms on the cards that agencies must begin issuing next year under Homeland Security Presidential Directive 12.

ECC offers greater security and more efficient performance than RSA and other widely used first-generation public key algorithms, according to NSA's notice.
"As vendors look to upgrade their systems, they should seriously consider the elliptic curve alternative[s] for the computational and bandwidth advantages they offer at comparable security," the notice states.

Agencies and their suppliers might consider building FIPS 201-compliant identity cards with both RSA and ECC algorithms or, at least, they should have an ECC transition plan, Ziolo said.

For the federal identity card program, agencies have to buy more than smart cards. They must also acquire card readers and have access to a public-key infrastructure (PKI). "Card readers need to catch up so they can support ECC," Ziolo said. "The PKI backend will need to support ECC as well," he said.

In October 2003, NSA licensed 26 ECC patents from Certicom for $25 million. Because ECC offers smaller key sizes, it is suited for small devices, such as smart cards, for which speedy cryptography is also desirable, Ziolo said.

From isn at c4i.org Mon Dec 12 03:16:18 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 12 03:53:41 2005
Subject: [ISN] Linux Advisory Watch - December 9th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  December 9th, 2005                           Volume 6, Number 50a  |
+---------------------------------------------------------------------+

Editors:  Dave Wreski                 Benjamin D. Thomas
          dave@linuxsecurity.com      ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week advisories were released for gdk-pixbuf, horde2, helix-player, Inkscape, horde2, Perl, Webmin, eagle-usb, spamassassin, mailman, xpdf, libc-client, and imap. The distributors include Debian, Gentoo, Mandriva, and Red Hat.
----

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

----

SELinux Policy Development: Auditing An Application

Now that you have a policy development environment and are able to compile SELinux policy, you can make policy changes to correct any audited messages in your system log or enable a permission needed by an application you use.

You must create some source files when adding security policy statements that only apply to the local system, since if you add statements to existing files they will be overwritten during policy updates. Create local files by issuing these commands:

touch /etc/selinux/engarde/src/policy/policy/modules/admin/local.fc
touch /etc/selinux/engarde/src/policy/policy/modules/admin/local.te
touch /etc/selinux/engarde/src/policy/policy/modules/admin/local.if

Next, edit the /etc/selinux/engarde/src/policy/policy/modules.conf file and add a line reading

local = base

and save the file. Recompile the policy and check the output to ensure your local.* files were included.

Let's say, for example, that you've installed some PHP scripts on your website that function fine in permissive mode, but fail when you enable enforcing mode, since the scripts are attempting an action that SELinux does not allow. The first step would be to open a terminal to the server, ensure you're logged in to the sysadm_r role, and execute the following commands:

# setenforce 0
# dmesg -c
# watch audit2allow -d

These commands will allow you to view the missing SELinux permissions in real time. The audit2allow command is the single most useful tool when troubleshooting SELinux problems.
When run with the -d switch, it monitors the dmesg output for SELinux audit errors, and automatically converts these errors into the correct allow command that could be added to the policy to permit the denied action.

With the above commands running and your system in permissive mode, run through the parts of your application that are causing trouble and you should see your audit2allow terminal start outputting allow statements.

Review these statements, since they may be unsafe due to incorrect file labeling and may be far too permissive. For example, your audit2allow output may recommend giving your application full read/write access to the etc_t type. This would allow writing of many files in the /etc directory that belong to other applications and would be unsafe. The correct way to design your policy would be to change the type of the files your application is actually accessing to something narrower and more restricted so you can allow write access to only that new type.

If you're unsure what file is being accessed, look at your system log and search it for the actual denial message. The denial message will look something like the following:

Oct 19 14:38:54 paxtest kernel: audit(1129747134.276:0): \
  avc: denied { read } for name=messages dev=hda6 ino=2146393 \
  scontext=root:staff_r:staff_t tcontext=system_u:object_r: \
  var_log_t tclass=file

The ino entry in the denial message indicates the inode of the file that the denial refers to. You can locate this file by using a find command thusly:

# find / -inum 2146393

If you need to assign a different file context to a file, edit the $policy/policy/modules/admin/local.fc. The .fc files are lists of regular expressions matching a full file path followed by a security context to assign to that file during a relabel. Look at other existing .fc files in the policy for an idea of how these work.
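The denial message above is the raw material audit2allow turns into an allow statement, and the advice is to review that statement rather than paste it into local.te. The shell script below is an added example, not part of the LinuxSecurity article or of the audit2allow tool: it parses a constructed denial line of the same shape, rebuilds the allow rule that audit2allow would propose, flags target types that label a whole system tree (the list of such types is illustrative, not the policy's own classification), and produces the find command for locating the file by inode. The function names and the sample line are the example's own.

```shell
#!/bin/sh
# Added example (not from the article or the audit2allow tool): pull the
# fields a policy author needs out of an AVC denial line, rebuild the allow
# rule audit2allow would propose, and flag targets too broad to grant as-is.

# Constructed sample, modelled on the denial quoted in the article.
SAMPLE_DENIAL='Oct 19 14:38:54 paxtest kernel: audit(1129747134.276:0): avc: denied { read } for name=messages dev=hda6 ino=2146393 scontext=root:staff_r:staff_t tcontext=system_u:object_r:var_log_t tclass=file'

# avc_field LINE KEY: print the value of KEY=value in LINE.
# Requiring whitespace before KEY keeps "scontext" from matching "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: print the permission set inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for .*/\1/p'
}

# avc_type CONTEXT: print the type component of user:role:type[:level].
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_allow_rule LINE: the allow statement audit2allow would generate.
avc_allow_rule() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perm "$1")"
}

# avc_is_broad_type TYPE: succeed if TYPE labels a whole system tree, so
# allowing it grants far more than the one file that was denied.
# Illustrative list (assumption), not the policy's own classification.
avc_is_broad_type() {
    case "$1" in
        etc_t|var_t|var_log_t|usr_t|bin_t|lib_t|tmp_t|home_root_t) return 0 ;;
        *) return 1 ;;
    esac
}

# avc_find_cmd LINE: the article's command for locating the file by inode.
avc_find_cmd() {
    printf 'find / -inum %s\n' "$(avc_field "$1" ino)"
}

# avc_review LINE: print the proposed rule and the review verdict for it.
# Returns 1 when the target type is broad (relabel instead), 0 otherwise.
avc_review() {
    rule=$(avc_allow_rule "$1")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    printf 'proposed: %s\n' "$rule"
    if avc_is_broad_type "$tgt"; then
        printf 'REVIEW: %s labels a whole tree; relabel the file instead. Locate it with: %s\n' \
            "$tgt" "$(avc_find_cmd "$1")"
        return 1
    fi
    printf 'ok: target type %s is specific to one application\n' "$tgt"
    return 0
}

# Run the review over the constructed sample when executed directly.
avc_review "$SAMPLE_DENIAL" || :
```

Pipe real denials in by replacing SAMPLE_DENIAL with a line from the system log; a rule flagged with REVIEW is the case the article describes, where the right fix is a narrower type in local.fc followed by a recompile and relabel, not the allow statement as proposed.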
Once you assign a new context to a file, recompile and relabel, then perform your application testing again to generate a new list of allow statements that take the new context into account.

Read Entire Article:
http://www.linuxsecurity.com/content/view/120837/49/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New gdk-pixbuf packages fix several vulnerabilities
  1st, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120917

* Debian: New horde2 packages fix cross-site scripting
  1st, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120918

* Debian: New helix-player packages fix arbitrary code execution
  2nd, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120925

* Debian: New Inkscape packages fix arbitrary code execution
  7th, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120952

* Debian: New courier packages fix unauthorised access
  8th, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120959

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Perl Format string errors can lead to code execution
  7th, December, 2005
  A fix is available for Perl to mitigate the effects of format string programming errors, that could otherwise be exploited to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/120957

* Gentoo: Webmin, Usermin Format string vulnerability
  7th, December, 2005
  Webmin and Usermin are vulnerable to a format string vulnerability which may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120958

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated eagle-usb packages fixes firmware loading issues
  2nd, December, 2005
  This update loads the firmware each time an eagle-usb modem is plugged in, not just when the eagle-usb module is loaded.
  http://www.linuxsecurity.com/content/view/120931

* Mandriva: Updated spamassassin packages fixes vulnerability
  2nd, December, 2005
  SpamAssassin 3.0.4 allows attackers to bypass spam detection via an e-mail with a large number of recipients ("To" addresses), which triggers a bus error in Perl. Updated packages have been patched to address this issue.
  http://www.linuxsecurity.com/content/view/120932

* Mandriva: Updated mailman packages fix various vulnerabilities
  2nd, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120933

* Mandriva: Updated webmin package fixes format string vulnerability
  2nd, December, 2005
  Jack Louis discovered a format string vulnerability in miniserv.pl Perl web server in Webmin before 1.250 and Usermin before 1.180, with syslog logging enabled. This can allow remote attackers to cause a denial of service (crash or memory consumption) and possibly execute arbitrary code via format string specifiers in the username parameter to the login form, which is ultimately used in a syslog call.
  http://www.linuxsecurity.com/content/view/120934

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: xpdf security update
  6th, December, 2005
  An updated xpdf package that fixes several security issues is now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120946

* RedHat: Moderate: libc-client security update
  6th, December, 2005
  Updated libc-client packages that fix a buffer overflow issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120947

* RedHat: Moderate: imap security update
  6th, December, 2005
  An updated imap package that fixes a buffer overflow issue is now available.
  This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120948

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Dec 12 03:15:00 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 12 03:58:22 2005
Subject: [ISN] S. Korea unveils steps against hacking of online game items
Message-ID:

http://english.yna.co.kr/Engnews/20051212/660000000020051212115640E3.html

2005/12/12

SEOUL, Dec. 12 (Yonhap) -- South Korea's Information and Communication Ministry announced a set of measures Monday to crack down on increasing hacking attacks on online game items.

According to the measures, the ministry will make guidebooks containing tips on how to prevent hacking of game items, helping online game operators and users effectively deal with hacking attempts.

The ministry also promised to keep a close eye on hacking attempts at 70,000 game Web sites by activating its newly developed malicious-code monitoring program.

"The steps are designed to protect game users and minimize damage such hacking could inflict on their business," the ministry said.

The ministry said such hacking activities not only steal online game items but also cost a lot of money for online game operators who have to put in more time and effort to protect users from the threats.

Hacking attacks on online games are emerging as a new threat to computer users and game operators. According to AhnLab Inc., a security solution company, 527 cases of attempted hacks to steal accounts of "Lineage," a popular online game, were reported as of the end of November.
Online game items refer to swords, shields and other cyber goods that can be obtained in the process of playing online games that thousands of people can play simultaneously.

According to an estimate by the Korean Association of Game Industry, the nation's game item market, which soared to 700 billion won (US$677 million) last year from 100 billion won in 2002, is expected to reach 1 trillion won this year. The market is predicted to further expand to 1.5 trillion won in 2006. Some of the items are traded for as much as 10 million won, market experts said.

South Korea leads the world in high-speed Internet connections per capita, with more than 12 million of its 48 million population having broadband Internet access.

From isn at c4i.org Mon Dec 12 03:16:28 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 12 03:59:06 2005
Subject: [ISN] Good news on ID theft
Message-ID:

Forwarded from: Adam Shostack

Oh, come on. It's not the size of the breach, it's what data was taken. Or perhaps it's the size of the data set: "A computerized analysis of four data breaches..."

On Fri, Dec 09, 2005 at 12:37:13AM -0600, InfoSec News wrote:
| http://www.signonsandiego.com/news/business/20051208-9999-1b8identity.html
|
| By Bruce V. Bigelow
| UNION-TRIBUNE STAFF WRITER
| December 8, 2005
|
| A computerized analysis of four data breaches that compromised
| personal information on some 500,000 people suggests the alarm that
| often accompanies electronic break-ins may be largely unwarranted.
|
| On the other hand, the study also suggests that publicity can help
| deter fraudsters from using the stolen data.
|
| The analysis, conducted over the past six months by San Diego's ID
| Analytics, is believed to be the first to calculate just how much
| fraud occurred after each security breach.
From isn at c4i.org Mon Dec 12 03:16:42 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 12 03:59:50 2005
Subject: [ISN] eBay Yanks Listing For Excel Bug
Message-ID:

Forwarded from: Marjorie Simmons

http://www.techweb.com/wire/ebiz/174910093

By Gregg Keizer
TechWeb News
December 09, 2005

An unknown security researcher tried to sell a vulnerability in Microsoft's Excel spreadsheet program on eBay, but the online auction site pulled the listing late Thursday.

The unusual route to vulnerability profit-taking was squashed by eBay after the listing--offered by someone only identified as "fearwall"--was bid up to just under $60.

According to the since-yanked listing, the zero-day vulnerability in Excel had been reported to Microsoft on Tuesday, Dec. 6. "All the details were submitted to Microsoft, and the reply was received indicating that they may start working on it," wrote the seller. "It can be assumed that no patch addressing this vulnerability will be available within the next few months."

The unpatched vulnerability is in the way that Excel, the popular spreadsheet included in all editions of Microsoft's Office suite, validates the data in some worksheets when it parses files. "The vulnerability can be exploited to compromise a user's PC," claimed the seller.

He also took several potshots at Microsoft, saying that the opening bid of $.01 was "a fair value estimation for any Microsoft product" and offered a 10 percent discount to any Microsoft employee who mentioned the discount code "LINUXRULZ."

A spokeswoman for Microsoft confirmed that the listing on eBay was for a real bug in Excel. "The Microsoft Security Research Center has not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time, but [it] will continue to investigate the public reports to help provide additional guidance for customers," she said in an e-mail to TechWeb.
The spokeswoman also said that Microsoft's researchers were investigating the vulnerability, and might (or might not) release either a fix or a security advisory in the future. "The company is working with eBay to determine the appropriate course of action," against the seller, she also said.

From isn at c4i.org Tue Dec 13 02:19:31 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Dec 13 02:31:19 2005
Subject: [ISN] Card fraudsters dupe police chief
Message-ID:

http://www.timesonline.co.uk/article/0,,2-1921802,00.html

By Tosin Sulaiman
The Times
December 12, 2005

JANET WILLIAMS, the head of Special Branch, has risen up police ranks by outwitting criminals. Now, after losing up to £5,000 when fraudsters "skimmed" her credit card, it appears that she has been outwitted by them.

Ms Williams, the first woman to lead the counter-terrorism unit, had the money stolen from her card when she used it to pay a restaurant bill, it emerged yesterday. She became aware of the crime a few days later when her card was declined because she was over her credit limit.

A spokeswoman for Scotland Yard confirmed that criminals had made transactions using Ms Williams's card but declined to go into detail. "We are not prepared to discuss it because this is a private matter," she said. "Ms Williams did identify a fraudulent transaction on her credit card. She reported the matter and it has now been resolved."

Ms Williams, who is in her forties and joined the Metropolitan Police in 1982, became head of Special Branch in November 2003, and is in charge of 560 officers responsible for gathering intelligence on terrorist suspects and for protecting the Prime Minister.

Credit card fraud is one of the most common crimes in Britain, taking place once every eight seconds.
It rose by 20 per cent last year and cost British banks £505 million, although according to the Association of Payment Clearing Schemes (Apacs), skimming, when data from one credit card is copied to another, is becoming less common.

Sandra Quinn, the communications director at Apacs, said: "This type of fraud (skimming) is now on the decline because the introduction of chip and pin has limited the opportunity for people to get hold of your card. At the beginning of this year this type of card fraud had come down 29 per cent."

She said that people had been particularly vulnerable to fraud when using their card in restaurants and other places where the card may be taken out of sight. "That happens less with chip and pin because the terminal comes to the table and you stay in control of your card," she said. "You are able to watch it the whole time. We estimate that more than 80 per cent of businesses now have chip and pin."

Ms Quinn advised people to ensure that they always knew where their cards were and to check their bank and credit card statements carefully.

"Card fraud is impervious to who the victim is," she said. "For the fraudsters, there is no personal contact with the victim. That means we're all more vulnerable than we are from other types of fraud or other types of crime."

From isn at c4i.org Tue Dec 13 02:20:46 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Dec 13 02:32:09 2005
Subject: [ISN] Hacker disables Kremlin TV
Message-ID:

http://www.news.com.au/story/0,10117,17548681-23109,00.html

12-12-2005
Reuters

A COMPUTER hacker drove the Kremlin's new English-language television channel off air today in a major embarrassment for the station just two days after it started broadcasting.

Russia Today presents news from a Russian perspective and is designed to counteract what the Kremlin sees as an unfairly critical approach to Russia in the foreign media.
Before going off air, it showed reports on the new parliament in Chechnya and the Russian constitution, but broadcasting was dogged by technical glitches. The screen froze several times, and at least one news package was played out of sequence.

"There was an attempted invasion of the computer system, which gave rise to viruses, which led to break-downs in transmission," Margarita Simonyan, the channel's editor-in-chief, said.

She could not say when programming would return - the channel showed a tuning signal after it fell off the air - but said technicians were working as hard as they could.

From isn at c4i.org Tue Dec 13 02:22:36 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Dec 13 02:34:06 2005
Subject: [ISN] Security experts criticize malware list
Message-ID:

Forwarded from: Marjorie Simmons

http://www.csoonline.com.au/index.php/id;551430318;fp;8;fpid;2

Matthew Broersma
Techworld.com
08/12/2005

Just how useful is the Common Malware Enumeration (CME) initiative debuted by U.S.-CERT this autumn? The system was created to sort out some of the confusion created by the different naming systems used by different security vendors, and to help system administrators deal with outbreaks more effectively.

Some security experts have, however, voiced doubts as to how well CME is working in practice. One complaint is that the system isn't providing much information on malware aside from listing the reference codes used by different security vendors.

Such information was promised more than a year ago by the organizers of the CME plan -- U.S.-CERT, the U.S. Department of Homeland Security, and antivirus vendors such as Microsoft, Trend Micro, McAfee and Symantec. The plan was outlined in an open letter, published by the SANS Institute, in which the organizations said U.S.-CERT would "assign a CME identifier... to each new, unique threat and to include additional incident response information when available".
The goal was "improving the malware information resources available to (antivirus) software users, first responders, and malware analysts -- anyone who depends on accurate, concise information about malware," the letter said.

The letter was in response to criticism voiced in an earlier open letter to the security industry by Chris Mosby, a system administrator, in which he strongly criticized antivirus vendors for adopting "an isolationist attitude" that made it difficult for administrators to deal with complex virus outbreaks. "As the customers that spend money for your products, we should not have to work so hard to figure out if your products are keeping us protected," Mosby wrote.

A year later, the most difficult part of the CME project - distinguishing similar pieces of malicious code from one another - appears to be working. But CME still only provides a basic list of names used by different vendors, without listing details or even including links. This makes the project of limited use, even compared with similar, independent projects such as Secunia's virus information database, according to SANS Internet Storm Center handler Patrick Nolan.

"Links to technical analysis were a hoped-for outcome for the CME project, since vendors' technical analysis is the critical 'additional incident response information' needed by the people responding to malware outbreaks," Nolan wrote in a recent entry in the ISC diary. "A name by any other name is just a name."

Thomas Kristensen said the lack of links or additional information means CME is of limited use to the general public. "It can only be used by the vendors and others with a specific interest in viruses to more easily identify viruses in other vendors' databases," he said. "It probably does what it was intended to do, and more information would probably exceed the intended purpose."

Such criticisms are beside the point, according to Graham Cluley, senior technology consultant with Sophos Antivirus.
"We mustn't criticize it for not being a 100 percent solution, it's a definite step in the right direction," he said. "The most important thing is that it's making correlations between the different names."

He said the system would be sure to improve over time. "Linking to more information seems to be an obvious thing they could do," he said.

From isn at c4i.org Tue Dec 13 02:22:23 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Dec 13 02:38:04 2005
Subject: [ISN] Intel Researchers Sneak Up on Rootkits
Message-ID:

http://www.eweek.com/article2/0,1895,1900533,00.asp

By John G. Spooner and Ryan Naraine
December 12, 2005

Intel Corp.'s researchers are working to outwit cyber attackers, including those employing stealthy rootkits.

The chip maker's Communications Technology Lab, in a project called System Integrity Services, has created a hardware engine to sniff out sophisticated malware attacks by monitoring the way operating systems and critical applications interact with hardware inside computers.

By watching a computer's main memory, the System Integrity Services can detect when an attacker takes control of the system -- such attacks sever the ties between data loaded into memory by an application and the application itself -- and can fool a system so as to avoid detection while potentially allowing for surreptitious pilfering of data or the perpetration of other attacks.

"Our threat model assumes that the attacker gets on the system somehow and has unrestricted access to the system," said Travis Schluessler, a security architect inside Intel's Communications Technology Lab. System Integrity Services "assumes [the attacker] will modify what's running in memory to fool anti-virus software or change firewall rules -- so as to put the system in a state where he can do whatever he wants."

The System Integrity Service's hardware, however, can detect those intrusions by monitoring the interactions between the applications and memory.
Once it discovers an intrusion, it can issue an alert. Thus it sets the bar much higher for malware being able to compromise a system without being detected, Schluessler said.

Researchers tested the system with a kernel debugger, an application whose behaviors and ability to make system changes are similar to those of a rootkit, to prove its effectiveness, he said.

Although it might not make it to market immediately, Intel's anti-malware research comes at a time when anti-virus vendors are struggling to cope with the use of stealth rootkits in malware attacks. Using rootkit techniques, malware writers are able to gain administrative access to compromised machines to silently run updates to the software or reinstall malicious programs after a user deletes them.

If it were to be put into a product platform, Intel's System Integrity Services could be used in conjunction with other elements, including the Intel Active Management Technology for monitoring hardware, and could also be used in concert with other research projects such as Circuit Breaker. Circuit Breaker, a research project that might also someday find its way into products, regulates an infected computer's access to a network.

Such a combination might help quickly head off widespread infections, which can cost companies not only in data theft but also in reduced employee productivity due to computer downtime and heavy use of IT resources to clean them up, the Intel researcher said.

Indeed, in one example, "Once System Integrity Services has detected a problem, it can tell Circuit Breaker to turn [a machine] off the primary network and switch it over to a remediation network," he said.

The System Integrity Services project is part of a broader focus on security inside Intel's labs. That focus has been brought about by the chip maker's recent shift to designing platforms around devices such as servers or desktop PCs.
Unlike when it sold chips individually, the platform design strategy has Intel creating numerous add-ons, which include features such as virtualization and the Intel Active Management Technology, which are designed to increase the usability and manageability of desktops, notebooks and servers.

Many of Intel's more advanced worm and virus detection technologies are still at the research stage today -- some of Intel's other projects include worm signature detectors called Autograph and Polygraph -- but they could easily wind up as features inside Intel's future product platforms. Aside from being used to improve the products for customers, they could also be added to bolster Intel's competitiveness versus its rival Advanced Micro Devices Inc.

The System Integrity Services' prototype hardware uses one of Intel's Xscale processors, which Schluessler said was overkill, and plugs into a PCI slot. A future version could potentially be built for a relatively small fee and included with Intel platforms, not unlike the way it packages wireless modules with its processors and chipsets for its Centrino-brand notebooks.

"You can tie this technology in with AMT and the CPU [in each machine] and all of a sudden you've got something that's more than the sum of its parts," Schluessler said.

Aside from working with Intel's own platforms, the technologies could be also tied in with products from Intel's close partners, including operating system and application vendors, the company's researchers have said.

"We said, 'What kind of things can we do to address these challenges?' That has driven a lot of the platform thinking, whether it's VT [Intel Virtualization Technology] or active management, and how all those things work together," said Dylan Larson, network security initiatives manager at Intel's Communications Technology Lab, in a recent interview with Ziff Davis Internet. "We've had security expertise and lots of competency in this space for a long time.
Now we're looking at this even more from a platform level on how we can bring these things together to drive new value to customers."

The lab is also working on projects called Autograph and Polygraph, which are designed to help prevent large-scale worm infections altogether by analyzing individual worms and quickly publishing data on how to detect them.

Autograph and Polygraph employ a combination of heuristics and good old sleuthing to track down worms and locate their signatures -- or the unique pattern of data required for its particular exploit -- and then notify other systems with those signatures so that they can move to identify and block the worm, said Brad Karp, at Intel Research Pittsburgh, a lab located on the campus of Carnegie Mellon University.

Autograph's source code has been made available for download via the university's Web site, and Karp and his team are also working on Polygraph, a similar program which can sniff out so-called polymorphic worms, which change each time they replicate in an effort to cover up their signatures and thwart the defense used in Autograph.

The next step for the System Integrity Services now lies with Intel's platform development teams, which will make the call on whether or not to add the technology to its future systems, Schluessler said.

From isn at c4i.org Tue Dec 13 02:21:37 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Dec 13 02:38:53 2005
Subject: [ISN] ISU reports computer security breaches
Message-ID:

http://desmoinesregister.com/apps/pbcs.dll/article?AID=/20051212/NEWS/51212001/1001/SiteMap

By REGISTER STAFF REPORT
December 12, 2005

Someone recently breached the security of two Iowa State University computers that contain sensitive information, according to a news release from the university.

One of the computers held approximately 2,500 encrypted credit card numbers of athletics department donors.
ISU information technology staff who investigated the computer break-ins say the intruder could not have read the credit card numbers because they were encrypted.

The second computer was used to enter time card information for several university departments and contained Social Security Numbers of more than 3,000 Iowa State staff. Technology staff members say it's unlikely that the intruder accessed the files with that information.

"Analysis of both computers indicates the intruder was not looking for personal data, but for space to distribute pirated movies," said Maury Hope, associate chief information officer in Information Technology Services.

Iowa State's information technology staff removed intrusive software that had been installed on the computers and are tightening security measures on other computers to prevent similar intrusions in the future, Hope said.

All employees whose personal data was on the time card computer have been notified, Hope said.

"Although we don't believe the intruder accessed personal data, we don't know that for certain," he said. "We've provided those employees with precautionary steps they can take, such as keeping an eye on their credit reports."

From isn at c4i.org Tue Dec 13 02:21:53 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Dec 13 02:39:40 2005
Subject: [ISN] Security breach at Sam's Club exposes credit card data
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,107014,00.html

By Jaikumar Vijayan
DECEMBER 12, 2005
COMPUTERWORLD

Sam's Club, a division of Wal-Mart Stores Inc., is investigating a security breach that has exposed credit card data belonging to an unspecified number of customers who purchased gas at the wholesaler's stations between Sept 21 and Oct. 2.

In a brief statement released Dec. 2, the Bentonville, Ark.-based company said it was alerted to the problem by credit card issuers who reported that customers were complaining of fraudulent charges on their statements.
It's still not clear how the data was obtained, according to the statement. But "electronic systems and databases used inside its stores and for Samsclub.com are not involved," the company said.

Sam's Club is currently working with both Visa International Inc. and MasterCard International Inc. to investigate the breach. The company also has notified the U.S. Attorney's Office for the Western District of Arkansas and the U.S. Secret Service.

Sam's Club officials didn't respond to calls for comment.

In a statement, Visa said it has alerted all of the affected financial institutions, asked them to provide independent fraud-monitoring services to affected customers and requested that they issue new cards as needed.

"Visa will continue working with its member financial institutions, merchants and appropriate authorities to do whatever is necessary to protect cardholders," Visa said.

Kayce Bell, chief operating officer at Alabama Credit Union (ACU) in Foley, Ala., said the company is reissuing cards to about 500 credit card and debit card holders as a result of the breach. The credit union was alerted to the problem last week by Credit Union National Association Inc., she said.

"We received information through our national reporting service that there had been a very large breach of data at Sam's Club," Bell said. About 500 debit cards and credit cards issued by ACU were among the accounts compromised in this incident, she said.

This isn't the first time this year the credit union has had to block and reissue credit and debit cards at Visa's request. Earlier this year, the ACU had to deactivate and reissue about 1,550 cards after Visa notified it that cards compromised in a CardSystems Inc. breach in June were being used fraudulently.

The Sam's Club breach is the latest in a string of data compromises this year at organizations that have included Bank of America Corp., ChoicePoint Inc., the University of California and CardSystems.
Those breaches have fueled consumer concern about data protection and talk of legislative action to make companies more accountable for the data they own. The breaches have also resulted in Visa and MasterCard requiring all companies that handle payment-card information to comply with their Payment Card Industry (PCI) data-protection standard.

"Visa is aggressively partnering with entities across the nation to broaden adherence to these standards," the company said in its statement regarding the Sam's Club breach. "As Visa has said before, it's important that every entity that handles payment card information adhere to the highest data protection standards, such as the PCI standard, to protect the security and privacy of their customers."

From isn at c4i.org Tue Dec 13 02:22:07 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Dec 13 02:41:34 2005
Subject: [ISN] Hacker attacks in US linked to Chinese military: researchers
Message-ID:

http://www.breitbart.com/news/2005/12/12/051212224756.jwmkvntb.html

Dec 12, 2005

A systematic effort by hackers to penetrate US government and industry computer networks stems most likely from the Chinese military, the head of a leading security institute said.

The attacks have been traced to the Chinese province of Guangdong, and the techniques used make it appear unlikely to come from any other source than the military, said Alan Paller, the director of the SANS Institute, an education and research organization focusing on cybersecurity.

"These attacks come from someone with intense discipline. No other organization could do this if they were not a military organization," Paller said in a conference call to announce a new cybersecurity education program.

In the attacks, Paller said, the perpetrators "were in and out with no keystroke errors and left no fingerprints, and created a backdoor in less than 30 minutes. How can this be done by anyone other than a military organization?"
Paller said that despite what appears to be a systematic effort to target government agencies and defense contractors, defenses have remained weak in many areas.

"We know about major penetrations of defense contractors," he said.

Security among private-sector Pentagon contractors may not be as robust, said Paller, because "they are less willing to make it hard for mobile people to get their work done."

Paller said the US government strategy appears to be to downplay the attacks, which has not helped the situation.

"We have a problem that our computer networks have been terribly and deeply penetrated throughout the United States ... and we've been keeping it secret," he said. "The people who benefit from keeping it secret are the attackers."

Although Paller said the hackers probably have not obtained classified documents from the Pentagon, which uses a more secure network, it is possible they stole "extremely sensitive" information. He said it has been documented that US military flight planning software from its Redstone Arsenal was stolen.

Pentagon officials confirmed earlier this year that US Defense Department websites are probed hundreds of times a day by hackers, but maintained that no classified site is known to have been penetrated by hackers.

The US military has code-named the recent hacker effort "Titan Rain" and has made some strides in counter-hacking to identify the attackers, Paller said. This was first reported by Time magazine.

Paller said a series of attacks on British computer networks reported earlier this year may have similar goals, but seems to use different techniques.

In the United States, he said there are some areas of improvement such as the case of the Air Force, which has been insisting on better security from its IT vendors. But he argued that "the fundamental error is that America's security strategy relies on writing reports rather than hardening systems."
From isn at c4i.org Wed Dec 14 16:14:00 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 14 22:04:03 2005
Subject: [ISN] Beijing goes on hacking defensive
Message-ID:

http://www.thestandard.com.hk/news_detail.asp?we_cat=2&art_id=7809&sid=5899047&con_type=1&d_str=20051214

AGENCE FRANCE-PRESSE
December 14, 2005

China has reacted to speculation that its military is trying to penetrate computer networks in the United States, saying hacking is against Chinese law.

"We have clear stipulations against hacking. No one can use the Internet to engage in illegal activities," foreign ministry spokesman Qin Gang told a regular briefing Tuesday. "The Chinese police will deal with hacking and other activities disturbing social order in accordance with law."

Qin was responding to a reported claim by the head of a leading US security institute that the People's Liberation Army is most likely behind a systematic effort to penetrate US government and industry computer networks.

The attacks have been traced to Guangdong, said Alan Paller, the director of the SANS Institute, an education and research organization focusing on cybersecurity, Monday. Paller said the techniques used made it appear unlikely to come from any other source than the Chinese military.

"I'm not sure about the American accusations," Qin said. "If they have proof, they should tell us."

Pentagon officials confirmed earlier this year that US Defense Department Web sites are probed hundreds of times a day by hackers, but maintained that no classified site is known to have been penetrated by hackers.

The US military has code-named the recent hacker effort "Titan Rain" and has made some strides in counter-hacking to identify the attackers, according to Paller.

© 2005 The Standard

From isn at c4i.org Wed Dec 14 16:14:22 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 14 22:04:48 2005
Subject: [ISN] Brookfield student accused of hacking
Message-ID:

Forwarded from: William Knowles

http://www.jsonline.com/news/wauk/dec05/377589.asp

By DAVID DOEGE
ddoege @ journalsentinel.com
Dec. 13, 2005

Waukesha - Brookfield police this week seized computer gear from the home of an 18-year-old student who said he illegally accessed Elmbrook School District computer records, according to documents filed in circuit court Tuesday.

The student told a police detective investigating the computer break-in that he used "password cracking" software to access district records, then obtained an administrator's password, "which allowed him further access to confidential computer records," according to an affidavit used by investigators to obtain a search warrant for the teen's home.

The affidavit indicates that a police investigation into a school district computer break-in began in August and that at least one other student obtained the illegal access.

When police visited the 18-year-old student's home Monday, according to the affidavit, he and his parents allowed investigators inside, but they refused permission to seize personal computers they had in the home.

After obtaining a search warrant later in the day, police returned to the family's home Monday night and left with four computer towers, a laptop computer, discs, papers and other equipment, according to an inventory attached to the warrant and affidavit when they were filed in Waukesha County Circuit Court Tuesday afternoon.

Elmbrook School Superintendent Matthew Gibson said Tuesday that two Brookfield Central students were believed to have been involved in the computer break-in and that both have been suspended.

Gibson said he did not yet know the depth of the students' access into district records and whether any damage was done or sensitive information was compromised.
"It's difficult to respond to questions right now because it's early in our investigation," Gibson said. The police affidavit provides the following information: Brookfield Central High School Principal Donald Labonte met with police Aug. 25 and reported that several days earlier, he received an e-mail from a student who questioned the calculation of her grade point average and class ranking. Labonte told police that he was aware of "an incident at Brookfield East High School where school computer security had been compromised through access to the computers without consent." Police subsequently began a probe aimed at determining whether "students or others" accessed district records. The student whose home was visited by police on Monday said that he "watched another student illegally access" district records in April. The student said that after he subsequently gained access, he downloaded the password cracking software to his flash drive device and later to a personal computer in his home. ? 2005, Journal Sentinel Inc. All rights reserved *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. 
Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Wed Dec 14 16:13:34 2005 From: isn at c4i.org (InfoSec News) Date: Wed Dec 14 22:09:13 2005 Subject: [ISN] Tech Group Blasts Federal Leadership on Cyber-Security Message-ID: Forwarded from: Melissa Shapiro http://www.washingtonpost.com/wp-dyn/content/article/2005/12/13/AR2005121301294.html By Brian Krebs washingtonpost.com Staff Writer December 13, 2005 A group of leading technology companies today chastised Congress and the Bush administration for what it characterized as a failure to support initiatives to fight online crime, saying a lack of leadership and accountability in this area is endangering U.S. economic and national security. The Cyber Security Industry Alliance said the federal government has largely declined to act on recommendations the group outlined a year ago, goals that mirrored policies originally set forth in early 2003 by the White House in the "National Strategy to Secure Cyberspace." Cyber-security as a government priority "has been on a downward slope and we need to arrest that decline and bring the issue back to the level [of importance] it was a few years ago," said Paul Kurtz, a former Bush administration cyber-security official who serves as chief executive of the alliance. The group's members include such tech titans as Computer Associates, Entrust, McAfee, RSA Security and Symantec. The industry-led criticism comes as the problem of computer- and Internet-based crime has reached an all-time high. A U.S. Treasury official said earlier this month that profits that online crooks are earning through computer crime now rivals that of the global trade in illegal narcotics. 
Earlier this year, federal investigators acknowledged that a series of computer break-ins at several government and defense technology contracting companies led to the theft of sensitive documents and intellectual property by Chinese hacker groups and other foreign governments.

Among the failures cited by the alliance was the lack of a high-level executive branch official charged with overseeing efforts to secure government systems and encourage the sharing of information between government and the private sector on new information security threats. Last year, Congress directed the Department of Homeland Security to create such a position within the agency, but the White House has yet to name a candidate for the post.

The alliance said funding for cyber-security research and development has remained flat at less than two percent of the federal R&D budget this year, even though the president's Information Technology Advisory Committee issued a report last February, "Cyber Security: A Crisis of Prioritization," concluding that while the U.S. information infrastructure remains highly vulnerable to terrorist and criminal attacks, there is little federal budgetary support for research to protect the digital infrastructure used by the U.S. government and private sector. The White House dissolved the advisory council without explanation just a few months after that report was issued.

In addition, the alliance noted that the administration's budget for DHS-led cyber-security programs was cut by seven percent this year. The cuts came after the Department of Homeland Security led a list of seven agencies that received flunking grades for their cyber-security efforts in 2004, with the federal government at large earning an overall grade of "D-plus" from a key congressional oversight committee.
James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies in Washington, said many in the private sector are growing weary with the federal government's lackluster response to the national cyber strategy.

"It's getting kind of old that we're not making progress," Lewis said.

Industry leaders also expressed frustration over the National Information Assurance Partnership (NIAP), a collaboration between the National Institute of Standards and Technology and the National Security Agency to test the security and reliability of commercial software destined for use in federal information systems. Software vendors have long complained that the NIAP certification process is unnecessarily lengthy and costly. The Department of Defense and DHS recently concluded a study of the program's effectiveness, but those findings have not yet been released to the public.

Alan Paller, director of research for the Bethesda, Md.-based SANS Institute, said some federal agencies deserve praise for using their buying power to convince hardware and software vendors to deliver more secure products. But Paller said he's become alarmed at the culture of secrecy that has paralyzed the government from taking action to correct serious security vulnerabilities that remain widespread in federal government networks.

"The only leadership I see right now on this issue in the federal government is in trying to hide attacks that have been successful," Paller said. "If senior management [in federal civilian agencies] can avoid letting the public know that the attacks are happening, they don't have an incentive to protect those systems."

Kurtz said the federal government deserves credit for making incremental progress on some cyber-security fronts, such as funding tests of the resiliency and security of critical digital networks that run the air traffic control system, power grids, financial systems and military and intelligence networks.
Kurtz also praised the Senate Foreign Relations Committee's recent recommendation that the full Senate vote on whether to ratify the Council of Europe's Convention on Cyber Crime, which he said should help U.S. law enforcement agencies better find and prosecute online crooks based abroad. Congress also is debating several consumer privacy and data breach notification bills intended to help consumers victimized by identity theft and online fraud.

Andy Purdy, acting director of the DHS's National Cyber Security Division, said his office is working with the White House to find the most qualified person for the new cyber-security post, but he cautioned that the job may remain unfilled for several more months.

"We believe the selection of that person -- in terms of the message it sends to help highlight the commitment of the administration to reducing cyber risk -- is a very important one and we don't want to rush it," he said.

Purdy said he believes the president's budget is sufficient to accomplish the goals laid out in the national strategy and acknowledged "the importance and seriousness of raising federal agency scores on internal cyber security."

"While the grades are not what we'd like to see, we believe there is sustained progress and we are encouraged by that progress and we are continuing to work closely with those agencies," Purdy said.

He also defended the administration's record on implementing key portions of the White House cyber-security strategy.

"We've made tremendous progress," Purdy said. "But we also recognize that in the need to formalize how we work with the private sector so that we can have the ongoing, sustained collaboration -- not just information sharing -- we have a long way to go."
From isn at c4i.org Wed Dec 14 16:13:48 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 14 22:10:08 2005
Subject: [ISN] Security chiefs share pains of being caught in the middle
Message-ID:

http://www.networkworld.com/news/2005/121205-security-interop.html

By Tim Greene
NetworkWorld.com
12/13/05

Corporate security experts face a crisis as they are caught between regulators demanding better accountability for data security and the need to keep businesses up and running with the help of many business partners, an American Express security executive told Interop New York attendees Tuesday.

As more data is housed at least temporarily outside corporate data centers, it becomes more difficult to comply with industry and government regulations, according to Steven Suther, director of information security management for American Express.

"Tell me where your data is and how it is being secured," regulators want to know, he says. "So we need to define at what point is information outside our domain and how is it being protected."

But businesses have very little control over how partners with whom they must share data protect it, he says. Amex asks its vendors to self-assess their security and if it comes up short, Amex will conduct on-site visits to assess the security in person. "We're testing their controls so we can tell regulators we're comfortable with what they are doing," Suther says.

Amex has designated vendor-relations managers who are responsible for ensuring that data controls are in place for a specific list of firms that Amex has hired to perform financial services jobs, he says.

The problem is complicated by whether the tools needed to protect data are available and affordable, says John Pironti, a principal for enterprise and security architecture for Unisys, and what combination of protections is considered sufficient by regulators. "What is good enough that everyone can agree on," Pironti says.
It is difficult to take the requirements of, say, Sarbanes-Oxley, and translate that into security policies, Suther says. "We're all suffering the same kind of lack of confidence in what we should be doing," he says.

Suther says he struggles to balance imposing security on his financial services vendors and allowing them to do their jobs so Amex's financial services business keeps running. "I have to be flexible right now if I want a universe of vendors for my business departments to choose from," Suther says.

In practice, businesses are not imposing all the security they might or only doing so for the most important data, says Alex Van Deusen, a senior security consultant for Cisco. "They're just not rolling it out to every level of their enterprise," he says of businesses he has consulted with.

Regardless of the technology in place to protect data, people still represent the biggest threat, says Alex Ryskin, IT director for the laser laboratories at the University of Rochester in New York. End users must face penalties if they fail to follow security policies so they recognize their importance and follow them, he says. "You would be shot - literally - in Soviet Russia," where he lived for 40 years, he says. "It did work."

And U.S. corporations are starting to get tough themselves, says Van Deusen. "You need severe penalties, clearly defined: you are going to get fired," he says.

Suther says that less drastic means can help enormously, particularly educating users on the risks and consequences for the business if security is breached. "It's one of the few areas where we feel we can do the most," he says.

He recommends that businesses set up goals for data security and review how well they have worked every six months, with the goal of gaining better and better compliance over time.

It is particularly important for business executives to be on board.
They recognize the need for better security, and want to avoid devastating bad publicity if private data is compromised. But they also want no negative effects on their business processes. "We want to be able to say, 'Things have gotten better and you have not ended up on the front page of the Wall Street Journal,'" he says.

All contents copyright 1995-2005 Network World, Inc.

From isn at c4i.org Wed Dec 14 16:11:33 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 14 22:12:44 2005
Subject: [ISN] Teaching teens about ID theft
Message-ID:

http://seattlepi.nwsource.com/local/251779_lcenter13.html

By DEBORAH BACH
SEATTLE POST-INTELLIGENCER REPORTER
December 13, 2005

Applying for a job at an electronics store two years ago, Zach Friesen was stunned to learn that the store manager was turning him down because of his terrible credit record.

"I looked at him and said, 'I've never had credit in my life. What are you talking about?'" the 19-year-old recalled.

Someone had rung up about $40,000 worth of bills related to a houseboat purchase under Friesen's name -- when he was 7 years old. The fraud went undetected for a decade, and only when he applied for the job did Friesen discover that he was a prime target for identity thieves, who are increasingly focusing on young people.

Friesen cleared up the situation and got the job. Since August, the University of Colorado sophomore has been traveling to high schools in various states, educating teens about identity theft through an initiative undertaken by Qwest Communications.

Also participating in that effort is Judith Collins, a professor of criminal justice at Michigan State University who recently spoke to students at Franklin High School in Seattle.

"How many of you know what it means to be credit-worthy?" Collins asked, standing at the front of the room. No hands were raised.

"Anyone familiar with credit reporting agencies?" Again, no hands.
That lack of knowledge, Collins told the class, is exactly what makes 18- to 29-year-olds the quickest-growing group of identity theft victims. Teens typically don't have credit reports, having never applied for a loan or a credit card, which leaves their Social Security numbers lying dormant for years.

"Perpetrators know this," Collins said. "That's why you're so vulnerable."

Collins knows all too well what she's talking about. She was an expert on white-collar crime when someone obtained her Social Security number in 1999 and used it to open 33 credit card accounts, ordering masses of merchandise to a post office box in California.

Though a federal law passed in 1998 made identity theft a criminal offense, Collins said she got little help from police and conducted her own investigation. She uncovered about 25 other victims living within a 45-mile radius of her home who all went to the same medical clinic, leading Collins to suspect that someone broke into the clinic's patient database.

The experience was "so traumatic" that Collins turned her attention to identity theft, helping start Michigan State's Identity Theft Crime and Research Laboratory. She has worked with hundreds of young people since that time and has many harrowing stories -- of teens whose bank accounts have been cleaned out, who have been denied employment and student loans or ended up with criminal records resulting from crimes committed using their identity.

Collins recounted the experience of a young woman at Michigan State who was studying in the library one day and went to the bathroom, leaving her backpack with her purse inside sitting by her table. When she returned her purse was gone, taken by a woman who police believe was casing the campus, looking for someone who resembled her. Spotting the young Latino woman, with long, dark hair like her own, she'd found her match.
The thief used the student's driver's license to cash a bad check -- unbeknownst to the victim until police showed up at her home on Christmas Day and arrested her in front of her extended family.

Teens' belief in their invincibility, Collins said, puts them at additional risk. According to the National Cybersecurity Alliance, 40 percent of Americans under 25 believe that they are more likely to be hit by lightning, audited by the IRS or win the lottery than be the victim of a computer security problem. In reality, computer security breaches -- viruses, hacking and scams -- affect about 70 percent of computer users.

Federal Trade Commission statistics for 2003 show that of the approximately 10 million cases of identity theft that year, the largest percentage -- 28 percent -- was among 18- to 29-year-olds. Washington ranked 10th in the nation in identity theft per capita, with credit card fraud the most common form.

From money laundering to drug trafficking, Collins said, identity theft is used in almost every crime committed today, costing the U.S. economy an estimated $50 billion annually. Terrorists rely on assumed identities to conceal their activities and whereabouts, she said, mentioning that al-Qaida training manuals contain tips on stealing identities.

"It's the crime of the 21st century," she said.

Thieves access personal information through myriad means, from lifting records from the workplace to stealing mail containing bank statements, credit card offers and tax information. They rummage through trash, use "change of address" forms to divert mail to another location, steal purses and wallets, and obtain credit reports by posing as a landlord or an employer.
More sophisticated crooks hack into databases or scam victims through "phishing" -- sending e-mail or pop-up messages that claim to be from a legitimate business or organization asking the recipient to update, validate or confirm his or her account information and often warning of dire consequences for failing to act. The messages direct victims to Web sites that look just like the real thing -- for example, PayPal or eBay.

Finding a mother's maiden name, a commonly suggested password on many Internet sites, is pay dirt. From there, Collins said, thieves can obtain original birth certificates, get Social Security cards and even apply for passports.

"They engage in complete identity takeover," she said.

Once they collect enough personal information, thieves might call credit card issuers to change the billing address on an account, then run up charges on it. They might open credit cards under the assumed name, creating delinquent accounts that become part of the victim's credit report. They might apply for phone or wireless service under stolen names, open bank accounts and write bad checks on them, buy cars, get jobs, file fraudulent tax returns or file for bankruptcy. They may give the victim's name to police during an arrest and when they ignore a court date, an arrest warrant is issued for the victim.

Though identity theft can go undetected for years, Collins said, sudden pitches from credit card issuers or banks to teens should serve as a red flag. Potential victims can find out if a credit report has been issued in their name by asking any of the three major nationwide consumer reporting companies -- Experian, Equifax and TransUnion -- for a copy of their credit reports. The Fair Credit Reporting Act requires reporting agencies to provide any consumer with one free credit report annually upon request.

With teens making up about 20 percent of its customer base, Qwest last year hosted a summit in Denver on protecting young people from Internet theft.
The company launched a public awareness campaign, developing an educational video with the Denver District Attorney's Office and hiring Collins to develop a curriculum.

Melodi Gates, Qwest's director of information security, said that as more young people became company customers, Qwest looked at what sort of educational outreach programs were available to them about identity theft and found very little.

"We saw an opportunity to bring a message to people who might not have heard as much (about it) and are increasingly a set of victims," she said.

Friesen, the college sophomore, spends about a week each month traveling around talking to young people in the hope that he can help them avoid the situation he found himself in two years ago. He realizes he escaped relatively unscathed, but the experience is nonetheless disquieting.

"I haven't seen any more problems so far, but that's not to say I won't," he said. "I know my number's out there. But thanks to getting involved with Qwest and their campaign, they've done a great job in helping me understand more ways to keep myself safe."

PROTECTING YOUR IDENTITY

* Never carry your Social Security card or birth certificate with you. Keep them in a safe place at home.

* Don't loan your cell phone, driver's license, checkbook or credit card to anyone.

* Don't leave your purse, wallet or backpack unattended.

* Don't use your mother's maiden name for a password. Choose strong passwords and change them often.

* Don't respond to e-mails asking for personal information, even if they appear to be from legitimate Web sites. If you are concerned about your account, call the organization or open a new Internet browser and type in the company's correct Web address yourself. Do not cut and paste the link from the message into your browser -- phishers can make links look as if they go to one place, but instead send you to a different site.

* Never e-mail personal or financial information.
* Use anti-virus software and a firewall, and keep them up to date.

IDENTITY THEFT WARNING SIGNS

* Applying for a driver's license and discovering that one has already been issued in your name.

* Telemarketers calling and asking to speak to you.

* Receiving preapproved credit card offers, bank statements or collection statements in the mail.

* Being denied applications for student loans, an apartment or a credit card.

For more information about how to obtain a credit card and what to do if you're a victim of identity theft, go to www.incredibleinternet.com

© 1998-2005 Seattle Post-Intelligencer

From isn at c4i.org Wed Dec 14 16:13:10 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 14 22:13:14 2005
Subject: [ISN] CodeCon submission deadline reminder
Message-ID:

Forwarded from: Len Sassaman

Here's a reminder that the deadline for submissions to CodeCon 2006 is this week. Feel free to forward this to project developers who might not otherwise see it.

--Len.

-=-

CodeCon 2006
February 10-12, 2006
San Francisco CA, USA
www.codecon.org

Call For Papers

CodeCon is the premier showcase of cutting edge software development. It is an excellent opportunity for programmers to demonstrate their work and keep abreast of what's going on in their community.

All presentations must include working demonstrations, ideally accompanied by source code. Presentations must be done by one of the active developers of the code in question. We emphasize that demonstrations be of *working* code.

We hereby solicit papers and demonstrations.
* Papers and proposals due: December 15, 2005
* Authors notified: January 1, 2006

Possible topics include, but are by no means restricted to:

* community-based web sites - forums, weblogs, personals
* development tools - languages, debuggers, version control
* file sharing systems - swarming distribution, distributed search
* security products - mail encryption, intrusion detection, firewalls

Presentations will be 45 minutes long, with 15 minutes allocated for Q&A. Overruns will be truncated.

Submission details:

Submissions are being accepted immediately. Acceptance dates are November 15 and December 15. After the first acceptance date, submissions will be either accepted, rejected, or deferred to the second acceptance date.

The conference language is English.

Ideally, demonstrations should be usable by attendees with 802.11b connected devices either via a web interface, or locally on Windows, UNIX-like, or MacOS platforms. Cross-platform applications are most desirable.

Our venue will be 21+.

To submit, send mail to submissions-2006 at codecon.org including the following information:

* Project name
* url of project home page
* tagline - one sentence or less summing up what the project does
* names of presenter(s) and urls of their home pages, if they have any
* one-paragraph bios of presenters, optional, under 100 words each
* project history, under 150 words
* what will be done in the project demo, under 200 words
* slides to be shown during the presentation, if applicable
* future plans

General Chair: Jonathan Moore
Program Chair: Len Sassaman

Program Committee:

* Bram Cohen, BitTorrent, USA
* Jered Floyd, Permabit, USA
* Ian Goldberg, Zero-Knowledge Systems, CA
* Dan Kaminsky, Avaya, USA
* Ben Laurie, The Bunker Secure Hosting, UK
* Nick Mathewson, The Free Haven Project, USA
* David Molnar, University of California, Berkeley, USA
* Jonathan Moore, Mosuki, USA
* Meredith L. Patterson, University of Iowa, USA
* Len Sassaman, Katholieke Universiteit Leuven, BE

Sponsorship:

If your organization is interested in sponsoring CodeCon, we would love to hear from you. In particular, we are looking for sponsors for social meals and parties on any of the three days of the conference, as well as sponsors of the conference as a whole and donors of door prizes. If you might be interested in sponsoring any of these aspects, please contact the conference organizers at codecon-admin at codecon.org.

Press policy:

CodeCon provides a limited number of passes to qualifying press. Complimentary press passes will be evaluated on request. Everyone is welcome to pay the low registration fee to attend without an official press credential.

Questions:

If you have questions about CodeCon, or would like to contact the organizers, please mail codecon-admin at codecon.org. Please note this address is only for questions and administrative requests, and not for workshop presentation submissions.

From isn at c4i.org Wed Dec 14 16:14:35 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 14 22:13:39 2005
Subject: [ISN] Defense seeks industry input for authentication infrastructure
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/37768-1.html

By Rob Thormeyer
GCN Staff
12/13/05

The Defense Department is seeking industry input to help the agency establish and deploy an authentication infrastructure that will support a variety of IT devices, including desktops, domain controllers, routers, and Web and mail servers.

In a request for information [1], DOD's Public Key Infrastructure (PKI) Program said respondents should offer information about conceptual technical architecture, the technical feasibility of developing a responsive PKI that will support a minimum of 25 million certificates and, among other things, ideas and suggestions for designing, developing, acquiring and operating the PKI.
The information collected will be used in an official solicitation Defense will issue for a PKI to support commercial devices, the department said. Responses are due Jan. 9, 2006.

Defense's PKI Program has been tasked to develop, operate and maintain a PKI for commercial devices that require authentication certificates so the devices can be operated in a trusted manner, the agency said.

[1] http://fs1.fbo.gov/EPSData/DISA/Synopses/4826/Reference-Number-DODPKINon-PersonEntities/RFIPKINon-PersonDevices.doc

From isn at c4i.org Sun Dec 18 15:40:40 2005
From: isn at c4i.org (InfoSec News)
Date: Sun Dec 18 15:59:18 2005
Subject: [ISN] Linux Advisory Watch - December 16th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  December 16th, 2005                        Volume 6, Number 51a    |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                    Benjamin D. Thomas
                dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for courier, osh, curl, ethereal, phpMyAdmin, Openswan, Xmail, perl, openvpn, thunderbird, xmovie, mplayer, and ffmpeg. The distributors include Debian, Gentoo, and Mandriva.

----

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/linsec

----

SELinux Policy Development: Modifying Policy

Once you have your list of all your allow statements, examine them carefully and try to understand what you are allowing before adding them to policy. One weakness of audit2allow is that it is unaware of macros contained in the policy, so grep through your policy sources for allow statements close to the ones you'd like to add and try to find appropriate macros to use instead. If you're planning on doing a lot of policy customization it's a good idea to familiarize yourself with the existing policy sources so you're aware what macros are available. The $policy/policy/support/obj_perm_sets.spt file is one good place to start; it contains macros that expand out to useful permission groupings. For example, rather than allowing a domain the ioctl, read, getattr, lock, write, and append permissions to a given type, you can simply assign it the rw_file_perms macro instead. This helps keep policy readable later on.

Once you have generated your needed allow statements, add them to the $policy/policy/modules/admin/local.te file and recompile the policy. If your application still won't work in enforcing mode, just repeat the process until you can run it with no SELinux audit errors.

Always keep your policy changes in the $policy/policy/modules/admin/local.* files. These files are included in the package empty and intended for local policy customization. If you change a file that belongs to a service and already contains rules, your changes will be lost when the policy is upgraded, so keep local changes in the local.te and local.fc files where they belong. If you find a problem in existing policy, add your changes to local.* but provide a patch to the policy maintainers so they can include it in a later build. Most SELinux policies are being constantly developed and revised since the technology is still fairly new, and your upstream maintainers will thank you for your help.
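The workflow above (collect denials, turn them into allow rules, prefer a macro such as rw_file_perms over a raw permission list, and never add a rule you have not understood) can be shown end to end. The script below is an added example for this newsletter, not code from the article and not audit2allow itself. The AVC lines are constructed, and the MACROS table is an assumed excerpt of obj_perm_sets.spt covering only r_file_perms and rw_file_perms; check the sets against your own policy sources. Unlike audit2allow, it folds a permission set into a macro when the set matches the macro exactly, and otherwise leaves the raw list and appends a hint naming the smallest macro that would cover it, so the decision to widen a grant stays with the person reading the rule.

```python
"""Turn AVC denials into allow rules for local.te, folding raw permission
lists into the macros from obj_perm_sets.spt where they fit exactly.

Added example, not the LinuxSecurity.com article's code and not audit2allow:
the audit lines are constructed, and MACROS covers only two of the macros in
obj_perm_sets.spt (assumed contents, check your own policy sources).
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed AVC denials in the kernel audit format (sample input).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1134691200.101:42): avc:  denied  { read } for  pid=1234 comm="myapp" name="app.conf" dev=sda1 ino=4711 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_conf_t:s0 tclass=file
type=AVC msg=audit(1134691200.102:43): avc:  denied  { getattr } for  pid=1234 comm="myapp" path="/etc/myapp/app.conf" dev=sda1 ino=4711 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_conf_t:s0 tclass=file
type=AVC msg=audit(1134691200.103:44): avc:  denied  { write append lock ioctl } for  pid=1234 comm="myapp" name="app.log" dev=sda1 ino=4712 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_log_t:s0 tclass=file
type=AVC msg=audit(1134691200.104:45): avc:  denied  { read getattr } for  pid=1234 comm="myapp" name="app.log" dev=sda1 ino=4712 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_log_t:s0 tclass=file
type=AVC msg=audit(1134691200.105:46): avc:  denied  { name_connect } for  pid=1234 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
"""

# Assumed macro table modelled on obj_perm_sets.spt; rw_file_perms is the set
# the article quotes. Verify every entry against your policy sources.
MACROS: Dict[str, List[Tuple[str, Set[str]]]] = {
    "file": [
        ("r_file_perms", {"read", "getattr", "lock", "ioctl"}),
        ("rw_file_perms", {"ioctl", "read", "getattr", "lock", "write", "append"}),
    ],
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\w+)"
)

Key = Tuple[str, str, str]  # (source type, target type, object class)


def parse_denials(audit_text: str) -> Dict[Key, Set[str]]:
    """Merge every denial for the same (source, target, class) into one
    permission set, the way repeated runs of an application accumulate them."""
    denials: Dict[Key, Set[str]] = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:level]; allow rules name the type.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        denials[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(denials)


def fold_perms(tclass: str, perms: Set[str]) -> Tuple[str, Optional[str]]:
    """Return the rule body and an optional hint. A macro replaces the raw
    list only when the observed set equals the macro exactly, so the tool
    never silently widens a grant. If some macro would cover the set, the
    hint names the smallest one and lists what extra it would grant."""
    candidates = MACROS.get(tclass, [])
    for name, members in candidates:
        if perms == members:
            return name, None
    covering = [(name, members) for name, members in candidates if perms <= members]
    hint = None
    if covering:
        name, members = min(covering, key=lambda c: len(c[1]))
        hint = f"{name} would also grant: {' '.join(sorted(members - perms))}"
    return "{ " + " ".join(sorted(perms)) + " }", hint


def generate_rules(audit_text: str) -> List[str]:
    """Emit one allow rule per (source, target, class), ready for local.te."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(parse_denials(audit_text).items()):
        body, hint = fold_perms(tclass, perms)
        rule = f"allow {stype} {ttype}:{tclass} {body};"
        if hint:
            rule += f"  # {hint}"
        rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_AUDIT):
        print(rule)
```

Run against a real log (`ausearch -m avc` output or /var/log/audit/audit.log) the output is what you would paste into local.te after reading each line; the log-file rule comes out as rw_file_perms because the two denials for app.log together cover exactly that set, while the config-file rule stays as `{ getattr read }` with a hint, since granting r_file_perms would add lock and ioctl the application never asked for.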
Policy development can be difficult at the beginning, but I think you'll find that as you make progress you'll be learning not only about SELinux but about the details of what your applications are really doing under the hood. You'll not only be making your system more secure, you'll be learning about the low level details of your system and its services. SELinux development has already resulted in upstream patches to many applications that had hidden bugs that were only found because SELinux alerted policy developers to the kernel level actions the applications were attempting.

I hope you enjoyed reading this SELinux series as much as I enjoyed writing it. Until next time, stay secure and keep your policy locked down tight.

Read Entire Article:
http://www.linuxsecurity.com/content/view/120837/49/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information overflows into adjacent memory, corrupting or overwriting the valid data held there.

http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference.
It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New courier packages fix unauthorised access
  8th, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120959

* Debian: New osh packages fix privilege escalation
  9th, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120969

* Debian: New curl packages fix potential security problem
  12th, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120980

* Debian: New ethereal packages fix arbitrary code execution
  13th, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120987

* Debian: New Linux 2.4.27 packages fix several vulnerabilities
  14th, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/121004

* Debian: New Linux 2.6.8 packages fix several vulnerabilities
  14th, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/121005

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: phpMyAdmin Multiple vulnerabilities
  11th, December, 2005
  Multiple flaws in phpMyAdmin may lead to several XSS issues and local and remote file inclusion vulnerabilities.
  http://www.linuxsecurity.com/content/view/120975

* Gentoo: Openswan, IPsec-Tools Vulnerabilities in ISAKMP
  12th, December, 2005
  Openswan and IPsec-Tools suffer from an implementation flaw which may allow a Denial of Service attack.
  http://www.linuxsecurity.com/content/view/120981

* Gentoo: Xmail Privilege escalation through sendmail
  14th, December, 2005
  The sendmail program in Xmail is vulnerable to a buffer overflow, potentially resulting in local privilege escalation.
  http://www.linuxsecurity.com/content/view/121002

* Gentoo: Ethereal Buffer overflow in OSPF protocol dissector
  14th, December, 2005
  Ethereal is missing bounds checking in the OSPF protocol dissector that could lead to abnormal program termination or the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/121003

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated curl package fixes format string vulnerability
  8th, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120966

* Mandriva: Updated perl package fixes format string vulnerability
  8th, December, 2005
  Jack Louis discovered a new way to exploit format string errors in the Perl programming language that could lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120967

* Mandriva: Updated openvpn packages fix multiple vulnerabilities
  10th, December, 2005
  Two vulnerabilities exist in OpenVPN. The first allows a malicious or compromised server to execute arbitrary code on the client (CVE-2005-3393). The second is a Denial of Service that can occur when, in TCP server mode, OpenVPN receives an error on accept(2) and the resulting exception handler causes a segfault (CVE-2005-3409). The updated packages have been patched to correct these problems.

  http://www.linuxsecurity.com/content/view/120974

* Mandriva: Updated mozilla-thunderbird package fixes vulnerability in enigmail
  13th, December, 2005
  A bug in enigmail, the GPG support extension for Mozilla MailNews and Mozilla Thunderbird, was discovered that could lead to the encryption of an email with the wrong public key. This could potentially disclose confidential data to unintended recipients. The updated packages have been patched to prevent this problem.
  http://www.linuxsecurity.com/content/view/120986

* Mandriva: Updated ethereal packages fix vulnerability
  14th, December, 2005
  A stack-based buffer overflow was discovered in the OSPF dissector in Ethereal. This could potentially be abused to allow remote attackers to execute arbitrary code via crafted packets. The updated packages have been patched to prevent this problem.
  http://www.linuxsecurity.com/content/view/121010

* Mandriva: Updated xine-lib packages fix buffer overflow vulnerability
  14th, December, 2005
  Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
  http://www.linuxsecurity.com/content/view/121011

* Mandriva: Updated xmovie packages fix buffer overflow vulnerability
  14th, December, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/121012

* Mandriva: Updated gstreamer-ffmpeg packages fix buffer overflow vulnerability
  14th, December, 2005
  Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
  http://www.linuxsecurity.com/content/view/121013

* Mandriva: Updated mplayer packages fix buffer overflow vulnerability
  14th, December, 2005
  Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
  http://www.linuxsecurity.com/content/view/121014

* Mandriva: Updated ffmpeg packages fix buffer overflow vulnerability
  14th, December, 2005
  Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
  http://www.linuxsecurity.com/content/view/121015

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Sun Dec 18 15:40:56 2005
From: isn at c4i.org (InfoSec News)
Date: Sun Dec 18 15:59:49 2005
Subject: [ISN] Dents shown in NSA armor
Message-ID:

http://www.baltimoresun.com/news/local/bal-md.nsa15dec15,1,1801590.story?coll=bal-local-headlines

By Matthew Dolan
sun reporter
December 15, 2005

GREENBELT -- At the National Security Agency, removing classified material from its secured Maryland complex may not be as hard as it should be.

The surprising revelation from federal prosecutors came as the government brought to trial a former agency employee accused of illegally storing highly sensitive NSA computer manuals in the kitchen of his home, which was raided by the FBI in January 2004.

The employee, Kenneth W. Ford Jr., 34, of Waldorf, was charged in U.S. District Court with possessing classified information and making a false statement on a job application for a government contractor.
Attorneys made their closing arguments to the jury yesterday afternoon. Jury deliberations are expected to resume this morning.

Given the secretive nature of the nation's largest intelligence agency, the trial has provided a rare look inside NSA's Anne Arundel County complex at Fort Meade. Evidence showed surveillance cameras that didn't record, a lack of security guards and a policy of less-than-routine searches of employees' cars.

The accused, a former Secret Service agent who once guarded the White House, was reported by a woman he met on an Internet dating site who turned out to have an extensive criminal record.

NSA is one of the state's largest employers, with an estimated work force of 15,000 people. The exact number is classified. Analysts focus on eavesdropping, tapping into electronic communications around the world. They live in a closed society where secrecy is a way of life. The acronym has been laughingly referred to as No Such Agency.

"It's not called the National Security Agency for nothing," Assistant U.S. Attorney David I. Salem told jurors, adding that the agency held "some of the most sensitive secrets of the United States of America."

Like pages torn from a spy novel, testimony showcased the cloak-and-dagger nature of the agency. Some NSA witnesses testified anonymously, using their first name and initial of their last name. Heavily edited documents were shown to jurors, who then had to swear they would keep mum about them.

Ford worked for the agency for more than two years, but the exact nature of his job was not revealed yesterday. But two weeks of testimony in open court has shed some light on some alleged gaps in NSA security procedures.

At least one witness testified there were no security guards at the "tech" building where Ford is accused of removing the classified documents, according to federal prosecutors. The surveillance video cameras at the building didn't work either, according to court testimony.
Vehicles leaving the secured NSA compound are searched randomly but rarely, one witness said. And it was entirely possible, prosecutors said, for an employee to have a key to open a gate to a rear loading dock, carry boxes of classified documents into a waiting pickup truck and drive the material home unnoticed.

"There isn't enough [security] to stop you from taking out [documents] if you want to," Salem said. Ultimately, the NSA has to trust in the integrity of its employees, he added.

But Ford's attorney, Spencer M. Hecht, balked at the idea that it was relatively easy for an NSA employee to sneak mounds of classified papers out of the complex.

"Trust? It's a joke," Hecht said.

The defense attorney described a highly watched world of background checks, polygraphs, video cameras, searches, security protocols and severe penalties - all designed to ensure proper security at NSA.

"There is no way that [Ford] would be able to remove those boxes," Hecht said.

Prosecutors did not offer a definitive reason why Ford might have taken the documents home after he left the NSA for good in December 2003. He told some officials he considered them reference material, according to evidence at trial. Ford told others he didn't know he couldn't keep them, the evidence showed.

"For all we know, he intended to be a spy," Salem said. "And we caught him before he could do it."

But Hecht told the jury there would be no reason for Ford to take the documents because they would be of no use to him in any future job.

The investigation started with a tip from Ford's then-girlfriend, Tanya Tucker, who called NSA officials Jan. 9 saying that she had seen confidential material in Ford's home. He planned to sell the documents the next day, she told intelligence officials.

But the FBI waited days to act on her information and approached Ford in his home. Then, as many as 20 agents searched his house and car, finding reams of classified documents mixed in with his name tags.
One taken by Tucker and placed in her suitcase had Ford's fingerprint on it, prosecutors said.

Ford spoke to FBI agents for more than seven hours and signed a statement in which he acknowledged that he took the documents but denied he was a spy, prosecutors said. Hecht said the confession was false and made under duress.

According to trial testimony, Ford met Tucker through an online dating site nine weeks before the raid. His mother has said she suspects that Tucker was involved in a plot to snare her son.

During the trial, evidence revealed that Tucker had a substantial criminal record, including passing false documents. Acknowledging her credibility problems, Salem asked jurors yesterday to view her role in the trial solely as a critical tipster.

Ford's attorney saw her role as more sinister.

"She manipulated Mr. Ford's life and set him up," Hecht told jurors. "And she wasn't charged with anything."

From isn at c4i.org Sun Dec 18 15:39:22 2005
From: isn at c4i.org (InfoSec News)
Date: Sun Dec 18 16:02:24 2005
Subject: [ISN] US Government Security Site Vulnerable to Common Attack
Message-ID:

http://news.netcraft.com/archives/2005/12/14/us_government_security_site_vulnerable_to_common_attack.html

By Rich Miller
December 14, 2005

The U.S. government site that tracks cyber security risks was recently found vulnerable to cross-site scripting, a technique commonly used in hacker attacks and web site spoofing. Several security sites have published a demonstration of the security hole in the web site for the National Institute of Standards and Technology (NIST), which hosts the U.S. National Vulnerability Database, which ironically includes numerous examples of cross-site scripting.

Cross-site scripting (XSS) is a well known technique in which script is injected into the parameters of URLs that generate dynamic pages; the site echoes it back, and the victim's browser executes it with the trust it extends to that site. Attacks using XSS have been found by security researchers in a wide variety of products and specific sites in recent years.
The cross-site scripting vulnerability in the NIST site was found in a script that warns visitors that they are about to leave the NIST site, a common practice on U.S. government sites. The NIST script allowed potentially malicious JavaScript appended to the URL to be echoed into the page and executed by the browser, a technique that works in both Firefox and Internet Explorer.

The flaw was originally reported by the RootShell Security Group. Staff at the NIST web site closed the security hole after being contacted by people who saw the RootShell posting.

The Netcraft Toolbar blocks common cross-site scripting attacks, protecting users from coding weaknesses in trusted sites, including the NIST flaw. "That was the first time when a trusted, security-related site generated a 'Block XSS' message to me," noted security researcher Juha-Matti Laurio, a frequent contributor to security community resources on the web.

Web programmers can prevent most cross-site scripting attacks by validating form input and URL parameters, and by encoding all user-supplied data for the context in which it is displayed (HTML text, attribute value, script) before it is output. Validation alone is not enough: a value that passes a URL check can still carry quotes and angle brackets in its path.
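The "you are leaving this site" pattern described above is easy to get wrong and easy to fix, so here is the vulnerable shape beside a hardened one. This is an added example, not NIST's script (which the page does not show) and not the RootShell demonstration: the parameter name, the page markup and the test payload are assumptions. It shows both halves of the advice in the last paragraph: an allow-list check on the destination (absolute http or https with a host, no control characters, which also refuses javascript: and scheme-relative values), followed by HTML-encoding the value for the attribute and text contexts it lands in.

```python
"""An "exit notice" page that echoes the destination URL, in the vulnerable
form the NIST story describes and in a hardened form.

Added example, not NIST's script (the page does not show it): the parameter
name, the page layout and the test payload are assumptions.
"""
import html
from typing import Optional
from urllib.parse import urlsplit

# Page layout (assumed). {href} lands in an attribute, {shown} in element text.
TEMPLATE = (
    "<html><body>\n"
    '<p>You are now leaving this site for <a href="{href}">{shown}</a>.</p>\n'
    '<p><a href="{href}">Continue</a> or use your browser\'s back button.</p>\n'
    "</body></html>\n"
)


def exit_page_vulnerable(url: str) -> str:
    """Echoes the query parameter verbatim: whatever is appended to the URL
    becomes part of the page, so a value ending in "> closes the href
    attribute and the rest is parsed as markup."""
    return TEMPLATE.format(href=url, shown=url)


def safe_destination(url: str) -> Optional[str]:
    """Validation step: accept only absolute http(s) URLs with a host.
    Rejects javascript: and data: schemes, scheme-relative //host values,
    and anything carrying control characters or whitespace."""
    if any(ord(c) < 0x20 or c.isspace() for c in url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed bracketed hosts and the like
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return url


def exit_page_hardened(url: str) -> str:
    """Validate first, then encode for output. Encoding is still required:
    a syntactically valid http URL can carry <, > and " in its path."""
    dest = safe_destination(url)
    if dest is None:
        return "<html><body><p>Invalid destination.</p></body></html>\n"
    # quote=True also escapes " and ', which the attribute context needs.
    encoded = html.escape(dest, quote=True)
    return TEMPLATE.format(href=encoded, shown=encoded)


if __name__ == "__main__":
    payload = 'http://example.org/"><script>alert(1)</script>'  # constructed
    print(exit_page_vulnerable(payload))
    print(exit_page_hardened(payload))
    print(exit_page_hardened("javascript:alert(1)"))
```

The payload passes the URL check (it is a well-formed http URL whose path happens to contain markup), which is exactly why the encode step is not optional; the vulnerable page emits a live script element, the hardened page emits `&lt;script&gt;` inside a properly closed attribute. A site that only ever links to a fixed set of external hosts can tighten safe_destination further to an allow-list of hostnames.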
From isn at c4i.org Sun Dec 18 15:40:16 2005
From: isn at c4i.org (InfoSec News)
Date: Sun Dec 18 16:03:28 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-50
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2005-12-08 - 2005-12-15

                       This week : 67 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Microsoft has released their monthly security bulletins for December, which fix several vulnerabilities in Internet Explorer and a privilege escalation vulnerability in Windows 2000.
Among the fixed vulnerabilities is also the six-month-old "Extremely Critical" vulnerability in Internet Explorer, which can be exploited to compromise a vulnerable system if the user visits a malicious web site.

All users of Microsoft products are advised to visit Windows Update and apply available patches.

References:
http://secunia.com/SA15368
http://secunia.com/SA15821

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1.  [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
2.  [SA17934] Mozilla Firefox History Information Denial of Service Weakness
3.  [SA15368] Microsoft Internet Explorer Multiple Vulnerabilities
4.  [SA17564] Microsoft Internet Explorer CSS Import Disclosure of Sensitive Information
5.  [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
6.  [SA17748] Sun Java JRE Sandbox Security Bypass Vulnerabilities
7.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
8.  [SA15781] Opera Suppressed "Download Dialog" File Execution Vulnerability
9.  [SA17946] Netscape History Information Denial of Service Weakness
10. [SA17944] Mozilla Suite History Information Denial of Service Weakness

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA17998] Sights 'n Sounds Streaming Media Server Buffer Overflow Vulnerability
[SA17989] LogiSphere Directory Traversal and Potential Denial of Service
[SA17983] LocazoList Classifieds "searchdb.asp" Cross-Site Scripting Vulnerability
[SA17978] Macromedia Flash Media Server Administration Service Denial of Service
[SA17966] Pocket Controller Professional Missing Authentication Denial of Service
[SA17990] MDaemon WorldClient LookOut Theme Inbox Denial of Service Weakness

UNIX/Linux:
[SA18003] HP Tru64 UNIX Secure Web Server XML_RPC PHP Code Execution Vulnerability
[SA18012] Debian update for ethereal
[SA18009] Ubuntu updates for xpdf / cupsys / tetex-bin / kdegraphics / koffice
[SA17980] Gentoo update for openswan / ipsec-tools
[SA17976] CUPS xpdf Multiple Buffer Overflow Vulnerabilities
[SA17965] Debian update for curl
[SA17959] Fedora update for poppler
[SA18029] WHMCompleteSolution "search" Cross-Site Scripting Vulnerability
[SA18010] UnixWare update for openssh
[SA18005] Trustix update for cpplus
[SA18002] SUSE update for mediawiki
[SA17999] Ubuntu update for courier
[SA17975] CP+ Unspecified Perl Vulnerability
[SA17995] Fedora update for kernel
[SA17986] UnixWare "uidadmin" Buffer Overflow Vulnerability
[SA17977] Ubuntu update for curl
[SA17967] Debian update for osh
[SA17961] Mandriva update for curl
[SA17960] Fedora update for curl
[SA17993] Trustix update for perl

Other:
[SA17974] Nortel SSL VPN Web Interface Arbitrary Command Execution Vulnerability
[SA17996] Motorola SB5100E Cable Modem LAND Packet Denial of Service

Cross Platform:
[SA18030] phpCOIN SQL Injection and File Inclusion Vulnerabilities
[SA18039] mcGalleryPRO Multiple Vulnerabilities
[SA18023] e107 SQL Injection Vulnerabilities
[SA18022] Snipe Gallery Cross-Site Scripting and SQL Injection Vulnerabilities
[SA18021] EncapsGallery "id" SQL Injection Vulnerability
[SA18019] PhpWebGallery Multiple SQL Injection Vulnerabilities
[SA18014] Dream Poll "id" SQL Injection Vulnerability
[SA18011] phpWebThings SQL Injection Vulnerabilities
[SA18007] Jamit Job Board "cat" SQL Injection Vulnerability
[SA18000] MyBB SQL Injection and Unspecified Vulnerabilities
[SA17987] Netref "cat" SQL Injection Vulnerability
[SA17985] Apani EpiForce Agent ISAKMP IKE Message Processing Denial of Service
[SA17984] Arab Portal SQL Injection Vulnerabilities
[SA17979] Scout Portal Toolkit Cross-Site Scripting and SQL Injection
[SA17973] Ethereal OSPF Protocol Dissector Buffer Overflow Vulnerability
[SA18034] VCD-db Cross-Site Scripting Vulnerabilities
[SA18031] Link Up Gold Cross-Site Scripting Vulnerabilities
[SA18027] ADP Forum "users" Exposure of User Credentials
[SA18024] myBloggie SQL Injection Vulnerabilities
[SA18020] PHP JackKnife Gallery System "sKeywords" Cross-Site Scripting
[SA18018] Mantis "view_filters_page.php" Cross-Site Scripting Vulnerability
[SA18016] EveryAuction "searchstring" Cross-Site Scripting Vulnerability
[SA18015] WikkaWiki "phrase" Cross-Site Scripting Vulnerability
[SA18008] Apache mod_imap "Referer" Cross-Site Scripting Vulnerability
[SA18006] MySQL Auction "keyword" Cross-Site Scripting Vulnerability
[SA17997] milliscripts Redirection "domainname" Cross-Site Scripting Vulnerability
[SA17988] Utopia News Pro SQL Injection Vulnerabilities
[SA17982] Magic Book Professional "StartRow" Cross-Site Scripting Vulnerability
[SA17981] QuickPayPro Cross-Site Scripting and SQL Injection Vulnerabilities
[SA17972] CKGold "keywords" Cross-Site Scripting Vulnerability
[SA17971] Kronolith Script Insertion Vulnerabilities
[SA17970] Horde Script Insertion Vulnerabilities
[SA17969] Nag Script Insertion Vulnerabilities
[SA17968] Turba Script Insertion Vulnerabilities
[SA17964] Mnemo Script Insertion Vulnerabilities
[SA17962] CA CleverPath Portal Login Page Cross-Site Scripting Vulnerability
[SA17958] UseBB Cross-Site Scripting Vulnerability
[SA17991] Blackboard Learning and Community Portal Systems "frameset.jsp" Weakness
[SA17963] Opera Bookmark Large Title Denial of Service Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA17998] Sights 'n Sounds Streaming Media Server Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-12

dr_insane has discovered a vulnerability in Sights 'n Sounds Streaming Media Server, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17998/

--

[SA17989] LogiSphere Directory Traversal and Potential Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information, DoS
Released:    2005-12-12

dr_insane has discovered two vulnerabilities in LogiSphere, which can be exploited by malicious users to access arbitrary files on a vulnerable system and potentially to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17989/

--

[SA17983] LocazoList Classifieds "searchdb.asp" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

r0t has reported a vulnerability in LocazoList Classifieds, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17983/

--

[SA17978] Macromedia Flash Media Server Administration Service Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-12-13

dr_insane has discovered a vulnerability in Macromedia Flash Media Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17978/

--
[SA17966] Pocket Controller Professional Missing Authentication Denial of Service
Critical: Less critical
Where: From local network
Impact: Manipulation of data, DoS
Released: 2005-12-09

Airscanner Mobile Security has reported a security issue in Pocket Controller Professional, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17966/

--
[SA17990] MDaemon WorldClient LookOut Theme Inbox Denial of Service Weakness
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-12-12

dr_insane has discovered a weakness in MDaemon, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17990/

UNIX/Linux:
--
[SA18003] HP Tru64 UNIX Secure Web Server XML_RPC PHP Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-12-12

HP has acknowledged a vulnerability in HP Tru64 UNIX Secure Web Server, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/18003/

--
[SA18012] Debian update for ethereal
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-12-13

Debian has issued an update for ethereal. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/18012/

--
[SA18009] Ubuntu updates for xpdf / cupsys / tetex-bin / kdegraphics / koffice
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-12-13

Ubuntu has issued updates for xpdf / cupsys / tetex-bin / kdegraphics / koffice.
These fix some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable or a user's system.

Full Advisory: http://secunia.com/advisories/18009/

--
[SA17980] Gentoo update for openswan / ipsec-tools
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-12-13

Gentoo has issued an update for openswan / ipsec-tools. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17980/

--
[SA17976] CUPS xpdf Multiple Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-12-13

Some vulnerabilities have been reported in CUPS, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17976/

--
[SA17965] Debian update for curl
Critical: Moderately critical
Where: From remote
Impact: Unknown, System access
Released: 2005-12-12

Debian has issued an update for curl. This fixes two vulnerabilities, where one has an unknown impact and another can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17965/

--
[SA17959] Fedora update for poppler
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-12-09

Fedora has issued an update for poppler. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17959/

--
[SA18029] WHMCompleteSolution "search" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-14

r0t has reported a vulnerability in WHMCompleteSolution, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/18029/

--
[SA18010] UnixWare update for openssh
Critical: Less critical
Where: From remote
Impact: Security Bypass, Privilege escalation
Released: 2005-12-13

SCO has issued an update for openssh. This fixes two security issues, which can be exploited by malicious users to gain escalated privileges or bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/18010/

--
[SA18005] Trustix update for cpplus
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-12-12

Trustix has issued an update for cpplus. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/18005/

--
[SA18002] SUSE update for mediawiki
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-12

SUSE has issued an update for mediawiki. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/18002/

--
[SA17999] Ubuntu update for courier
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-12-12

Ubuntu has issued an update for courier-authdaemon. This fixes a vulnerability, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/17999/

--
[SA17975] CP+ Unspecified Perl Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-12-12

A vulnerability has been reported in CP+ (cpplus), which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17975/

--
[SA17995] Fedora update for kernel
Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2005-12-14

Fedora has issued an update for the kernel. This fixes some vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges and to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17995/

--
[SA17986] UnixWare "uidadmin" Buffer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-12-13

iDEFENSE has reported a vulnerability in UnixWare, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/17986/

--
[SA17977] Ubuntu update for curl
Critical: Less critical
Where: Local system
Impact: Unknown
Released: 2005-12-13

Ubuntu has issued an update for curl. This fixes a vulnerability, which has an unknown impact.

Full Advisory: http://secunia.com/advisories/17977/

--
[SA17967] Debian update for osh
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-12-09

Debian has issued an update for osh. This fixes two vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/17967/

--
[SA17961] Mandriva update for curl
Critical: Less critical
Where: Local system
Impact: Unknown
Released: 2005-12-09

Mandriva has issued an update for curl. This fixes a vulnerability with an unknown impact.
Full Advisory: http://secunia.com/advisories/17961/

--
[SA17960] Fedora update for curl
Critical: Less critical
Where: Local system
Impact: Unknown
Released: 2005-12-09

Fedora has issued an update for curl. This fixes a vulnerability with an unknown impact.

Full Advisory: http://secunia.com/advisories/17960/

--
[SA17993] Trustix update for perl
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-12-12

Trustix has issued an update for perl. This fixes a vulnerability, which can be exploited by malicious people to cause a Denial of Service.

Full Advisory: http://secunia.com/advisories/17993/

Other:
--
[SA17974] Nortel SSL VPN Web Interface Arbitrary Command Execution Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2005-12-12

Daniel Fabian has reported a vulnerability in Nortel SSL VPN, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17974/

--
[SA17996] Motorola SB5100E Cable Modem LAND Packet Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-12-13

Alexey Sintsov has reported a vulnerability in Motorola SB5100E, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17996/

Cross Platform:
--
[SA18030] phpCOIN SQL Injection and File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, Exposure of system information, System access
Released: 2005-12-14

rgod has reported two vulnerabilities in phpCOIN, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18030/

--
[SA18039] mcGalleryPRO Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released: 2005-12-14

r0t has reported some vulnerabilities in mcGalleryPRO, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and disclose sensitive information.

Full Advisory: http://secunia.com/advisories/18039/

--
[SA18023] e107 SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-13

Yichen Xie and Alex Aiken have discovered some vulnerabilities in e107, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/18023/

--
[SA18022] Snipe Gallery Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-12-14

r0t has reported some vulnerabilities in Snipe Gallery, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/18022/

--
[SA18021] EncapsGallery "id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-14

r0t has reported a vulnerability in EncapsGallery, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/18021/

--
[SA18019] PhpWebGallery Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-14

r0t has discovered some vulnerabilities in PhpWebGallery, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18019/

--
[SA18014] Dream Poll "id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-14

r0t has reported a vulnerability in Dream Poll, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/18014/

--
[SA18011] phpWebThings SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-13

Yichen Xie and Alex Aiken have discovered some vulnerabilities in phpWebThings, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/18011/

--
[SA18007] Jamit Job Board "cat" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-14

r0t has reported a vulnerability in Jamit Job Board, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/18007/

--
[SA18000] MyBB SQL Injection and Unspecified Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, Manipulation of data
Released: 2005-12-12

Some vulnerabilities have been reported in MyBB, where some have unknown impacts and others can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/18000/

--
[SA17987] Netref "cat" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-12

syst3m_f4ult has reported a vulnerability in Netref, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17987/

--
[SA17985] Apani EpiForce Agent ISAKMP IKE Message Processing Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-12-14

A vulnerability has been reported in Apani EpiForce, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17985/

--
[SA17984] Arab Portal SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-13

Devil-00 has reported two vulnerabilities in Arab Portal, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17984/

--
[SA17979] Scout Portal Toolkit Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-12-12

Preddy has reported some vulnerabilities in Scout Portal Toolkit, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17979/

--
[SA17973] Ethereal OSPF Protocol Dissector Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-12-12

A vulnerability has been reported in Ethereal, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17973/

--
[SA18034] VCD-db Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2005-12-14

r0t has reported two vulnerabilities in VCD-db, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18034/

--
[SA18031] Link Up Gold Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-12-14

r0t has reported some vulnerabilities in Link Up Gold, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/18031/

--
[SA18027] ADP Forum "users" Exposure of User Credentials
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-12-14

Liz0ziM has discovered a security issue in ADP Forum, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/18027/

--
[SA18024] myBloggie SQL Injection Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-13

Yichen Xie and Alex Aiken have discovered some vulnerabilities in myBloggie, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/18024/

--
[SA18020] PHP JackKnife Gallery System "sKeywords" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-14

r0t has discovered a vulnerability in PHP JackKnife Gallery System, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/18020/

--
[SA18018] Mantis "view_filters_page.php" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-14

r0t has discovered a vulnerability in Mantis, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18018/

--
[SA18016] EveryAuction "searchstring" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-13

$um$id has discovered a vulnerability in EveryAuction, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/18016/

--
[SA18015] WikkaWiki "phrase" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-14

r0t has discovered a vulnerability in WikkaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/18015/

--
[SA18008] Apache mod_imap "Referer" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-13

A vulnerability has been reported in Apache httpd, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/18008/

--
[SA18006] MySQL Auction "keyword" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-14

r0t has reported a vulnerability in MySQL Auction, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/18006/

--
[SA17997] milliscripts Redirection "domainname" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-12

Luis Alberto Cortes Zavala has discovered a vulnerability in milliscripts Redirection, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/17997/

--
[SA17988] Utopia News Pro SQL Injection Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-13

Yichen Xie and Alex Aiken have discovered some vulnerabilities in Utopia News Pro, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17988/

--
[SA17982] Magic Book Professional "StartRow" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-12

r0t has reported a vulnerability in Magic Book Professional, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17982/

--
[SA17981] QuickPayPro Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-12-14

r0t has reported some vulnerabilities in QuickPayPro, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17981/

--
[SA17972] CKGold "keywords" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-14

r0t has reported a vulnerability in CKGold, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17972/

--
[SA17971] Kronolith Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-12

SEC Consult has reported some vulnerabilities in Kronolith, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/17971/

--
[SA17970] Horde Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-12

SEC Consult has reported some vulnerabilities in Horde, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/17970/

--
[SA17969] Nag Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-12

SEC Consult has reported some vulnerabilities in Nag, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/17969/

--
[SA17968] Turba Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-12

SEC Consult has reported some vulnerabilities in Turba, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/17968/

--
[SA17964] Mnemo Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-12

SEC Consult has reported some vulnerabilities in Mnemo, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/17964/

--
[SA17962] CA CleverPath Portal Login Page Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-09

A vulnerability has been reported in CA CleverPath Portal, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/17962/

--
[SA17958] UseBB Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-12

A vulnerability has been reported in UseBB, which potentially can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17958/

--
[SA17991] Blackboard Learning and Community Portal Systems "frameset.jsp" Weakness
Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2005-12-12

dr_insane has reported a weakness in Blackboard Learning and Community Portal Systems, potentially allowing malicious people to conduct phishing attacks.

Full Advisory: http://secunia.com/advisories/17991/

--
[SA17963] Opera Bookmark Large Title Denial of Service Weakness
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-12-12

A weakness has been reported in Opera, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17963/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45


From isn at c4i.org Sun Dec 18 15:42:12 2005
From: isn at c4i.org (InfoSec News)
Date: Sun Dec 18 16:04:27 2005
Subject: [ISN] Cleaning Up After Mass Password Changes -- December 14, 2005
Message-ID:

====================
This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

St. Bernard Software
http://list.windowsitpro.com/t?ctl=1BECD:4FB69

Panda Software
http://list.windowsitpro.com/t?ctl=1BED0:4FB69
====================

1. In Focus: Cleaning Up After Mass Password Changes

2. Security News and Features
- Recent Security Vulnerabilities
- Windows Server 2003 R2 Ready to Go
- Two Microsoft Security Bulletins Released in December
- Easy 802.11g Security

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread

4. New and Improved
- Security Appliance Line Gets Software Upgrade, New Models

====================

==== Sponsor: St. Bernard Software ====
Filtering the Spectrum of Internet Threats: Defending Against Inappropriate Content, Spyware, IM, and P2P at the Perimeter

Because of the proliferation of Web-based threats, you can no longer rely on basic firewalls as your sole network protection. Attackers continue to evolve clever methods for reaching victims, such as sending crafty Web links through Instant Messaging (IM) clients or email, or by simply linking to other Web sites that your employees might surf. This free white paper examines the threats of allowing unwanted or offensive content into your network and describes the technologies and methodologies to combat these types of threats. Get your free copy now!
http://list.windowsitpro.com/t?ctl=1BECD:4FB69
====================

==== 1. In Focus: Cleaning Up After Mass Password Changes ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I mentioned ways to change passwords en masse. Hobbit (creator of the hugely popular netcat tool) wrote to remind me that I didn't mention the fact that storing plaintext passwords in scripts carries considerable risk. Obviously, the passwords might be recoverable by an intruder.

After you've performed mass password changes, don't leave password strings lying around in plaintext. You might use strong encryption to encrypt the data, or better yet, you might remove the passwords from your system completely. To do that, delete any password strings in your scripts or delete the scripts completely. Then securely erase your disk space to ensure that the passwords can't be recovered by intruders.

To wipe a disk clean, you need to overwrite all sectors on a drive in some fashion. Some disk-wiping tools can overwrite sectors numerous times to better ensure that the magnetic flux (which is the means by which data is recorded) is dramatically changed so that little if any flux remains to be used toward data recovery. You can use Stellar Information Systems' Stellar Wipe Safe Data Eraser, Heidi Computers' Eraser, or any number of other tools designed to destroy disk-based data. If you use Sunbelt Software's CounterSpy antispyware tool, you might know that it has a built-in file eraser utility that you could use.
http://list.windowsitpro.com/t?ctl=1BEE4:4FB69
http://list.windowsitpro.com/t?ctl=1BEE8:4FB69
http://list.windowsitpro.com/t?ctl=1BEE2:4FB69

If you're interested in some facts and theory about how someone might recover data from your disks and how disk-erasing technology can help prevent that from happening, read "Secure Deletion of Data from Magnetic and Solid-State Memory" by Peter Gutmann at
http://list.windowsitpro.com/t?ctl=1BED3:4FB69

Instead of creating and running your scripts from a hard disk, you could run your script from a floppy disk drive and then burn the floppy disk when you're done. I can't think of a more secure method than this. But many systems these days don't even have floppy disk drives.

A long time ago, I used RAM disks to help some programs run much faster. A RAM disk would be great for helping to secure your passwords in scripts that are used to perform mass password changes. You can create a RAM disk, use it to develop and run your scripts, and when you're finished, repeatedly erase the RAM disk. Then uninstall the RAM disk drivers, shut down the system, power it off (which destroys anything in RAM), and reboot the computer. There's still a slim chance that someone might be able to recover passwords written to RAM, but it would be incredibly difficult, because the RAM space used by the RAM disk will be overwritten repeatedly by the OS and your applications. Using a RAM disk is probably much safer than relying on a tool to erase hard disk space.

When establishing a RAM disk, be sure that you immediately set permissions on the new disk drive to prevent unwanted access. You can find numerous RAM disk drivers for Windows 2000 and Windows XP (some of which are free) by using your favorite search engine. Use a search string similar to

RAMdisk +"Windows XP" +"Windows 2000"

If you don't want to trust somebody else's RAM disk code, download Microsoft's RAM disk source code, review it carefully to make sure you trust it, then compile it yourself.
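The column's two recommendations, keep the passwords out of plaintext files in the first place and overwrite whatever did touch disk, as an added example; this is editor-supplied code, not code from the newsletter or from Mark Joseph Edwards. It is Python rather than the batch or VBScript a Windows 2000/XP administrator would have used in 2005. The directory call it hands each password to (reset_fn) is hypothetical, the password alphabet is an assumption, and the temporary .cmd file with a hard-coded password that demo_wipe creates is constructed for the demonstration.

```python
import os
import secrets
import string
import tempfile

# Assumptions for the example, not values from the newsletter.
ALPHABET = (string.ascii_letters + string.digits + "!#%+-=?@_").encode("ascii")
CHUNK = 64 * 1024


def generate_password(length: int = 16) -> bytearray:
    """Random password as a mutable bytearray, so it can be zeroed in place.
    It is never turned into a Python str: str objects are immutable and stay
    in memory until the interpreter gets round to freeing them."""
    return bytearray(secrets.choice(ALPHABET) for _ in range(length))


def zeroize(buf: bytearray) -> None:
    """Overwrite an in-memory secret before the reference is dropped."""
    for i in range(len(buf)):
        buf[i] = 0


def rotate_accounts(usernames, reset_fn) -> int:
    """Give every account a fresh password and hand it to reset_fn(user, pw).

    reset_fn is the caller's directory call (hypothetical). The password
    lives only in RAM and is zeroed as soon as the call returns, so there is
    no script or log to wipe afterwards; any str copy the callee makes is
    outside this function's control. Returns the number of accounts done."""
    done = 0
    for user in usernames:
        pw = generate_password()
        try:
            reset_fn(user, pw)
        finally:
            zeroize(pw)
        done += 1
    return done


def _overwrite_pass(f, size: int, pattern) -> None:
    """Write `size` bytes produced by pattern(n) from offset 0, then push
    them through the page cache to the device."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        f.write(pattern(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite a file in place: `passes` passes of random bytes and a
    final pass of zeros, each synced. Returns the bytes written per pass.

    Only the blocks currently mapped to the file are reached. Journaling,
    copy-on-write snapshots, editor backup copies and SSD wear-levelling can
    keep older copies, which is why the column prefers a RAM disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            _overwrite_pass(f, size, secrets.token_bytes)
        _overwrite_pass(f, size, lambda n: b"\x00" * n)
    return size


def wipe_file(path: str, passes: int = 3) -> bool:
    """Overwrite the file, rename it so the original name does not survive
    in the directory entry, then unlink it. True once the path is gone."""
    overwrite_file(path, passes)
    dst = os.path.join(os.path.dirname(os.path.abspath(path)), secrets.token_hex(8))
    os.replace(path, dst)
    os.remove(dst)
    return not os.path.exists(path)


def demo_wipe() -> dict:
    """Constructed scenario: a batch file with a hard-coded password was
    left on disk. Overwrite it, read it back, then remove it."""
    secret = b"Passw0rd!"
    script = b"net user alice " + secret + b" /domain\r\n"  # constructed sample
    fd, path = tempfile.mkstemp(suffix=".cmd")
    with os.fdopen(fd, "wb") as f:
        f.write(script)
    size = overwrite_file(path, passes=2)
    with open(path, "rb") as f:
        after = f.read()
    return {
        "size_preserved": size == len(script) == len(after),
        "secret_gone": secret not in after,
        "all_zero": after == b"\x00" * len(script),
        "unlinked": wipe_file(path),
    }


if __name__ == "__main__":
    print(demo_wipe())
    print(rotate_accounts(["alice", "bob"], lambda u, p: None), "accounts rotated")
```

rotate_accounts is the path to prefer: the password exists only in a buffer that is zeroed the moment the directory call returns, which is the in-RAM discipline the column reaches for with a RAM disk. wipe_file is the fallback for a script that has already been written to disk, and it has exactly the limitation the file-eraser tools named above have: it overwrites the file's own blocks, not a journal entry, a snapshot, an editor's backup copy or a remapped flash block, so treat it as damage control rather than a guarantee.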
Keep in mind that Microsoft's sample RAM disk code works only on Windows 2000. The Microsoft article "FILE: Ramdisk.sys sample driver for Windows 2000" cautions that if you use the code on Windows XP, it could render the System Restore features useless.
http://list.windowsitpro.com/t?ctl=1BEE5:4FB69

Finally, you might use a thumb drive, which can essentially act like a RAM disk. Or you could use an MP3 player or digital camera as an additional disk drive on your system, then detach it when you're finished using it. As with hard disks and RAM disks, be absolutely certain that you delete any sensitive information the drive contains, then erase the unused space repeatedly.

====================

==== Sponsor: Panda Software ====
Provide Secure Remote Access

It may be tempting to deploy a WiFi wireless access point or offer PDAs or laptops to your roaming employees so they can work from virtually anywhere. In this free white paper you'll get the important security implications you should consider before you do so.
http://list.windowsitpro.com/t?ctl=1BED0:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=1BED6:4FB69

Windows Server 2003 R2 Ready to Go
Microsoft released Windows Server 2003 Release 2 (R2) to manufacturing. The updated version of the OS brings new features and functionality. A key security focus area for Microsoft is identity management, which is based on the capabilities of Active Directory (AD). R2 also brings improvements to virtual machine (VM) technology, branch office management, and storage management (first URL below). For a more in-depth look at R2, see "R2 Moves Windows Server 2003 Forward" (second URL below).
http://list.windowsitpro.com/t?ctl=1BEDF:4FB69
http://list.windowsitpro.com/t?ctl=1BEE0:4FB69

Two Microsoft Security Bulletins Released in December
Microsoft released two security patches yesterday: one rated critical and the other, important. Microsoft also released five high-priority nonsecurity updates. As usual, the company also released an updated version of its Malicious Software Removal Tool (MSRT). For Randy Franklin Smith's analysis of the security bulletins, go to
http://list.windowsitpro.com/t?ctl=1BEDB:4FB69

Easy 802.11g Security
Many inexpensive wireless APs emphasize ease of setup at the expense of security. Jeff Fellinge helps you secure your wireless network in this article on our Web site.
http://list.windowsitpro.com/t?ctl=1BEDE:4FB69

====================

==== Resources and Events ====

SQL Server 2005: Up & Running Roadshows Coming to Europe!
SQL Server experts will present real-world information about administration, development, and business intelligence to help you put SQL Server 2005 into practice and learn how to use its new capabilities. Includes one-year PASS membership and subscription to SQL Server Magazine. Register now for London, UK, and Stockholm, Sweden, at
http://list.windowsitpro.com/t?ctl=1BED2:4FB69

Upgrade to Analysis Services 2005
Get the tips and tricks you'll need to upgrade to Analysis Services 2005, including possible upgrade and migration scenarios, preplanning steps, and tips on running the new Analysis Services migration wizard. Plus, you'll discover what steps are required after the migration process is complete and explore some of the new features of Analysis Services 2005.
http://list.windowsitpro.com/t?ctl=1BECF:4FB69

Are You Really Prepared for Disaster Recovery?
Join industry guru Liam Colvin in this free Web seminar and get the tips you need to validate your disaster recovery data.
You'll learn if your backup and restore data is worth staking your career on, what type of geo-clustering is right for you, which response to use in crisis situations, and more!
http://list.windowsitpro.com/t?ctl=1BECE:4FB69

Scripting and code don't have to be boring. Subscribe today to Scripting Central and get a down-and-dirty technical yet lighthearted look at scripts. You'll also get tools and tips for writing scripts for a variety of Windows applications, such as Exchange and SQL Server. Sign up today!
http://list.windowsitpro.com/t?ctl=1BEE7:4FB69

Do You Know What "High Availability" Really Means?
Learn what high availability really means and the different strategies that you can use to improve your email systems' availability and resiliency. Download this FREE guide now and get prepared to choose the appropriate solutions to protect your messaging data at the lowest cost and with the highest reliability.
http://list.windowsitpro.com/t?ctl=1BED5:4FB69

Black Hat Federal Briefings and Trainings
January 23-26, 2006, Sheraton Crystal City, Washington, DC. This new show--with 4 Briefings tracks and 11 Training classes--focuses on the problems and issues that governments face in protecting their infrastructure. Content will be oriented toward attack and defense, rootkit detection to IDS evasion. Stellar speakers include Michael Lynn, Simson Garfinkel, Halvar Flake, and Dan Kaminsky. Visit
http://list.windowsitpro.com/t?ctl=1BEE9:4FB69
for complete updates.

====================

==== Featured White Paper ====

Ensure Data Protection and High Availability for Microsoft Exchange
Having a mission-critical, data protection solution that is cost effective, hardware independent, and scalable is something every IT manager should consider. In this free white paper, get all you need to know about ensuring data protection and high availability for Exchange. This is one paper you can't afford to miss!
Get your copy today at
http://list.windowsitpro.com/t?ctl=1BED4:4FB69

====================

==== Hot Spot ====

Protect and Manage Instant Messaging
85% of businesses use IM for business or personal use to improve communication and reduce email usage. In this free white paper learn how to protect your company and implement a managed IM security solution!
http://list.windowsitpro.com/t?ctl=1BED1:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Cisco Developers Might Be Up Late This Holiday Season
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=1BEE3:4FB69
Mike Lynn encountered difficulty early this year in his attempts to discuss a flaw in Cisco hardware at the Black Hat conference in Las Vegas. He apparently knows of 15 more flaws in Cisco hardware. But the story gets even worse. Read about it in this blog article on our Web site.
http://list.windowsitpro.com/t?ctl=1BEDC:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=1BEE1:4FB69
Q: How do I enable HTTP Secure (HTTPS) traffic on my Microsoft IIS 6.0 Web server site by using my local forest Certificate Authority (CA)?
Find the answer at
http://list.windowsitpro.com/t?ctl=1BEDD:4FB69

Security Forum Featured Thread: Host-based Firewalls for Windows Server 2003
A forum participant wonders if someone can suggest a very powerful and easy to manage (locally and remotely) host-based firewall solution that runs on Windows Server 2003 and includes robust reporting and alerting features. Join the discussion at
http://list.windowsitpro.com/t?ctl=1BECC:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

The Windows IT Pro Master CD has it all.
Get the Windows IT Pro Master CD and get portable, high-speed access to the entire Windows IT Pro article database on CD--that's a library of more than 9000 articles! The newest issue includes BONUS Windows IT Tips; sign up now, and you'll SAVE 25%.
Offer ends 12/31/05, so take advantage of this holiday offer now.
http://list.windowsitpro.com/t?ctl=1BED7:4FB69

Exchange & Outlook Administrator Newsletter--Holiday Special
Need answers to your tough Exchange questions? Subscribe to the Exchange & Outlook Administrator newsletter and SAVE up to $30 off the regular price. Each issue features tools and solutions you won't find anywhere else to help you migrate, optimize, administer, back up, recover, and secure Exchange and Outlook. Paid subscribers also get searchable access to the full online Exchange article database (more than 1000 articles). Order now:
http://list.windowsitpro.com/t?ctl=1BED9:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Security Appliance Line Gets Software Upgrade, New Models
Network Engines is shipping version 3.0 software for all its NS Series Security Appliances, including two new models: NS6250 and NS8400. The new features in 3.0 deliver platform extensibility, management integration into the Microsoft Operations Manager (MOM) environment, and advanced protection for Web-based communications, including Web content security for Microsoft Exchange, SharePoint Portal server, and IIS. The NS Series is a family of multifunctional security appliances based on Microsoft Internet Security and Acceleration (ISA) Server 2004 and designed for small and midsized businesses (SMBs) and remote offices. The new NS6250 is a lower cost solution for smaller businesses or branch locations; the NS8400 is the highest performance platform to date. List pricing for the NS Series ranges from $3795 to $16,495.

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column.
Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=1BEE6:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=1BEDA:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Sun Dec 18 15:42:57 2005
From: isn at c4i.org (InfoSec News)
Date: Sun Dec 18 16:05:31 2005
Subject: [ISN] 'BT worker' fingered for X-Factor betting scam
Message-ID:

http://www.theregister.co.uk/2005/12/14/bt_betting/

By Tim Richardson
14th December 2005

BT is investigating allegations that one of its workers is at the centre of a betting scam that made thousands of pounds from TV shows such as the X Factor.
These shows - including Celebrity Fame Academy, Hell's Kitchen, and Strictly Come Dancing - involve viewers voting by phone, text or online for their favourite contestants.

The Mirror reports that a BT insider who had access to the shows' voting database fed the results to a betting syndicate before they were made public to viewers on the live TV shows. The gang then placed bets at betting exchange Betfair.com on the outcome of the voting, netting a fortune.

Since the scammers - thought to be "well educated" men - already knew the result, their bets were a dead cert and raked in some £105,000 from the betting scams. However, staff at Betfair became suspicious and called in police.

One "friend of the mob" told the paper: "The guys knew they could not lose. It is corrupt. At first it was small amounts but they were caught out when they got greedier."

A spokesman for BT told us: "We have launched an urgent investigation into the allegations in today's Daily Mirror, but we cannot say more at this stage.

"However, one thing we would like to make clear is that this does not affect the integrity of the result. It is impossible to tamper with the results to affect the outcome in any way - the viewers' choice will win."

From isn at c4i.org Sun Dec 18 15:54:29 2005
From: isn at c4i.org (InfoSec News)
Date: Sun Dec 18 16:06:30 2005
Subject: [ISN] List downtime...
Message-ID:

Infosec News junkies have noticed a little longer downtime than usual, as it turns out, Attrition.org has some hardware failures and the decision was made to dip into their sushi/calamari/booze fund and purchase a new server.

I'm hoping, knock on wood that things should be back to normal just in time for me to wish all of you a happy holidays, only to disappear again for Christmas and watch as my nephews break all their presents in fairly short order. ;)

Thank you for your support!
William Knowles
wk@c4i.org

From isn at c4i.org Wed Dec 21 01:36:40 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 21 01:42:29 2005
Subject: [ISN] Hackers Break Into Computer-Security Firm's Customer Database
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/12/19/AR2005121900928.html

By Brian Krebs
washingtonpost.com Staff Writer
December 19, 2005

Guidance Software -- the leading provider of software used to diagnose hacker break-ins -- has itself been hacked, resulting in the exposure of financial and personal data connected to thousands of law enforcement officials and network-security professionals.

Guidance alerted customers to the incident in a letter sent last week, saying it discovered on Dec. 7 that hackers had broken into a company database and made off with approximately 3,800 customer credit card numbers. The Pasadena, Calif.-based company said the incident occurred sometime in November and that it is working with the U.S. Secret Service on a more detailed investigation.

Michael G. Kessler, president of New York City-based computer-forensics investigative firm Kessler International, received a letter notifying him that the company's American Express card was among those compromised by the attackers. Kessler received the notice from Guidance at the same time that a company credit-bill arrived with what he said were $20,000 in unauthorized charges for pay-per-click advertising at Google.com.

"I just got our American Express bill and nearly fell out of my chair," Kessler said. "You'd think Guidance would be the last company this kind of thing would happen to."

Guidance's EnCase software is used by hundreds of security researchers and law enforcement agencies worldwide, including the U.S. Secret Service, the FBI and New York City police.
John Colbert, the company's chief executive officer, said Guidance alerted all of its customers less than two days after discovering the break-in, and that it would no longer store customer credit card data.

"This certainly highlights the fact that intrusions can happen to anybody and that nobody should be complacent about security," he said. Colbert declined to discuss further details of the attack, citing the ongoing investigation.

Guidance stored customer records in unencrypted databases, and indefinitely retained customers' "card value verification" (CVV) numbers, the three-digit codes on the back of credit cards that are meant to protect against fraud in online and telephone sales, according to Colbert and the notification letter sent to customers.

Merchant guidelines published by both Visa and Mastercard require sellers to encrypt customer credit-card databases. They are also prohibited from retaining CVV numbers for any longer than it takes to verify a given transaction. Companies that violate those standards can be fined $500,000 per violation. Credit card issuers generally levy such fines against the bank that processes payment transactions for the merchant that commits the violations. The fines usually are passed on to the offending company.

Secret Service and FBI customers were among those whose information was included in the hacked database, Colbert said, but he declined to say whether credit card information belonging to those agencies was compromised. Secret Service spokesman Eric Zahren would only confirm that the agency is investigating the break-in. FBI officials could not be immediately reached for comment.

Kessler said several of his company's employees also received notices. Among the items Guidance said were taken by hackers were company employees' names, addresses, telephone numbers, credit card numbers, card expiration dates and card verification numbers.
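The data-minimization rule the article describes (no full card numbers at rest, and the CVV used only for the authorization and then discarded) is easier to get right if the storable record is built by code that structurally cannot carry the CVV. The following is an added illustration, not Guidance's code or any card brand's reference implementation; the HMAC-based token, the Luhn-and-shape "authorization" stand-in and the key constant are assumptions made for the example. Note that in a real deployment the processor call is the only thing that ever sees the CVV, and the token key lives in an HSM or key vault.

```python
"""Keep only what a merchant may store about a card after authorization.

Added example (not from the article): the storable record carries a keyed
token, last four digits and expiry; the full PAN is never written and the
CVV is consumed by the authorization step and then discarded.
"""
import hashlib
import hmac
import re

# Key for the HMAC tokenizer. Constructed placeholder; a real deployment
# keeps this in an HSM or key vault, not in source.
TOKEN_KEY = b"example-token-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: double every second digit counting from the right."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Deterministic keyed token so repeat customers can be matched without the PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def authorize(card: dict) -> bool:
    """Stand-in for the processor call, the only consumer of the CVV (assumption).
    Here it checks the Luhn checksum and that the CVV has a plausible shape."""
    return luhn_valid(card["pan"]) and re.fullmatch(r"\d{3,4}", card["cvv"]) is not None


def build_storable_record(card: dict) -> dict:
    """Authorize, then return the minimized record; raise if authorization fails."""
    pan = re.sub(r"\D", "", card["pan"])
    if not authorize({**card, "pan": pan}):
        raise ValueError("authorization failed")
    # Only these fields persist. No 'pan' and no 'cvv' key is ever copied.
    return {
        "cardholder": card["name"],
        "token": tokenize(pan),
        "last4": pan[-4:],
        "expiry": card["expiry"],
    }


if __name__ == "__main__":
    # Constructed test card (the well-known Luhn-valid 4111... sample number).
    sample = {"name": "A. Customer", "pan": "4111 1111 1111 1111",
              "expiry": "12/07", "cvv": "123"}
    print(build_storable_record(sample))
```

Because `build_storable_record` constructs a fresh dict from named fields, a later change that adds a column to the persisted table cannot accidentally pull the CVV along; that is the property auditors look for when they ask whether CVV retention is "impossible" rather than merely "not done".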
Another security professional who got the notification letter said he was surprised that the company did not detect the intrusion for nearly two weeks, a lapse in time that could make it much more difficult to catch the perpetrators.

"Unfortunately, most cyber crimes require being worked very quickly in order to gather data before it is purged either by attackers or just in the normal course of business," said Doug Rehman, president of Rehman Technology Services in Mount Dora, Fla., who learned that his credit card and personal data had been exposed.

"Hopefully this incident will be a call for our community to wake up, particularly the vendors who ought to be among the forefront of in dealing with security issues," Rehman said.

The intrusion at Guidance caps a year marked by an unprecedented number of disclosures about hacker break-ins at major corporations that hold customer data. Many of those attacks targeted law enforcement entities indirectly or directly.

In March, data aggregator LexisNexis acknowledged that hackers had illegally accessed information on more than 310,000 consumers, an attack that was later determined to have been launched after hackers broke into computers used by at least two separate police departments.

Last week, investigators at CardCops.com found that a digital intrusion at a company that manufactures police name badges had compromised the personal information and credit card accounts belonging to dozens of police departments and officers.

Krebs is a reporter for washingtonpost.com.

© 2005 Washingtonpost.Newsweek Interactive

From isn at c4i.org Wed Dec 21 01:37:04 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 21 01:43:19 2005
Subject: [ISN] ABN Amro eyes electronic data transfers after tape loss incident
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,107239,00.html

By Lucas Mearian
DECEMBER 20, 2005
COMPUTERWORLD

ABN Amro Mortgage Group Inc.
has decided it will no longer send data tapes to its credit reporting bureaus after one of those tapes -- with the private information of more than 2 million customers on it -- went missing a month ago (see "Update: Missing ABN Amro tape with 2 million names found" [1]).

Instead, according to ABN Amro Mortgage Group CEO Thomas Goldstein, the company will encrypt data and send it over secure networks when possible. Otherwise, it will use special couriers in an effort to avoid another tape loss.

Those changes were announced on the same day the company said it had located the missing tape containing sensitive data about residential mortgage customers, which was lost Nov. 18 while being transported by a delivery service to a credit reporting company. The tape was found yesterday, three days after the company began notifying customers that it had been lost.

On Friday, ABN Amro told customers that the tape was lost while being transported by DHL Worldwide Express delivery service from a data center run by a subsidiary of LaSalle Bank Corp. in Chicago to an Experian Information Solutions Inc. credit bureau facility in Allen, Texas. The tape contained the names, account information, payment histories and social security numbers for residential mortgage customers, according to the letter ABN Amro sent customers last week.

Goldstein said during today's press conference that the search for the tape by ABN Amro, DHL and Experian was "exhaustive," and ended last week, at which time they decided to notify customers. Goldstein said the tape was then found yesterday. He also said there is still no evidence that the data was misused while it was missing, but he said there's no way to prove the tape wasn't read or copied while it was missing.

Goldstein said that the package containing the missing tape was found in its original sealed container by a DHL employee without the original air bill and that DHL then readdressed the package back to ABN Amro.
Despite the tape's recovery, the problems for ABN Amro didn't end today. A gift code given to customers whose information was temporarily lost to allow them to sign up for a free credit monitoring service overwhelmed a Web site run by credit reporting agency Trans Union LLC. ABN Amro said initially that it would enroll those customers in the credit monitoring service for 90 days at no cost. That time frame was extended to a year today.

Tens of thousands have already registered with Trans Union today, but "2.1 million letters going out has overwhelmed the [Trans Union] Web site," Goldstein said. "I feel terrible about the frustration our customers are having on top of just getting this notification. TU and we are working together to fix this". He said Trans Union is adding a "gateway" device to limit access to the service and notify customers when they can sign up.

As for the plans to transfer data electronically rather than by courier, Goldstein said ABN Amro has completed about 70% of a rollout of a secure data network to move data to its credit-reporting bureaus.

"The goal starting last spring was to eliminate all physical handling of tapes -- and any tape where we cannot eliminate the physical handling because the other party cannot receive [the electronic data] will go by special courier," Goldstein said. He cited FedEx Corp. as one company ABN Amro might use.

"The tape in question was to be transferred fully electronically and encrypted this month. One of the really upsetting things about this is one more month, and this couldn't have happened," Goldstein said.

ABN Amro plans to continue to use DHL to ship other packages.
[1] http://www.computerworld.com/databasetopics/data/story/0,10801,107230,00.html

From isn at c4i.org Wed Dec 21 01:37:30 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 21 01:45:54 2005
Subject: [ISN] Oracle turns to Fortify to secure source code
Message-ID:

http://www.networkworld.com/news/2005/122005-oracle-fortify.html

By Stacy Cowley
IDG News Service
12/20/05

Start-up source-code security technology developer Fortify Software scored a major triumph on Tuesday as Oracle announced plans to use Fortify's tools to seek out holes in Oracle's database and middleware software.

Oracle Chief Security Officer Mary Ann Davidson says she searched for years for automated tools to examine Oracle's source code but had been unimpressed with the available products. Fortify was the first company to listen to Oracle's description of its development process and to tailor its software to meet Oracle's needs, Davidson says.

Oracle has a code base of more than 30 million lines, and is the first top-tier commercial software developer to sign on as a Fortify customer. Other Fortify clients include a number of financial services companies, as well as Flash maker Macromedia. Identity management software developer Oblix, acquired by Oracle earlier this year, was also a customer, but Davidson says Oracle's work with Fortify predated its Oblix buy.

Fortify's software is an integrated collection of tools that scan code for secure coding policy violations and other weaknesses. Oracle has licensed the tools for its Server Technologies group, which handles development of its database, application server, identity management and collaboration suite software. Oracle's application software, including its E-Business Suite and the products Oracle acquired from PeopleSoft and other vendors, is written in a variety of programming languages and isn't a good fit for Fortify's tools, and will not be included in the deal, Davidson says.
Oracle hopes by eliminating vulnerabilities before code turns into shipped product, it will reduce the number of patches it needs to issue and improve its customers' security.

"There's lots of Band-Aid products out there that protect against attacks. You wouldn't need so many Band-Aids if you could actually have a vaccine," Davidson says.

Oracle, which once used "unbreakable" as its brand slogan, has taken a few hits on its security reputation this year after issuing a spate of critical patches. A German security firm published details of several high-risk vulnerabilities in Oracle's software after the firm said it tried for years to draw Oracle's attention to the security holes.

Fortify launched last year and now has around 50 employees. Winning Oracle's business will be a major boost to Fortify's credibility as it looks to convince more large vendors to license its security tools. Working with Oracle has helped Fortify refine its first-generation software and improve its tools' performance, Fortify CEO John Jack says.

"We now have a product that scales to the largest code base," Jack says. "It's been a great year."

From isn at c4i.org Wed Dec 21 01:38:10 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 21 01:46:58 2005
Subject: [ISN] REVIEW: "The Art of Computer Virus Research and Defense", Peter Szor
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKACVRAD.RVW 20050731

"The Art of Computer Virus Research and Defense", Peter Szor, 2005, 0-321-30454-3, U$49.99/C$69.99
%A Peter Szor pszor@acm.org
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2005
%G 0-321-30454-3
%I Addison-Wesley Publishing Co.
%O U$49.99/C$69.99 416-447-5101 800-822-6339 bkexpress@aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0321304543/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321304543/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0321304543/robsladesin03-20
%O Audience s+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 713 p.
%T "The Art of Computer Virus Research and Defense"

The preface states that the book is a compilation of research over a fifteen year period. While it is not explicitly stated, Szor seems to indicate that the primary audience for the work consists of those professionally engaged in the field of malware research and protection. (He also admits that his writing might be a little rough, which is true. While his text is generally clear enough, it is frequently disjointed, and often appears incomplete or jumpy. Illustrations are habitually less than helpful, although this can't be attributed to a lack of command of English.) Given the stature of people he lists in the acknowledgements one can hope for good quality in the technical information.

Part one deals with the strategies of the attacker. Chapter one describes games and studies of natural ecologies relevant to computer viruses, as well as the early history (and even pre-history) of these programs. I could cavil that he misses some points (such as the 1980-81 Apple virus programs at two universities in Texas), or glosses over some important events (such as Shoch and Hupp's worm experiments at Xerox PARC), but the background is much better and broader than that found in most chronicles. The beginnings of malicious code analysis are provided in chapter two, although it concentrates on a glossary of malware types (albeit incomplete and not always universally agreed) and the CARO (Computer Antivirus Research Organization) naming convention. The environment in which viruses operate, particularly hardware and operating system platform dependencies, is reviewed in chapter three.
This material is much more detailed than that given in any other virus related text. (Dependencies missing from the list seem to be those that utilize protective software itself, such as the old virus that used a function of the Thunderbyte antivirus to spread, or the more recent Witty worm, targeted at the BlackIce firewall. Companion viruses utilizing precedence priorities would seem to be related to operating system functions, but are not included in that section.) Unfortunately, the content will not be of direct and immediate use, since it primarily points out issues and relies on the reader's background to understand how to deal with the problems, but nonetheless the material is fascinating and the inventory impressive. Chapter four outlines infection strategies and is likewise comprehensive. Memory use and infection strategies are described in chapter five. The issue of viral self-protection; tactics to avoid detection and elimination; are given in chapter six. Chapter seven reviews variations on the theme of polymorphism, and also catalogues some of the virus generation kits. Payload types are enumerated in chapter eight. Oddly, botnets are mentioned neither here, nor in the material on worms, in chapter nine. (Szor's use of a modified Cohenesque definition of a virus as infecting files means that some of the items listed in this section are what would otherwise be called email viruses. His usage is not always consistent, as in the earlier mention of script viruses on page 81.) "Exploits," in chapter ten, covers a multitude of software vulnerabilities that might be used by a variety of malware categories for diverse purposes. This content is also some of the best that I've seen dealing with the matter of software vulnerabilities, and would be well recommended to those interested in building secure applications.

Part two moves into the area of defence.
Chapter eleven describes the basic types of antiviral or antimalware programs, concentrating primarily on various forms of scanning, although change detection and activity monitoring/restriction are mentioned. It is often desirable to find and disable malware in memory. The means of doing so, particularly in the hiding-place riddled Win32 system, are described in chapter twelve. Means of blocking worm attacks are discussed in chapter thirteen, although most appear to be either forms of application proxy firewalling, or (somewhat ironically) activity monitoring. Chapter fourteen lists generic network protection mechanisms, such as firewalls and intrusion detection systems, although the section on the use of network sniffers to capture memory-only worms is intriguing to the researcher. Software analysis, and the tools therefor, is covered in chapter fifteen, emphasizing functional aspects of the malware. Chapter sixteen concludes with a register of Websites for further study and reference.

For those involved in malware research, Szor's book is easily the best since Ferbrache's "A Pathology of Computer Viruses" (cf. BKPTHVIR.RVW). It contains a wealth of information found nowhere else in book form. On the other hand, it is demanding of the reader, both in terms of the often uneven writing style, and the background knowledge of computer internals and programming that is required. The text does not provide material that would be suitable for general protection of computer systems and networks. On the other hand, intelligent amateur students of malicious software will find much to reward their investigation of this book.

copyright Robert M. Slade, 2005 BKACVRAD.RVW 20050731

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
Somebody was saying to Picasso that he ought to make pictures of things the way they are--objective pictures. He mumbled that he wasn't quite sure what that would be.
The person who was bullying him produced a photograph of his wife from his wallet and said, `There, you see, that is a picture of how she really is.' Picasso looked at it and said, `She is rather small, isn't she? And flat?'
- Gregory Bateson
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Wed Dec 21 01:35:59 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 21 01:48:06 2005
Subject: [ISN] Renderman to the rescue
Message-ID:

http://www.edmontonsun.com/News/Special/2005/12/20/1361070-sun.html

By JEREMY LOOME
EDMONTON SUN
December 20, 2005

Wireless computing has exploded in popularity over the last two years. But as a local former hacker and security consultant explains, convenience comes at a price. The Sun's four-day computer security series looks at wardriving.

Renderman throws the van's wheel left and pulls onto Jasper Avenue, where the clear night is punctuated by neon. A laptop illuminates the van's darkened cab, spitting out a stream of coloured letters, numbers and names. To Renderman, they're so telling they might as well be the video screen at New York's fabled Times Square.

"If I wanted to create havoc, I could just drive down the street knocking down network after network," he says with a tinge of despair. "Can you imagine the kind of problems that would cause on Jasper Avenue, with all these offices?"

HE WAS FLATTERED

A Las Vegas magazine once described Renderman as "infamous,'' which he admits was flattering. He's only famous to other hackers. Infamous implies that Renderman is a household name, something he spent years scrupulously avoiding. Now he's made it a mission to put the other side of the story out there: hackers aren't bad guys. Some are just curious.

"Oh yeah, I could do some serious damage. That's the thing - I'm of enough moral fibre that I don't," he says.

These days, he's working hard on turning his talents into a career as a security consultant.
He has converted the van so that two antennas on the roof will pick up signals from computer network wireless access points at a distance, while another on the machine itself searches for the same on a vertical plane. The software is doing a heck of a job - more than 5,000 logged in under three hours. Of those, fully 45% have no protection on them at all.

The people who bought them, Renderman notes, were probably duped by the misconception that a wireless router is a good way to protect your computer system. In fact, it's just a convenient entry and interception point for a "wardriver," a hacker gone mobile, unless it's encrypted. And even then ... But we'll get to that in a minute.

For now, Renderman is taking time out at a stop light to gaze around at the neon. "What scares the crap out of me is the possibility of going downtown, sitting in a parkade for eight hours and having a server in the trunk, grabbing whatever connection it can, firing off a million addresses, and when it's done that, seeing what else is out there and firing off another million. The whole drive-by spamming thing is a very real possibility."

There are points when the exercise becomes downright scary. The machine logs unprotected or poorly protected access points at a major car dealership, the debit and credit card line at a major grocery store chain, a law office, numerous government offices and just about every hotel room downtown. There are even a couple that register as being 20 metres away, when the only building 20 metres from the Impark pay lot in which we're situated is a police station.

The easiest and most common thefts associated with wardriving are from intercepting e-mail transmissions, although a sophisticated hacker could also use them to run a "shell'' program allowing control of the remote terminal.

Occasionally, he points to one of the names scrolling by, each attached by its owner to a particular wireless router. "Lousy security - wake up," says one.
"Someone's got in there already and had a little fun," he notes.

EXASPERATED

He's having fun too, but Renderman is also exasperated.

"The trick with all of this is that people don't think about it. They get the wireless set up, they think 'oh yeah, we're high tech now,' and they don't think to themselves 'why are we doing this? Do we have a need for a wireless network?'"

Five years ago, there were fewer than 100 wireless access points in the city. The advent of cheap wireless routers and the explosion of laptop use has changed that dramatically. There are now upwards of 20,000 and few of them take protection very seriously, despite Edmonton being a city full of corporate and government offices.

One of Render's favourite cruising spots is at the University of Alberta, where students and some of the faculties routinely have routers that haven't even been renamed. Each shows up either as "default" or as brand names like "Linksys."

He points out that the university's internal network is well-protected. But there's nothing protecting wireless users in the point between their laptop and the connection hub.

"The university has this whole captive portal set up so that you have to have a valid account to log in before it will let you out to the rest of the Internet," he says. "That's fine. I was playing between the space between the client and the access point. I didn't record any of the passwords or anything.

"I just piped them all to the Linux (operating system) recycle bin.

"I was sitting there sipping on a cup of Tim Hortons coffee, looking at my laptop and all those students are sitting there just wide open, and all it takes is one computer science student who gets an idea in his head to make a whole bunch of people's lives difficult."

In the years that he's honed his craft, Renderman has spent as much or more time warning people about poor security as trying to compromise it.
We pass one connection for someone named "The Black Pearl." It's not only ghosted so that few can see it, it's also encrypted with WPA2, a much tougher new standard, and with other security Kismet doesn't recognize.

He figures an encrypted wireless hub is kind of like having a car alarm: it doesn't really make you safe, but it might make the thief pick an easier target.

- - -

Of course, toughness is relative. Some people think actor Russell Crowe is a tough guy. But he'd be dogmeat to a mixed martial arts expert.

Thus it is with encryption: from the day it's issued, there are tough guys out there trying to break it down.

A year ago, WEP - or Wired Equivalent Privacy, the frequently unused encryption that comes with some routers - was still aptly named. Then some hacker figured out that all you had to do was intercept enough data to see a repeating number sequence, which in all likelihood is the encryption key to the wireless router.

A HACKER'S DREAM

A few miles away from Jasper, Leonard Rogers teaches a class of NAIT students to intercept "packets" - the small, separate pieces of data transferred between networked computers. Wireless computers are a hacker's dream, because the packets are transmitted through thin air, which means anyone can grab them legally, as long as they don't open them.

"I did a WEP test yesterday and it basically took me no time at all to get through it. I managed it seven times in a row and I think the best time was four minutes and 27 seconds," he says. "And most home users don't even bother to set it up, that's the scary part."

The fact that Rogers is an expert isn't really the point. Freely available software on the Internet known by the nickname "warez" does most of the work. One such program not only captures packets, it opens them, separates content into categories for easy reading and generally inserts encryption lines into the "header" - the form at the top of the window.
Another disguises itself as an open wireless hub, then connects itself with the real one it's imitating. When a computer user connects, he's really connecting to the hacker's laptop, which can then grab anything the hacker wants before allowing the packets of data to continue on to the hub.

The only difference, in the end, is that Rogers can crack WEP a little faster than most; hackers interviewed by the Sun required more than 100,000 packets on average and took between six and eight minutes to do what Rogers did in four.

"The truth is, the tools are out there and readily available to perform any kind of attack," he says. "The truth is we've developed an entire generation of computer users who understand what they can do but not how they work. We didn't develop a moral code behind it.

"We've taught our kids that computers are a tool that can be used, but we haven't necessarily taught them what they should and shouldn't be used for, so it's often open to interpretation."

And they don't really have to be good at hacking, because time is on their side: anyone using WEP alone is unlikely to be paying enough attention to catch them anyway.

- - -

Nervous yet? You probably shouldn't be. Being vulnerable still doesn't make being hacked likely. And even if an average home user's hub is accessed, most of the time it will just be by someone using it for their own Internet connection.

Wireless networks at companies are another matter. When he's not working as Renderman, Brad Haines offers his services up as a security consultant to local firms who risk losing sensitive personal data.

As we drive by a car dealership, his laptop goes into overdrive, spitting out a series of red and yellow lines of text indicating an unencrypted network.

"If I'm a customer there, I don't even want to know that," he says. "Can you imagine the information they're transmitting? Credit reports, card numbers, bank transactions."
Hackers and wardrivers generally have two motivating factors: money and challenge. The former is the domain of professionals and, as Rogers puts it, "they're so good, you'd never even know they were there. These are people who spend weeks researching a target and knowing everything they can about it before the attack. They get in, they get out, and no one's the wiser."

The rest is usually the domain of disgruntled teenagers.

Renderman, however, is a different cup of tea, and is quick to note that many older hackers graduate from kiddie pranks to trying to teach others. He gained some prominence a few years ago when the Canadian Security and Intelligence Service put out a press release warning the public of Renderman's "wardriving."

But to understand the guy, you need to know just a few things: one, he can pick a regular lock with regular tumblers in about 12 seconds. Two, he's recognizable by his trademark black fedora and, on more formal occasions, his zoot suits.

He explains the former: "You know the kid who's always taking things apart? Well, I was always generally able to take them apart and put them back together in working order. And sometimes I could make them better. It's the challenge that makes you curious. A lock is a barrier to get past."

He just smiles at the suggestion that perhaps the getup is his superhero suit: just as Superman is recognizable by his red cape and that stylized "S," Renderman can be picked out in a crowd by his fedora, usually fighting for his own quirky perspectives on truth, justice and the Internet way.

That doesn't mean he's become mainstream, far from it. He has found security consulting tougher than expected, because moral convictions get in the way of his ability to work with some large companies.

A POLICE CAR ROLLS BY

He's also the first to defend some hackers' actions that companies and authorities deem offensive.
A police car rolls by as we sit and monitor the laptop, and the driver peers into our car to see what we're up to.

"That's always a bit nervewracking because you're never sure if you're going to get some overzealous guy who doesn't know it isn't illegal as long as you don't try to read the signals you intercept," he notes.

I tell him of a conversation with a police Internet fraud specialist who described hackers and wardrivers as "sociopaths," people without remorse or empathy.

"Is it sociopathic to be curious? No. That's what this is all about. People think they've designed something that is secure for the public, and some people enjoy the challenge of testing it. Anything beyond that is up to the maturity of the individual."

TOMORROW: A futurist and an industry leader look at where computer security is heading in the next year and the decades to come.

From isn at c4i.org Wed Dec 21 01:36:24 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 21 01:49:03 2005
Subject: [ISN] ITL Bulletin for December 2005
Message-ID:

Forwarded from: Elizabeth Lennon

PREVENTING AND HANDLING MALWARE INCIDENTS: HOW TO PROTECT INFORMATION TECHNOLOGY SYSTEMS FROM MALICIOUS CODE AND SOFTWARE

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

The term malware is used to describe malicious code and malicious software that are covertly inserted into an information technology (IT) system to compromise the confidentiality, integrity, or availability of the data, applications, or operating system, or to annoy or disrupt the system's owner. Malware incidents are a significant external threat to the security of many IT systems, often causing widespread damage and disruption, and forcing users and organizations to carry out extensive, costly efforts to restore system security.
Malware includes five categories of inserted programs: viruses, worms, Trojan horses, malicious mobile code, and blended attacks. Viruses and worms are usually designed to carry out their functions without the user's knowledge. Blended attacks use a combination of techniques to insert malicious programs. Malware also includes other attacker tools such as backdoors, rootkits, and keystroke loggers, and tracking cookies which are used as spyware. Spyware, when inserted into a user's system, threatens personal privacy and enables the attacker to monitor personal activities and to carry out financial fraud.

Guide to Malware Incident Handling and Prevention: Recommendations of the National Institute of Standards and Technology

NIST's Information Technology Laboratory recently published NIST Special Publication (SP) 800-83, Guide to Malware Incident Handling and Prevention: Recommendations of the National Institute of Standards and Technology. The guide assists organizations and users in planning and implementing security programs to prevent potential malware incidents and to limit damage from unforeseen incidents that might occur.

Written by Peter Mell of NIST and Karen Kent and Joseph Nusbaum of Booz Allen Hamilton, NIST SP 800-83 discusses the different types of malware and recommends prevention and incident handling techniques. The appendices provide additional resources on malware prevention and handling methods, and include detailed techniques and scenarios. A glossary of the many specialized terms used in the guide, a list of acronyms, and an extensive reference list of print and online resources are also provided.

The publication is available in electronic format from NIST's website: http://csrc.nist.gov/publications/nistpubs/index.html

Malware: What it is

Malware includes the following major categories of malicious code and programs:

* Viruses are self-replicating codes that insert copies of the virus into host programs or data files.
  Viruses often result from user interactions, such as opening a file or running a program, and include:

  o Compiled viruses that are executed by an operating system. These include file infector viruses, which attach themselves to executable programs; boot sector viruses, which infect the master boot records of hard drives or the boot sectors of removable media; and multipartite viruses, which combine the characteristics of file infector and boot sector viruses.

  o Interpreted viruses that are executed by an application. These include macro viruses that take advantage of the capabilities of the macro programming language to infect application documents and document templates; and scripting viruses that infect scripts and are understood by scripting languages processed by services on the operating system.

* Worms are self-replicating, self-contained programs that usually perform without user intervention. Worms create fully functional copies of themselves, and they do not require a host program to infect a system. Attackers often insert worms because they can potentially infect many more systems in a short period of time than a virus can. Worms include:

  o Network service worms that take advantage of vulnerabilities in network services to propagate and infect other systems.

  o Mass mailing worms that are similar to e-mail-borne viruses but are self-contained, rather than infecting an existing file.

* Trojan horses are self-contained, non-replicating programs that appear to be benign, but that actually have a hidden malicious purpose. Trojan horses either replace existing files with malicious versions or add new malicious files to systems. They often deliver other attacker tools to systems.

* Malicious mobile code is software with malicious intent that is transmitted from a remote system to a local system. The inserted programs are executed on the local system, usually without the user's explicit instruction.
  Programs delivered in this way can be used by many different operating systems and applications, such as web browsers and e-mail clients. Although the mobile code may be benign, attackers use it to transmit viruses, worms, and Trojan horses to the user's workstation. Malicious mobile code does not infect files or attempt to propagate itself, but exploits vulnerabilities by taking advantage of the default privileges granted to mobile code. Languages used for malicious mobile code include Java, ActiveX, JavaScript, and VBScript.

* Blended attacks use multiple methods of infection or transmission. A blended attack could combine the propagation methods of viruses and worms.

* Tracking cookies are persistent cookies that are accessed by many websites, allowing a third party to create a profile of a user's behavior. Tracking cookies are often used in conjunction with web bugs, which are tiny graphics on websites and which are referenced within the HTML content of a web page or e-mail. The purpose of the graphic is to collect information about the user viewing the content.

* Attacker tools might be delivered to a system as part of a malware infection or other system compromises. These tools allow attackers to have unauthorized access to or use of infected systems and their data, or to launch additional attacks. Popular types of attacker tools include:

  o Backdoors are malicious programs that listen for commands on a certain TCP or UDP port. Most backdoors allow an attacker to perform a certain set of actions on a system, such as acquiring passwords or executing arbitrary commands. Backdoors include zombies (also known as bots), which are installed on a system to cause it to attack other systems, and remote administration tools, which are installed on a system to enable a remote attacker to gain access to the system's functions and data.

  o Keystroke loggers monitor and record keyboard use.
    Some require the attacker to retrieve the data from the system, while other loggers actively transfer the data to another system through e-mail, file transfer, or other means.

  o Rootkits are collections of files that are installed on a system to alter its standard functionality in a malicious and stealthy way. A rootkit can make many changes to a system to hide the rootkit's existence, making it very difficult for the user to determine that the rootkit is present and to identify what changes have been made.

  o Web browser plug-ins provide a way for certain types of content to be displayed or executed through a web browser. Attackers often create malicious web browser plug-ins that act as spyware and monitor the use of the browser.

  o E-mail generators are programs that can be used to create and send large quantities of e-mail, such as malware, spyware, and spam, to other systems without the user's permission or knowledge.

  o Attacker toolkits include several different types of utilities and scripts that can be used to probe and attack systems, such as packet sniffers, port scanners, vulnerability scanners, password crackers, remote login programs, and attack programs and scripts.

* Common non-malware threats associated with malware include phishing, which uses computer-based means to trick users into revealing financial information and other sensitive data. Phishing attacks frequently place malware or attacker tools on systems. Virus hoaxes, which are false warnings of new malware attacks, are another common threat.

Recommendations for Preventing Malware Incidents

Organizations should protect their information and information systems from malware through their ongoing IT security planning, management, and implementation activities. NIST recommends that organizations take the following actions to prevent malware incidents and to respond effectively and efficiently to any attacks that might occur.
Develop and implement an approach to malware incident prevention, based on the attack methods that are most likely to be used, both currently and in the near future. Choose prevention techniques that are appropriate to the computing environment and system, and provide for policy statements, awareness programs for users and IT staff, and vulnerability and threat mitigation efforts.

Ensure that policies support the prevention of malware incidents and provide for user and IT staff awareness, vulnerability mitigation, and security tool deployment and configuration. Malware prevention should be stated clearly in policies, which should be as general as possible to allow for flexibility in implementation and to reduce the need for frequent updates. At the same time, policy statements should be specific enough to make their intent and scope clear and to achieve consistent and effective results. Policies should include provisions that are applicable to remote workers, both those using systems controlled by the organization and those using systems outside of the organization's control such as contractor computers, home computers, computers of business partners, and mobile devices.

Incorporate malware incident prevention and handling into awareness programs and provide guidance and training to users. Users should be alerted to the ways that malware spreads, the risks that malware poses, the inability of technical controls to prevent all incidents, and the role of users in preventing incidents. Users should be aware of policies and procedures for incident handling, including how to detect malware on a computer, how to report suspected infections, and what can be done to assist the incident handlers.

Establish capabilities to mitigate vulnerabilities and to help prevent malware incidents through documented policy, technical processes, and procedures.
Appropriate techniques or combinations of techniques should be used for patch management, application of security configuration guides and checklists, and host protection to address vulnerabilities effectively.

Establish threat mitigation capabilities to assist in containing malware incidents by detecting and stopping malware before it can affect systems. NIST strongly recommends that organizations install antivirus software on all systems when such software is available. Other technical controls that can be used are intrusion prevention systems, firewalls, routers, and certain application configuration settings.

Establish a robust incident response process capability that addresses malware incident handling through preparation, detection and analysis, containment/eradication/recovery, and post-incident activities.

  o Preparation. Develop malware-specific incident handling policies and procedures. Regularly conduct malware-oriented training and exercises; designate a few individuals or a small team to be responsible for coordinating the organization's responses to malware incidents. Establish several communication mechanisms so that coordination among incident handlers, technical staff, management, and users can be sustained if an attack occurs.

  o Detection and Analysis. Monitor malware advisories and alerts produced by technical controls, such as antivirus software, spyware detection and removal utilities, and intrusion detection systems, to identify impending malware incidents. Review malware incident data from primary sources such as user reports, IT staff reports, and technical controls to identify malware-related activity. Construct trusted toolkits on removable media that contain up-to-date tools for identifying malware, listing currently running processes and performing other analysis actions. Establish a set of prioritization criteria that identify the appropriate level of response for various malware-related incidents.

  o Containment.
    Decide who has the authority to make major containment decisions, when actions are appropriate, and the methods of containment that will be employed. Early containment can help stop the spread of malware and prevent further damage to systems. Strategies and procedures for making containment-related decisions should reflect the level of risk acceptable to the organization. Provide users with instructions on how to identify infections and what measures to take if a system is infected, but do not rely primarily on users for containing malware incidents. Use updated antivirus software and other security tools to contain incidents. Submit copies of unknown malware to security software vendors for analysis and contact trusted parties, such as incident response organizations and antivirus vendors, when guidance is needed on handling new threats. Be prepared to shut down or block services such as e-mail or Internet access to contain a malware incident and understand the consequences of doing so. Be prepared to respond to problems caused by other organizations disabling their own services in response to a malware incident. Identify those hosts infected by malware, considering users who have remote access to systems and mobile users.

  o Eradication. Be prepared to use combinations of eradication techniques simultaneously for different situations to remove malware from infected systems. Support awareness activities to inform users about eradication and recovery efforts.

  o Recovery. Restore the functionality and data of infected systems and lift temporary containment measures. Consider possible worst-case scenarios and determine how recovery should be performed, including rebuilding compromised systems from scratch or known good backups. Determine when to remove temporary containment measures, such as suspension of services or connectivity.
    Containment measures should be kept in place until the number of infected systems and systems vulnerable to infection is sufficiently low that subsequent incidents should be of little consequence. The incident response team should assess the risks of restoring services or connectivity and report to organization managers, who are responsible for assessing the business impact of maintaining the containment measures and for determining actions to be taken concerning containment.

  o Post-Incident Activity. Conduct an assessment of lessons learned after major malware incidents to prevent similar future incidents. Identify needed changes to security policy, software configurations, and the implementation of malware detection and prevention controls.

Establish malware incident prevention and handling capabilities that address current and short-term future threats and that are robust and flexible. Maintain awareness of the latest threats and the security controls that are available to combat each threat. Plan and implement appropriate controls, emphasizing the prevention of malicious incidents.

The use of malware, spyware, phishing attacks, and other attempts to collect personal information is expected to lead to future identity theft and financial fraud. Demands for better protection should drive the development of more robust spyware detection and removal utilities, and more effective antivirus software. But there is always a concern that better technical controls could make attackers even more resourceful and innovative in avoiding automated detection and taking advantage of the trust of users. Other future threats are viruses and worms that could attack PDA devices and cell phones, or that could use these devices as malware carriers. Organizations must always be aware of the latest threats and should be prepared to implement appropriate security controls to protect their IT systems.
More Information

The following Special Publications (SPs) provide help to organizations in planning and implementing effective security controls. These publications are available in electronic format from the NIST Computer Security Resource Center at http://csrc.nist.gov/publications.

NIST SP 800-28, Guidelines on Active Content and Mobile Code, discusses the security risks and security controls associated with the technology of active content.

NIST SP 800-31, Intrusion Detection Systems (IDS), provides information on installing and using intrusion detection systems.

NIST SP 800-40, Version 2, Creating a Patch and Vulnerability Management Program, helps organizations establish patch and vulnerability management programs to protect IT systems from the exploitation of vulnerabilities.

NIST SP 800-42, Guideline on Network Security Testing, describes available security testing techniques, their strengths and weaknesses, and the recommended frequencies for testing as well as strategies for deploying network security testing.

NIST SP 800-45, Guidelines on Electronic Mail Security, describes secure practices for the installation, configuration, and maintenance of mail servers and clients.

NIST SP 800-53, Recommended Security Controls for Federal Information Systems, helps organizations to identify, select, and implement needed controls, including malware protection mechanisms for workstations, servers, mobile computing devices, firewalls, e-mail servers, and remote access servers.

NIST SP 800-61, Computer Security Incident Handling Guide, describes the four phases of the incident response process -- preparation, detection and analysis, containment/eradication/recovery, and post-incident activity.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

From isn at c4i.org Wed Dec 21 01:37:18 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 21 01:50:02 2005
Subject: [ISN] IG cites Energy cybersecurity weaknesses
Message-ID:

http://www.fcw.com/article91775-12-20-05-Web

By Dibya Sarkar
Dec. 20, 2005

The Energy Department's unclassified cybersecurity program has several weaknesses that could affect critical systems, but officials are reportedly working on improving those areas, the department's inspector general said.

After examining information technology departmentwide, Inspector General Gregory Friedman wrote in a new report released yesterday that there were problems ensuring authorized access to information resources, determining whether duties and responsibilities for processing financial transactions were properly segregated, and verifying that modifications to applications and systems were properly approved and managed. He wrote that the department also didn't complete contingency planning for several systems in case of an emergency.

"These problems persisted for several reasons," Friedman wrote. "First, the department did not provide adequate oversight to ensure that previously reported problems were promptly corrected. Second, the department did not provide adequate oversight to ensure field offices [including contractors] properly implemented all federal cybersecurity requirements."

But senior managers are focused on upgrading cybersecurity, which would improve along with several other initiatives, according to the report.

In other IT areas, Friedman wrote that Energy's enterprise architecture did not fully define current and future IT requirements, and questioned whether the various enterprise architectures of the program offices fit in with the department's overall design.
Energy didn't define "the roles, responsibilities and authorities necessary to develop and implement a departmentwide architecture," or establish the scope, timetable and associated costs, he wrote.

Friedman added there is little assurance that mobile communications devices and services were managed cost effectively. "At three of the eight sites visited, our audit work disclosed that the department could have saved as much as $1.12 million annually by adopting more efficient methods for using and managing communication devices and services," he wrote.

IT was one of several management challenges, including contract administration, project management, financial management and reporting, highlighted in the IG's report. In the contract administration and project management areas, the report notes that department officials are paying closer attention to those issues and have taken steps to improve them.

Department officials are also working to improve the Standard Accounting and Reporting System (STARS), the new accounting and financial reporting system. Although it was implemented in April, Friedman wrote that officials encountered reporting difficulties, errors, unreconciled accounting data and data conversion challenges from the old system to STARS. However, he wrote that officials have addressed many of the transaction processing backlogs and are trying to resolve the data integrity and conversion issues.

Also, the department established a Chief Financial Officer Issue Resolution Tiger Team to develop a plan of action and milestones in this area, Friedman wrote, adding that the team is expected to submit a report to the deputy secretary soon.
From isn at c4i.org Thu Dec 22 02:04:01 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 22 02:13:43 2005
Subject: [ISN] Northrop Grumman wins Air Force network security deal
Message-ID:

http://www.washingtontechnology.com/news/1_1/daily_news/27638-1.html

By William Welsh
Deputy Editor
12/21/05

The aim of a new contract awarded to Northrop Grumman Corp. is to increase security of networks through which the Air Force sends both classified and unclassified information.

Northrop Grumman Information Technology of McLean, Va., will perform the work under a $14.5 million deal awarded through the Air Force's Network Centric Solutions (Netcents) contract. The company's team includes Science Applications International Corp., Booz Allen and Hamilton, X-Technologies and Innove.

Under the contract, Northrop Grumman IT will develop a system capable of judging the vulnerability of networks over their lifecycles. The system will use a mix of commercial and Defense Department software.

Additional work will include integration, testing and delivery of the so-called vulnerability lifecycle management system, which ultimately will be installed at about 130 Air Force locations worldwide. The system will be configured to exchange network and security information with the Air Force Combat Information Transport System.

Northrop Grumman, which has more than 125,000 employees and annual sales of $29.8 billion, ranks No. 2 on Washington Technology's 2005 Top 100 list of federal prime contractors.

From isn at c4i.org Thu Dec 22 02:04:18 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 22 02:14:47 2005
Subject: [ISN] Tunnel rat, global hacker, or white supremacist?
Message-ID:

http://www.stuff.co.nz/stuff/0,2106,3520386a11275,00.html

By JORDAN BAKER
Sydney Morning Herald
22 December 2005

SYDNEY: Police know him as Andrew Sanders, supposed white supremacist. His neighbours know him as a quiet 25-year-old who cannot leave home without his mum.
And computer nerds know him as Valiant, international cyber hacker. Years before the Cronulla riots prompted police to allege a link with white supremacists and raid his home, Sanders was the head of a hacking organisation called Halcon, which claimed to be the nation's most popular. Valiant, named after a Dungeons and Dragons character, was well known in the cyber world. He claimed to have developed something "remarkably similar to the New Love computer virus" and was selling copies of the notorious The Anarchist Cookbook autographed by Valiant. But Sanders became more famous than Valiant in 1999 when an organisation he was said to be linked with, the Australian Underground and Empire Loyalist Movement, claimed to have sabotaged the Australian Republican Movement's office. The republicans received a threatening fax from the group. Soon after, their phones and email broke down. Sanders, quoted as the founder of the empire group, denied any involvement: "We are against the republic and I will uphold freedom of speech to the day I die, but we would never go that far," he told the Sydney Morning Herald in 1999. However, Valiant boasted to Wired magazine that he "took out" the republican group's telecommunications. The Valiant interviewed by the Australian newsletter QuadCon sounds like a computer nut who "lives to programme" and loves to find ways to hack into systems, then alert their administrators so they can plug the hole. But things in the hacking world turned nasty. A rival group said his New Love claims were hollow and "attacked" his house to teach him a lesson, plastering his front door and car with stickers bearing their logo, the SMH reported in 2001. By early 2001, Halcon folded. Sanders blamed another hacking organisation for its demise, which he described as "the rich kids of the local hacking scene", and said the Australian scene was falling apart. These days Sanders lives with his mother, Clara, and girlfriend at a modest home in Willmot.
He is an avid "urban explorer", and investigates the tunnels and sewers of Sydney - a so-called tunnel rat. Police arrested him and four others in Ramsgate on Sunday, accusing him of being linked to white supremacist groups. Officers raided his house on Monday and said they found a haul of weapons and suspicious items. He is charged with possessing an unlicensed firearm, a prohibited weapon and an item used for disguising a face. His lawyer said much of it was related to "urban caving" and there was a dispute over the gun licence with the Firearms Registry. Sanders is stuck at home unless escorted by his mother, as part of the bail conditions set by the court. On the tunnelrats.org.au website, Sanders still calls himself Val. When asked to list his occupation, he said: "Troglodyte". His tunnel rat friends support him. Yesterday on the website, "Freak" - also known as Robert Roach - posted a message on the site's guestbook: "He is not a racist, nazi or a supremacist. I am his best mate and as ive [sic] told the media already i am Half leb half greek." Sanders's lawyer, Phillip Gibson, said: "Mr Sanders's association with any organisation in the past is irrelevant to the matters currently before the court." From isn at c4i.org Thu Dec 22 02:04:29 2005 From: isn at c4i.org (InfoSec News) Date: Thu Dec 22 02:15:53 2005 Subject: [ISN] Students suspected of hacking into computer system Message-ID: http://www.nctimes.com/articles/2005/12/21/news/coastal/21_38_0212_20_05.txt By: PHILIP K. IRELAND Staff Writer December 20, 2005 CARLSBAD ---- At least five students are suspected of breaking into a computer system last week that houses student records in the San Dieguito Union High School District, a source within the district said Tuesday. 
Four students at La Costa Canyon High School and one student from Torrey Pines High are suspected of accessing the district's system, changing grades and downloading teacher tests, said a source familiar with the investigation who spoke to the North County Times on condition of anonymity. "They had access to the whole district," the source said. "Everything." At least one student may have sold the tests to other students, the source said. Superintendent Peggy Lynch rejected the claim that student hackers gained access to the entire district that maintains student, parent and employee records. "We don't know that it was the whole network, and I don't believe that's true," Lynch said in an interview Tuesday. "I think everything I know at the moment is that no personal information was compromised ---- names, addresses, phone numbers" and Social Security numbers. Mark Kelly, a detective with the sheriff's Computer and Technology Crime High Tech Response Team leading the investigation, confirmed Monday that he has identified suspects. Kelly said he is investigating the crimes under section 502 of the California Penal Code, which deals with computer crimes such as accessing a system without permission, and knowingly copying, deleting, altering or destroying data. The crimes carry fines of up to $10,000 and three years in jail. Kelly said he was working overtime on the case, but declined to provide additional details or confirm information, saying that he didn't want to jeopardize the investigation. In a memorandum sent to school district staff at La Costa Canyon and Torrey Pines high schools, Lynch confirmed the attack. "It is apparent that there has been a breach of our network security by students," she wrote in the memo, obtained Tuesday by the North County Times. "We know that at least one teacher's test (has) been compromised and some student grades may have been altered."
The memo instructed teachers to compare paper copies of grades with electronic versions of the same grades as soon as possible. The memo also informed staff that they would be required to change their passwords. "We are taking this very seriously," Lynch wrote. "Law enforcement is involved. The Technology Department is actively taking steps to prevent this type of breach in the future." La Costa Canyon Principal Amy Carlin said Monday that she could not confirm details of the computer breach. From isn at c4i.org Thu Dec 22 02:04:42 2005 From: isn at c4i.org (InfoSec News) Date: Thu Dec 22 02:16:55 2005 Subject: [ISN] Hackers download pirate movies onto compromised PCs Message-ID: http://www.channelregister.co.uk/2005/12/21/bittorrent_botnet_attack/ By John Leyden 21 Dec 2005 Mr. Bean features in bizarre botnet attack Hackers have developed a sneaky technique for installing pirated movie files on Windows PCs infected with the lockx.exe rootkit. Doctored copies of BitTorrent are loaded on infected machines and used to download Disney movies or the film version of Mr. Bean. The motive for the bizarre (and short-lived) attack, linked to a Middle East-based group in control of the network of infected machines, remains unclear. FaceTime Communications, the firm which uncovered the attack, reckons the assault is an experiment which might be applied to far more malign purposes in future. The trick creates a scenario where an infected user might be accused of sharing copyright-protected content without ever using file-sharing software. The lockx.exe rootkit file was bundled with a variant of the notorious SDBot worm that spread across AOL's IM network in late October.
From isn at c4i.org Thu Dec 22 02:05:17 2005 From: isn at c4i.org (InfoSec News) Date: Thu Dec 22 02:18:03 2005 Subject: [ISN] Security UPDATE -- Recipe for Disaster -- December 21, 2005 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. Panda http://list.windowsitpro.com/t?ctl=1C829:4FB69 Shavlik http://list.windowsitpro.com/t?ctl=1C82E:4FB69 ==================== 1. In Focus: Recipe for Disaster 2. Security News and Features - Recent Security Vulnerabilities - Minor Problem with Software Update Services 1.0 - Microsoft Earns New Common Criteria Certifications for Windows - Use Guest Accounts to Fight Malware 3. Instant Poll 4. Security Toolkit - Security Matters Blog - FAQ 5. New and Improved - Securely Back Up to a Remote Location ==================== ==== Sponsor: Panda ==== Provide Secure Remote Access It may be tempting to deploy a WiFi wireless access point or offer PDAs or laptops to your roaming employees so they can work from virtually anywhere. In this free white paper you'll get the important security implications you should consider before you do so. http://list.windowsitpro.com/t?ctl=1C829:4FB69 ==================== ==== 1. In Focus: Recipe for Disaster ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net What do you get when you mix malicious code developers, a newly reported vulnerability in the Windows 2000 and Windows NT kernel, and a dash of social engineering? A recipe for disaster. Microsoft released Security Bulletin MS05-055 "Vulnerability in Windows Kernel Could Allow Elevation of Privilege (908523)" (URL below) and an associated patch for Windows 2000 on December 13. Due to the nature of the problem, any program could gain complete system level access to an affected system. 
No matter how you lock down the system or how many restrictions you place on user accounts, an exploit is possible, provided an intruder can cause code to run on the system. http://list.windowsitpro.com/t?ctl=1C831:4FB69 eEye Digital Security discovered the problem in May. In a press release issued the same day as Microsoft's security bulletin, eEye explained the problem in some amount of detail: "The vulnerability exists in the thread termination routine contained within NTOSKRNL.EXE. Through a specific series of steps, a local attacker can cause the code responsible for discarding queued Asynchronous Procedure Call (APC) entries to erroneously attempt to free a region of kernel data, producing a 'data free' vulnerability that may be exploited in order to alter arbitrary kernel memory, or even divert the flow of execution directly." This sounds like a rootkit writer's dream come true except that the hacker must somehow cause a malicious program to run on the computer. That's where social engineering comes into play. Because there's no direct point of attack, exploiting this vulnerability might require a blend of tactics. Blended attacks rely on the domino effect to work--an attack targets one vulnerability, which provides access to another vulnerability, in the hopes that the attacks will eventually compromise a system. The initial exploit might rely on a weakness in a Web browser, email client, media player, or other piece of software. Or the hacker might take a more direct approach--such as packaging an exploit in a virus or worm--or a sneakier tactic, for example, putting an exploit in a software package that's hard to resist, such as in a new tool that claims to be the best thing since sliced bread. Now that word is out about this vulnerability, undoubtedly people are already developing code to exploit it. In my opinion, there's only one adequate defense against a vulnerability such as this particular kernel problem. 
That defense is to install the patch on Windows 2000 machines. If you use Windows NT, there's no patch. In that case, your best defense is layered security that includes antivirus and antispyware tools and host-based Intrusion Prevention Systems (IPSs) along with reminders to yourself and your users to use extreme caution when deciding whether to install any third-party software elements. ==================== ==== Sponsor: Shavlik ==== Maximizing Network Security Against Spyware and Other Threats Spyware installation usually exploits an underlying security vulnerability in the OS. You can remove spyware, but if you don't also patch the underlying vulnerability, you don't solve the real problem. By leaving your systems open to reinfestation, you risk surging bandwidth consumption, system instability, overwhelmed Help desks, lost user productivity, and other consequences. Unauthorized applications can even result in noncompliance with regulatory requirements. This free white paper addresses the need to manage both the threats and vulnerabilities from one console as a comprehensive security solution. http://list.windowsitpro.com/t?ctl=1C82E:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=1C830:4FB69 Minor Problem with Software Update Services 1.0 Microsoft made known a minor problem with Software Update Services (SUS) 1.0 that might lead to confusion among administrators. When SUS is synchronized with systems running Windows Server 2003 Service Pack 1 (SP1) after December 12, previously approved updates might all become listed as unapproved. The problem doesn't affect SUS servers built or deployed after December 13. 
http://list.windowsitpro.com/t?ctl=1C83A:4FB69 Microsoft Earns New Common Criteria Certifications for Windows At Microsoft's Security Summit East, held December 14-15 in Washington D.C., the company announced that several of its products received Common Criteria (CC) Evaluation Assurance Level (EAL) 4 certification augmented by ALC_FLR.3. The certifications were awarded to Windows Server 2003 Standard, Enterprise, and Datacenter editions as well as Windows Server 2003 Certificate Server and Windows XP Service Pack 2 (SP2). http://list.windowsitpro.com/t?ctl=1C837:4FB69 Use Guest Accounts to Fight Malware Configure applications that are most vulnerable to a malware attack to run under low-privilege Guest accounts. Mark Burnett explains in this article on our Web site. http://list.windowsitpro.com/t?ctl=1C838:4FB69 ==================== ==== Resources and Events ==== WEB SEMINAR: Manage and reduce planned downtime to prevent unexpected outages. View this seminar today: http://list.windowsitpro.com/t?ctl=1C82D:4FB69 SQL Server 2005 Up & Running Roadshows Coming to Europe! SQL Server experts will present real-world information about administration, development, and business intelligence to help you put SQL Server 2005 into practice and learn to use its new capabilities. Registration includes one-year PASS membership and subscription to SQL Server Magazine. Register now for London, UK and Stockholm, Sweden at http://list.windowsitpro.com/t?ctl=1C82B:4FB69 WEB SEMINAR: Free tools to help you analyze threats and create Acceptable-Use Policies (AUPs) for your network. View this seminar today: http://list.windowsitpro.com/t?ctl=1C82A:4FB69 New SQL Server 2005 Express Email Newsletter! Get up to speed fast with useful database projects and tips that illustrate the fundamentals of Microsoft's new free database offering. 
Download sample applications and code, get quick tips to help you work with SQL Server 2005, learn about the latest patches, service codes and updates for SQL Server 2005 Express, and more! http://list.windowsitpro.com/t?ctl=1C83D:4FB69 WEB SEMINAR: Identify and troubleshoot common SMTP problems and learn about each component of Exchange that touches inbound and outbound messages. Live seminar: February 14, 2006. http://list.windowsitpro.com/t?ctl=1C82F:4FB69 ==================== ==== Featured White Paper ==== Learn about the most common complications that arise during litigation- related email discovery and get tips on how to avoid them. http://list.windowsitpro.com/t?ctl=1C82C:4FB69 ==================== ==== Hot Spot ==== Managing Mobility in the Enterprise Is your mobile workforce set up for success? Mobile management is a key component for your mobile strategy, but inadequate levels can have severe consequences. This free white paper will help you identify the appropriate tools to manage it effectively, and avoid increases in TCO and more. Download it today and ensure your organization's mobility success! http://list.windowsitpro.com/t?ctl=1C828:4FB69 ==================== ==== 3. Instant Poll ==== Which of the following methods do you use to secure your company's PDAs? - Run antivirus software on PDAs - Password-protect PDA functions - Encrypt important files on PDAs - Disable unnecessary short-range wireless features on PDAs - Two or more of the above - None of the above Go to the Security Hot Topic on our Web site and submit your vote http://list.windowsitpro.com/t?ctl=1C83B:4FB69 ==== 4. Security Toolkit ==== Security Matters Blog: Absolute Secure Communications? by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=1C83E:4FB69 Huge sums of money are being spent on the development of quantum cryptography. But is there a cheaper, simpler way? At least one person thinks there is, and he's written a paper to help prove it.
Find out more in this blog article. http://list.windowsitpro.com/t?ctl=1C836:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=1C83C:4FB69 Q: How can I monitor registry activity during logon and logoff? Find the answer at http://list.windowsitpro.com/t?ctl=1C839:4FB69 ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Want to Become a VIP Subscriber? Become a VIP subscriber and get continuous, inside access to ALL the online resources published in Windows IT Pro, SQL Server Magazine, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters. That's more than 26,000 articles at your fingertips. You'll also get a valuable one-year print subscription to Windows IT Pro and two VIP CDs. (CDs include the entire article database on CD, delivered twice per year.) Don't miss out ... sign up now: http://list.windowsitpro.com/t?ctl=1C834:4FB69 Windows IT Security Newsletter The Windows IT Security Newsletter is a "must-have." Subscribe now and SAVE up to $30 off the regular price. You'll discover endless fundamentals on building and maintaining a secure enterprise, in-depth product coverage of the best security tools available, and expert advice on the best way to implement various security components. Paid subscribers also get searchable access to the full online security article database (over 1900 articles). Subscribe today: http://list.windowsitpro.com/t?ctl=1C833:4FB69 ==================== ==== 5. New and Improved ==== by Renee Munshi, products@windowsitpro.com Securely Back Up to a Remote Location Asigra Televaulting is an agentless enterprise-class backup and recovery solution that features data protection by means of 256-bit encryption and authentication. With Televaulting, business-critical corporate data is processed for backup, compressed, and encrypted, then is sent to a secure offsite data vault where it's available for restoration 24 x 7.
Data is protected both while being transferred and while in storage. Asigra's software requires unique identifiers for login to the account, use of the proper encryption keys with one-way hashes used for verification, and login requests that originate from valid hardware that uses a specific IP address. For more information, go to http://list.windowsitpro.com/t?ctl=1C840:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=1C83F:4FB69 About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- salesopps@windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=1C835:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 
221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2005, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Dec 22 02:05:28 2005 From: isn at c4i.org (InfoSec News) Date: Thu Dec 22 02:19:15 2005 Subject: [ISN] Santa Claus worm strikes IM clients Message-ID: http://www.networkworld.com/news/2005/122005-santa-claus-worm.html By Tom Krazit IDG News Service 12/21/05 The Santa Claus worm doesn't care whether you've been naughty or nice, but it's making a list of PCs to infect this holiday season, according to a threat alert released by security firm IMlogic on Tuesday. A new instant messaging worm called IM.GiftCom.All is making the rounds this holiday season. Rated as a "medium" threat by IMlogic, the worm attempts to get users of the instant-messaging networks run by AOL, Yahoo and Microsoft to visit a seemingly festive Web site featuring Santa Claus. The message comes from someone already present on a user's "buddy list," said Art Gilliland, vice president of products for IMlogic. It contains a supposed link to a URL starting with "santaclause.aol.com/....." However, clicking on that link takes users to a different Web site and triggers the download of a malicious file to a user's PC, Gilliland said. That file is created using rootkit techniques, making it extremely difficult to detect with conventional antivirus or operating system tools, he said. Once resident on a system, the file tries to shut down anti-virus software and collects personal information that can be redistributed over the Internet. IMlogic has not recorded an instance where that personal information was actually sent out to the Internet, but the program does log information, Gilliland said. Users are advised to avoid clicking on anything sent through an IM system unless they have verified that the file or picture is legitimate and the sender intended to pass it along, Gilliland said. 
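The link-text trick the worm relies on (the text shown to the user names santaclause.aol.com, the link actually opens somewhere else) is a mismatch an IM or mail filter can check for before the user clicks. The C below is an added example, not code from IMlogic or from the worm: the real target address is not on the page, so the message strings in it are constructed, and the host parser is deliberately minimal.

```c
/* Added example, not IMlogic's or the worm's code: flag an IM message whose
 * displayed link text names one host while the real target opens another.
 * The host parser is deliberately minimal, and every message string in the
 * comments and tests is constructed for the example. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Copy the host part of a URL, or of bare "host/path" text, into out (lowercased).
 * Returns 0 when the text does not look like a host at all (no dot, or spaces). */
static int extract_host(const char *text, char *out, size_t outlen)
{
    const char *p = strstr(text, "://");
    p = p ? p + 3 : text;

    /* "http://trusted.example@evil.example/" : the real host follows the '@' */
    const char *at = strchr(p, '@');
    const char *slash = strchr(p, '/');
    if (at && (!slash || at < slash))
        p = at + 1;

    size_t n = 0;
    int has_dot = 0;
    while (p[n] && p[n] != '/' && p[n] != ':' && p[n] != '?' && p[n] != '#') {
        if (isspace((unsigned char)p[n]))
            return 0;
        if (p[n] == '.')
            has_dot = 1;
        n++;
    }
    if (n == 0 || !has_dot || n + 1 > outlen)
        return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)p[i]);
    out[n] = '\0';
    return 1;
}

/* 1 when the text shown to the user names a different host than the link
 * actually opens; 0 when they agree or the shown text is not URL-like. */
int link_host_mismatch(const char *shown_text, const char *href)
{
    char shown_host[256], href_host[256];
    if (!extract_host(shown_text, shown_host, sizeof shown_host))
        return 0;            /* plain words: nothing to compare */
    if (!extract_host(href, href_host, sizeof href_host))
        return 1;            /* URL-looking text but an unusable target */
    return strcmp(shown_host, href_host) != 0;
}

int main(void)
{
    /* Constructed messages; the worm's real target URL is not on the page. */
    const char *shown = "santaclause.aol.com/xmas.html";
    const char *href = "http://203.0.113.7/santa.exe";
    printf("shown %s -> href %s : %s\n", shown, href,
           link_host_mismatch(shown, href) ? "MISMATCH" : "ok");
    return 0;
}
```

The check only fires when the displayed text itself looks like a host, so ordinary "look at this" links are left alone; the user@host case is handled because that is the other common way to make a link read as a trusted domain.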
IMlogic recently identified an IM bot that produces canned assurances that a file is legitimate when the recipient replies to check its authenticity, so it's important to take extra care to verify the sender's intentions, he said. From isn at c4i.org Thu Dec 22 02:05:41 2005 From: isn at c4i.org (InfoSec News) Date: Thu Dec 22 02:20:17 2005 Subject: [ISN] Diebold Hack Hints at Wider Flaws Message-ID: http://www.wired.com/news/evote/0,2645,69893,00.html By Kim Zetter Dec. 21, 2005 Election officials spooked by tampering in a test last week of Diebold optical-scan voting machines should be equally wary of optical-scan equipment produced by other manufacturers, according to a computer scientist who conducted the test. Election officials in Florida's Leon County, where the test occurred, promptly announced plans to drop Diebold machines in favor of optical-scan machines made by Election Systems & Software, or ES&S. But Hugh Thompson, an adjunct computer science professor at the Florida Institute of Technology who helped devise last week's test, believes other systems could also be vulnerable. "Looking at these systems doesn't send off signals that ... if we just get rid of Diebold and go to another vendor we'll be safe," Thompson said. "We know the Diebold machines are vulnerable. As for ES&S, we don't know that they're bad but we don't know that they're (good) either." Thompson and Harri Hursti, a Finnish computer scientist, were able to change votes on the Diebold machine without leaving a trace. Hursti conducted the same test for the California secretary of state's office Tuesday. The office did not return several calls for comment. Information about the vulnerability comes as states face deadlines to qualify for federal funding to replace punch-card and lever machines with new touch-screen or optical-scan machines. In order to get funding, states must have new machines in place by their first federal election after Jan. 1, 2006. 
Optical-scan machines have become the preferred choice of many election officials due to the controversy over touch-screen voting machines, many of which do not produce a paper trail. Optical-scan machines use a paper ballot on which voters mark selections with a pen before officials scan them into a machine. The paper serves as a backup if the machine fails or officials need to recount votes. The hack Thompson and Hursti performed involves a memory card that's inserted in the Diebold machines to record votes as officials scan ballots. According to Thompson, data on the cards isn't encrypted or secured with passwords. Anyone with programming skills and access to the cards -- such as a county elections technical administrator, a savvy poll worker or a voting company employee -- can alter the data using a laptop and card reader. To test the machines, Thompson and Hursti conducted a mock election on systems loaded with a rigged memory card. The election consisted of eight ballots asking voters to decide, yes or no, if the Diebold optical-scan machine could be hacked. Six people voted "no" and two voted "yes." But after scanning the ballots, the total showed one "no" vote and seven "yes" votes. Diebold did not return several calls for comment. Thompson said in a real race between candidates someone could pre-load 50 votes for Candidate A and minus 50 votes for Candidate B, for example. Candidate B would need to receive 100 votes before equaling Candidate A's level at the start of the race. The total number of votes on the machine would equal the number of voters, so election officials wouldn't become suspicious. "It's self-destroying evidence," he said. "Once ... the machine gets past zero and starts counting forward for Candidate B, there's no record that at one point there were negative votes for Candidate B." Thompson said a second vulnerability in the cards makes it easy to program the voting machine so that it thinks the card is blank at the start of the race. 
This is important because before voting begins on Election Day, poll workers print a report of vote totals from each machine to show voters that the machines contain no votes. "The logic to print that zero report is contained on the memory card itself," Thompson said. "So all you do is alter that code ... to always print out a zero report (in the morning)." David Jefferson, a computer scientist at Lawrence Livermore National Laboratory and chair of California's Voting Systems Technical Assessment and Advisory Board, said that programming software on a removable memory card raises grave concerns. "The instant anyone with security sensibility hears this, red flags and clanging alarms happen," Jefferson said. "Because this software that is inserted from the memory module is not part of the code base that goes through the qualification process, so it's code that escapes federal scrutiny." The vote manipulation could conceivably be caught in states where election laws require officials to conduct a 1 percent manual recount to compare digital votes against paper ballots. Parallel monitoring, in which officials pull out random machines for testing on Election Day, might also catch vote manipulation. But Thompson says machines could be programmed to recognize when they're being tested so as not to change votes during that time. And a manual recount that only examines 1 percent of machines might not be broad enough. "The question is, if you have altered a memory card in just one of the polling places or even just on one machine, what are the chances that the machine would fall under that 1 percent?" Thompson said. "That's kind of scary." 
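A small model of the memory-card attack Thompson describes, as an added example (not Diebold's, Thompson's or Hursti's code). It uses the figures on the page: the 8-ballot mock election (6 "no", 2 "yes") on a card preloaded +5 "yes" / -5 "no", which reproduces the reported 1/7 result, and the +50/-50 candidate example. It shows why the "total equals number of voters" sanity check passes, why a zero report printed by code that lives on the card proves nothing, and that a hand count of the paper ballots does expose the card. The audit-probability function is added arithmetic for Thompson's closing question about a 1 percent manual recount; the card layout and candidate labels are assumptions.

```c
/* Added example, not Diebold's, Thompson's or Hursti's code: a model of the
 * preloaded-offset tally the article describes, with the checks it mentions.
 * The figures are the page's own (8 ballots, 6 "no" and 2 "yes"; a +50/-50
 * preload); the card layout and the audit arithmetic are assumptions. */
#include <stdio.h>

enum { CAND_A = 0, CAND_B = 1, NCAND = 2 };

struct tally {
    long count[NCAND];   /* what the card reports; a rigged card does not start at 0 */
    long ballots_seen;   /* ballots physically scanned */
};

/* An honest card starts at 0/0; a rigged card starts at +k/-k. */
void tally_init(struct tally *t, long preload_a, long preload_b)
{
    t->count[CAND_A] = preload_a;
    t->count[CAND_B] = preload_b;
    t->ballots_seen = 0;
}

void tally_scan(struct tally *t, int candidate)
{
    t->count[candidate]++;
    t->ballots_seen++;
}

/* The zero report printed before polls open. The honest version reads the
 * counters; a rigged card, whose report code lives on the card itself, can
 * simply claim "clean" regardless. */
int zero_report_honest(const struct tally *t)
{
    return t->count[CAND_A] == 0 && t->count[CAND_B] == 0;
}
int zero_report_rigged(const struct tally *t)
{
    (void)t;
    return 1;
}

/* Sanity check officials rely on: votes recorded == ballots scanned.
 * A +k/-k preload passes it because the offsets cancel in the sum. */
int tally_sum_matches_ballots(const struct tally *t)
{
    return t->count[CAND_A] + t->count[CAND_B] == t->ballots_seen;
}

/* The check that does catch it: hand-count the paper ballots and compare.
 * Returns 1 when the card disagrees with the paper. */
int hand_count_disagrees(const struct tally *t, const int *paper, long n)
{
    long hand[NCAND] = {0, 0};
    for (long i = 0; i < n; i++)
        hand[paper[i]]++;
    return hand[CAND_A] != t->count[CAND_A] || hand[CAND_B] != t->count[CAND_B];
}

/* Runs the article's mock election ("yes" = A, "no" = B; 6 no, 2 yes) on a
 * card with the given preload; returns 1 if a hand count exposes the card. */
int run_mock_election(struct tally *t, long preload_a, long preload_b)
{
    static const int paper[8] = {CAND_B, CAND_B, CAND_B, CAND_B,
                                 CAND_B, CAND_B, CAND_A, CAND_A};
    tally_init(t, preload_a, preload_b);
    for (int i = 0; i < 8; i++)
        tally_scan(t, paper[i]);
    return hand_count_disagrees(t, paper, 8);
}

/* Chance that a random manual audit of `sampled` machines out of `total`
 * includes at least one of the `rigged` ones (sampling without replacement). */
double p_rigged_machine_audited(long total, long rigged, long sampled)
{
    double p_miss = 1.0;
    for (long i = 0; i < sampled; i++) {
        if (total - rigged - i <= 0) {   /* more samples than clean machines */
            p_miss = 0.0;
            break;
        }
        p_miss *= (double)(total - rigged - i) / (double)(total - i);
    }
    return 1.0 - p_miss;
}

int main(void)
{
    struct tally t;
    tally_init(&t, 5, -5);
    printf("zero report on rigged card: honest=%d rigged=%d\n",
           zero_report_honest(&t), zero_report_rigged(&t));
    int caught = run_mock_election(&t, 5, -5);
    printf("card says yes=%ld no=%ld, sum matches ballots: %d, hand count disagrees: %d\n",
           t.count[CAND_A], t.count[CAND_B], tally_sum_matches_ballots(&t), caught);
    printf("1%% audit of 1000 machines with one rigged card: P(caught)=%.3f\n",
           p_rigged_machine_audited(1000, 1, 10));
    return 0;
}
```

With 1000 machines, one rigged card and a 1 percent sample, the audit finds it about one time in a hundred, which is the point Thompson makes; a sample sized for the margin rather than a fixed percentage is what closes that gap.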
From isn at c4i.org Thu Dec 22 02:03:49 2005 From: isn at c4i.org (InfoSec News) Date: Thu Dec 22 02:21:22 2005 Subject: [ISN] 'High' risk in Symantec antivirus software flaw Message-ID: http://news.com.com/High+risk+in+Symantec+antivirus+software+flaw/2100-1002_3-6004097.html By Colin Barker Special to CNET News.com December 21, 2005 Symantec's antivirus software contains a vulnerability that could be exploited by a malicious hacker to take control of a system, the company said late Tuesday. According to Symantec, the bug, which affects a range of the company's security products, is a "high" risk. Danish security company Secunia has labeled it "highly critical." According to an advisory issued by Secunia, the bug affects most of Symantec's products, including enterprise and home user versions of Symantec AntiVirus, Symantec Norton AntiVirus and Symantec Norton Internet Security, across the Windows and Macintosh platforms. The vulnerability is within Symantec AntiVirus Library, which provides file format support for virus analysis. "During decompression of RAR files, Symantec is vulnerable to multiple heap overflows allowing attackers complete control of the system(s) being protected," said security consultant Alex Wheeler, who first discovered the flaw. "These vulnerabilities can be exploited remotely, without user interaction, in default configurations through common protocols such as SMTP." RAR is a native format for WinRAR, which is used to compress and decompress data. So far, the vulnerability has been reported in Dec2Rar.dll version 3.2.14.3 and, according to Wheeler, potentially affects all Symantec products that use the DLL. The full list of affected products is in Secunia's advisory SA18131, summarized later in this digest. Symantec has not yet released a patch to address this problem. In the meantime, Wheeler recommends that users "disable scanning of RAR-compressed files until the vulnerable code is fixed." This is not the first vulnerability Wheeler has discovered.
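The bug class Wheeler reports here, and that the Secunia summary later in this digest (SA18131) describes as copying data based on the length field in a RAR sub-block header, looks like this in C. This is an added example, not Symantec's Dec2Rar.dll code: the sub-block layout (2-byte little-endian size field, then payload) and the 64-byte buffer are assumptions made to show the pattern, and the real RAR header format is not reproduced. The unchecked version is only ever run on a benign block.

```c
/* Added example, not Symantec's Dec2Rar.dll code. Shows the bug class from the
 * advisory on an assumed sub-block layout: 2-byte little-endian size field,
 * then payload. The real RAR header format and the library's buffer sizes are
 * not on the page and are not reproduced. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_BUF 64   /* assumed fixed-size heap buffer for one sub-block */

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable pattern: the copy length is the attacker's header field. A size
 * above BLOCK_BUF overflows the heap allocation; above in_len it over-reads.
 * Only called on a benign block in this example. */
uint8_t *copy_subblock_unchecked(const uint8_t *in, size_t in_len)
{
    if (in_len < 2)
        return NULL;
    uint16_t size = rd16le(in);
    uint8_t *buf = malloc(BLOCK_BUF);
    if (!buf)
        return NULL;
    memcpy(buf, in + 2, size);   /* BUG: size checked against neither in_len nor BLOCK_BUF */
    return buf;
}

/* Hardened form: the declared length must fit both the bytes actually present
 * and the destination. Returns NULL with *out_len = 0 for a malformed block. */
uint8_t *copy_subblock_checked(const uint8_t *in, size_t in_len, size_t *out_len)
{
    *out_len = 0;
    if (in_len < 2)
        return NULL;
    uint16_t size = rd16le(in);
    if (size > in_len - 2)
        return NULL;             /* header claims more than we were given */
    if (size > BLOCK_BUF)
        return NULL;             /* would not fit the fixed buffer */
    uint8_t *buf = malloc(BLOCK_BUF);
    if (!buf)
        return NULL;
    memcpy(buf, in + 2, size);
    *out_len = size;
    return buf;
}

/* Builds a constructed block whose header claims `claimed` bytes but carries
 * `actual` bytes of 'A' payload. Returns the block length, 0 if it won't fit. */
size_t make_subblock(uint8_t *out, size_t cap, uint16_t claimed, size_t actual)
{
    if (cap < 2 + actual)
        return 0;
    out[0] = (uint8_t)(claimed & 0xff);
    out[1] = (uint8_t)(claimed >> 8);
    memset(out + 2, 'A', actual);
    return 2 + actual;
}

int main(void)
{
    uint8_t blk[512];
    size_t n, got;
    uint8_t *b;

    n = make_subblock(blk, sizeof blk, 16, 16);          /* honest block */
    b = copy_subblock_checked(blk, n, &got);
    printf("honest 16-byte block: %s (%zu bytes)\n", b ? "accepted" : "rejected", got);
    free(b);

    n = make_subblock(blk, sizeof blk, 0xffff, 16);      /* claims 65535, carries 16 */
    b = copy_subblock_checked(blk, n, &got);
    printf("oversized claim: %s\n", b ? "accepted" : "rejected");
    free(b);
    return 0;
}
```

Both bounds matter: checking the declared size only against the input length still lets a block that genuinely carries 200 bytes overflow the 64-byte buffer, and checking only against the buffer still lets a short block over-read past the end of the archive data.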
In October, he highlighted a similar flaw in Kaspersky Lab's antivirus software, which was later acknowledged by the company. Again, it was a heap overflow vulnerability. In February, he found a different heap overflow vulnerability in Symantec's antivirus software. From isn at c4i.org Sat Dec 24 01:14:18 2005 From: isn at c4i.org (InfoSec News) Date: Sat Dec 24 01:16:28 2005 Subject: [ISN] Happy Holidays To All Message-ID: Merry Christmas to everyone reading the InfoSec News list! In the coming days as we enjoy our holiday festivities with friends and family, I ask that you take the time to remember the soldiers, support workers, and security personnel that work tirelessly to protect us. For as long as I can remember, there have always been members of the Armed Forces working on Christmas in places so far removed from the comfort and safety of their homes, and this year is no exception. As you and I open presents, these brave men and women have only the memories of holidays past to get them through the season. As we prepare for our own holiday celebrations, the staff of InfoSec News will take the time to reflect on all those who work to serve us so valiantly and all those who made the greatest sacrifice of all to guarantee our freedom. One doesn't need to be a Christian to enjoy the message of the season. Have a safe and happy holiday. Best wishes for a happy and healthy new year! 
William Knowles wk@c4i.org From isn at c4i.org Tue Dec 27 08:17:45 2005 From: isn at c4i.org (InfoSec News) Date: Tue, 27 Dec 2005 02:17:45 -0600 (CST) Subject: [ISN] Secunia Weekly Summary - Issue: 2005-51 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2005-12-15 - 2005-12-22 This week : 112 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: A vulnerability has been reported in McAfee SecurityCenter, which potentially can be exploited by malicious people to compromise a vulnerable system. Successful exploitation requires that the user is e.g. tricked into visiting a malicious website. 
For additional information please refer to the referenced Secunia advisory below. Reference: http://secunia.com/SA18169 -- Alex Wheeler has reported a vulnerability in Symantec AntiVirus, which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error in Dec2Rar.dll when copying data based on the length field in the sub-block headers of a RAR archive. This can be exploited to cause a heap-based buffer overflow and may allow arbitrary code execution when a malicious RAR archive is scanned. Many Symantec products are vulnerable to this issue. All users of Symantec products are therefore advised to see the referenced Secunia advisory for complete details about vulnerable products. Reference: http://secunia.com/SA18131 VIRUS ALERTS: Secunia has not issued any virus alerts during the week. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA18131] Symantec AntiVirus RAR Archive Decompression Buffer Overflow 2. [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability 3. [SA15368] Microsoft Internet Explorer Multiple Vulnerabilities 4. [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability 5. [SA18149] Apple QuickTime / iTunes Memory Corruption Vulnerability 6. [SA18162] VMware NAT Networking Buffer Overflow Vulnerability 7. [SA18106] Microsoft IIS Malformed URL Potential Denial of Service Vulnerability 8. [SA18078] Macromedia ColdFusion Multiple Vulnerabilities 9. [SA17934] Mozilla Firefox History Information Denial of Service Weakness 10. 
[SA18092] IBM Java SDK JRE Sandbox Security Bypass Vulnerabilities ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA18169] McAfee SecurityCenter "mcinsctl.dll" ActiveX File Overwrite Vulnerability [SA18197] Interaction SIP Proxy Buffer Overflow Vulnerability [SA18159] Information Call Center "CallCenterData.mdb" Exposure of User Credentials [SA18134] MailEnable Multiple IMAP Command Vulnerabilities [SA18133] pTools "docID" SQL Injection Vulnerability [SA18127] Honeycomb Archive SQL Injection and Cross-Site Scripting [SA18106] Microsoft IIS Malformed URL Potential Denial of Service Vulnerability [SA18097] Acidcat CMS SQL Injection Vulnerability [SA18089] iHTML Merchant Pro SQL Injection Vulnerabilities [SA18085] iCMS Cross-Site Scripting and SQL Injection Vulnerabilities [SA18079] Media2 CMS Shop "item" SQL Injection Vulnerability [SA18073] iHTML Merchant Mall SQL Injection Vulnerabilities [SA18201] SiteEnable / PortalApp "ret_page" Cross-Site Scripting Vulnerability [SA18200] IntranetApp Cross-Site Scripting Vulnerabilities [SA18199] ProjectApp Cross-Site Scripting Vulnerabilities [SA18174] UltraApps Issue Manager Privilege Escalation Vulnerability [SA18164] Dev Hound Script Insertion and Full Path Disclosure [SA18129] FarCry Search Feature Cross Site Scripting Vulnerability [SA18119] lemoon "q" Cross-Site Scripting Vulnerability [SA18118] damoon "q" Cross-Site Scripting Vulnerability [SA18070] Acuity CMS "strSearchKeywords" Cross-Site Scripting Vulnerability UNIX/Linux: [SA18111] Gentoo update for opera [SA18204] Avaya Modular Messaging POP3 Denial of Service Vulnerability [SA18192] Red Hat update for gpdf [SA18191] Red Hat update for cups [SA18189] Red Hat update for kdegraphics [SA18186] Red Hat update for netpbm [SA18180] HP-UX Software Distributor Unauthorised Access Vulnerability [SA18170] SCO OpenServer update for xloadimage [SA18161] Mandriva update for apache2 [SA18160] HP-UX WBEM 
Services Unspecified Denial of Service Vulnerability [SA18157] LiveJournal "cleanhtml.pl" Two Script Insertion Vulnerabilities [SA18124] ELOG Long Parameter Value Denial of Service Vulnerability [SA18115] SUSE update for ipsec-tools / freeswan / openswan [SA18109] Debian update for dropbear [SA18108] Dropbear SSH Server Buffer Overflow Vulnerability [SA18107] Ubuntu update for xine-lib [SA18101] SUSE Updates for Multiple Packages [SA18087] xine-lib FFmpeg libavcodec Buffer Overflow Vulnerability [SA18082] HP-UX TCP/IP "Rose Attack" Denial of Service Vulnerability [SA18165] IBM HMC OpenSSL Vulnerabilities [SA18151] Caravel CMS Cross-Site Scripting Vulnerabilities [SA18148] PlaySMS "err" Cross-Site Scripting Vulnerability [SA18146] UnixWare update for tcpdump [SA18100] UnixWare update for gzip [SA18076] Webglimpse "ID" Cross-Site Scripting Vulnerability [SA18075] Red Hat update perl [SA18071] ProjectForum Cross-Site Scripting Vulnerabilities [SA18193] Red Hat update for udev [SA18188] Red Hat update for curl [SA18156] Mandriva update for sudo [SA18139] Fedora update for kdebase [SA18105] Gentoo update for curl [SA18102] Fedora update for sudo [SA18088] AIX Multiple Privilege Escalation Vulnerabilities [SA18187] Red Hat update for perl [SA18183] SUSE update for perl [SA18172] Fedora update for fetchmail [SA18081] Gentoo update for centericq Other: [SA18179] ADTRAN NetVanta Products ISAKMP IKE Message Processing Vulnerabilities [SA18166] NEC UNIVERGE ISAKMP IKE Message Processing Denial of Service [SA18138] Ingate Firewall and SIParator Denial of Service Vulnerability [SA18103] Cisco Clean Access Manager Obsolete JSP Files Vulnerability Cross Platform: [SA18177] PhpGedView File Inclusion and PHP Code Injection Vulnerabilities [SA18131] Symantec AntiVirus RAR Archive Decompression Buffer Overflow [SA18092] IBM Java SDK JRE Sandbox Security Bypass Vulnerabilities [SA18077] Macromedia JRun Server Two Vulnerabilities [SA18184] phpBB Chatspot Module Two Vulnerabilities 
[SA18176] Blender "get_bhead()" Integer Overflow Vulnerability [SA18173] Portfolio NetPublish "template" Disclosure of Sensitive Information [SA18154] Beehive Forum Script Insertion Vulnerabilities [SA18152] Papoo SQL Injection Vulnerabilities [SA18150] phpSlash "story_id" SQL Injection Vulnerability [SA18149] Apple QuickTime / iTunes Memory Corruption Vulnerability [SA18145] Community Enterprise Cross-Site Scripting and SQL Injection [SA18121] ODFaq SQL Injection Vulnerabilities [SA18120] Komodo CMS Cross-Site Scripting and SQL Injection Vulnerabilities [SA18110] Miraserver SQL Injection Vulnerabilities [SA18099] Marwel "show" Potential SQL Injection Vulnerability [SA18094] AlmondSoft Products "id" SQL Injection Vulnerability [SA18078] Macromedia ColdFusion Multiple Vulnerabilities [SA18069] Envolution Cross-Site Scripting and SQL Injection Vulnerabilities [SA18162] VMware NAT Networking Buffer Overflow Vulnerability [SA18196] RAMSite R|1 CMS "searchfield" Cross-Site Scripting Vulnerability [SA18195] Redakto WCMS Cross-Site Scripting Vulnerabilities [SA18182] Scoop Cross-Site Scripting Vulnerabilities [SA18168] OpenEdit Cross-Site Scripting Vulnerabilities [SA18144] contenite "id" Cross-Site Scripting Vulnerability [SA18143] CONTENS "near" Cross-Site Scripting Vulnerability [SA18137] Metadot Portal Server "Group.pm" Privilege Escalation Vulnerability [SA18132] ASPBite "strSearch" Cross-Site Scripting Vulnerability [SA18130] Esselbach Storyteller CMS System "query" Cross-Site Scripting [SA18128] FLIP "name" Cross-Site Scripting Vulnerability [SA18126] Hot Banana Web Content Management Suite Cross-Site Scripting [SA18125] phpBB "Allow HTML" Script Insertion Security Issue [SA18122] AbleDesign ReSearch Cross-Site Scripting Vulnerability [SA18117] Libertas ECMS "page_search" Cross-Site Scripting Vulnerability [SA18116] Liferay Portal Enterprise Cross-Site Scripting Vulnerabilities [SA18114] Lutece "query" Cross-Site Scripting Vulnerability [SA18113] phpMyAdmin 
Cross-Site Request Forgery Vulnerability [SA18112] Cerberus Helpdesk Cross-Site Scripting and SQL Injection Vulnerabilities [SA18104] Magnolia Search Feature "query" Cross-Site Scripting Vulnerability [SA18096] AtlantForum Cross-Site Scripting Vulnerabilities [SA18095] Atlant Pro Cross-Site Scripting Vulnerabilities [SA18093] DCForum+ Cross-Site Scripting Vulnerabilities [SA18091] bbBoard "keys" Cross-Site Scripting Vulnerability [SA18090] SiteNet BBS Cross-Site Scripting Vulnerabilities [SA18086] myEZshop Shopping Cart Cross-Site Scripting and SQL Injection [SA18084] ScareCrow Cross-Site Scripting Vulnerabilities [SA18080] phpXplorer "address bar" Cross-Site Scripting Vulnerability [SA18074] AbleDesign D-Man "title" Cross-Site Scripting Vulnerability [SA18072] Red Queen Full Path Disclosure Weakness ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA18169] McAfee SecurityCenter "mcinsctl.dll" ActiveX File Overwrite Vulnerability Critical: Highly critical Where: From remote Impact: Manipulation of data, System access Released: 2005-12-21 Peter Vreugdenhil has reported a vulnerability in McAfee SecurityCenter, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18169/ -- [SA18197] Interaction SIP Proxy Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-12-21 Behrang Fouladi has reported a vulnerability in Interaction SIP Proxy, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/18197/ -- [SA18159] Information Call Center "CallCenterData.mdb" Exposure of User Credentials Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-12-20 BiPi_HaCk has discovered a security issue in Information Call Center, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/18159/ -- [SA18134] MailEnable Multiple IMAP Command Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-12-21 Tim Shelton has reported some vulnerabilities in MailEnable, which can be exploited by malicious users to cause a DoS (Denial of Service) and to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18134/ -- [SA18133] pTools "docID" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-12-20 Preddy has reported a vulnerability in pTools, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18133/ -- [SA18127] Honeycomb Archive SQL Injection and Cross-Site Scripting Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-12-20 r0t has reported two vulnerabilities in Honeycomb Archive, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/18127/ -- [SA18106] Microsoft IIS Malformed URL Potential Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-12-19 Inge Henriksen has discovered a vulnerability in Microsoft Internet Information Services (IIS), which potentially can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/18106/ -- [SA18097] Acidcat CMS SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2005-12-19 Hamid Ebadi has discovered a vulnerability in Acidcat CMS, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18097/ -- [SA18089] iHTML Merchant Pro SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-12-19 r0t has reported some vulnerabilities in iHTML Merchant Pro, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18089/ -- [SA18085] iCMS Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-12-19 $um$id has reported some vulnerabilities in iCMS, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/18085/ -- [SA18079] Media2 CMS Shop "item" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-12-19 $um$id has reported a vulnerability in Media2 CMS Shop, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18079/ -- [SA18073] iHTML Merchant Mall SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-12-19 r0t has reported some vulnerabilities in iHTML Merchant Mall, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/18073/ -- [SA18201] SiteEnable / PortalApp "ret_page" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-22 r0t has reported a vulnerability in SiteEnable and PortalApp, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18201/ -- [SA18200] IntranetApp Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-22 r0t has reported some vulnerabilities in IntranetApp, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18200/ -- [SA18199] ProjectApp Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-22 r0t has reported some vulnerabilities in ProjectApp, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18199/ -- [SA18174] UltraApps Issue Manager Privilege Escalation Vulnerability Critical: Less critical Where: From remote Impact: Privilege escalation Released: 2005-12-21 Information Risk Management Plc. has reported a vulnerability in UltraApps Issue Manager, which can be exploited by malicious users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/18174/ -- [SA18164] Dev Hound Script Insertion and Full Path Disclosure Critical: Less critical Where: From remote Impact: Cross Site Scripting, Exposure of system information Released: 2005-12-22 Donnie Werner has reported a weakness and a vulnerability in Dev Hound, which can be exploited by malicious users to disclose system information and conduct script insertion attacks. 
Full Advisory: http://secunia.com/advisories/18164/ -- [SA18129] FarCry Search Feature Cross Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-20 r0t has reported a vulnerability in FarCry, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18129/ -- [SA18119] lemoon "q" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-19 r0t has reported a vulnerability in lemoon, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18119/ -- [SA18118] damoon "q" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-19 r0t has reported a vulnerability in damoon, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18118/ -- [SA18070] Acuity CMS "strSearchKeywords" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-19 r0t has reported a vulnerability in Acuity CMS, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18070/ UNIX/Linux:-- [SA18111] Gentoo update for opera Critical: Highly critical Where: From remote Impact: System access Released: 2005-12-19 Gentoo has issued an update for opera. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/18111/ -- [SA18204] Avaya Modular Messaging POP3 Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-12-21 A vulnerability has been reported in Avaya Modular Messaging, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18204/ -- [SA18192] Red Hat update for gpdf Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-12-21 Red Hat has issued an update for gpdf. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/18192/ -- [SA18191] Red Hat update for cups Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-12-21 Red Hat has issued an update for cups. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/18191/ -- [SA18189] Red Hat update for kdegraphics Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-12-21 Red Hat has issued an update for kdegraphics. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/18189/ -- [SA18186] Red Hat update for netpbm Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-12-21 Red Hat has issued an update for netpbm. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/18186/ -- [SA18180] HP-UX Software Distributor Unauthorised Access Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2005-12-21 A vulnerability has been reported in HP-UX, which potentially can be exploited by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/18180/ -- [SA18170] SCO OpenServer update for xloadimage Critical: Moderately critical Where: From remote Impact: System access Released: 2005-12-21 SCO has issued an update for xloadimage. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/18170/ -- [SA18161] Mandriva update for apache2 Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-12-20 Mandriva has issued an update for apache2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18161/ -- [SA18160] HP-UX WBEM Services Unspecified Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-12-20 A vulnerability has been reported in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18160/ -- [SA18157] LiveJournal "cleanhtml.pl" Two Script Insertion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-20 Two vulnerabilities have been reported in LiveJournal, which can be exploited by malicious people to conduct script insertion attacks. 
Full Advisory: http://secunia.com/advisories/18157/ -- [SA18124] ELOG Long Parameter Value Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-12-20 sk has discovered a vulnerability in ELOG, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18124/ -- [SA18115] SUSE update for ipsec-tools / freeswan / openswan Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-12-20 SUSE has issued updates for ipsec-tools / freeswan / openswan. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18115/ -- [SA18109] Debian update for dropbear Critical: Moderately critical Where: From remote Impact: System access Released: 2005-12-19 Debian has issued an update for dropbear. This fixes a vulnerability, which potentially can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18109/ -- [SA18108] Dropbear SSH Server Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2005-12-19 A vulnerability has been reported in Dropbear SSH Server, which potentially can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18108/ -- [SA18107] Ubuntu update for xine-lib Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-12-19 Ubuntu has issued an update for xine-lib. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/18107/ -- [SA18101] SUSE Updates for Multiple Packages Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data, DoS Released: 2005-12-19 SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious people to conduct SQL injection, script insertion, and cross-site scripting attacks, and to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18101/ -- [SA18087] xine-lib FFmpeg libavcodec Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-12-19 A vulnerability has been reported in xine-lib, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/18087/ -- [SA18082] HP-UX TCP/IP "Rose Attack" Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-12-16 A vulnerability has been reported in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18082/ -- [SA18165] IBM HMC OpenSSL Vulnerabilities Critical: Less critical Where: From remote Impact: Security Bypass, Exposure of sensitive information Released: 2005-12-20 IBM has acknowledged some vulnerabilities in IBM HMC, which can be exploited by malicious, local users to gain knowledge of sensitive information, and potentially by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/18165/ -- [SA18151] Caravel CMS Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-20 r0t has reported some vulnerabilities in Caravel CMS, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/18151/ -- [SA18148] PlaySMS "err" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-20 M.o.H.a.J.a.L.i has discovered a vulnerability in PlaySMS, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18148/ -- [SA18146] UnixWare update for tcpdump Critical: Less critical Where: From remote Impact: DoS Released: 2005-12-19 SCO has issued an update for tcpdump. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18146/ -- [SA18100] UnixWare update for gzip Critical: Less critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2005-12-19 SCO has issued an update for gzip. This fixes a vulnerability, which potentially can be exploited by malicious people to extract files to arbitrary directories on a user's system. Full Advisory: http://secunia.com/advisories/18100/ -- [SA18076] Webglimpse "ID" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-19 r0t has reported a vulnerability in Webglimpse, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18076/ -- [SA18075] Red Hat update perl Critical: Less critical Where: From remote Impact: Privilege escalation, DoS Released: 2005-12-21 Red Hat has issued an update for perl. This fixes some vulnerabilities, which can be exploited by malicious people to cause a Denial of Service, and by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. 
Full Advisory: http://secunia.com/advisories/18075/ -- [SA18071] ProjectForum Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-12-15 r0t has reported a vulnerability in ProjectForum, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18071/ -- [SA18193] Red Hat update for udev Critical: Less critical Where: Local system Impact: Exposure of sensitive information Released: 2005-12-21 Red Hat has issued an update for udev. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain access to potentially sensitive information. Full Advisory: http://secunia.com/advisories/18193/ -- [SA18188] Red Hat update for curl Critical: Less critical Where: Local system Impact: Unknown Released: 2005-12-21 Red Hat has issued an update for curl. This fixes a vulnerability with an unknown impact. Full Advisory: http://secunia.com/advisories/18188/ -- [SA18156] Mandriva update for sudo Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-12-21 Mandriva has issued an update for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/18156/ -- [SA18139] Fedora update for kdebase Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-12-19 Fedora has issued an update for kdebase. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/18139/ -- [SA18105] Gentoo update for curl Critical: Less critical Where: Local system Impact: Unknown Released: 2005-12-19 Gentoo has issued an update for curl. This fixes a vulnerability, which has an unknown impact. 
Full Advisory: http://secunia.com/advisories/18105/ -- [SA18102] Fedora update for sudo Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-12-19 Fedora has issued an updated for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/18102/ -- [SA18088] AIX Multiple Privilege Escalation Vulnerabilities Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-12-16 David Litchfield has reported some vulnerabilities in AIX, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/18088/ -- [SA18187] Red Hat update for perl Critical: Not critical Where: From remote Impact: DoS Released: 2005-12-21 Red Hat has issued an update for perl. This fixes a vulnerability, which can be exploited by malicious people to cause a Denial of Service. Full Advisory: http://secunia.com/advisories/18187/ -- [SA18183] SUSE update for perl Critical: Not critical Where: From remote Impact: DoS Released: 2005-12-21 SUSE has issued an update for perl. This fixes a vulnerability, which can be exploited by malicious people to cause a Denial of Service. Full Advisory: http://secunia.com/advisories/18183/ -- [SA18172] Fedora update for fetchmail Critical: Not critical Where: From remote Impact: DoS Released: 2005-12-21 Fedora has issued an update for fetchmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18172/ -- [SA18081] Gentoo update for centericq Critical: Not critical Where: From remote Impact: DoS Released: 2005-12-20 Gentoo has issued an update for centericq. This fixes a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/18081/ Other:-- [SA18179] ADTRAN NetVanta Products ISAKMP IKE Message Processing Vulnerabilities Critical: Moderately critical Where: From remote Impact: Unknown, DoS Released: 2005-12-21 Some vulnerabilities have been reported in ADTRAN NetVanta, which can be exploited by malicious people to cause a DoS (Denial of Service), and with an unknown impact. Full Advisory: http://secunia.com/advisories/18179/ -- [SA18166] NEC UNIVERGE ISAKMP IKE Message Processing Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-12-21 Some vulnerabilities have been reported in NEC UNIVERGE IX1000/IX2000/IX3000 series router, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18166/ -- [SA18138] Ingate Firewall and SIParator Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-12-21 A vulnerability has been reported in Ingate Firewall and SIParator, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18138/ -- [SA18103] Cisco Clean Access Manager Obsolete JSP Files Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2005-12-22 Alex Lanstein has reported a vulnerability in Cisco CAM (Clean Access Manager), which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18103/ Cross Platform:-- [SA18177] PhpGedView File Inclusion and PHP Code Injection Vulnerabilities Critical: Highly critical Where: From remote Impact: Exposure of sensitive information, System access Released: 2005-12-21 rgod has reported some vulnerabilities in PhpGedView, which can be exploited by malicious people to disclose sensitive information and compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/18177/ -- [SA18131] Symantec AntiVirus RAR Archive Decompression Buffer Overflow Critical: Highly critical Where: From remote Impact: System access Released: 2005-12-20 Alex Wheeler has reported a vulnerability in Symantec AntiVirus, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18131/ -- [SA18092] IBM Java SDK JRE Sandbox Security Bypass Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2005-12-16 Some vulnerabilities have been reported in IBM Java SDK, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/18092/ -- [SA18077] Macromedia JRun Server Two Vulnerabilities Critical: Highly critical Where: From remote Impact: Exposure of sensitive information, DoS, System access Released: 2005-12-16 Two vulnerabilities have been reported in Macromedia JRun Server, which can be exploited by malicious people to disclose potentially sensitive information and to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18077/ -- [SA18184] phpBB Chatspot Module Two Vulnerabilities Critical: Moderately critical Where: From remote Impact: Spoofing, Manipulation of data Released: 2005-12-22 Two vulnerabilities have been reported in the Chatspot module for phpBB, which potentially can be exploited by malicious people to conduct spoofing and SQL injection attacks. Full Advisory: http://secunia.com/advisories/18184/ -- [SA18176] Blender "get_bhead()" Integer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-12-21 Damian Put has reported a vulnerability in Blender, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise a user's system. 
Full Advisory: http://secunia.com/advisories/18176/

--
[SA18173] Portfolio NetPublish "template" Disclosure of Sensitive Information
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-12-22
Information Risk Management Plc. has reported a vulnerability in Portfolio NetPublish, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/18173/

--
[SA18154] Beehive Forum Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-22
trueend5 has discovered some vulnerabilities in Beehive Forum, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18154/

--
[SA18152] Papoo SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-22
r0t has reported some vulnerabilities in Papoo, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18152/

--
[SA18150] phpSlash "story_id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-22
r0t has discovered a vulnerability in phpSlash, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18150/

--
[SA18149] Apple QuickTime / iTunes Memory Corruption Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown, DoS
Released: 2005-12-21
Tom Ferris has discovered a vulnerability in Apple QuickTime / iTunes, which can be exploited by malicious people to cause a DoS (Denial of Service), and with an unknown impact.
Full Advisory: http://secunia.com/advisories/18149/

--
[SA18145] Community Enterprise Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information
Released: 2005-12-22
r0t has reported some vulnerabilities in Community Enterprise, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18145/

--
[SA18121] ODFaq SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-19
r0t has discovered two vulnerabilities in ODFaq, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18121/

--
[SA18120] Komodo CMS Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-12-19
r0t has reported two vulnerabilities in Komodo CMS, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18120/

--
[SA18110] Miraserver SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-20
r0t has reported some vulnerabilities in Miraserver, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18110/

--
[SA18099] Marwel "show" Potential SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-19
r0t has reported a vulnerability in Marwel, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18099/

--
[SA18094] AlmondSoft Products "id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-12-16
r0t has reported a vulnerability in various AlmondSoft products, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18094/

--
[SA18078] Macromedia ColdFusion Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information
Released: 2005-12-16
Some vulnerabilities have been reported in Macromedia ColdFusion, which can be exploited by malicious people to bypass certain security restrictions, or by malicious, local users to disclose potentially sensitive information and bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18078/

--
[SA18069] Envolution Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Cross Site Scripting
Released: 2005-12-15
x1ng has discovered some vulnerabilities in Envolution, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18069/

--
[SA18162] VMware NAT Networking Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-12-21
Tim Shelton has reported a vulnerability in VMware, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/18162/

--
[SA18196] RAMSite R|1 CMS "searchfield" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-22
r0t has reported a vulnerability in RAMSite R|1 CMS, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18196/

--
[SA18195] Redakto WCMS Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-22
r0t has reported some vulnerabilities in Redakto WCMS, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18195/

--
[SA18182] Scoop Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-22
r0t has reported some vulnerabilities in Scoop, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18182/

--
[SA18168] OpenEdit Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-22
r0t has reported two vulnerabilities in OpenEdit, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18168/

--
[SA18144] contenite "id" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-20
r0t has reported a vulnerability in contenite, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18144/

--
[SA18143] CONTENS "near" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2005-12-20
r0t has reported a vulnerability in CONTENS, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18143/

--
[SA18137] Metadot Portal Server "Group.pm" Privilege Escalation Vulnerability
Critical: Less critical
Where: From remote
Impact: Privilege escalation
Released: 2005-12-21
Gerry Chng and Claudean Zheng have reported a vulnerability in Metadot Portal Server, which can be exploited by malicious users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/18137/

--
[SA18132] ASPBite "strSearch" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-20
Preddy has reported a vulnerability in ASPBite, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18132/

--
[SA18130] Esselbach Storyteller CMS System "query" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-19
r0t has reported a vulnerability in Esselbach Storyteller CMS System, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18130/

--
[SA18128] FLIP "name" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-19
r0t has reported a vulnerability in FLIP, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18128/

--
[SA18126] Hot Banana Web Content Management Suite Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-19
r0t has reported a vulnerability in Hot Banana Web Content Management Suite, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18126/

--
[SA18125] phpBB "Allow HTML" Script Insertion Security Issue
Critical: Less critical
Where: From remote
Impact: Exposure of system information, Cross Site Scripting
Released: 2005-12-19
Maksymilian Arciemowicz has discovered a security issue in phpBB, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18125/

--
[SA18122] AbleDesign ReSearch Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-20
$um$id has reported a vulnerability in AbleDesign ReSearch, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18122/

--
[SA18117] Libertas ECMS "page_search" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-19
r0t has reported a vulnerability in Libertas ECMS, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18117/

--
[SA18116] Liferay Portal Enterprise Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-19
r0t has reported some vulnerabilities in Liferay Portal Enterprise, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18116/

--
[SA18114] Lutece "query" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-19
r0t has reported a vulnerability in Lutece, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18114/

--
[SA18113] phpMyAdmin Cross-Site Request Forgery Vulnerability
Critical: Less critical
Where: From remote
Impact: Hijacking, Manipulation of data
Released: 2005-12-19
lwang has discovered a vulnerability in phpMyAdmin, which can be exploited by malicious people to conduct cross-site request forgery attacks.
Full Advisory: http://secunia.com/advisories/18113/

--
[SA18112] Cerberus Helpdesk Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-12-20
Alejandro Ramos has reported some vulnerabilities in Cerberus Helpdesk, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18112/

--
[SA18104] Magnolia Search Feature "query" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-19
r0t has reported a vulnerability in Magnolia, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18104/

--
[SA18096] AtlantForum Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-16
r0t has reported some vulnerabilities in AtlantForum, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18096/

--
[SA18095] Atlant Pro Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-16
r0t has reported two vulnerabilities in Atlant Pro, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18095/

--
[SA18093] DCForum+ Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-16
r0t has reported two vulnerabilities in DCForum+, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18093/

--
[SA18091] bbBoard "keys" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-16
r0t has reported a vulnerability in bbBoard, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18091/

--
[SA18090] SiteNet BBS Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-16
r0t has reported some vulnerabilities in SiteNet BBS, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18090/

--
[SA18086] myEZshop Shopping Cart Cross-Site Scripting and SQL Injection
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-12-20
$um$id has reported some vulnerabilities in myEZshop Shopping Cart, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18086/

--
[SA18084] ScareCrow Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-16
r0t has reported some vulnerabilities in ScareCrow, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18084/

--
[SA18080] phpXplorer "address bar" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-16
r0t has reported a vulnerability in phpXplorer, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18080/

--
[SA18074] AbleDesign D-Man "title" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-12-20
$um$id has reported a vulnerability in AbleDesign D-Man, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18074/

--
[SA18072] Red Queen Full Path Disclosure Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2005-12-19
r0t has reported a weakness in Red Queen, which can be exploited by malicious people to disclose system information.
Full Advisory: http://secunia.com/advisories/18072/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Tue Dec 27 08:18:10 2005
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Dec 2005 02:18:10 -0600 (CST)
Subject: [ISN] Computer Forensics Podcast
Message-ID:

Forwarded from: Jesse Kornblum

It looks like computer forensic geeks have joined the wonderful world of podcasting!
Bret Padres and Ovie Carroll, both former AFOSI agents, have started a weekly podcast called CyberSpeak, http://cyberspeak.libsyn.com/

The show covers computer forensics and computer security issues in a fun and informative manner. This week's show, for example, covered "an update on the Sober worm, a hard drive destruction device, an update on the Best Buy hacker, and an appearance by open source forensics tool author Nicholas Harbour" author of our friend dcfldd.

iTunes and other RSS users can subscribe directly to http://cyberspeak.libsyn.com/rss

Disclaimer: I have been invited to participate in this podcast in the near future.

From isn at c4i.org Tue Dec 27 08:16:19 2005
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Dec 2005 02:16:19 -0600 (CST)
Subject: [ISN] Encryption: A nice idea that few want to implement?
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,107280,00.html

Opinion by Larry Ponemon
DECEMBER 22, 2005
COMPUTERWORLD

Companies are not embracing encryption as a way to protect sensitive data. According to Ponemon Institute's 2005 National Encryption Survey, only 4.2% of companies responding to our survey say their organizations have an enterprisewide encryption plan. However, the study also reveals that encryption is viewed by many as an important security tool that enhances the IT professionals' overall sense of trust or comfort in data-protection efforts.

The primary reasons cited for not encrypting sensitive or confidential information were concern about system performance (69%), complexity (44%) and cost (25%). (See "Securing Card Data Isn't An Easy Sell." [1])

Sponsored by PGP Corp., this independent study was conducted to learn what privacy and security professionals think about encryption and how adequate they believed their organization's security programs are to protect sensitive and confidential information.
Encryption is mostly used to protect sensitive or confidential electronic documents when sending them to another system or location (47%), according to our survey results. Only 31% of respondents encrypt data on a device such as a server or laptop, and 24% encrypt sensitive or confidential backup files or tapes before sending them to off-site storage locations.

Given the number of security breaches that are being reported, it seems that now might be a good time to look more closely at encryption. Just this week, for example, tapes containing data on 2 million ABN Amro customers went missing, although the tapes were later recovered (see Update: Missing ABN Amro tape with 2 million names found [2]).

And companies are starting to be held liable for not safeguarding data. The Federal Trade Commission recently charged shoe discounter DSW Inc. with failing to provide reasonable and appropriate security for sensitive customer information, because the company allegedly stored information in unencrypted files that could be accessed easily using a commonly known user ID and password. DSW recently settled with the FTC over charges that its data-security failures constituted an unfair practice under federal law, allowing hackers to access credit card, debit card and checking account information of more than 1.4 million consumers.

Who responded?

Our Web-based survey used two proprietary data sets composed of privacy and information security professionals. Both require subjects to opt in prior to making contact. All data was captured through e-mail or letter invitation to a secure extranet Web site.

The total sampling frame included 6,298 individuals. Of these, more than 91% were designated as information security specialists, and the remaining 9% were designated as information privacy specialists. The total number of completed responses was 791, making a 13% response rate. 81% of the final sample is male, and 19% is female.
We found that our subsample of privacy professionals is skewed toward female subjects.

What we learned

Here are some of the most interesting findings from our study:

* Organizations that use encryption technology do so for the following reasons: electronic transmission of sensitive or confidential information (43%), electronic data on storage devices (30%), backup media (17%) and outbound e-mails (7%).

* The top reasons for encryption are to prevent data breaches (55%), to protect the company's brand or reputation that could result from a breach (40%), to comply with the Sarbanes-Oxley Act (29%) and to avoid having to notify customers or employees after a data breach occurs.

* Regulations that have proven most influential in deciding to use encryption include various state and emerging federal requirements on data security breach notification (57%), the Health Insurance Portability and Accountability Act (43%) and Sarbanes-Oxley (34%).

* The types of data considered most important to be encrypted for storage and/or transmission are business confidential documents (57%), records containing intellectual property (56%), sensitive customer information (56%), accounting and financial information (41%) and employee information (35%). Interestingly, all customer information and consumer information scored a low 8% and 6%, respectively.

* The top five types of personal information about a customer, consumer or employee that should be encrypted are health information (72%), sexual orientation (69%), Social Security number (67%), family members (66%) and work history (57%).

* The bottom five types of personal information about a customer, consumer or employee that should be encrypted are e-mail (10%), home location and telephone (6%), educational background (5%), interests and preferences (2%) and gender (1%).

Our research suggests that privacy and security professionals believe encryption is important to safeguarding sensitive data.
Concerns about encryption negatively affecting system performance, ease of use and cost can and should be addressed in order to achieve more security and avoid a breach that can prove costly to a company's bottom line and reputation.

For more information about the 2005 National Encryption Study, contact research at ponemon.org.

Larry Ponemon is chairman of Ponemon Institute, a think tank dedicated to ethical information management practices and research. He is an adjunct professor of ethics and privacy at Carnegie Mellon University's CIO Institute and is a CyLab faculty member. Ponemon can be reached at larry at ponemon.org.

[1] http://www.computerworld.com/securitytopics/security/story/0,10801,107183,00.html
[2] http://www.computerworld.com/databasetopics/data/story/0,10801,107230,00.html

From isn at c4i.org Tue Dec 27 08:17:04 2005
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Dec 2005 02:17:04 -0600 (CST)
Subject: [ISN] Nessus 3.0: The End of the Age of Open-Source Innocence?
Message-ID:

http://www.linuxinsider.com/story/N0UXlcbNa4sr09/Nessus-30-The-End-of-the-Age-of-Open-Source-Innocence.xhtml

By Jennifer LeClaire
LinuxInsider
12/22/05

"Here's the danger we are running into," said Alan Shimel, Chief Strategy Officer for StillSecure. "People contribute resources to these communities, whether it be time, money, or code. When they see everything they give converted for the commercial success of an individual rather than as a community as a whole, how long do you think they are going to want to keep giving?"

Nessus, maker of one of the most popular open-source vulnerability scanner programs available, changed its licensing agreement with the release of version 3.0.0 on December 12, causing a bit of a stir among security industry players that rely on the code as a component of their commercial solutions.

The latest version is not available under the GPL license, but instead will be sold as a commercial product.
The recent licensing changes affect a broad spectrum of users, including corporations, the open-source community, and even businesses using services that use Nessus. So what exactly does this mean for open source? Is it the end of the age of innocence? What options do interested parties have going forward?

Wider Implications?

William Hurley, CTO for Qlusters, Inc., a Linux data center operations management software vendor, told LinuxInsider that the Nessus announcement provides evidence that projects need community supporters or they must go elsewhere.

"This announcement primarily affects the security community, and only to a small extent the open-source movement. Many companies are still making the transition to an open-source development model," Hurley said. "This announcement is testament to the fact that though single projects like Nessus may need to make dramatic shifts in order to secure a viable future, open source overall is alive and well; continuing to gather more and more support."

End of Innocence

That's one perspective. Here's another: Alan Shimel, Chief Strategy Officer for StillSecure, a company that peddles a vulnerability management platform, told LinuxInsider that the release of Nessus 3.0.0 marks the end of the age of innocence for open-source software.

"Here's the danger we are running into," he said. "People contribute resources to these communities, whether it be time, money, or code. When they see everything they give converted for the commercial success of an individual rather than as a community as a whole, how long do you think they are going to want to keep giving?"

Shimel said it is similar to the Google (Nasdaq: GOOG) discussion. Google makes US$60 billion a year, much of which comes from everyday Joes clicking on ads for search words.

Shimel believes some in the open-source community will be left with a bad taste in their mouths in the wake of Nessus 3.0.0.
Differing Opinions

Not everyone in the software industry agrees with Shimel, of course. Scott Testa, COO of Mindbridge Software, a software and Web-based consulting company, is one who sees the issue differently.

Simply stated, Testa told LinuxInsider that "Open-source software has been around as long as computers have existed. Open-source software will always be around. Some will be commercialized, others will remain open."

Hurley agreed with Testa. Many companies, Hurley said, have already evaluated some of the problems that relationships like Nessus/Tenable produce and have chosen a blended open-source strategy in which they dual-license products.

"Nessus is one of tens of thousands of open-source projects," Hurley said. "Although very popular in its vertical market, it should not be used to judge the overall fate of the open-source software movement."

Decisions, Decisions

In any case, Shimel said users are now forced to make a decision, with three options available: use Nessus v3.0 for free but with a seven-day delay in updates; pay Tenable fees required to obtain a direct feed for updates; or transition to a commercial vulnerability management system.

Regardless of the long-term implications for the open-source community, the move to Nessus 3.0.0 has short-term implications for security software vendors and users. What do individuals and corporations do?

Evaluations should be made on a case-by-case basis, Hurley said. Some may be ready to upgrade to one of the many commercial options, others may not be able to justify the cost and will want to evaluate other options like hosted or outsourcer scanning services.

"In the end, most will probably choose to use Nessus 3.0 for free with the seven-day delay in updates because it's not intended to be a real-time defense mechanism," Hurley said. "If Nessus was an IDS or IPS, like Snort, a seven-day delay in updates would make it virtually useless.
However, this isn't the case with Nessus, and the seven-day delay will probably be amenable to most users."

Absolutely Unacceptable

But on this point Hurley and Shimel also disagree. Shimel said waiting up to seven days for an update is not a viable option. In certain areas, waiting five to seven days for an update is not critical, but with security, he said, it is paramount.

"If Microsoft (Nasdaq: MSFT) issues a patch for a critical Windows vulnerability on Patch Tuesday, no one's security policy is going to find waiting until the following week to receive it acceptable," Shimel said. "So you really have no choice other than to either pay for them or develop these on your own."

A Fourth Option

Hurley said there is a fourth option, one he calls the most viable for most users: migrate to a different open-source vulnerability scanner.

"Nessus is not the only open-source vulnerability scanner available. It's simply, up until this point, the most popular," Hurley said. "A quick search on SourceForge will provide users with several alternatives to choose from."

This includes new projects, like OpenVas.org, that recently sprung up in response to the Nessus announcement. These projects have chosen the option to fork off of the Nessus code base and create viable alternatives to Nessus, and its plug-ins, that can remain in the open-source domain.

Copyright (c) 1998-2005 ECT News Network, Inc. All rights reserved.

From isn at c4i.org Tue Dec 27 08:18:34 2005
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Dec 2005 02:18:34 -0600 (CST)
Subject: [ISN] Auditors: FBI on thin ice in Sentinel buy
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/37830-1.html

By Wilson P. Dizard III
GCN Staff
12/22/05

The FBI faces special risks in developing the Sentinel case management system because it plans to do so at the same time that it is rolling out its new enterprise architecture, according to a letter [1] issued today by Government Accountability Office auditors.
The bureau now is evaluating proposals for systems integration of the case management system, which would serve as a replacement [2] to the defunct Virtual Case File project, which was scuttled earlier this year after costing more than $100 million.

"There were only two proposals submitted," an FBI official said, referring to those from Lockheed Martin Corp. and Northrop Grumman Corp.

The official, who spoke on condition of anonymity, said that the FBI contracting team is getting advice from Aerospace Corp. of Columbia, Md., and Mitre Corp. of McLean, Va., and likely will award the contract in January. Industry sources echoed the official's statements.

"They are getting close [to an award,]" the bureau official said. "They had some clarification questions [for Northrop Grumman and Lockheed]," the official added.

The Sentinel contract could be worth up to $170 million, according to the consulting firm Input of Reston, Va. The FBI earlier had planned to award the contract this month.

Another federal official familiar with the project said the bureau is facing close scrutiny from Congress in the purchasing decision.

The GAO letter describing the Sentinel risks responded to questions from Rep. Frank Wolf (R-Va.), chairman of the Appropriations Subcommittee on Science, the departments of State, Justice and Commerce and related agencies.

The auditors noted in their letter that urgent and compelling mission needs could justify proceeding with a major IT project even if an agency does not have a complete EA.

"A key to dealing with this practical reality is recognizing that doing so increases the risk of deploying systems that are duplicative, not well integrated and unnecessarily costly to operate and interface," according to GAO.

The auditors stated that the bureau had taken some steps to reduce the risk of proceeding with Sentinel.
But they went on to criticize the bureau's poor oversight of its EA contractor, which is working without performance-based contracting controls. The lack of performance-based controls "has inhibited the bureau's ability to adequately define product quality expectations, which in turn increases the chances that delivered products will require rework," according to the letter. The bureau plans to develop and fully implement the contract controls next year, GAO said.

The bureau faces additional risks because of problems with its human capital programs, according to GAO. For example, at one point recently, four out of five key architect positions were vacant, even though the FBI has special legal authority to pay employees as much as $175,000 or more to attract managers, according to the letter.

The bureau now is in the process of hiring a human capital contractor to pinpoint gaps between the bureau's need for employee training, pay and nonpay incentive plans as well as professional development practices and its existing practices, GAO said.

The GAO cited a study [3] by the National Academy of Public Administration that reported problems with the bureau's personnel policies and called for improvements.

The bureau official defended the FBI's progress on personnel issues, saying that CIO Zalmai Azmi "has put a significant amount of personal and organizational energy into improving personnel [practices]."

The FBI official, when told of the GAO letter, said, "This is a whole new threshold. I am not accustomed to GAO audits before the start of a project."

Lockheed Martin confirmed that it is bidding on the contract. Northrop Grumman did not comment on Sentinel. FBI public affairs officials were preparing an official response to the letter this afternoon.
[1] http://www.gao.gov/new.items/d06302r.pdf
[2] http://www.gcn.com/24_12/news/35886-1.html
[3] http://www.napawash.org/Pubs/FBIHR8-12-05.pdf

From isn at c4i.org Tue Dec 27 08:19:02 2005
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Dec 2005 02:19:02 -0600 (CST)
Subject: [ISN] Google plugs security holes in Web site
Message-ID:

http://www.networkworld.com/news/2005/122205-google-holes.html

By Elizabeth Montalbano
IDG News Service
12/22/05

Google has patched security flaws in its Web site that would have exposed users to phishing and other attacks designed to steal account information, according to security researchers.

Researchers at risk management software company Watchfire posted an advisory this week about the flaws, which are called XSS, or cross-site scripting, vulnerabilities. These types of vulnerabilities leave a site open to various attacks, such as account hijacking, changing of user settings, cookie theft/poisoning or false advertising. The advisory for the flaws can be found here [1].

The possibility for attacks at www.google.com was present when users encountered two different error pages, the "404 not found" error message and a Web-site redirection error message. Google did not properly secure these pages, which exposed users to possible attack by exploiting the 7-bit Unicode Transformation Format (UTF-7) character-encoding mechanism, according to Watchfire. The company corrected the flaws by using character-encoding enforcement, according to Watchfire.

Google was not immediately available for comment Thursday.

[1] http://www.watchfire.com/securityzone/advisories/12-21-05.aspx

From isn at c4i.org Tue Dec 27 08:19:29 2005
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Dec 2005 02:19:29 -0600 (CST)
Subject: [ISN] Top Security Trends for 2006
Message-ID:

http://www.redherring.com/Article.aspx?a=15013&hed=Top+Security+Trends+for+2006&sector=Industries&subsector=SecurityAndDefense

December 25, 2005

2005 has been a banner year for cyber-villains.
Thanks to hackers, some of the United States' largest corporations, including financial services giant Citigroup and media powerhouse Time Warner, had sensitive data swiped from their supposedly secure databases. Smaller companies weren't immune this year either, with retailer DSW Shoe Warehouse and credit card processor CardSystems, bought by Pay Per Touch in October, both victims of cyber break-ins (see Credit Cards Bar CardSystems [1]).

Data theft wasn't the only danger in 2005. An Internet worm, Zotob, infected computers at media companies like CNN and financial behemoths like Visa in August. And email nuisances, spam and phishing, were also on the rise.

Will it get better in 2006? Not really, say security experts. In fact, the threats may get worse. That's because just as security systems become more sophisticated, the threats will become more complex and innovative - all in an effort to stay a step ahead.

Looking forward, security experts see eight major trends in security in 2006. Among them, voice spam is expected to become a growing annoyance as VoIP applications become more widely used. Another concern: cyber-criminals will exploit the low levels of security in mobile communications to gain access to data in laptops and other devices.

Here are the security trends to watch for in 2006:

Phishing Frenzy

Phishing, the practice of sending fraudulent emails to encourage users to divulge personal or financial information, will increasingly target customers of smaller organizations in 2006. Until recently, phishing victims often received email purporting to be from large banks like Citibank and Bank of America or sites like eBay. But these organizations are deploying greater security measures to combat phishing, forcing scammers to turn to smaller targets. Next year's targets could include customers of, say, the local credit union, security experts said.
Scammers will aim for residents of a specific town, posing as a local financial institution, local governmental organization, or university, predicts Joel Smith, chief technology officer for AppRiver, a Gulf Breeze, Florida-based spam and virus filtering service provider (see Worm Poses as FBI or CIA Email [2]). "We are going to see more regionalized, localized targeting," he said. "Scammers will look for subscribers of regional ISPs [Internet Service Providers] and send them emails purporting to be from the local credit union."

For scammers, the upside with such targets could be a higher rate of return. "Small organizations or targets from smaller cities may not have been as exposed to the phishing spams as larger or technologically savvy groups," says Mr. Smith.

Business Worm's Rise

Before Zotob struck, computer attacks were often directed at home users. But this worm, which exploited a vulnerability in Microsoft's Windows operating system, affected businesses, marking the rise of Internet criminals focused on financial gain (see Zotob Heralds Business Worm [3]). These attacks on businesses are expected to increase next year, said Bruce Schneier, founder and chief technology officer for security firm Counterpane Internet Security.

These Internet criminals differ from the hacker hobbyists who were content terrorizing home users in several respects, he said. "Hobbyist hackers looked for new and clever attacks, while criminals will use whatever works," he said. "Hobbyists generally didn't care who they attacked, while criminals are more likely to target individual organizations."

The big concern? This new breed of cyber-thieves will target proprietary information like trade secrets, or personal data like social security numbers that can be sold on online black markets. For businesses, the spread of this new breed of worms will mean they'll have to tweak security policies to institute new security protocols that can react faster to threats.
Insider Threat

Many of the data leaks in 2005 may have stemmed from poor security measures. And while companies spend millions securing their networks from intruders, they often ignore one of the most likely sources of leaks: insiders or company executives who can inadvertently or deliberately leak information. Many companies that have off-site call centers managed by third parties don't routinely review their systems to stop leaks, said Joseph Ansanelli, privacy expert and chief executive officer of Vontu, a San Francisco-based company that works to prevent data loss.

Often overlooked, the insider threat will grow in 2006, forcing more companies to add a layer to their network that will monitor the information accessed and distributed by employees (see Q&A: Security Wonk Dan Verton [4]).

Increasing Network Control

The threat of crooked insiders and more stringent compliance regulations will force companies to implement identity-driven networks that control who uses a network. Driving the change is legislation like Sarbanes-Oxley, which calls for specific security measures and complete visibility into network users, devices, addresses, policies, and activity. The basic network identity services that exist today cannot meet the requirements, said Robert Thomas, president and chief executive officer for network security company Infoblox.

"The anonymity associated with conventional network deployments has existed for years; however, the repercussions of that anonymity, increasing regulatory compliance pressures, and security concerns over the last year or two have dramatically raised the visibility around these issues and call for a new approach," he said.

Wireless Security Focus

Hackers are finding it increasingly easy to steal information from devices that contain people's private data, as a growing number have wireless capabilities, said security experts.
Wireless technologies like Wi-Fi may be more widespread, but many users are still ignorant about the security measures they must use on these networks to keep hackers at bay. Security experts see 2006 as the year when threats on wireless networks will come of age. As Wi-Fi moves to airplanes, trains, and other public locations, cyber-criminals will seek to exploit the lack of knowledge about mobile security measures to gain access to user information. One prime target? Laptops carried by business users, said MessageLabs, which provides email security and management services.

Increased Security Legislation

Over the last two years, a number of states have enacted laws similar to one in California requiring companies to disclose security breaches to protect state residents from identity theft. In 2006, a federal law along these lines is a strong possibility, security experts said.

Other legislation in the federal pipeline includes a bill that would set standards on what is spyware, how these programs should behave, and what is deemed a violation. Spyware is malicious software that sneaks into users' computers and monitors their usage.

"The legislators will also continue to dictate what types of security measures must be taken in order to prevent unauthorized access to sensitive company information," said Vontu's Mr. Ansanelli.

Voice Spam Begins

The popularity of Skype and VoIP will lead to new forms of spam attacks next year, security experts predict. As VoIP applications become more widely used, there will be a rise in voice spam. That's because VoIP services lack strong encryption and they can become a target of scammers, said Information Risk Management, an independent security consultancy firm.

"Just as web users can be plagued by pop-up advertisements and spam email, it is expected that VoIP services will be the next target," said the company in a report. "Users could find calls redirected or hijacked by advertisements."
Though there are some security solutions for VoIP traffic and equipment, service providers will have to move in faster to nip the problem in its early stages.

Selling to SMBs

Of course, all these new threats can mean new business for security companies. Traditionally, security companies have focused on selling their products to bigger players, as large organizations have big IT budgets that let them spend on securing their networks. But as smaller firms become the targets of security attacks, security startups will pay more attention to them.

Companies offering managed security services, which involve outsourcing security to specialists rather than doing it in-house, will be best positioned to capitalize on this trend, security experts said. In 2006, there's likely to be a spike in small and medium businesses using managed security services hosted by security companies, said Brad Miller, chief executive officer of Perimeter Internetworking, a managed network security services provider.

This "enables SMBs for the first time to outsource their security and receive pre-integrated services and continuous updates at an affordable price," said Mr. Miller. "They did not have this option before."
[1] http://redherring.com/Article.aspx?a=12823&hed=Credit+Cards+Bar+CardSystems
[2] http://www.redherring.com/Article.aspx?a=14592&hed=Worm+Poses+as+FBI+or+CIA+Email
[3] http://www.redherring.com/Article.aspx?a=13298&hed=Zotob%26nbsp%3bHeralds%26nbsp%3b%e2%80%98Business+Worm%e2%80%99
[4] http://www.redherring.com/Article.aspx?a=13472&hed=Q%26amp%3bA%3a+Security+Wonk+Dan+Verton+

From isn at c4i.org Tue Dec 27 08:20:09 2005
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Dec 2005 02:20:09 -0600 (CST)
Subject: [ISN] Oracle turns to Fortify to secure source code
Message-ID:

Forwarded from: security curmudgeon

: http://www.networkworld.com/news/2005/122005-oracle-fortify.html
:
: By Stacy Cowley
:
: Start-up source-code security technology developer Fortify Software
: scored a major triumph on Tuesday as Oracle announced plans to use
: Fortify's tools to seek out holes in Oracle's database and middleware
: software.
:
: Oracle Chief Security Officer Mary Ann Davidson says she searched for
: years for automated tools to examine Oracle's source code but had been
: unimpressed with the available products. Fortify was the first company
: to listen to Oracle's description of its development process and to
: tailor its software to meet Oracle's needs, Davidson says.

Oracle should have taken the money they paid Davidson and used it to hire humans who can perform code review. Better bang for the buck.

: Oracle has a code base of more than 30 million lines, and is the first
: top-tier commercial software developer to sign on as a Fortify customer.
: Other Fortify clients include a number of financial services companies,
: as well as Flash maker Macromedia. Identity management software

I have not used Fortify's products, nor heard good/bad about them. But using Macromedia as part of a sales pitch is a little damning.
Looking at Macromedia vulnerabilities in Nov/Dec of 2005:

Macromedia JRun Server URL Request Overflow - Dec 15, 2005
Macromedia JRun Server Crafted URL Application Source Disclosure - Dec 15, 2005
Macromedia ColdFusion JRun Clustered Sandbox Security Bypass - Dec 15, 2005
Macromedia ColdFusion CFMAIL Tag Subject Field Arbitrary File Access - Dec 15, 2005
Macromedia ColdFusion Crafted API Administrator Password Hash Disclosure - Dec 15, 2005
Macromedia Flash Media Server Administration Service Crafted Packet Remote DoS - Dec 7, 2005
Macromedia Flash/Breeze Communication Server Malformed RTMP Data DoS - Nov 15, 2005
Macromedia Contribute Publishing Server Shared FTP Credential Weak Password Encryption - Nov 15, 2005
Macromedia Flash Player Flash.ocx ActionDefineFunction Function Arbitrary Code Execution - Nov 7, 2005
Macromedia Flash Player Flash.ocx Unspecified Function Arbitrary Code Execution - Nov 4, 2005

: Oracle hopes by eliminating vulnerabilities before code turns into
: shipped product, it will reduce the number of patches it needs to issue
: and improve its customers' security.
:
: "There's lots of Band-Aid products out there that protect against
: attacks. You wouldn't need so many Band-Aids if you could actually have
: a vaccine," Davidson says.

Davidson sounds like a bad politician. How long has she been in the industry?

: Oracle, which once used "unbreakable" as its brand slogan, has taken a
: few hits on its security reputation this year after issuing a spate of
: critical patches. A German security firm published details of several
: high-risk vulnerabilities in Oracle's software after the firm said it
: tried for years to draw Oracle's attention to the security holes.

A few hits? Try *hundreds* of vulnerabilities in 2005 alone. Try being the worst database products for security your money can buy. Try having the worst turnaround in addressing vulnerabilities (even trivial XSS) in years.
From isn at c4i.org Tue Dec 27 08:20:47 2005
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Dec 2005 02:20:47 -0600 (CST)
Subject: [ISN] Linux Security Week - December 26th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                               Weekly Newsletter  |
|  December 26th, 2005                          Volume 6, Number 52n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com  |
|                   Benjamin D. Thomas       ben at linuxsecurity.com  |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Adaptive Firewalls with Iptables," "Protecting against undefined exploits and security threats," and "Four Security Resolutions For The New Year."

---

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

---

LINUX ADVISORY WATCH

Happy Holidays! This week, advisories were released for dropbear, nbd, phpbb2, OpenLDAP, Xpdf, cURL, CenterICQ, digikam, apache2, sudo, kernel, netpbm, udev, gpdf, kdegraphics, cups, and perl. The distributors include Debian, Gentoo, Mandriva, and Red Hat.

http://www.linuxsecurity.com/content/view/121084/150/

---

* EnGarde Secure Community 3.0.2 Released
  6th, December, 2005

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.2 (Version 3.0, Release 2).
This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.

http://www.linuxsecurity.com/content/view/120951

---

Hacks From Pax: SELinux Administration

This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.

http://www.linuxsecurity.com/content/view/120700/49/

---

Hacks From Pax: SELinux And Access Decisions

Hi, and welcome to my second of a series of articles on Security Enhanced Linux. My previous article detailed the background of SELinux and explained what makes SELinux such a revolutionary advance in systems security. This week, we'll be discussing how SELinux security contexts work and how policy decisions are made by SELinux. SELinux systems can differ based on their security policy, so for the purposes of this article's examples I'll be using an EnGarde Secure Linux 3.0 system, which by default uses a tightly configured policy that confines every included application.

http://www.linuxsecurity.com/content/view/120622/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Hold the Photons!
  20th, December, 2005

How would you feel if you invested millions of dollars in quantum cryptography, and then learned that you could do the same thing with a few 25-cent Radio Shack components? I'm exaggerating a little here, but if a new idea out of Texas A&M University turns out to be secure, we've come close.
http://www.linuxsecurity.com/content/view/121045

* OpenSSH cutting edge
  20th, December, 2005

Federico Biancuzzi interviews OpenSSH developer Damien Miller to discuss features included in the upcoming version 4.3, public key crypto protocols details, timing based attacks and anti-worm measures.

http://www.linuxsecurity.com/content/view/121048

* Encryption: A nice idea that few want to implement?
  23rd, December, 2005

Companies are not embracing encryption as a way to protect sensitive data. According to Ponemon Institute's 2005 National Encryption Survey, only 4.2% of companies responding to our survey say their organizations have an enterprisewide encryption plan. However, the study also reveals that encryption is viewed by many as an important security tool that enhances the IT professionals' overall sense of trust or comfort in data-protection efforts. The primary reasons cited for not encrypting sensitive or confidential information were concern about system performance (69%), complexity (44%) and cost (25%). (See "Securing Card Data Isn't An Easy Sell.")

http://www.linuxsecurity.com/content/view/121088

* Pre-Review: Penetration Tester's Open Source Toolkit
  23rd, December, 2005

Today I received a copy of the new Syngress book Penetration Tester's Open Source Toolkit by Johnny Long, Chris Hurley, SensePost, Mark Wolfgang, Mike Petruzzi, et al. This book appears unnecessarily massive; it's probably 1/2 thicker than my first book, but at 704 pages it's nearly 100 pages shorter than Tao. I think Syngress used thicker, "softer" paper, if that makes sense to anyone.

http://www.linuxsecurity.com/content/view/121087

* Adaptive Firewalls with iptables
  26th, December, 2005

Up until now, we've looked at stateless and stateful firewalls. Remember, stateless firewalls only have the features of a given packet to use as criteria for whether that packet should be passed, blocked, or logged.
With a stateful firewall, in addition to the fields in that packet, we also have access to the kernel's table of open connections to use in deciding the fate of this packet.

http://www.linuxsecurity.com/content/view/121099

* New biometrics software looks for sweat
  23rd, December, 2005

Researchers at Clarkson University have found that fingerprint readers can be spoofed by fingerprint images lifted with Play-doh or gelatin or a model of a finger molded out of dental plaster. The group even assembled a collection of fingers cut from the hands of cadavers. In a systematic test of more than 60 of the carefully crafted samples, the researchers found that 90 percent of the fakes could be passed off as the real thing.

http://www.linuxsecurity.com/content/view/121089

* Ping: ICMP vs. ARP
  22nd, December, 2005

Today almost every organization employs firewalls for enhanced security. Firewalls can be set up in such a way that Internet Control Message Protocol (ICMP) requests are blocked, which means that traditional pings do not work. Setting a firewall to block ICMP requests is based on the theory that if a would-be hacker cannot "see" the target, he may not attack the host.

http://www.linuxsecurity.com/content/view/121078

* Protecting against undefined exploits and security threats
  21st, December, 2005

There is a wealth of tools available to help protect the enterprise from security threats. Firewalls, virtual private networks, strong user authentication, encryption, intrusion detection/prevention systems (IDS/IPS), email filters, antivirus, vulnerability scanners are all options. Each of these point solutions is capable of addressing a specific element of the security mosaic. In order to address their limitations many enterprises attempt to aggregate these solutions in a futile attempt to achieve effective IT security.
http://www.linuxsecurity.com/content/view/121068

* Security-Enhanced Linux Moving into Mainstream
  19th, December, 2005

Security Enhanced Linux has moved into the mainstream of operating system architecture in recent years. For those who don't understand the technology, many articles exist. SELinux provides mandatory access control to a wider audience. It helps eliminate 0-day attacks.

http://www.linuxsecurity.com/content/view/121038

* Security the focus as Debian upgrades
  21st, December, 2005

The Debian Project has released an update to its popular GNU/Linux distribution, with security-related bugfixes a key feature. "This is the first update of Debian GNU/Linux 3.1 (codename 'Sarge') which mainly adds security updates to the stable release, along with some corrections to serious problems," said Debian security team member Martin Schulze in an e-mail announcing the update.

http://www.linuxsecurity.com/content/view/121067

* Nessus 3.0: The End of the Age of Open-Source Innocence?
  22nd, December, 2005

"Here's the danger we are running into," said Alan Shimel, Chief Strategy Officer for StillSecure. "People contribute resources to these communities, whether it be time, money, or code. When they see everything they give converted for the commercial success of an individual rather than as a community as a whole, how long do you think they are going to want to keep giving?"

http://www.linuxsecurity.com/content/view/121077

* VMWare: Virtual Machine Security Flaw 'Very Serious'
  23rd, December, 2005

Virtual infrastructure software maker VMWare Inc. has rushed out fixes for a "very serious" security flaw that put users of its product line at risk of code execution attacks. The vulnerability, which affects both Windows and Linux systems, affects VMware Workstation 5.5, VMware GSX Server 3.2, VMware ACE 1.0.1 and the free VMware Player 1.0. All previous versions of these products are also affected.
http://www.linuxsecurity.com/content/view/121091

* Viewing 2005: The year in security
  19th, December, 2005

The security events of 2005 led some to believe things were getting better when, in truth, it was more the case that what you can't see really can hurt you. The surface may have appeared still and unthreatening but underneath the currents were anything but friendly, as Will Sturgeon explains. Phishing, spam, spyware, Trojans, viruses and worms - you'd be forgiven for thinking 2005 was very much 'same old, same old' but there were trends which came to light during the past 12 months that will have the security experts scrutinising their radars long into the New Year.

http://www.linuxsecurity.com/content/view/121039

* The Enemy Within
  19th, December, 2005

Workers across Europe are continuing to place their own companies at risk from information security attacks. This 'threat from within' is undermining the investments organisations make to defend against security threats, according to a study by security firm McAfee.

http://www.linuxsecurity.com/content/view/121040

* Social Engineering And Other Threats To Internal Security
  21st, December, 2005

Consider the following scenario. A good looking woman is wandering around your premises and approaches you asking to show her how to use some functions in Excel or any other application. Do you start quizzing her on who she is and what department she comes from, or do you invite her to your PC and show her what she needs to know? Let's say you choose the latter and then she asks you for a drink; would you leave her unattended at your PC or do you get her to accompany you?

http://www.linuxsecurity.com/content/view/121062

* Firms count the cost of security threats
  20th, December, 2005

Security threats soared during 2005, along with the risk of financial losses, but a new report shows that companies still aren't heeding the warnings.
According to the State of Information Security 2005 report from PricewaterhouseCoopers and CIO Magazine, not only are security-related events up 22.4 percent on last year's figures, but the number of organisations reporting financial losses as a result of the attacks is also surging. Twenty-two percent of companies said they had been hit financially, compared with last year's 7 per cent.

http://www.linuxsecurity.com/content/view/121046

* Information Security for Small Businesses
  20th, December, 2005

Due to technological advances, the rapid growth of the Internet, and a significant decline in computer and network equipment prices in recent years, many technologies and systems that were once only available to large corporations are now employed by the small business community. Thanks to the Internet and the world of ecommerce, small businesses can dramatically increase their customer base and reach new markets by selling their products and services online.

http://www.linuxsecurity.com/content/view/121047

* Study: Network security market to reach $6 billion
  20th, December, 2005

Network security software and hardware is expected to be a $6 billion market by 2008, a jump fueled primarily by the increasing need for companies to purchase products that secure content and devices, such as intrusion prevention systems (IPS) and network access control (NAC) equipment.

http://www.linuxsecurity.com/content/view/121058

* Security: Forensic Tools in Court
  21st, December, 2005

An interesting question comes to mind when you use as many open source forensic and security tools as I do - if I ever go to court over this case, will my tools be considered valid? When you do examine this issue closely, you find many versions of the answer, both on the legal and techie sides.

http://www.linuxsecurity.com/content/view/121063

* Preparing for day zero
  21st, December, 2005

The zero-day spectre is looming ever larger. Nimda struck in 2001 -
a year after Microsoft issued a patch for the security hole in Internet Explorer. In 2003, Slammer exploited a vulnerability for which a patch had been issued six months earlier. Then with Blaster, the window was down to three weeks. "If you had no time to patch in 2001, and no time to patch in 2003, what about now with three weeks? And what about the Zotob worm - five days?"

http://www.linuxsecurity.com/content/view/121070

* Security Risks You and Your Family Impose on your Companies' Computing and Networking Assets
  22nd, December, 2005

Computer and Network Security is quickly becoming Information Technology's hot occupation. After the colossal disasters of the September 2001 terrorist attacks and the more recent natural disasters, companies have looked long and hard at how to better protect their computing and networking assets from the numerous hackers, natural disasters and foreign terrorists. This includes spending more resources on hardware, upgrading software, and relearning Information Technology priorities. Unfortunately, a grand majority of the greatest minds in Information Technology Security are overlooking the one element that can stroll right up to a company's computing asset and destroy it in one or two clicks. It's you, the employee, your family or family friend.

http://www.linuxsecurity.com/content/view/121074

* Rising to a Higher Standard Isn't Easy
  22nd, December, 2005

Some employees are held to a higher standard of behavior than most. Anyone in a position with broad powers or influence falls into this group, including accountants, managers, systems administrators -- and information security professionals. Like systems administrators, information security professionals generally have access to a great deal of data and information.
Even if they don't have direct access, they generally know how to obtain it by exploiting a weakness (like hackers, but with the opposite intent) or by simply giving themselves elevated privileges.

http://www.linuxsecurity.com/content/view/121075

* Top 7 PHP Security Blunders
  23rd, December, 2005

PHP is a terrific language for the rapid development of dynamic Websites. It also has many features that are friendly to beginning programmers, such as the fact that it doesn't require variable declarations. However, many of these features can lead a programmer inadvertently to allow security holes to creep into a Web application. The popular security mailing lists teem with notes of flaws identified in PHP applications, but PHP can be as secure as any other language once you understand the basic types of flaws PHP applications tend to exhibit.

http://www.linuxsecurity.com/content/view/121090

* Four Security Resolutions For The New Year
  26th, December, 2005

I always know what my first New Year's resolution is going to be, because it's the same every year: lose weight. Chances are, you have the same one. But by the time the Super Bowl happens, and you eat seven thousand calories on that one day, you'll already have given up on that resolution.

http://www.linuxsecurity.com/content/view/121098

* IT security professionals moving up the corporate pecking order
  26th, December, 2005

Ultimate responsibility for information security is moving up corporate management hierarchies, as board-level directors and CEOs - or CISO/CSOs - are increasingly held accountable for safeguarding IT infrastructures, new research has revealed.
The second annual Global Information Security Workforce Study, conducted by global analyst firm IDC and sponsored by not-for-profit IT security educational organisation, the International Information Systems Security Certification Consortium (ISC)2, expects this accountability shift to continue as information security becomes more relevant in risk management and IT governance strategies. http://www.linuxsecurity.com/content/view/121100

* Feds Say Computer Surveillance Hindered Without Patriot Act
22nd, December, 2005
In part of a major Bush Administration lobbying blitz Wednesday, the Department of Justice released a list of technology-related ramifications if the remaining provisions of the Patriot Act aren't passed by Dec. 31. Lobbying hard for the passage of the remaining portions of the broad-sweeping legislation, the department released a statement Wednesday stating that the federal government would revert to a "pre-9/11 mode of information sharing... where terrorists and spies can use technology against us." http://www.linuxsecurity.com/content/view/121076

* Dutch Botnet Bigger Than Expected
22nd, December, 2005
Dutch prosecutors who last month arrested a trio of young men for creating a large botnet allegedly used to extort a U.S. company, steal identities, and distribute spyware now say they bagged bigger prey: a botnet of 1.5 million machines. http://www.linuxsecurity.com/content/view/121081

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Dec 27 08:23:32 2005
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Dec 2005 02:23:32 -0600 (CST)
Subject: [ISN] REVIEW: "Always Use Protection", Dan Appleman
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKALUSPR.RVW 20050805

"Always Use Protection", Dan Appleman, 2004, 1-59059-326-X, U$17.99
%A Dan Appleman www.alwaysuseprotection.com
%C 2560 Ninth Street, Suite 219, Berkeley, CA 94710
%D 2004
%G 1-59059-326-X
%I Apress
%O U$17.99 510-549-5930 fax 510-549-5939 info at apress.com
%O http://www.amazon.com/exec/obidos/ASIN/159059326X/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/159059326X/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/159059326X/robsladesin03-20
%O Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P 266 p.
%T "Always Use Protection: A Teen's Guide to Safe Computing"

In the introduction, the author is at pains to point out that this is not another "don't talk to strangers in chat rooms" book. He seems to be primarily concerned with virus infections and other malware.

Part one is about protecting the computer. Chapter one is a very brief mention of the possibility of gremlins in your machine. Some sloppy definitions of malware and a warning about cyberterrorism are in chapter two. There is some good advice on avoiding virus infections in chapter three. Unfortunately, there is also a lot of questionable or useless material that will not give the reader any protection. Chapter four's advice on antivirus scanners isn't necessarily wrong, but it certainly isn't great. It's marginally better than just saying "get antiviral software," but not by much. "Firewalls" (chapter five) deals only with network address translation and packet filtering types, and is not clear about their limitations.
The details on configuring routers tend to be both too specific to a particular model, and also not technical enough to provide real assistance. Windows Update does not work well with older versions of Windows, and generally refuses to work with non-Internet Explorer browsers, which chapter six fails to mention. Chapter seven is a bit of a grab bag: some good suggestions on securing the Outlook email client, some good but incomplete material on services, and three basic recommendations on wireless LANs which are good as far as they go. (Changing the SSID is fine, but if you keep broadcasting the information it doesn't do much good, and Wired Equivalent Privacy encryption will protect you against those who don't even know they are logging on to your network, as well as those opportunists who only want a free Internet connection, but it is hardly secure against even the novices among your script kiddie friends.) The advice on backups, in chapter eight, is actually realistic. Chapter nine is quite a complex troubleshooting tool to use if you have been hit, and I really don't know how useful it would be in that case.

Part two deals with privacy. Chapter ten discusses identity theft, but glosses over the most common form, simple impersonation. Some generic, but decent, advice on passwords is provided in chapter eleven. Chapter twelve has a good overview of the personal information on your machine that you may not know about. Various ways that your data can be collected, and some things you can do to prevent it, are in chapter thirteen, but in rather random and ragged fashion.

Part three examines some more direct attacks. Chapter fourteen suggests that chat rooms aren't all *that* dangerous, and has some brief words of advice. Some of the more common scams (mostly email) are listed in chapter fifteen.

This book is better than nothing, quite a lot better. (Thomas Greene's "Computer Security for the Home and Small Office" [cf.
BKCMSCHO.RVW] is more complete and technically accurate, but few teens will be interested enough to follow it all the way through.) In fact, I can think of quite a few adults who should read this book. They won't be completely protected, or even mostly protected, but they'll have fewer problems.

copyright Robert M. Slade, 2005 BKALUSPR.RVW 20050805

======================
(quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca slade at victoria.tc.ca rslade at sun.soci.niu.edu
A realist is somebody who thinks the world is simple enough to be understood. It isn't. - Donald Westlake
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Wed Dec 28 14:19:42 2005
From: isn at c4i.org (InfoSec News)
Date: Wed, 28 Dec 2005 13:19:42 -0600 (CST)
Subject: [ISN] Windows zero day nightmare exploited
Message-ID:

http://www.theinquirer.net/?article=28590

By INQUIRER staff
28 December 2005

F-SECURE, Bugtraq and a number of other security aware outfits have warned of a zero day vulnerability that's being actively exploited as we write. Fully patched Windows XP SP2 machines are vulnerable and there's no known fix as yet. A number of trojans are being distributed using the vulnerability, related to Windows' image rendering. Have a look, for example, at the F-Secure site, here [1], for more information. F-Secure says you can get blatted if you visit a site with an image file containing the exploit. IE users may automatically be infected. Firefox users can get infected if the image file is downloaded. There's more solid advice at F-Secure. We await a patch from Microsoft.

* UPDATE Ken Dunham, director at iDefense, said the zero day WMF exploitation threat affecting fully patched versions of XP and Windows 2003 Web Server is underway. It has been exploited by multiple sites and added to the infamous Metasploit tools. Attacks in the last 12 hours, said Dunham, have been minor. But systems so far attacked have shown clear signs of infection.
He warned further attacks were likely. There is no solid workaround against emerging WMF exploits. Locking down WMF files on the gateway and building network detection signatures may mitigate known threats. The impact of attacks may also increase.

[1] http://www.f-secure.com/weblog/

From isn at c4i.org Wed Dec 28 14:19:59 2005
From: isn at c4i.org (InfoSec News)
Date: Wed, 28 Dec 2005 13:19:59 -0600 (CST)
Subject: [ISN] Book Review - Securing IM and P2P Applications for the Enterprise
Message-ID:

http://books.slashdot.org/books/05/12/28/1622246.shtml

[ http://www.amazon.com/exec/obidos/ASIN/1597490172/c4iorg - WK]

Author: Paul Piccard
Pages: 454
Publisher: Syngress
Rating: 9
Reviewer: Ben Rothke
ISBN: 1597490172
Summary: How to get a handle on the increasing number of IM, P2P, and IRC applications that are found on the corporate networks

Similarly, many organizations have deployed myriad security hardware and software products in their infrastructure. But when it comes to instant messaging and peer to peer applications, these applications often execute below the radar of many security products. This is due to the fact that the security infrastructure in many organizations was not architected to deal with such applications. These applications often have so much functionality that it obviates much of the security afforded by the security hardware and software products. Using file transfer as an example, many organizations have policies and controls in place to stop the use of protocols such as ftp and tftp. This is fine, but that will only work for the ftp protocol. File transfer can still be carried out by most instant messaging clients, and that can pose serious security risks. With that, Securing IM and P2P Applications for the Enterprise provides an excellent overview on how to handle, manage and secure IM, P2P, and IRC applications.
This book is written for security and system administrators that need specific details on how to control and secure IM, P2P and IRC applications in their organization. The need to get a handle on IM and P2P is crucial given that IM has turned into a global communications medium, with most organizations today reporting that they allow it for business usage. Many marketing and technical support calls are now handled via IM, and this translates into well over 250 million IM users worldwide. P2P is great for downloading music and movies, but that poses serious security and legal liability risks when done on most corporate networks.

But with all the benefits that IM provides, it introduces many security and privacy risks. IM viruses, identity theft issues, phishing, spyware and SPIM (SPAM over IM) are just a few of the many risks. These risks can turn into intellectual property losses and legal liability issues, especially when they are combined with targeted attacks on corporate IM users. Companies that don't have an effective way in which to deal with IM and P2P are in serious danger, as most IM and P2P threats fly under the radar of many traditional security solutions.

The book has a fairly straightforward approach. Chapter 1 provides an introduction to IM and the most common security issues that IM brings into an organization. The bulk of the remainder of the book details various different IM applications in Part 1 (AIM, Yahoo, MSN, ICQ, Google, Skype), P2P applications in Part 2 (Gnutella, eDonkey/eMule, BitTorrent, FastTrack) and IRC networks and applications in Part 3. Each chapter details the specific architecture of each application, its protocols, security issues, and solutions with which to secure the application. System administrators can use many of the checklists to quickly perform the initial steps necessary to secure their organization from unauthorized IM, P2P, and IRC applications.
Each chapter also provides significant details about the internals of how each application operates. In addition, various 3rd-party tools that can be used to secure and limit the various applications are listed.

Many companies are finding that a significant amount of their bandwidth is being used by P2P applications, and Part 2 describes how to secure networks from the use of P2P applications. This is not always an easy thing to carry out, given that many P2P applications, such as Gnutella, are designed to easily bypass many of the security control mechanisms placed against them. Administrators will find that in this case, simply blocking Gnutella ports will not block all Gnutella traffic, and the application will still be able to run. What is required in this case is the use of a firewall that supports deep packet inspection. Chapter 9 helpfully lists the commands to use when using iptables to block Gnutella traffic.

Chapter 12 provides an interesting look at FastTrack, which is the P2P protocol and network used by clients such as Grokster, Morpheus and other file sharing programs. The chapter also uses Ethereal to detail the internals of FastTrack.

Part 3 deals with IRC and is the sparsest part of the book. This is due to the fact that P2P and IM are much more heavily used on enterprise networks, which this book is geared to.

The only negatives about the book are its price, and some of its formatting. At $49.95, it is on the higher end of computer security books, with the majority of such titles being in the $25.909 - $39.99 range. The formatting uses a font size that is somewhat larger than other books. This seemingly serves to achieve a high page count. In addition, the book often references tables of secondary information that span a few pages (for example, see pages 72-80, 115-120 and more). Such information would be better served in a multiple-column table in a smaller font.
Printing the information in such a manner can cut down on the page total, and save a few trees at the same time.

Besides those two minor issues, Securing IM and P2P Applications for the Enterprise is a most helpful guide. Security and system administrators can use the book to get a handle on the increasing number of IM, P2P, and IRC applications that are found on the corporate networks they support.

-=-

Ben Rothke, CISSP is a New York City based senior security consultant with ThruPoint, Inc. and the author of Computer Security 20 Things Every Employee Should Know (McGraw-Hill 2006) and can be reached at ben at rothke.com

From isn at c4i.org Wed Dec 28 14:20:06 2005
From: isn at c4i.org (InfoSec News)
Date: Wed, 28 Dec 2005 13:20:06 -0600 (CST)
Subject: [ISN] Marriott Discloses Missing Data Files
Message-ID:

Forwarded from: William Knowles

http://www.washingtonpost.com/wp-dyn/content/article/2005/12/27/AR2005122700959.html

By Michael S. Rosenwald
Washington Post Staff Writer
December 28, 2005

Marriott International Inc.'s time-share division said yesterday that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company. Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, were stolen from the company's Orlando headquarters or whether they were simply lost. An internal investigation produced no clear answer. The company notified the Secret Service over the past two weeks, and has also told credit card companies and other financial institutions about the loss of the tapes. The company began sending letters to time-share owners and customers Saturday, and issued a press release about the loss yesterday.
Company officials said they delayed making the matter public until they had researched what information was on the tapes and whom it affected, and determined the issue was sensitive enough to warrant a broad disclosure. "At this point, we are taking all things into consideration," company spokesman Ed Kinney said. "The tapes may have been taken, but they could have been misplaced. We're still investigating the situation." The Vacation Club has told time-share owners, customers and the division's employees to be on the alert for changes to their credit histories or accounts. So far no one has reported any misuse, Kinney said. Those affected have been offered free credit monitoring services. "We regret this situation has occurred and realize this may cause concern for our associates and customers," said Stephen P. Weisz, president of Marriott Vacation Club International, a wholly owned subsidiary of the Bethesda hotel chain. More than 280,000 families use its time-shares worldwide. The loss of Marriott's tapes is the latest in a series of high-profile security lapses involving data that can be used in identity theft schemes. In 2005, there were at least 134 data breaches affecting more than 57 million people, according to the Identity Theft Resource Center, a California nonprofit that helps people hurt by identity theft and lobbies on computer-privacy issues. Last February, ChoicePoint Inc. disclosed that it had released thousands of reports containing names, addresses, Social Security numbers and financial information to people posing as officials in legitimate insurance, debt-collection and check-cashing businesses. In June, MasterCard International said that Card Systems Solutions, which processes credit card transactions, had been hacked and that forty million people had their credit card information exposed. Even high-security defense companies have been victimized. In January, thieves stole computers from Science Applications International Corp. 
of San Diego that contained personal data on thousands of current and past employees, including former military and intelligence officials. It is not clear how many cases of identity theft have been caused by the data breaches. There are about 10 million cases of identity theft a year, with total losses of $53 billion, said Robert Douglas, a Colorado privacy consultant and chief executive of PrivacyToday.com. The costly identity theft schemes have caused state and federal lawmakers to fight for tighter protection of personal data and quick disclosures of breaches. In 2003, California became the first state to pass a rigorous disclosure law requiring that organizations inform individuals if their personal information is compromised. More than 20 states have passed similar laws since then. Congress is considering more than two dozen bills on what companies should be required to do in data breach cases. "For the longest time, people have said it's the consumers' fault," Douglas said. "They don't shred their bank statements at home, or what have you. But since the California law was passed now we are learning how much of this information has been breached and is floating around out there." "We try to be proactive in cases like this," Kinney said. "We followed our own process of being open and proactive." Kinney said the tapes, which require specialized equipment to access, were the responsibility of the company's information resources group. Citing company policy, he declined to say if anyone from the group had been dismissed or disciplined because of the disappearance of the tapes.

(c) 2005 The Washington Post Company

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M.
Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Thu Dec 29 02:40:41 2005
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Dec 2005 01:40:41 -0600 (CST)
Subject: [ISN] A year of living dangerously
Message-ID:

http://www.globetechnology.com/servlet/story/RTGAM.20051228.gtkirwandec28/BNStory/Technology/

By MARY KIRWAN
December 28, 2005
Special to Globe and Mail Update

What dreadful images were seared into our collective imagination in 2005, as terrorists continued to ply their villainous trade, and destroy innocent lives. What will remain with me will be the pictures of the smouldering wreckage of a topless London double-decker bus, and the certain knowledge that Dante's Inferno was raging deep beneath the streets of London. And who can forget the image of the young female barrister emerging from the carnage, her face covered in an eerie white gauze? And the equally tragic aftermath, as an innocent UK immigrant is shot to death on a commuter train in a badly-botched police surveillance operation. Even more recently, fear claimed another victim, as U.S. plain-clothes police killed a mentally ill airline passenger in Miami who claimed to have a bomb. After 9/11, numerous anti-terrorism laws were passed around the world, in a vain attempt to get a grip on the war on terror. But when the enemy is faceless, and does not seek to satisfy any discernible objective - except to wreak carnage on a global scale - it is far harder to root him out. Civil libertarians believe we have done great harm in the process to our way of life, and that we are no safer as a result. But are we safer? We are told that since 9/11, we are far safer when we travel thanks to technological and operational changes.
Yet cargo goes unchecked, and investigative journalists and security "experts" around the world routinely bypass airport security, smuggle weapons, and wander about secure zones, unchallenged by airport personnel. It would almost be funny, if it weren't so terrifying. The Final Report on the 9/11 Commission Recommendations released this month graded the U.S. Transportation system with an 'F', finding that "few improvements have been made to the existing passenger screening system since right after 9/11." The Commission found that checked bag and cargo screening improvements "have not been made a priority by the Congress or the administration," and that "progress on implementation of in-line screening has been slow" - due to "inadequate funding." Yet money, as I wrote in my last column, is being thrown about - with gay abandon by governments acting like drunken sailors - on all manner of ill-considered IT projects that are probably doomed from the outset. Meanwhile, common-sense initiatives with discernible security benefits are starved of funding.

The role of technology

And if you scratch the surface, you will find technology implicated somewhere along the way. As everything is digitized, and the Net infiltrates every nook and cranny of our lives, there are sure to be consequences. Meanwhile, security experts around the world are bickering about whether the threat of cyber-terrorism is real. FBI assistant director Louis M. Reigel recently stated that a cyber-terrorism capability simply doesn't exist today. In the same breath, he admitted that the third version of the Sober worm spread so quickly that it almost took out the FBI's computer systems entirely before a fix was found. I fear that we need to spend more time thinking out of the box, rather than wasting time discounting the threat of cyber-terror and nit-picking. Terrorists are clearly aware that technology can augment and support their operations.
It surely does not have to be all or nothing, as blended threats to critical infrastructure sectors, in particular, remain very real. In Australia, for example, the Ten News Network recently reported that a bomb threat was received by Delta Electricity in New South Wales. The utility was extorted to pay an undisclosed amount, or face the consequences. The threat was reported to have been made against one of the four plants they operate in the state. It was taken very seriously by Delta and law enforcement, and security at the plants was reportedly "upgraded." There is nothing new about criminals combining extortion with old-fashioned terror tactics, but if you add targeted viruses and sophisticated malware to the mix - things that have the potential to cause widespread havoc, and expose highly sensitive data - you have a very potent brew indeed. By way of example, the codes required to enter secure areas at 16 Japanese airports and one in Guam recently appeared on the Internet. A virus infected a computer belonging to a Japan Airlines co-pilot, and his computer leaked these highly sensitive details onto the Web. Although JAL has regulations prohibiting the downloading of sensitive information to personal computers, reports indicate that the airport codes were "too widely known" among "aircrews, ground staff, maintenance workers, cleaners and other airport staff" to be considered off-limits. And that was seemingly an 'innocent' error. Imagine a targeted attack.

Failure of imagination

As kids we are told to 'let our imaginations run wild,' but life has a way of kicking us back to earth with a resounding bang. Who has time for imagination? However, a failure of imagination can have all kinds of undesirable and unpredictable consequences. It can even get people killed. And it surely facilitates crime, as we stay perennially one step behind the bad guys.
The 9/11 Commission attributed much of the failure to predict and counter the threat from extremists to such a failure of imagination. Intelligence analysts had predicted that terrorists might hijack planes to fly them into targets, but it was assumed the planes would come from outside the U.S. and that there would be ample time to shoot them down. The Commission also found that there was an inordinate emphasis on old, rather than evolving, threats. In essence, we simply forgot to expect the unexpected. But career criminals and terrorists are not constrained by morality or lack of imagination. They will use whatever tools are at their disposal to achieve their goals, including the Internet and complex technology. Colombian drug cartels and organized crime are old hands at using technology to facilitate business. As a one-time drug prosecutor, I was always struck by the pragmatic way that high-level drug dealers described their business - many of them spoke like the crème de la crème of the MBA crop. Of course, many have business, legal and technical training, and they will use all the tricks in the book to improve business. Including violence, extortion, intimidation - and technology. Detective Ken Reimer of the Toronto Police Service's fraud squad, an expert on debit card fraud, spends a good part of his life watching criminals use technology to constantly refine their methods to steal personal identification numbers (PINs) and magnetic strip codes from the back of debit cards - creating ever more elaborate false fronts for ATM machines, and false card readers with embedded chip technology that can read and store PIN numbers. The lynchpins of these lucrative operations are known to police to have computer and engineering backgrounds. They also will go to considerable lengths to defeat technology - if it is worth their while.
They issue "tenders" to the black market for specifications to break the latest bank equipment that tries to foil debit card crime - and the battle goes on. Detective Reimer and his colleagues express frustration that repeat offenders are routinely released on bail, and they must watch them drive straight from the courthouse to their next target location to try out their latest skimming device. But at least garden-variety criminals are predictable, as they are invariably motivated by money. But terrorists need money too, to realize their apocalyptic conflagrations - and the links between organized crime and terrorists have always been amorphous, but nonetheless real. Criminals of all stripes will continue to exploit technology for their own ends. They will 'mix and match' - blend the old with the new, and attempt to foil law enforcement efforts to track them. Detective Reimer has encountered encryption on laptops seized from bad guys, but so far police have been able to crack the codes. However, if criminals and terrorists use very strong encryption correctly, it can be impossible to break it. What then? Cpl. Jamie Driscoll of the RCMP Electronic Surveillance Support Unit agreed that the ever-changing nature of technology is an ongoing challenge, but he is confident that the RCMP can evolve to match the capabilities of their tech-savvy adversaries. But we will not stay ahead, or even keep pace, with people who desire to do us harm, if we fixate on irrelevant distinctions, and stop thinking out of the box. Or if we keep throwing good money after bad. Can we look forward to a common-sense revolution in 2006? In the spirit of the season, I remain optimistic. Happy holidays.
From isn at c4i.org Thu Dec 29 02:40:54 2005
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Dec 2005 01:40:54 -0600 (CST)
Subject: [ISN] NIST updates cryptography manual to help agencies meet FISMA requirements
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/37840-1.html

By Rob Thormeyer
GCN Staff
12/28/05

The National Institute of Standards and Technology released a revised cryptography manual that gives federal cybersecurity officials guidance on how to encrypt and protect sensitive data. NIST issued the revised Special Publication 800-21-1 [1] - first released in 1999 - to help government organizations as they comply with the Federal Information Security Management Act of 2002, which requires agencies, among other things, to certify and accredit their IT systems. The report "is intended to provide a structured, yet flexible set of guidelines for selecting, specifying, employing and evaluating cryptographic protection mechanisms in federal information systems - and thus, makes a significant contribution toward satisfying the security requirements of" FISMA, NIST said. In particular, the report gives agencies guidance on selecting cryptography products, including performing a risk assessment and identifying security regulations and policies that are applicable to the agency and system. NIST tailored the report for federal managers who are responsible for designing, procuring, installing and operating computer security systems. "The goal is to provide these individuals with sufficient information to allow them to make informed decisions about the cryptographic methods that will meet their specific needs to protect the confidentiality, authentication and integrity of data that is transmitted and/or stored in a system or network," the report said.
[1] http://csrc.nist.gov/publications/nistpubs/800-21-1/sp800-21-1_Dec2005.pdf

From isn at c4i.org Thu Dec 29 02:41:11 2005
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Dec 2005 01:41:11 -0600 (CST)
Subject: [ISN] Hacker pleads guilty in digital attack of eBay
Message-ID:

http://www.mercurynews.com/mld/mercurynews/business/13502374.htm

By Michael Bazeley
Mercury News
Dec. 28, 2005

An Oregon man has pleaded guilty to charges he used a computer worm to infect as many as 20,000 computers that then attacked eBay.com and other Web sites two years ago. Anthony Clark, 21, of Beaverton, Ore., entered his plea Tuesday afternoon in San Jose federal court. He was charged with intentionally damaging a protected computer. He will be sentenced in April and could receive up to 10 years in prison and a $250,000 fine. Clark and un-named accomplices launched a "distributed denial of service" attack against eBay's auction Web site in the summer of 2003, automatically bombarding the site with massive amounts of Internet traffic in an attempt to cripple the company's network. Clark carried out the attack by using a worm program that hijacked thousands of personal computers. The worm instructed the computers to log in to an Internet Relay Chat server, where they waited for instructions from Clark, according to the U.S. Attorney's office. The U.S. Secret Service and the U.S. Attorney's Office Computer Hacking and Intellectual Property unit in San Jose investigated the case. "It's not that frequently that you see people successfully prosecuted for participating in these attacks," said Christopher Sonderby, chief of the CHIP unit. EBay declined to characterize the scope of the attack because the court is still investigating the damages to decide Clark's sentence. "I think the unique thing here is that we were able to trace it," said eBay spokesman Chris Donlay. Clark's attorney could not be reached for comment.
From isn at c4i.org Thu Dec 29 02:41:22 2005
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Dec 2005 01:41:22 -0600 (CST)
Subject: [ISN] Chinese Cyber Criminals Attack Korean Bank
Message-ID:

http://english.chosun.com/w21data/html/news/200512/200512280025.html

Dec. 28, 2005

The website of the Jeonbuk Mutual Savings Bank based in Gunsan, North Jeolla Province, was reportedly attacked by Chinese hackers, marking the first domestic hacking incident of a bank involving Chinese cyber criminals. Customers who log onto the website are likely to fall victim to the hackers by having their cyber money or internet game items stolen or experiencing a slowdown in internet speeds, among other possible damage. The bank said it hurriedly deleted the Trojan horse programs, which can steal user IDs and passwords and were exposed on specific online game sites linked to from its homepage, and is now tracing the source of the programs. Trojan horses are a type of hacking program that takes advantage of programs with vulnerable Internet security. The programs allow hackers to steal specific personal information, mainly game IDs and passwords of users. A bank official said there would be no critical damage due to the exposure of personal information, as that server merely introduces banking services, without actually offering Internet banking services.

From isn at c4i.org Thu Dec 29 02:41:34 2005
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Dec 2005 01:41:34 -0600 (CST)
Subject: [ISN] FBI to hire IT help
Message-ID:

http://www.washingtontechnology.com/news/1_1/daily_news/27657-1.html

By Wilson P. Dizard III
Contributing Staff Writer
12/28/05

The FBI today unveiled a campaign to hire a large number of IT professionals to operate and maintain the bureau's global systems. "Joining the FBI technology team will be an exciting and rewarding career," said FBI director Robert S. Mueller III in a statement.
"The FBI is dedicated to developing and implementing state-of-the-art IT systems to support our agents and analysts in the field. These IT positions are critical in support of this FBI's mission to protect the United States against terrorism, foreign intelligence, criminal enterprises and cyberattacks."

The Government Accountability Office recently reported that the bureau's shortage of key IT personnel poses problems for the rollout of new systems.

According to an FBI statement, the bureau is recruiting computer scientists, engineers, IT specialists and project managers at salaries ranging from $35,452 to $135,136, with potential recruitment bonuses. The FBI has adopted special procedures to hire staff quickly, with interviews beginning in January.

The bureau said it is seeking expertise in:

* Systems engineering
* Data Warehousing
* Federated search technology
* Data engineering
* Service-oriented architecture
* Application engineering
* Portal technology.

The bureau urged applicants to apply online [1].

[1] http://www.fbijobs.gov/

From isn at c4i.org Thu Dec 29 02:42:31 2005
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Dec 2005 01:42:31 -0600 (CST)
Subject: [ISN] Black Hat Federal and Europe Call for Papers
Message-ID:

Forwarded from: Jeff Moss

Hey InfoSec News readers,

Black Hat Federal 2006 Speakers Chosen

Black Hat Federal 2006 speakers have now been chosen. Black Hat Federal focuses on threats and defenses to those in the Federal sector. From root kit hunting and physical forensics to adversary characterization, Black Hat Federal has practical and cutting edge research targeted specifically to federal sector security professionals. Black Hat Federal 2006 speakers include Dave Aitel, Simson L. Garfinkel, Tzi-cker Chiueh, and Dan Kaminsky.

Black Hat Federal takes place January 23-26, 2006, Sheraton Crystal City, Washington, DC.
http://www.blackhat.com/html/bh-federal-06/bh-fed-06-speakers.html

Black Hat Europe 2006 CFP Closing soon

Our Black Hat Europe 2006 Briefings CFP is about to close! Submissions are due no later than January 1st. Many speakers have already been selected, so don't wait until the deadline to submit.

http://www.blackhat.com/html/bh-europe-06/bh-eu-06-cfp.html

Black Hat Europe 2006 Early Registration still open

Save hundreds of euros on early registration for Black Hat Europe 2006 by registering now. Selected speakers so far include Halvar Flake, Johnny Long, spoonm, and Jarno Niemelä. Early bird rates close February 1.

Black Hat Briefings Europe takes place February 28th to March 3rd, Grand Hotel Krasnapolsky, Amsterdam, the Netherlands. Two days of Training and two days of the Briefings.

http://www.blackhat.com/html/bh-europe-06/bh-eu-06-index.html

Black Hat USA 2006 CFP will open earlier this year, starting the end of January. More details will be on-line when available.

Happy almost New Year,

Jeff Moss

From isn at c4i.org Thu Dec 29 02:43:14 2005
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Dec 2005 01:43:14 -0600 (CST)
Subject: [ISN] REVIEW: "Degunking Your Email, Spam, and Viruses", Jeff Duntemann
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKDYESAV.RVW 20041205

"Degunking Your Email, Spam, and Viruses", Jeff Duntemann, 2004, 1-932111-93-X, U$24.99/C$37.99
%A   Jeff Duntemann feedback at paraglyphpress.com
%C   Suite 115 4015 North 78th Street, Scottsdale AZ 85251
%D   2004
%G   1-932111-93-X
%I   Paraglyph Press
%O   U$24.99/C$37.99 602-749-8787 ssayre at paraglyphpress.com
%O   http://www.amazon.com/exec/obidos/ASIN/193211193X/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/193211193X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/193211193X/robsladesin03-20
%O   tl i rl 3 tc 3 ta 4 tv 4 wq 3
%P   334 p.
%T   "Degunking Your Email, Spam, and Viruses"

Lots of books have "quick tips" at the front these days.
Usually these are nothing more than promotional fluff, designed to convince you that the author Knows Important Stuff. However, when I perused the suggestions for what to do about email and viruses if you had limited amounts of time, I was quite impressed that Duntemann had, in fact, carefully selected those tasks that would give the most protective value for the temporal coin. I could cavil at a few, but generally this list is very well chosen for those readers who do need to get started right away.

Chapter one is an introduction, defining the various problems, and outlining the "12-step" program that structures most of the rest of the book. Although chapter two is supposed to be about creating an email strategy it doesn't go quite that far. But Duntemann does provide guidance on the type of email user you are, and notes the importance (which varies) of having alternative email addresses. Various email clients, and important features, are reviewed in chapter three. The advice is good (although I don't know why he is dissing Pegasus :-)

Chapter four outlines good email habits, and effective practices for using and managing email. The advice on maintaining contact and synchronization on the road, given in chapter five, is helpful to travelers although I am not sure that it a) applies to everyone, and b) is a "gunky" problem. Chapter six provides valuable advice for managing stored or saved messages.

Chapter seven describes the situation with regard to spam, and suggests the standard actions to avoid it. The concepts and tools for spam filtering are outlined in chapter eight. Chapter nine walks the reader through the installation and "training" of POPfile, while ten lists arguments against non-Bayesian spam prevention filters and systems.

Chapter eleven is a good introduction to the broad categories of malware.
The choice and evaluation of antiviral programs, given in chapter twelve, is quite decent, although the space and precedence given to the "three sisters" seems to be excessive: companies like Sophos, F-Prot, and Avast turn out technically superior products and are hardly "obscure." Spyware and adware, as well as suggestions to limit them and products to deal with them, are covered in chapter thirteen. Chapter fourteen has good advice about dealing with worms (although I'm surprised that Duntemann did not mention turning off DCOM, which would probably have saved his friend some grief). Chain letters and scams are discussed in chapter fifteen. (I was teaching in Nigeria when I read this book, so I found the coverage of the 419 scam ironic. Nigeria isn't in chaos: it just seems that way.) Chapter sixteen finishes off with advice on what to do if you *have* been hit with something nasty.

The book has a lot of very practical and useful information. It is written at a level that any intermediate user, and many intelligent novices can use directly without further experimentation. (A few items could use more detail: how do you turn an .iso file into a bootable CD?) I would recommend this as an excellent reference to have to hand for pretty much any computer user.

copyright Robert M. Slade, 2004   BKDYESAV.RVW   20041205

======================
(quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca      slade at victoria.tc.ca      rslade at sun.soci.niu.edu
Post hoc, ergo propter hoc
After it, therefore because of it
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

From isn at c4i.org Fri Dec 30 02:18:25 2005
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Dec 2005 01:18:25 -0600 (CST)
Subject: [ISN] E-Transaction Law needed
Message-ID:

http://english.vietnamnet.vn/reports/2005/12/527373/

The Phong
29/12/2005

VietnamNet - In the past two months, hackers have launched repeated attacks on individual forums and government websites in Vietnam.
A new law comes into effect in March to combat the problem, but experts wonder if it's enough.

The severe DoS war

On December 13th, regular visitors of Athena - a network security training center in HCMC - were surprised to find that hackers had changed the forum's interface, and an obscene warning remained.

HAVonline.net, a forum for networking security in Vietnam, crashed in late November due to DoS attacks. The same fate befell Viethackers.org two weeks later. Earlier, engineers from FPT - an Internet Service Provider in Vietnam - found that one of the company's Domain Name Servers had been broken into, resulting in some clients not being able to view certain web pages, such as Google.

A DoS attack - or Distributed Denial of Service - is designed to bring a computer network to its knees by flooding it with useless traffic.

Recently, threats of attack and counter-attack have been circulating on many Vietnamese forums, signaling that a DoS war may be about to break out among members of these forums.

Two young online credit-card abusers captured by the police in late November have just been released, because the judge in the case could not identify the victims.

Though the government is still apparently reluctant to take strong legal action to curb these activities, the E-Transaction Law is set to come into effect March 1st, 2006.

Still a ways off

However, IT experts are skeptical that the law will make a difference.

"The upcoming E-Transaction Law is vague about enforcement. The interests of victims have not been well defined," said Le Ngoc Quang, IDG Vietnam's marketing director. He added that most online users will not rally behind a law that they're not sure will protect them from hackers.

"We need to look at how other countries deal with this situation," Quang continued.

The director of IT company N.T.B. commented that he used to buy books online at sites like Amazon.com using his credit cards until they started refusing buyers with IP addresses from Vietnam.
There are still plenty of other websites to take his online business, but he explains, "Now, I am too afraid of Vietnamese hackers stealing my credit card's information. If this was to happen, to whom would I cry for help?"

The vulnerability of online transactions in Vietnam obviously hinders development of eBusiness and eCommerce and also makes foreign investment less attractive.

Do Ngoc Duy Trac, a network security expert from VASC Infosec club, expressed his concern over enforcement of the upcoming law. "We need a law-enforcement body that is strong and powerful enough to do the job," Trac said.

Dr. Mai Anh, head editor of the E-Transaction Law, hopes the upcoming law will relieve concerns over the security and safety of online transactions.

"I know the Ministry of Police is setting up an anti-high tech crime task force, and the Information Technology Law will be effective in late 2006. I think that in a couple of years' time, Vietnam will have a good legal foundation to maintain security on the Internet," he commented.
From isn at c4i.org Fri Dec 30 02:19:20 2005
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Dec 2005 01:19:20 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-52
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2005-12-22 - 2005-12-29

                       This week : 24 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

NOTE: This vulnerability can be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.
Additionally, exploit code is publicly available. This is being exploited in the wild.

The vulnerability can also be triggered from explorer if the malicious file has been saved to a folder and renamed to other image file extensions like ".jpg", ".gif", ".tif", and ".png" etc.

Please refer to the referenced Secunia advisory for additional details and information about a temporary workaround.

Reference:
http://secunia.com/SA18255

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA18131] Symantec AntiVirus RAR Archive Decompression Buffer Overflow
2.  [SA18255] Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution
3.  [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
4.  [SA15368] Microsoft Internet Explorer Multiple Vulnerabilities
5.  [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
6.  [SA18169] McAfee SecurityCenter "mcinsctl.dll" ActiveX File Overwrite Vulnerability
7.  [SA18162] VMware NAT Networking Buffer Overflow Vulnerability
8.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
9.  [SA18149] Apple QuickTime / iTunes Memory Corruption Vulnerability
10. [SA18205] Linux Kernel Socket Data Buffering Denial of Service

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA18255] Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution
[SA18245] Golden FTP Server APPE Command Buffer Overflow
[SA18226] WebDB SQL Injection Vulnerability
[SA18243] Spb Kiosk Engine Program Execution Control Bypass Weakness

UNIX/Linux:
[SA18221] Gentoo update for mantis
[SA18236] Gentoo update for scponly
[SA18223] scponly Privilege Escalation and Security Bypass Vulnerabilities
[SA18222] UnixWare TCP Timestamp Denial of Service
[SA18237] Gentoo update for rssh
[SA18230] Sun Solaris PC NetLink Insecure File Handling Vulnerability
[SA18228] Debian update for dhis-tools-dns
[SA18227] DHIS Tools Insecure Temporary File Creation
[SA18224] rssh "chroot" Directory Privilege Escalation Vulnerability
[SA18231] Mandriva update for fetchmail
[SA18225] Debian update for ketm

Other:

Cross Platform:
[SA18256] SimpBook "message" Script Insertion Vulnerability
[SA18239] DEV web management system Cross-Site Scripting and SQL Injection
[SA18238] BZFlag "callsign" Handling Denial of Service Vulnerability
[SA18259] FatWire UpdateEngine Cross-Site Scripting Vulnerabilities
[SA18258] communique "query" Cross-Site Scripting Vulnerability
[SA18257] CommonSpot "bNewWindow" Cross-Site Scripting Vulnerability
[SA18234] EPiX "query" Cross-Site Scripting Vulnerability
[SA18232] Juniper NetScreen Security Manager Potential Denial of Service
[SA18229] Ethereal GTP Dissector Denial of Service Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA18255] Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution

Critical:    Extremely critical
Where:       From remote
Impact:      System access
Released:    2005-12-28

A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18255/

--
[SA18245] Golden FTP Server APPE Command Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-12-26

Tim Shelton has discovered a vulnerability in Golden FTP Server, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18245/

--
[SA18226] WebDB SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-23

r0t has reported a vulnerability in WebDB, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18226/

--
[SA18243] Spb Kiosk Engine Program Execution Control Bypass Weakness

Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-12-28

Seth Fogie has reported a weakness in Spb Kiosk Engine, which potentially can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18243/

UNIX/Linux:
--
[SA18221] Gentoo update for mantis

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Cross Site Scripting, Manipulation of data
Released:    2005-12-23

Gentoo has issued an update for mantis. This fixes some vulnerabilities, where some have unknown impacts and others potentially can be exploited by malicious people to conduct cross-site scripting, HTTP response splitting, and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18221/

--
[SA18236] Gentoo update for scponly

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Privilege escalation
Released:    2005-12-29

Gentoo has issued an update for scponly. This fixes two vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges, or by malicious users to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/18236/

--
[SA18223] scponly Privilege Escalation and Security Bypass Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Privilege escalation
Released:    2005-12-23

Two vulnerabilities have been reported in scponly, which can be exploited by malicious, local users to gain escalated privileges, or by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18223/

--
[SA18222] UnixWare TCP Timestamp Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-12-23

A vulnerability has been reported in UnixWare, which can be exploited by malicious people to cause a DoS (Denial of Service) on active TCP sessions.

Full Advisory:
http://secunia.com/advisories/18222/

--
[SA18237] Gentoo update for rssh

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-12-28

Gentoo has issued an update for rssh. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18237/

--
[SA18230] Sun Solaris PC NetLink Insecure File Handling Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-12-26

Two vulnerabilities have been reported in Sun Solaris PC NetLink, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18230/

--
[SA18228] Debian update for dhis-tools-dns

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-12-27

Debian has issued an update for dhis-tools-dns. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/18228/

--
[SA18227] DHIS Tools Insecure Temporary File Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-12-27

Javier Fernandez-Sanguino Pena has reported a vulnerability in DHIS Tools, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18227/

--
[SA18224] rssh "chroot" Directory Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-12-23

Max Vozeler has reported a vulnerability in rssh, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18224/

--
[SA18231] Mandriva update for fetchmail

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-12-26

Mandriva has issued an update for fetchmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18231/

--
[SA18225] Debian update for ketm

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-12-27

Steve Kemp has reported a vulnerability in ketm, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18225/

Other:

Cross Platform:
--
[SA18256] SimpBook "message" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-26

0o_zeus_o0 has discovered a vulnerability in SimpBook, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/18256/

--
[SA18239] DEV web management system Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-12-27

rgod has reported some vulnerabilities in DEV web management system, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18239/

--
[SA18238] BZFlag "callsign" Handling Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-12-27

Luigi Auriemma has reported a vulnerability in BZFlag, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18238/

--
[SA18259] FatWire UpdateEngine Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-27

r0t has reported two vulnerabilities in FatWire UpdateEngine, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18259/

--
[SA18258] communique "query" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-27

r0t has reported a vulnerability in communique, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18258/

--
[SA18257] CommonSpot "bNewWindow" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2005-12-27

r0t has reported a vulnerability in CommonSpot, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/18257/

--
[SA18234] EPiX "query" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-27

r0t has reported a vulnerability in EPiX, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18234/

--
[SA18232] Juniper NetScreen Security Manager Potential Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-12-29

David Maciejak has reported a vulnerability in NetScreen Security Manager (NSM) which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18232/

--
[SA18229] Ethereal GTP Dissector Denial of Service Vulnerability

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-12-28

A vulnerability has been reported in Ethereal, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18229/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Dec 30 02:19:55 2005
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Dec 2005 01:19:55 -0600 (CST)
Subject: [ISN] Hacking of IISc website was a warning
Message-ID:

http://timesofindia.indiatimes.com/articleshow/1351795.cms

TIMES NEWS NETWORK
December 30, 2005

BANGALORE: Was the hacking of the IISc website four years ago a warning of what was in store? It was, intelligence sleuths say now.

IISc had come under the radar of fundamentalist Islamic groups in 2001. The Al Qaida had succeeded in hacking the website of IISc's supercomputer education and research centre, "www.serc.iisc.ernet.in", and also that of the atomic energy regulatory board in October 2001.

The hackers had left a message for the then PM A B Vajpayee: "We proved you lame everywhere, even in real or this cyber world. Admit it."

The police rule out the involvement of Al Qaida in the attack at this stage, but feel it is definitely the handiwork of some Islamic fundamentalist organisation.

A top intelligence official told TOI the hacking of the website was a pointer to what was to follow. "Terrorists knew the importance of IISc for a fast developing country like India. Striking the institute, which produces some of the finest brains and products of the world, is like cutting off the roots of development," the official said, while explaining why IISc was targeted.

"The very fact that terrorists chose to strike at IISc and not in the premises of any other software major shows that they are desperate to cut off the country's nerves," the official said.
From isn at c4i.org Fri Dec 30 02:17:49 2005
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Dec 2005 01:17:49 -0600 (CST)
Subject: [ISN] Hackers seize on newfound flaw in Windows
Message-ID:

http://seattlepi.nwsource.com/business/253931_msftflaw30.html

By ROCHELLE GARNER
BLOOMBERG NEWS
December 30, 2005

A newfound flaw in Microsoft Corp.'s Windows operating system is being used by hackers to install malicious code on personal computers.

Users can infect their computers by visiting certain Web sites that are able to exploit some Windows-based applications, Internet security company Panda Software said. It called the discovery "one of the most serious vulnerabilities recently detected."

The flaw in the world's most popular software leaves PCs open to adware and spyware as well as Trojans, which can hide damaging programs. Internet Explorer, Outlook and the Windows Picture and Fax viewer are used to insert the potentially harmful code, said Patrick Hinojosa, chief technology officer of Panda.

"Because this exploits particular programs on Windows, rather than Windows itself, your machine can get infected simply by visiting a Web site that's set up to exploit the flaw," Hinojosa said.

Microsoft is investigating reports of the problem, the company said on its Web site. It hasn't yet developed a security patch, and recommends that customers use caution and keep antivirus software up to date.

Panda found cases of infection almost immediately after the flaw was first reported Tuesday, Hinojosa said. Web sites exploiting the security lapse include toolbarbiz.biz and buytoolbar.biz, Panda said. The sites are set up to install malicious code by using the way applications process Windows Metafiles to show images.

Microsoft has been working to improve the security of Windows, which has come under attack from more than 17,000 computer viruses and worms. The latest vulnerability was found in Windows XP, Windows 2000 and Windows NT systems.
Panda said it is still testing Windows 98 for the flaw.

From isn at c4i.org Fri Dec 30 02:20:29 2005
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Dec 2005 01:20:29 -0600 (CST)
Subject: [ISN] Hackers steal $50K from E-Trade account
Message-ID:

http://www.nbc-2.com/articles/readarticle.asp?articleid=5357

By David Karsh
12/29/2005

CHARLOTTE COUNTY - Managing your money on-line can be a risky proposition. One Southwest Florida family found out the hard way after losing more than $50,000 to computer hackers.

A simple login to a familiar web site revealed a nightmare.

"We looked at the account and instead of having $119,000, there was only $56,000. At that point I said what's going on?" said Jeanette Miller of Port Charlotte.

Miller manages her parents' money on an investment site called E-Trade. Several major transactions were made over the past few days, but none of them were by her.

"I said whatever you have going on in this account, everything from December 12 until now has not been our doing. This is theft," said Miller.

In just over a week, half her parents' retirement savings has been wiped out.

"My husband is 80, I'm 75. What can we do? That's all the money we have left," said Traudle Simon.

Managing your money on-line is easy and convenient, but it can also be very risky. If your account falls into the wrong hands, it can be nearly impossible for investigators to track down the bad guy.

"It's really pretty frustrating because it's a complicated thing to deal with," said Lieutenant Debbie Bowe of the Charlotte County Sheriff's Office.

Anti-virus programs and firewalls are the best defense against hackers, but once they get past those, it's way too easy for them to make off with your money.

"Even though we may have a victim here, the suspect might be in a foreign country or in a state a long distance from here. There's no way we can actually investigate it," said Bowe.

Which means that most victims are on their own.
Unfortunately, it's a lesson that some people are learning the hard way.

E-Trade has not responded to our requests for an interview, but the family said the company told them hackers broke into their account.

Detectives say this is becoming quite common in our area, but very few arrests are ever made.

© 2005 by NBC2 News. All rights reserved.

From isn at c4i.org Fri Dec 30 02:21:14 2005
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Dec 2005 01:21:14 -0600 (CST)
Subject: [ISN] Sony settles 'rootkit' class action lawsuit
Message-ID:

http://news.com.com/Sony+settles+rootkit+class+action+lawsuit/2100-1002_3-6012173.html

By Ingrid Marson
Special to CNET News.com
December 29, 2005

Sony BMG has struck a deal with the plaintiffs in a class action lawsuit over copy-restriction software it used in music CDs, according to a settlement document filed at a New York court Wednesday.

The record label has agreed to compensate buyers of CDs that contained the XCP and MediaMax DRM programs and to provide software utilities to allow consumers to uninstall both types of software from their computer.

The furor over Sony's DRM software began at the end of October when a U.S. programmer discovered that XCP software on a Sony music CD had installed copy-restriction software on his computer that was hidden using a rootkit. Antivirus companies later discovered Trojan horses that exploited this software to avoid detection and found that another type of Sony DRM, MediaMax, also posed a security risk.

During November a number of individuals filed cases against Sony at courts across America. These cases were granted class action status Dec. 1. Sony BMG met lawyers from the firm handling the class action suit in early December and engaged in "virtual round-the-clock settlement negotiations", according to the settlement filing, which has been posted on the Sunbelt Software Web site.
In the settlement filing, Sony states that it will immediately recall all XCP CDs and replace them with non-content-protected CDs. It has also agreed to offer incentives to U.S. customers to "ensure that XCP CDs are promptly removed from the market."

Sony first released details about its CD recall scheme in late November. Customers who exchange their XCP CD can either download three albums from a list of over 200 titles, or claim a cash payment of $7.50 and a free download of one album. To claim this compensation, customers must return their XCP CDs to Sony or provide the company with a receipt showing they returned or exchanged the CD at a retailer after Nov. 14.

Sony is not recalling MediaMax CDs, but has agreed to compensate buyers of these albums by allowing them to download one free album, as well as offering them MP3 versions of the music on the MediaMax album.

The settlement filing is awaiting approval by the U.S. District Court for the Southern District of New York.

Ingrid Marson of ZDNet UK reported from London.

From isn at c4i.org Fri Dec 30 02:21:54 2005
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Dec 2005 01:21:54 -0600 (CST)
Subject: [ISN] Hackers Rebel Against Spy Cams
Message-ID:

http://www.wired.com/news/technology/0,69942-0.html

By Ann Harrison
December 29, 2005

BERLIN -- When the Austrian government passed a law this year allowing police to install closed-circuit surveillance cameras in public spaces without a court order, the Austrian civil liberties group Quintessenz vowed to watch the watchers.

Members of the organization worked out a way to intercept the camera images with an inexpensive, 1-GHz satellite receiver. The signal could then be descrambled using hardware designed to enhance copy-protected video as it's transferred from DVD to VHS tape.

The Quintessenz activists then began figuring out how to blind the cameras with balloons, lasers and infrared devices.
And, just for fun, the group created an anonymous surveillance system that uses face-recognition software to place a black stripe over the eyes of people whose images are recorded.

Quintessenz members Adrian Dabrowski and Martin Slunksy presented their video-surveillance research at the 22nd annual Chaos Communication Congress here this week. Five hundred hackers jammed into a meeting room for a presentation that fit nicely into CCC's 2005 theme of "private investigations."

Slunksy pointed out that searching for special strings in Google, such as axis-cgi/, will return links that access internet-connected cameras around the world. Quintessenz developers entered these Google results into a database, analyzed the IP addresses and set up a website that gives users the ability to search by country or topic -- and then rate the cameras.

"You can use this to see if you are being watched in your daily life," said Dabrowski.

The conference, hosted by Germany's Chaos Computer Club, featured many discussions on data interception and pushing back the unprecedented onslaught of surveillance technologies.

Even the Dutch, once known as hacker-friendly, politically progressive Europeans, are now fearful and demanding more cameras on their streets, said Rop Gonggrijp, founder of Dutch ISP Xs4All. Gonggrijp says the Dutch chief of police has announced the intention to store large amounts of surveillance data and mine it to determine who to pressure and question.

"People are screaming for more control," said Gonggrijp.

Dutch journalist Brenno de Winter warned that the European Parliament's support for data retention doesn't ensure security, and makes citizens vulnerable to automated traffic analysis of who communicates with whom through phone calls and internet connections.
"What we have seen is a system that fails because we miss out on too much information, and even if we have all that information, it doesn't give us the right information and it is easy to circumvent," said de Winter.

CCC member and security researcher Frank Rieger said hackers should provide secure communications for political and social movements and encourage the widespread use of anonymity technologies. He said people on the other side of the camera need to be laughed at and shamed.

"It must not be cool anymore to have access to this data," said Rieger, who argued that Western societies are becoming democratically legitimized police states ruled by an unaccountable elite. "We have enough technical knowledge to turn this around; let's expose them in public, publish everything we know about them and let them know how it feels to be under surveillance."

The four-day Chaos Computer Congress is meeting near Alexanderplatz in the former East Berlin, where more than a half-million people rallied for political reform five days before the fall of the Berlin Wall.

In his keynote address, Joichi Ito, general manager of international operations for Technorati, warned that the internet could itself become a walled-in network controlled by the International Telecommunication Union, Microsoft and telecommunications companies. Ito said these restrictions would stifle free speech and the ability to question authority without retribution.

"An open network is more important for democracy than the right to bear arms and the right to vote," said Ito. "Voice is more important than votes."
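The Quintessenz pipeline described in the Wired piece (search for a camera-specific path string, collect the result URLs, analyse the IP addresses, build a searchable inventory) is simple enough to sketch end to end. The Python below is an added example written for this page; it is not Quintessenz's code and nothing in it comes from the article or the talk. The only camera signature it knows is the "axis-cgi/" path the article names; the sample URLs, the example hostnames and address ranges, and the "own network" list in the defender check are all constructed for illustration. Country attribution, which the Quintessenz site offered, needs an offline GeoIP database and is left out; the example stops at the network-prefix grouping that precedes it.

```python
"""Triage of search-engine results for exposed network-camera endpoints.

Added example for this page, not Quintessenz's code. The signature table is
built around the single path string the article names ('axis-cgi/'); the
sample result URLs and the 'own network' data are constructed, not real.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path fragments that identify a camera's HTTP interface. Only the string the
# talk used as a search term is included; the vendor label is for grouping.
CAMERA_SIGNATURES = {
    "axis": re.compile(r"/axis-cgi/", re.IGNORECASE),
}

# Constructed sample of what the scraped result list looks like. None of these
# hosts are real (documentation address ranges and example.* names).
SAMPLE_RESULTS = [
    "http://203.0.113.10/axis-cgi/mjpg/video.cgi",
    "http://203.0.113.10/axis-cgi/jpg/image.cgi?resolution=640x480",
    "HTTP://203.0.113.10:80/axis-cgi/mjpg/video.cgi",      # same endpoint once canonicalised
    "http://cam.example.net/axis-cgi/mjpg/video.cgi?camera=1",
    "http://198.51.100.7:8080/axis-cgi/mjpg/video.cgi",
    "http://www.example.org/docs/axis-cgi-manual.html",    # mentions the string, not a camera
    "http://[2001:db8::1]/axis-cgi/mjpg/video.cgi",
    "not a url at all",
]


def canonical_host(url):
    """Return (scheme, host, port) with default ports dropped, or None for junk."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    default = 80 if scheme == "http" else 443
    return (scheme, parts.hostname.lower(), None if port in (None, default) else port)


def classify(url):
    """Vendor label whose signature matches the URL path, else None."""
    path = urlsplit(url).path
    for vendor, sig in CAMERA_SIGNATURES.items():
        if sig.search(path):
            return vendor
    return None


def host_kind(host):
    """'ipv4', 'ipv6' or 'name'; literal addresses go straight to IP analysis."""
    try:
        return "ipv" + str(ipaddress.ip_address(host).version)
    except ValueError:
        return "name"


def build_inventory(urls):
    """Deduplicate results per endpoint: {(scheme, host, port): {vendor, kind, paths}}."""
    inventory = {}
    for url in urls:
        key = canonical_host(url)
        vendor = classify(url) if key else None
        if key is None or vendor is None:
            continue                  # junk, or a page that merely mentions the string
        entry = inventory.setdefault(
            key, {"vendor": vendor, "kind": host_kind(key[1]), "paths": set()})
        entry["paths"].add(urlsplit(url).path)
    return inventory


def group_by_network(inventory, prefixlen=24):
    """Bucket literal IPv4 endpoints by prefix: the first step of the IP analysis."""
    buckets = defaultdict(list)
    for (_, host, _), entry in inventory.items():
        if entry["kind"] == "ipv4":
            net = ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)
            buckets[str(net)].append(host)
    return dict(buckets)


def check_own_exposure(inventory, own_hosts, own_networks):
    """Defender-side use: which inventoried cameras sit on our names or address space?"""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    own = {h.lower() for h in own_hosts}
    hits = []
    for (_, host, _), entry in inventory.items():
        if host in own:
            hits.append(host)
        elif entry["kind"] != "name" and any(ipaddress.ip_address(host) in n for n in nets):
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_RESULTS)
    for key, entry in sorted(inv.items(), key=lambda kv: str(kv[0])):
        print(key, entry["vendor"], entry["kind"], sorted(entry["paths"]))
    print(group_by_network(inv))
    # Constructed 'own' data: the defender would substitute their real inventory.
    print(check_own_exposure(inv, ["cam.example.net"], ["198.51.100.0/24"]))
```

Two points the code makes that the article only implies: the search string alone over-matches (a manual page that contains "axis-cgi" is not a camera, so the match is done on the URL path, not the whole URL), and one camera shows up under several URLs, so canonicalising scheme, host and default port before counting is what turns a pile of results into an inventory of endpoints. The last function is the same inventory read from the other side: an organisation that runs the script over its own hostnames and address ranges finds out whether any of its cameras are among the ones a stranger can reach.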